| Unofficial VirtualDub Support Forums > Off-Topic > Firewall Issue - Revisited |
| Posted by: rjisinspired Mar 14 2012, 12:00 AM |
| Not long ago I posed the question about my firewall constantly bombarding me with TCP/OUT connections, requesting "*" (SYSTEM) for TCP/OUT. I have been having this problem for months. The IP addresses and port numbers vary each time. When I use a disable rule for the above, everything is disconnected, including my web server. These requests can happen even right before I start my server, right after just logging on to Windows. I don't know what to do at this point. I have scanned my computer with just about every program for antivirus, spyware, malware, trojans, etc., and I keep coming back as clean. Nothing shows as suspicious activity on my computer. These alerts happen at random, and when they do they come at me. They also cause me to taskmgr-kill my firewall and restart it because I cannot access it through the systray. My system stalls until the dialog boxes from the prompts disappear. I have also had my antivirus component "ipmGUI" keep shooting up with differing IP addresses, which is strange. |
| Posted by: dloneranger Mar 14 2012, 12:24 AM |
| That's an unusual one. Telnet shouldn't be accessing random IPs. You can google 'xp disable telnet' if it's not something you use. I'd be worried about it if it happened here, as it looks nastily like virus activity. Have you tried Microsoft's boot CD antivirus? http://connect.microsoft.com/systemsweeper The local port and remote IP/port would have been useful though, as it's uncertain from the screenshot if it's connecting from port 23->52914, or the other way around. |
| Posted by: rjisinspired Mar 14 2012, 12:37 AM |
| It looks like something on my side wants to access out from my port 23 to a remote IP at port 52914. The port numbers for local and remote can be different. The IP is some business address in Italy. The addresses range from anywhere, it seems, even to some secure LLC company. I haven't tried MS's offline scanner yet. |
| Posted by: rjisinspired Mar 14 2012, 12:41 AM |
| I'm able to start my computer fine. This has been happening for a while now. The application is "*", which is stumping me, but from what I gather this means "all apps"? If I set a rule to disable, then forget web serving and using other web-related apps. I have been using Antivir for antivirus. I have used antispy/malware apps, Emsisoft, Malwarebytes and SUPERAntiSpyware, all using full/deep scanning, and nothing shows. |
| Posted by: rjisinspired Mar 14 2012, 01:47 AM |
| The interesting thing, now that it comes to me: I changed the services to different states after reinstalling a fresh OS. I disabled a few of these services, and Telnet is actually one of those services that was/is disabled. |
| Posted by: rjisinspired Mar 14 2012, 04:33 AM |
| Another one, this time from local port 65533 to a remote port of 55512 to Enzu Inc? juinorsender.braslia.me What the heck is this? Am I sending out to remote IPs, or are they sending responses to me to send them something? |
| Posted by: dloneranger Mar 14 2012, 07:34 AM |
| Well, it's not telnet; that'd be to remote port 23. * means it's coming from a system process, something that's part of the OS. Unfortunately, that could be genuine or from something nasty that's attached itself to a system process. It's unusual that it's using port 23 to go out from; normally anything going out is given a random port number from >1024 to <65536 and connects to a fixed port number at the other end. The only things I can think of that connect to a wide range of remote port numbers are p2p apps and malware/virus type apps. At http://technet.microsoft.com/en-us/sysinternals there are some useful apps that might help you track it down. Process Explorer can show you what DLLs are used by svchost; you could check for odd DLLs that may be in unusual places. TcpView can show all connections made to/from your PC. |
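The triage dloneranger describes above (look at what TcpView shows, and treat a low local port with nothing listening on it, or a process talking to many different remote ports, as the things worth chasing) can be done over a `netstat -ano` snapshot, which carries the same columns TcpView displays. The following is an added example and not code from this thread or from Sysinternals; the sample lines are constructed to resemble the alerts in the thread, the addresses and PIDs are placeholders, and the list of "normal" remote ports is an assumption. On Windows XP and later, PID 4 is the System process, which is what TcpView labels "System".

```python
"""Triage a netstat -ano / TcpView style snapshot for the two patterns named
in the thread: (1) a connection using a privileged local port (<1024) that no
listener actually owns, and (2) one PID connecting to many distinct
non-standard remote ports, the signature of P2P clients and some malware.
Added example; sample data is constructed, not captured from the poster's PC.
"""
from collections import defaultdict

# Assumption: remote ports an ordinary client is expected to talk to.
WELL_KNOWN_REMOTE = {25, 53, 80, 110, 143, 443, 993, 995}

# Constructed snapshot in `netstat -ano` layout. PID 4 = System on Windows.
SAMPLE = """\
Proto  Local Address          Foreign Address        State           PID
TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1800
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
TCP    192.0.2.10:80          198.51.100.20:41231    ESTABLISHED     1800
TCP    192.0.2.10:58585       203.0.113.5:443        ESTABLISHED     2344
TCP    192.0.2.10:23          198.51.100.7:52914     ESTABLISHED     4
TCP    192.0.2.10:65533       198.51.100.9:55512     ESTABLISHED     4
TCP    192.0.2.10:50350       198.51.100.11:80       TIME_WAIT       0
TCP    192.0.2.10:1234        198.51.100.12:13686    ESTABLISHED     4
TCP    192.0.2.10:1235        198.51.100.13:2241     ESTABLISHED     4
"""


def parse_netstat(text):
    """Parse TCP rows of netstat -ano output into dicts.

    UDP rows (which have no State column, hence four fields) and the header
    line are skipped; only five-field TCP rows are kept.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        proto, local, foreign, state, pid = parts
        lip, lport = local.rsplit(":", 1)
        fip, fport = foreign.rsplit(":", 1)
        rows.append({"proto": proto, "lip": lip, "lport": int(lport),
                     "fip": fip, "fport": int(fport), "state": state,
                     "pid": int(pid)})
    return rows


def triage(rows, max_distinct_remote_ports=3):
    """Return human-readable findings for the two heuristics above."""
    listening = {r["lport"] for r in rows if r["state"] == "LISTENING"}
    remote_ports_by_pid = defaultdict(set)
    findings = []
    for r in rows:
        if r["state"] == "LISTENING":
            continue
        # Heuristic 1: outbound use of a service port that nothing listens on.
        # A server's accepted connections share its listening port, so those
        # (e.g. local :80 here) are not flagged.
        if r["lport"] < 1024 and r["lport"] not in listening:
            findings.append(
                f"PID {r['pid']}: uses privileged local port {r['lport']} "
                f"with no listener -> {r['fip']}:{r['fport']}")
        # Heuristic 2: collect non-standard remote ports per PID, ignoring
        # server-side connections and ordinary client destinations.
        if r["lport"] not in listening and r["fport"] not in WELL_KNOWN_REMOTE:
            remote_ports_by_pid[r["pid"]].add(r["fport"])
    for pid, ports in sorted(remote_ports_by_pid.items()):
        if len(ports) >= max_distinct_remote_ports:
            findings.append(
                f"PID {pid}: connects to {len(ports)} distinct non-standard "
                f"remote ports {sorted(ports)}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_netstat(SAMPLE)):
        print(finding)
```

One caveat that matters for this thread: a SYN that arrives at a port with no listener is answered by the kernel with a RST and never creates a socket, so it leaves no row in netstat or TcpView at all. A snapshot like this only catches connections that actually exist; the poster's later observation that "nothing registered with TCPview during the hits" is consistent with the RST explanation given further down the thread.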
| Posted by: dloneranger Mar 14 2012, 07:55 AM |
| If nothing suspicious turns up from all the scanners etc. or from checking it manually, then you might have a conflict, e.g. the antivirus and firewall detecting each other. Some antivirus progs can have proactive functions where they will scan incoming web pages etc. and check them. Others have network scanning as well. So..... it's feasible that you might be in a catch-22 situation: Antivirus checks something on a remote port. Firewall blocks it. Antivirus sees something tampering with it and blocks the app that did it (the firewall). Firewall now has to be killed and restarted. You could check that by disabling your antivirus for a while and seeing if it still happens. Should be safe enough (as long as you don't start running every app you can download while it's off). If it is a virus, then you're not in any extra danger, as it hasn't detected it anyway. |
| Posted by: rjisinspired Mar 14 2012, 08:21 AM |
| I did receive 2 TCP/OUT for system just now, and nothing registered with TCPview during the hits. One came from Latvia? Port 23 wants to access the Latvia IP at port 13686. The other, port 1234, wants to access "unknown.prolexic.com" IP on port 80. Oh, a 3rd: port 50350 wants to connect to serverclub at port 80. I went to prolexic and I must say the logo is kind of humorous - DDoS attacks end here. Yeah, what about the attacks I'm getting here? In TCPview I have about a handful of system processes in TIME_WAIT, which were from using the browser, and two "systems" under microsoft-ds, one of them listening in? Everything else looks fine. I see my web server, my browser and what I'm connected to with those. I went into Process Explorer but didn't find any out-of-the-ordinary DLLs within svchost. |
| Posted by: rjisinspired Mar 14 2012, 08:22 AM |
| If I disable Antivir's realtime protection module the stuff still happens. I should have mentioned that I am using Filseclab firewall. Have for a very long time. Only had this stuff happening for some months. There are times where these connect attempts will not happen, but when they do, boy do I get nailed! This firewall does have the tendency to not be responsive, interface-wise, like trying to open it up from the systray, or it just locks up while the GUI is visible but the service still goes. You have to task-kill it and reopen the GUI; I have to do this kind of a lot when these attacks come my way. Doesn't matter if antivirus is on or not. I stuck with Filseclab because it is light, small footprint, doesn't bog stuff down, until now that is. The computer is unresponsive until the prompts go away, lol. |
| Posted by: rjisinspired Mar 14 2012, 08:39 AM |
| If anyone has any firewall recommendations I'm open to suggestions. Maybe my firewall is the problem? Years ago I tried Zone Alarm but stopped because it was going toward bloat and was hogging a little. Thing is, I would like a really light firewall. In my last thread I also had a Verizon issue, but it was a separate issue and was fixed. Boy, they don't make these things easy, do they? |
| Posted by: dloneranger Mar 14 2012, 03:41 PM |
| It doesn't look good; the PC shouldn't really be connecting to random IP addresses. Is there any way to narrow down what may be causing it? E.g. does it only happen when you have a web browser open? Does it happen in 'safe mode with networking'? Other than that, the best bet's the Microsoft scanner I linked to earlier. It makes a boot CD, so rootkits etc. can be detected. Personally, I'd just wipe the OS and reinstall if in doubt. |
| Posted by: rjisinspired Mar 14 2012, 04:18 PM |
| I do know that I have received these hits sometimes even before turning my web server on, right after logging on to the net. I did try and play around with Antivir, disabling the advanced protection of apps and processes, and also so that I could stop the realtime service in services.msc. Was in a way hoping there might have been a conflict there, but I'm not sure if Antivir is the culprit. My startup items are as follows: Antivir, Ditto (clipboard app), Device Detector 3 (Olympus detector for my digital audio recorder), ERUNT Autobackup. Before I rebooted a little over 90 minutes ago I disabled the following: Filseclab Messenger (something to do with the firewall), FileZilla Server (had this for a short time; FZ would load but not start and I kept forgetting to disable it), hkcmd and igfxpers. I disabled some things to see if that would have made any difference, but it didn't. I'm still looking into this. The last couple of hits I have had since rebooting were headed toward Apple?, system TCP/OUT at local port 58585 to an Apple URL at remote port 443. I have a screencap of that alert also. Why connect to Apple? Guess my computer wants to go places and mingle with the movers and shakers, I guess. |
| Posted by: dloneranger Mar 14 2012, 04:28 PM |
| Connecting to port 443 is an SSL connection. Probably one of Apple's things just checking for any updates. |
| Posted by: rjisinspired Mar 14 2012, 04:30 PM |
| I don't even have quicktime on here. To my knowledge I don't have anything apple on here. |
| Posted by: Jam One Mar 14 2012, 05:37 PM |
| Just a thought of the moment -- a hardware firewall. That is, a router. A Wi-Fi router with built-in firewall. |
| Posted by: evropej Mar 14 2012, 07:55 PM |
| Get a good router such as the WRT54GL and install the third-party firmware to make it a super firewall. |
| Posted by: dloneranger Mar 14 2012, 08:33 PM |
| Routers are good inbound firewalls; they hardly ever do outbound firewalling though, which is his issue. |
| Posted by: IanB Mar 14 2012, 09:24 PM |
| Your PC is being probed from outside with connects to TCP port 23 (SYN packets). According to the TCP standard, if a host has no ready listeners (telnetd in this case) the kernel is supposed to send a RST packet to say Connection Refused. This is what your firewall is bitching about. If you were running the telnet service (telnetd) then the firewall should whinge about telnetd answering the connect instead of the kernel (system). Your firewall should be blocking all stray incoming connections; you probably have accidentally added a rule to allow this. Check your rules carefully. Windows PCs should really not be directly connected to the internet. Get yourself a NAT firewall router. If you have one already, check the config for Port Forwarding and make sure there are no NAT rules that you do not explicitly want. Never use the wildcard rule, which forwards all unspecified connects to a default host. |
| Posted by: evropej Mar 14 2012, 09:26 PM |
| PS most virus programs these days cannot be detected. Create a good image restore system such as Acronis. Do not fool yourself into thinking that any virus program will successfully detect a rootkit which runs at the kernel level. Back up your data, reinstall Windows. Create an image of a blank install of Windows. Install applications and settings all offline. Create a backup image on a separate drive of a full installation. Once you are backed up with a blank and a full image, then go online and patch Windows. Do this all behind a nice firewall such as a router, which will always be the first line of defense. Microsoft declared over ten years ago that they cannot defend you from malicious software, hence you need something other than software to protect yourself. I restore regularly; no need for virus scans or troubleshooting or headaches of any kind. Be mindful of software firewalls since they only work for non-rootkit applications. Promiscuous access to hardware by rootkits bypasses all software including the Windows kernel. |
| Posted by: phaeron Mar 16 2012, 09:02 PM |
| What kind of firewall throws up outbound connection alerts for a RST sent by the kernel for an unbound port? That seems like a pretty useless notification. |
| Posted by: IanB Mar 16 2012, 10:10 PM |
| Generally ones that have an issue with the TCP state associated with the packet in question. Poor firewalls don't implement TCP state tracking at all, so you need both an in rule and an out rule for a full TCP connection. Good firewalls that do implement TCP state tracking, including the target process identification, would reject outbound packets that do not match the original rule profile, i.e. must be the telnetd process. In this case the inbound packet should have been caught because telnetd was not the recipient. So I suspect the first case here, i.e. in rule only, out rule missing. In this case the notification is useful because it is alerting that something is in error. But generally, yes, I agree we have lameness breeding even more lameness. |
| Posted by: rjisinspired Mar 17 2012, 06:28 AM |
| Thanks for the input and suggestions, guys. I am thinking of getting a router some time down the line. Telnet was set for blocking both ways with the zone "(*) any" chosen in Filseclab. Plus Telnet had been disabled when I reinstalled the OS late last year. I replaced my firewall two nights ago, from Filseclab to Privatefirewall. Privatefirewall acts sort of like Zone Alarm without the bloat. I have not had any issues nor any pop-ups so far. One thing that this new firewall didn't do was block port 135; the other one did. I had to use DCOMbobulator to close down that port. Port 139 still remains open, as it did with Filseclab. Shields Up still shows 139 being open. I did try to disable NetBIOS through Control Panel, but part of the internet didn't work anymore, the web server for example. Nobody could see nor download my files, so I had to re-enable NetBIOS. In Win 98 I was able to fully disable all of that stuff, but XP seems to be a different beast when it comes to that. Things are running much better now; all is quiet, lol. |