A Windows XP help forum. PCbanter

PCbanter forum » Microsoft Windows XP » Security and Administration with Windows XP
How to tell if a firewall alert is suspicious or not

#31
September 16th 05, 02:48 PM
Duane Arnold

Gerard Schroeder wrote:

> On Thu, 15 Sep 2005 12:51:41 GMT, Duane Arnold wrote:
>
>> That's for you to determine by using a link like the one below and
>> entering the IP into the WhoIs search box and finding out if the IP
>> is dubious or not.
>
> That's only HALF the answer.
> All it tells you is WHO made the request.
> That doesn't tell you if the request is valid.

Well that's true and Sygate is really not telling you either.

> For example, the posted DNS address has NOT contacted me ever in the
> more than a year that my DSL to D-LINK setup has been in existence.
> So, WHY should a machine which purports to be a DNS machine all of a
> sudden contact me today?

I don't know why; you'll have to figure it out. For me, when the ISP's DNS
servers wanted to contact the public or external WAN IP used by the FW
appliance, it was due to me configuring a static IP on one of the
machines' NICs on the LAN. I set the machine's NIC back to using a DHCP IP
and I have not seen the DNS servers trying to initiate contact with my
network.

> On the other hand, many of the requests happen every day all day.
> That STILL doesn't make them innocuous; it just makes them "probably"
> not suspicious. That would include, for example, the NDIS User mode
> I/O Driver, the NDIS Filter Intermediate Driver, the Generic Host
> Process for Win32 Services, etc.

You must have a Win XP machine as you're talking about NDIS User mode,
where in my case the wireless NIC driver was using NDIS User Mode to
phone home to several sites. So at the time I set BlackIce to not allow
communications by the NDIS User Mode driver. I am not using wireless
anymore, so I disabled the Wireless Zero Configuration Service on XP to
close that door.

> All I'm asking is for these events,
> none of which are explicitly user initiated, is it reasonable to tell
> the Sygate Personal Firewall to ACCEPT all these requests without
> complaint?

It comes down to you knowing what's happening and who is doing it, and not
using Sygate like a crutch, because Sygate is not giving you the true
picture. You talk about NDIS User Mode and whatnot, svchost.exe (Generic
Host Process), which are just doing their jobs, and that is to communicate
on the network LAN or WAN. It's not those processes that are initiating
the communication, as they only do it on behalf of other processes
that are making the requests. You need to determine what those processes
are that are doing it, make a determination of whether it's legit or not,
and take the appropriate action.

One uses the proper tools like Process Explorer to look at processes and
see what hidden processes are using a particular process, and not use
Sygate like some kind of a crutch.

Long version

http://www.pcworld.com/downloads/fil...780,RSS,RSS,00.asp

Short version

http://tinyurl.com/99vur

The link talks about tools you can use.

Long version

http://www.windowsecurity.com/articl...jan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html

Short version

http://tinyurl.com/klw1

And for the particular Windows O/S you are using, you can go get a
Windows Resource Kit book that will tell you everything about the O/S and
what is happening. You may be able to check one out at the public
library.

I don't have any solutions such as BlackIce with its Application Control
running on my machines, because personal FW solutions that are using it
are a worthless feature IMHO.

I have BlackIce running on my laptop, but the Application Control feature
is disabled, as I don't need it asking me the ridiculous questions; I
have a good take on what's happening, or I know how to use the proper
tools and find out what is happening.

Some other tips, and there is one for Win 2K too.

http://labmice.techtarget.com/articl...ychecklist.htm

The buck stops with you and the O/S. It doesn't stop anywhere else.

Duane



#32
September 16th 05, 03:51 PM
Duane Arnold

Gerard Schroeder wrote:

> On Thu, 15 Sep 2005 13:43:02 GMT, Duane Arnold wrote:
>
>> If the user's machine was sitting behind a simple NAT router for the
>> protection and not running the PFW solution on the machine, none of
>> the ridiculous authorization questions the end-user is dealing with
>> would be asked.
>
> I have DSL going to a D-Link just like everyone else.
>
> Is this D-Link wired and wireless transmitter the "NAT Router" you
> bespeak of?

You don't specify a model number, so I'll assume it's a wired/wireless AP
router that falls into this category.

http://www.homenethelp.com/web/explain/about-NAT.asp

Duane
#33
September 16th 05, 07:00 PM
null

Gerard Schroeder wrote:

> The question becomes:
> 1. HOW do users learn MORE about the PURPOSE of this OPEN NETWORK LIBRARY?
> 2. HOW do we obtain possible REASONS for a machine contacting us on this
> port?
>
> That advice was the purpose of the original question.


I don't know of a simple answer to your questions. The only people I
have ever had contact with that could *possibly* explain the reasons for
*every* incoming/outgoing packet are security experts - most notably
firewall experts.

So, one of the posters gave a solution for you, a solution that I use
frequently: deny the request and see if anything breaks.

Good luck.

--
The reader should exercise normal caution and backup the Registry and
data files regularly, and especially before making any changes to their
PC, as well as performing regular virus and spyware scans. I am not
liable for problems or mishaps that occur from the reader using advice
posted here. No warranty, express or implied, is given with the posting
of this message.

#34
September 16th 05, 07:04 PM
null

Gerard Schroeder wrote:

> I'm confused whether the D-Link wired and wireless box I have connected to
> the DSL modem is considered the "router" you bespeak of. Is it?


I can't say with 100% certainty if the D-Link is a router, but it
probably is.

--
The reader should exercise normal caution and backup the Registry and
data files regularly, and especially before making any changes to their
PC, as well as performing regular virus and spyware scans. I am not
liable for problems or mishaps that occur from the reader using advice
posted here. No warranty, express or implied, is given with the posting
of this message.

#35
September 18th 05, 03:11 PM
No_Name


Gerard Schroeder wrote:

> On Thu, 15 Sep 2005 06:14:04 GMT, nutso fasst wrote:
>
>> "Gerard Schroeder" wrote in message
>>
>> snip
>>> What would be nice is for users to post (and for experts to doublecheck)
>>> what they consider to be innocuous requests uninitiated by them which
>>> appear in their yes/no request list from Sygate.
>>>
>>> I am willing to START that list of what appears to be common innocuous
>>> requests (for expert review).
>>
>> Google the name of the process initiating the outgoing connection.
>
> Here is my list of common requests not explicitly initiated by me which my
> Sygate Personal Firewall seems to report daily so that others may consult
> it before accepting or rejecting a Sygate Personal Firewall request to
> allow access:
>
> NDIS User mode I/O Driver (ndisuio.sys)
> has received a Multicast packet from the remote machine [192.168.0.1].
> Do you want to allow this program to access the network?

that's not important. 192.168.0.1 is from your LAN. if you receive
a packet from a computer on your LAN, it's no big deal!

> NDIS Filter Intermediate Driver (eacfilt.sys)
> has received a Multicast packet from the remote machine [192.168.0.1].
> Do you want to allow this program to access the network?

ditto

> NDIS Filter Intermediate Driver (eacfilt.sys)
> is trying to broadcast to [192.168.0.255]
> using remote port 137 (NETBIOS-NS - Browsing request of NetBIOS over
> TCP/IP).
> Do you want to allow this program to access the network?

So now this process (you may google it), but it's clearly being
harmless. It is on your comp, and sending a packet to every computer on
your LAN.
Don't think that one of your computers is attacking another!

> NDIS User mode I/O Driver (ndisuio.sys)
> has received a Broadcast packet from the remote machine [192.168.0.100].
> Do you want to allow this program to access the network?

ditto

> Firefox (firefox.exe)
> is being contacted from a remote machine news.google.com [216.239.37.147]
> using local port 1615 (NETBILL-AUTH - NetBill Authorization Server).
> Do you want to allow this program to access the network?

I just use firefox as a web browser. It just makes outgoing
connections. So, once the outgoing connection was made, packets go
either way. Each outgoing connection may use a diff port, I don't see
why this local port is called NETBILL-AUTH, maybe i'm wrong. but
this is firefox, nothing to worry about.

> Firefox (firefox.exe)
> is being contacted from a remote machine [206.13.28.12]
> using local port 1258 (OPENNL - Open Network Library).
> Do you want to allow this program to access the network?

ditto. dunno what this opennl is about - even after googling. but this
is firefox, surely not receiving an incoming connection, unless you're
not using it as just a web browser or something.

do you recognise OpenNL?!

> Generic Host Process for Win32 Services (svchost.exe)
> is trying to connect to [207.46.157.60]
> using remote port 443 (HTTPS - HTTP protocol over TLS/SSL).
> Do you want to allow this program to access the network?
>
> Generic Host Process for Win32 Services (svchost.exe)
> is trying to connect to time.windows.com [207.46.130.100]
> using remote port 123 (NTP - Network Time Protocol).
> Do you want to allow this program to access the network?

windows does make these annoying outgoing connections. it may not be
worth checking out what windows is doing. any outgoing connection from
svchost.exe should be considered fine. unless svchost.exe got
overwritten by a malicious version. You can't be that paranoid on a
windows system. trust svchost.exe ! it's a famous windows process. as
sygate knows

> Firefox (firefox.exe)
> is being contacted from a remote machine [80.237.203.14]
> using local port 4503
> Do you want to allow this program to access the network?

yes
you want to use your web browser.

The windows firewall which blocks all incoming connections is very
good. Yes, malware may make outgoing connections. But at least you'll
let windows processes communicate outside. and you'll let your browser
communicate.

And as has been said, don't be afraid of some spyware transmitting.
If it's there, then remove it. If it were dangerous, it'd get past
your attempt at blocking outgoing connections anyway.

Blocking outgoing connections as paranoidly as you are now causes the
mess that you have now. far more stress than any spyware!!!
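
The reply above walks Gerard's list with three questions: is the far end on the LAN or the Internet, did the program receive or initiate the traffic, and does the service name Sygate prints next to a port number mean anything. The script below is an added example (not part of the thread, not Sygate's code) that applies those same three questions mechanically to the prompt texts quoted in the thread. The sentence shapes it recognises are only the ones shown in this thread; the verdict labels and the `triage` function are my own.

```python
"""Triage Sygate Personal Firewall prompts the way the thread does: where the far
end is, which way the traffic flows, and whether the port name matters.
Added example; the sample prompts are the ones quoted in the thread."""
import ipaddress
import re

# Prompt texts as quoted in the thread (trailing "Do you want to allow..." removed).
ALERTS = [
    "NDIS User mode I/O Driver (ndisuio.sys) has received a Multicast packet "
    "from the remote machine [192.168.0.1].",
    "NDIS Filter Intermediate Driver (eacfilt.sys) is trying to broadcast to "
    "[192.168.0.255] using remote port 137 (NETBIOS-NS - Browsing request of "
    "NetBIOS over TCP/IP).",
    "Firefox (firefox.exe) is being contacted from a remote machine "
    "news.google.com [216.239.37.147] using local port 1615 (NETBILL-AUTH - "
    "NetBill Authorization Server).",
    "Firefox (firefox.exe) is being contacted from a remote machine "
    "[206.13.28.12] using local port 1258 (OPENNL - Open Network Library).",
    "Generic Host Process for Win32 Services (svchost.exe) is trying to "
    "connect to time.windows.com [207.46.130.100] using remote port 123 "
    "(NTP - Network Time Protocol).",
    "NT Kernel System (ntoskrnl.exe) is trying to send an ICMP Type 8 "
    "(Echo Request) packet to [202.232.13.185].",
]

PROGRAM = re.compile(r"^(?P<prog>.+?) \((?P<exe>[^)]+)\)\s+(?P<rest>.*)$", re.S)

# The sentence shapes this thread shows, tried in order.
SHAPES = [
    ("lan_packet", re.compile(
        r"has received a (?P<kind>Multicast|Broadcast) packet from the remote "
        r"machine \[(?P<ip>[\d.]+)\]")),
    ("broadcast", re.compile(
        r"is trying to broadcast to \[(?P<ip>[\d.]+)\]"
        r"(?: using remote port (?P<port>\d+)(?: \((?P<svc>[^)]*)\))?)?")),
    ("inbound", re.compile(
        r"is being contacted from a remote machine (?:(?P<host>[\w.-]+) )?"
        r"\[(?P<ip>[\d.]+)\](?: using local port (?P<port>\d+)(?: \((?P<svc>[^)]*)\))?)?")),
    ("outbound", re.compile(
        r"is trying to connect to (?:(?P<host>[\w.-]+) )?\[(?P<ip>[\d.]+)\]"
        r"(?: using remote port (?P<port>\d+)(?: \((?P<svc>[^)]*)\))?)?")),
    ("icmp", re.compile(
        r"is trying to send an ICMP Type (?P<icmp>\d+) .*?packet to \[(?P<ip>[\d.]+)\]")),
]


def parse_alert(text):
    """Split one prompt into program, executable, sentence shape and named fields."""
    m = PROGRAM.match(" ".join(text.split()))   # prompts wrap; fold whitespace
    if not m:
        raise ValueError("not a Sygate prompt: " + text)
    for shape, rx in SHAPES:
        s = rx.search(m.group("rest"))
        if s:
            fields = {k: v for k, v in s.groupdict().items() if v is not None}
            if "port" in fields:
                fields["port"] = int(fields["port"])
            return {"prog": m.group("prog"), "exe": m.group("exe"), "shape": shape, **fields}
    raise ValueError("unrecognised prompt shape: " + text)


def triage(text):
    """Return (verdict, reason). Verdicts: 'lan', 'reply', 'outbound', 'inspect'."""
    a = parse_alert(text)
    ip = ipaddress.ip_address(a["ip"])
    on_lan = ip.is_private or ip.is_multicast or a["ip"].endswith(".255")
    if a["shape"] in ("lan_packet", "broadcast"):
        if on_lan:
            return "lan", f"{a['exe']}: broadcast/multicast between machines on your own LAN"
        return "inspect", f"{a['exe']}: broadcast traffic involving non-LAN address {a['ip']}"
    if a["shape"] == "inbound":
        port = a.get("port", 0)
        if port >= 1024:
            # A client that only makes outgoing connections gets its replies on the
            # ephemeral port it picked; the name Sygate prints is merely the IANA
            # registration for that number and says nothing about this traffic.
            return "reply", (f"{a['exe']}: {a['ip']} answering on ephemeral local port "
                             f"{port}; ignore the port name '{a.get('svc', '')}'")
        return "inspect", f"{a['exe']}: {a['ip']} reached a service listening on port {port}"
    if a["shape"] == "outbound":
        where = "LAN" if on_lan else "Internet"
        return "outbound", (f"{a['exe']} -> {a.get('host', a['ip'])}:{a.get('port', '?')} "
                            f"({where}); judge the program, and for a shared host like "
                            f"svchost.exe find the service behind it")
    # icmp: the kernel sends it on behalf of whatever asked; the prompt cannot say what.
    return "outbound", f"{a['exe']}: ICMP type {a['icmp']} to {a['ip']}; find the tool that asked"


if __name__ == "__main__":
    for alert in ALERTS:
        verdict, reason = triage(alert)
        print(f"[{verdict:8}] {reason}")
```

Running it prints one line per prompt; the two Firefox "being contacted" entries come out as replies on ephemeral ports, which is the point No_Name makes about NETBILL-AUTH and OPENNL above.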

#36
September 18th 05, 03:23 PM
No_Name


Gerard Schroeder wrote:

> On Thu, 15 Sep 2005 15:48:26 +0100, Mike wrote:
>
>> Novices do not have the knowledge as you so patently demonstrate.
>> You need a hardware firewall like the ones built into Zyxel routers etc.
>
> Is the D-Link wireless/wired box connected to the DSL modem set up in the
> default configuration sufficient?

it is a great help. it blocks all incoming connections. Beyond that, do
not block all outgoing connections, or allow yourself to be hassled by
your personal firewall over it.

Use software, like Active Ports, that will list Established
Connections. At least it won't hassle you with popups. It gives the
process name. Do not look for great lists. Just google the name of
the process that is making the outgoing connection. And if you get 100
links saying it's spyware, then you should start running different
spyware removal utilities until you successfully get rid of it.

> Or is there something ELSE I should purchase to get this "hardware
> firewall"?

your 'home router' (actually a NAT device) blocks incoming. I have a
DLink one too.
You can go to http://192.168.0.1 and configure it. Or if that doesn't
work, find out its IP:
open a command prompt (start..run..cmd ENTER) and type
ipconfig /all

and see what it says for 'Gateway' (That is your 'router').
do http://gatewayip

see, it has a firewall built in. But still, don't bother blocking
outgoing connections, even with that.

if you have spyware, get rid of it properly.

>> If you had a router you would not have seen it or been startled plus you
>> would have been protected.

and you do have a router. ('home router'). It blocks incoming. Which
is very good. You should look at outgoing but not be hassled with
popups. and not be paranoid. use google on an unknown process making an
outgoing connection. just see if google says it's spyware.
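
Two posts make the same point from different ends: Duane (#31) says the prompt names svchost.exe or an NDIS driver, which only carry traffic for whichever service or program actually asked, and No_Name (#36) suggests a tool that lists established connections together with the owning process. The script below is an added example, not code from the thread or from Active Ports or Process Explorer, that does that join with the two built-in XP commands `netstat -ano` and `tasklist /svc`: the first gives the PID behind each connection, the second gives the image name and, for a shared svchost.exe, the services it hosts. The two command outputs embedded in it are constructed samples in the format those tools print, not captures from the poster's machine.

```python
"""Join `netstat -ano` with `tasklist /svc` so each established connection is
labelled with its process and, for svchost.exe, the services inside it.
Added example; both command outputs below are constructed samples."""
import ipaddress
import re

# Constructed sample of `netstat -ano` output (not from the thread).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    192.168.0.108:139      0.0.0.0:0              LISTENING       4
  TCP    192.168.0.108:1615     216.239.37.147:80      ESTABLISHED     1484
  TCP    192.168.0.108:1702     207.46.157.60:443      ESTABLISHED     1036
  TCP    192.168.0.108:1720     192.168.0.1:80         ESTABLISHED     1484
  UDP    192.168.0.108:123      *:*                                    1036
"""

# Constructed sample of `tasklist /svc` output (not from the thread).
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    952 RpcSs
svchost.exe                   1036 Dhcp, EventSystem, lanmanworkstation,
                                   Netman, W32Time, wuauserv, WZCSVC
firefox.exe                   1484 N/A
"""


def parse_tasklist(text):
    """Map PID -> (image name, hosted services). Continuation lines, which
    tasklist indents, belong to the previous entry."""
    procs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and last is not None:
            procs[last][1].extend(s.strip() for s in line.split(",") if s.strip())
            continue
        m = re.match(r"^(.+?)\s+(\d+)\s+(.+)$", line)
        if not m:
            continue  # column header or separator row
        image, pid, svcs = m.group(1), int(m.group(2)), m.group(3).strip()
        services = [] if svcs == "N/A" else [s.strip() for s in svcs.split(",") if s.strip()]
        procs[pid] = (image, services)
        last = pid
    return procs


def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) rows from `netstat -ano`;
    UDP rows carry no state column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        else:
            proto, local, foreign, pid = parts
            state = ""
        rows.append((proto, local, foreign, state, int(pid)))
    return rows


def established(netstat_text, tasklist_text):
    """Established TCP connections with owning image and hosted services."""
    procs = parse_tasklist(tasklist_text)
    out = []
    for proto, local, foreign, state, pid in parse_netstat(netstat_text):
        if state != "ESTABLISHED":
            continue
        host, port = foreign.rsplit(":", 1)
        image, services = procs.get(pid, ("<unknown>", []))
        out.append({
            "pid": pid, "image": image, "services": services, "local": local,
            "remote_ip": host, "remote_port": int(port),
            # RFC 1918 space is the poster's own LAN; anything else went out the NAT.
            "remote_is_lan": ipaddress.ip_address(host).is_private,
        })
    return out


def describe(conn):
    """One line per connection; for svchost.exe the image alone is not the
    answer, so the hosted services are listed too."""
    where = "LAN" if conn["remote_is_lan"] else "Internet"
    who = conn["image"]
    if conn["services"]:
        who += " hosting " + ", ".join(conn["services"])
    return f"{where}: {conn['remote_ip']}:{conn['remote_port']} <- PID {conn['pid']} {who}"


if __name__ == "__main__":
    for c in established(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(describe(c))
```

On a real machine the two samples would be replaced by the captured output of the commands; `tasklist` is not present on XP Home, where Process Explorer's service tab gives the same hosted-service list.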

#37
September 18th 05, 03:36 PM
No_Name


Gerard Schroeder wrote:

> On Thu, 15 Sep 2005 19:25:21 -0600, Bruce Chambers wrote:
>
>>> Sygate Personal Firewall:
>>> Firefox (firefox.exe) is being contacted from a remote machine
>>> [206.13.28.12] using local port 1258 (OPENNL - Open Network Library).
>>> Do you want to allow this program to access the network?
>>
>> Do you have another computer on your internal network with that
>> specific IP address? Is that computer allowed to connect to the
>> Internet via your computer?
>
> Of course not!
>
> If I had another machine on the same tiny home network with that IP address
> (which would be highly unlikely in a 192.168.0.XXX network), then I would
> NOT have posted that specific request in the list above as it would have
> been an obvious innocuous request.
>
> Again, knowing the machine name & owner is only HALF the story. Actually,
> it's only 1/3 the story as the following is important:
> 1. WHO is the owner of that machine?
> 2. WHAT is the purpose of the port being used?
> 3. WHY is that machine contacting me?
>
> Is this information available somewhere?
>
> Note that the WHO part is trivial to obtain, e.g., we can obtain that from:
> http://www.dnsstuff.com
> http://www.nwtools.com
> http://www.netsol.com
> http://remote.12dt.com/rns
> http://www.zoneedit.com/lookup.html
> etc.; but that doesn't tell us WHAT or WHY.
>
> The WHAT part, albeit often highly technical, is not very difficult to
> obtain, e.g., we can use any of the following which describe the ports:
> http://www.bekkoame.ne.jp/~s_ita/por...1200-1299.html
> http://www.seifried.org/security/ports/1000/1258.html
> http://www.iana.org/assignments/port-numbers
> http://www.sonomawireless.com/~ports/port1200-1299.html
> http://www.auditmypc.com/freescan/re...m/portlist.asp
> etc.; but that doesn't tell us WHY they contacted us.
>
> The WHY part is the key question.
>
> For example, WHY would dns1.snfcca.sbcglobal.net contact my machine on
> tcp/udp port 1258 named the Open Network Library?
>
> The question becomes:
> 1. HOW do users learn MORE about the PURPOSE of this OPEN NETWORK LIBRARY?
> 2. HOW do we obtain possible REASONS for a machine contacting us on this
> port?
>
> That advice was the purpose of the original question.

difficult to know those answers, especially on a windows machine. So,
ppl don't.

the key thing is knowing that it isn't malware.

Believe me, you can go further than you are in asking HOW and WHY. You
could download Ethereal - a packet sniffer, and start asking why this
program is sending this or that. It doesn't matter. You have to know
what Processes/Programs you trust.
I have no idea what that openNL was though. i'd have thought that local
ports on the client side wouldn't have names. Anyhow. you trust
firefox, don't you? And the Program/Process was firefox, so let it be.

And if you see a process that you don't understand what it does, then
google - Who cares what it does - all that matters is if it's a famous
trojan process.

if you're having problems with slow internet access, then it most
probably is spyware. And if the spyware were really dangerous, it'd
get past you. maybe it'd have replaced a known microsoft
process, added some code, and that process now makes an outgoing
connection. you may want to run spyware checks.

Try using the windows firewall only for a year, and see if you have
problems. By the way. You are already blocking incoming connections
with your router. So the windows firewall is doing the same thing, but
it's just another layer of security. Even turning off the windows
firewall won't be a prob, 'cos you're still blocking incoming
connections anyway.

#38
September 19th 05, 12:25 AM
Milrose Lewis

I always wonder what to do when you get a spoofed IP through your NAT.

For example, this Sygate personal firewall message got me wondering what
was REALLY going on here.

NT Kernel System (ntoskrnl.exe) is trying to send an ICMP Type 8 (Echo
Request) packet to [202.232.13.185].
Do you want to allow this program to access the network?

Yes No Details

Details:
File Version : 5.1.2600.2622
File Description : NT Kernel & System (ntoskrnl.exe)
File Path : C:\WINDOWS\system32\ntoskrnl.exe
Process ID : 0x4 (Heximal) 4 (Decimal)

Connection origin : local initiated
Protocol : ICMP
Local Address : 192.168.0.108
ICMP Type : 8 (Echo Request)
ICMP Code : 0
Remote Name :
Remote Address : 202.232.13.185

Ethernet packet details:
Ethernet II (Packet Length: 120)
Destination: 00-80-c8-b0-33-8a
Source: 00-20-e0-2d-07-a5
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 4
Protocol: 0x1 (ICMP - Internet Control Message Protocol)
Header checksum: 0x891b (Correct)
Source: 192.168.0.108
Destination: 202.232.13.185
Internet Control Message Protocol
Type: 8 (Echo Request)
Code: 0
Data (68 bytes)

Binary dump of the packet:
0000: 00 80 C8 B0 69 8A 00 20 : E0 8F 07 A5 08 00 45 00 | ....i.. ......E.
0010: 00 5C 01 6B 00 00 04 01 : 1B 89 C0 A8 00 64 CA E8 | .\.k.........d..
0020: 0D B9 08 00 E4 FF 03 00 : 10 00 00 00 00 00 00 00 | ................
0030: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0040: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0050: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0060: 00 00 00 00 00 00 00 00 : 00 00 4A 45 44 45 46 43 | ..........JEDEFC
0070: 41 43 41 43 41 43 41 43 : | ACACACAC
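
Sygate attached the raw frame to the prompt above, which means the firewall's own decode can be checked against the bytes rather than taken on trust. The script below is an added example (not Sygate's code, not from the thread) that parses the "Binary dump of the packet" lines exactly as posted, decodes the Ethernet, IPv4 and ICMP headers, and recomputes both Internet checksums with the RFC 1071 one's-complement sum. Everything it reports is derived from the dump; nothing else is assumed. Over these bytes both checksums verify, the IP checksum is 0x1B89 in wire order (the summary prints the same two bytes swapped as 0x891b), the datagram is 92 bytes with 14 bytes of trailer after it in the 120-byte frame, and the reader can compare the source address and MACs the bytes give with the ones the summary prints. The field most worth a second look before accepting the "known trojan" verdict posted in reply is the TTL of 4: Windows tracert sends exactly this kind of echo request with a small, increasing TTL, so a traceroute in progress is one ordinary explanation the dump neither confirms nor rules out.

```python
"""Decode the hex dump Sygate attached to the ntoskrnl.exe ICMP prompt and
verify it against the summary the firewall printed. Added example; only the
dump bytes come from the post."""
import ipaddress
import struct

# The "Binary dump of the packet" lines from the post, verbatim (raw string
# because the ASCII column contains a backslash).
DUMP = r"""
0000: 00 80 C8 B0 69 8A 00 20 : E0 8F 07 A5 08 00 45 00 | ....i.. ......E.
0010: 00 5C 01 6B 00 00 04 01 : 1B 89 C0 A8 00 64 CA E8 | .\.k.........d..
0020: 0D B9 08 00 E4 FF 03 00 : 10 00 00 00 00 00 00 00 | ................
0030: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0040: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0050: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0060: 00 00 00 00 00 00 00 00 : 00 00 4A 45 44 45 46 43 | ..........JEDEFC
0070: 41 43 41 43 41 43 41 43 : | ACACACAC
"""


def bytes_from_dump(dump):
    """Turn 'OFFSET: xx xx ... : xx xx | ascii' lines back into bytes."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        hexpart = line.split("|", 1)[0]        # drop the ASCII column
        hexpart = hexpart.split(":", 1)[1]     # drop the offset label
        out.extend(int(tok, 16) for tok in hexpart.replace(":", " ").split())
    return bytes(out)


def ones_complement_sum(data):
    """RFC 1071 sum of 16-bit big-endian words, carries folded back in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum_ok(header):
    """With its checksum field left in place, an intact header sums to 0xFFFF."""
    return ones_complement_sum(header) == 0xFFFF


def decode(dump):
    """Ethernet II -> IPv4 -> ICMP fields, plus checksum verdicts."""
    pkt = bytes_from_dump(dump)
    ethertype = struct.unpack("!H", pkt[12:14])[0]
    ip = pkt[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    payload = ip[ihl:total_len]
    info = {
        "dst_mac": "-".join("%02x" % b for b in pkt[0:6]),
        "src_mac": "-".join("%02x" % b for b in pkt[6:12]),
        "ethertype": ethertype,
        "ip_version": ip[0] >> 4,
        "header_len": ihl,
        "total_len": total_len,
        "ttl": ip[8],
        "protocol": ip[9],
        "ip_checksum": struct.unpack("!H", ip[10:12])[0],
        "ip_checksum_ok": checksum_ok(ip[:ihl]),
        "src": str(ipaddress.IPv4Address(bytes(ip[12:16]))),
        "dst": str(ipaddress.IPv4Address(bytes(ip[16:20]))),
        # Frame bytes beyond the datagram's own length are trailer, not IP data.
        "trailer_len": len(pkt) - 14 - total_len,
    }
    if ip[9] == 1:  # ICMP: type, code, checksum, identifier, sequence, data
        info.update({
            "icmp_type": payload[0],
            "icmp_code": payload[1],
            "icmp_checksum_ok": checksum_ok(payload),
            "icmp_id": struct.unpack("!H", payload[4:6])[0],
            "icmp_seq": struct.unpack("!H", payload[6:8])[0],
            # RFC 792 counts id and seq as header; Sygate's "68 bytes" counts them as data.
            "icmp_data_len": len(payload) - 8,
        })
    return info


if __name__ == "__main__":
    for key, value in decode(DUMP).items():
        print("%-17s %s" % (key, hex(value) if key in ("ethertype", "ip_checksum") else value))
```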
#39
September 20th 05, 07:20 AM
Michelle Peters

On Sun, 18 Sep 2005 23:25:47 GMT, Milrose Lewis wrote:

> NT Kernel System (ntoskrnl.exe) is trying to send an ICMP Type 8 (Echo
> Request) packet to [202.232.13.185].
> Do you want to allow this program to access the network?


That's a KNOWN TROJAN. Kill it! DO NOT let it access your SYSTEM!

You have BIG PROBLEMS if that is occurring.
I suggest you immediately run a full system scan by going to
http://grc.com/default.htm (press on the "Shields Up" link)

While you're at it, scan for the trojan that initiated this request
http://www.windowsecurity.com/trojanscan (works only with IE)

Since your system was obviously compromised, request a full system audit
https://secure1.securityspace.com/sm...sic_index.html

Only after running these three programs that everyone runs monthly will
your system be safe from that trojan you have!
#40
September 23rd 05, 02:42 AM
Karl Levinson, mvp


"Michelle Peters" wrote in message:

> On Sun, 18 Sep 2005 23:25:47 GMT, Milrose Lewis wrote:
>
>> NT Kernel System (ntoskrnl.exe) is trying to send an ICMP Type 8 (Echo
>> Request) packet to [202.232.13.185].
>> Do you want to allow this program to access the network?
>
> That's a KNOWN TROJAN. Kill it! DO NOT let it access your SYSTEM!
>
> You have BIG PROBLEMS if that is occurring.


Hmm... you might be right. That IP address appears to be in Japan and
appears to have no DNS name. Is there any reason your machine should have
been contacting Japan at that moment? [Doing a whois lookup of the IP
address at www.netsol.com, which tells you to do a whois lookup at
www.apnic.net, gives this information.]


 



