-
June 10th, 2003, 02:35 PM
#1
Member
kernel32.dll sending udp packets
OS: WinME
Kernel32.dll sending packets - please help
Firewall (Sygate Personal Firewall)
File name: kernel32.dll sending UDP packets via ports 137, 139, 138 with GUI rules (GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP)
As a solution I removed the bios service, but now I am getting UDP packets toward ports 137, 138, 139, 68.
I tried blocking that rule by doing this:
Rules: (GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP)
Action: block this traffic
Hosts: all
Application: all [Internet Explorer included] - pressing OK for saving that.
Result:
First I get this information alert from the firewall [application Win32 kernel core component
has been blocked, file name kernel32.dll]
When I run the browser - IE - I get a firewall information alert [application Internet Explorer has
been blocked, file name iexplore.exe]
When I checked the running application log:
Application: internet explore.exe
Protocol: udp
Status: listen
Local port: 1149
Remote port: nothing here
IP address: 127.0.0.1->0.0.0.0
Process: 4293025521
Application path: C:\program files\internet explore\IEXPLORE.EXE
Some rules which are recorded in the traffic log:
-------1--------
rule: Block all
application name: nothing here
source port : 68
source IP : 0.0.0.0 (source port and source IP indicate my PC's port and my IP)
destination host : 255.255.255.255
source port : 67
direction: incoming
protocol: udp
action : blocked
-------2-------
rule: allow non-first fragment (first time seeing this rule since I have used Sygate firewall)
application name: nothing here
source port : 0
source IP : x.x.x.x (it's not my IP)
destination host : x.x.x.255 (the first 3 parts belong to the network that my PC connects to)
source port : 0
direction: incoming
protocol: udp
action : allowed
--------3---------
rule: GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_100
application name: nothing here
source port : 137
source IP : x.x.x.x (IP belongs to the network, etc.)
destination host : x.x.x.255 (same IP as in no. 2)
source port : 137
direction: incoming
protocol: udp
action : blocked
When I allow the whole traffic (both incoming/outgoing) one of the rules is:
rule: allow all (I allow it)
application name:C:\windows\system\kernel32.dll
source port : 68
source IP : 0.0.0.0
destination host : 255.255.255.255
destination port : 67
direction: incoming
protocol: udp
action : outgoing
--
I need your help with:
Is that traffic (UDP packets) normal? (I saw those packets sent by kernel32.dll on many different PCs.)
Blocking kernel32.dll - how?
What if I delete the file kernel32.dll?
What is this rule about (allow non-first fragment)?
IPs (0.0.0.0, 255.255.255.255): when I try to add a rule for blocking those IPs, the firewall alerts that they are not correct IPs, so why are they seen in the firewall traffic log?
I copied and pasted the rules from the firewall log to avoid mistakes.
Sorry for the caps and thanks in advance.
coolcamel
-
June 10th, 2003, 02:58 PM
#2
Re: kernel32.dll sending udp packets
Originally posted here by coolcamel
What if I delete the file kernel32.dll?
Your system will never boot again.
If you are worried about this kind of (outbound) traffic, unbind NetBIOS from your external interface. Or, if you really don't need file/printer sharing, stop and disable the Server service.
Getting requests from the Internet to these ports is considered 'normal' traffic. Just block them on your firewall.
0.0.0.0 and 255.255.255.255 are special addresses. 0.0.0.0 means your own ip on that interface and 255.255.255.255 is the broadcast address.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
June 10th, 2003, 03:04 PM
#3
I assume you are in windows 95/98/ME (because Windows NT/2000/XP does not have a kernel32.dll process)
kernel32.dll sending udp packets via port 137 - 139
It does that all the time. That is the Windows netbios name service, or network browser, or mailslot API or something else.
It is normal, and cannot easily be stopped (maybe removing Windows File Sharing and Client for Microsoft Networks), and nothing to worry about.
What if I delete the file kernel32.dll?
That is not advisable. It is a core component and I am certain that Windows would fail to boot very early on without it.
What is this rule about (allow non-first fragment)?
I think it allows applications to receive broadcast packets. This is normally necessary for correct operation, and not a big security risk because few protocols use broadcasts, and they cannot be routed over the internet (unless something is *really* wrong).
IPs (0.0.0.0, 255.255.255.255): when I try to add a rule for blocking those IPs, the firewall alerts that they are not correct IPs, so why are they seen in the firewall traffic log?
Neither of them is a "real" IP address. They might be used in DHCP requests though, hence you might see them.
Those are not a problem because they are also non-routable. Don't block them, they are non-routable anyway.
-
June 10th, 2003, 08:24 PM
#4
Member
Are you behind something that's using NAT? If so you **may** have a trojan.
I had one on my computer a month back that as far as I could tell was designed as a device driver. Basically it would accept the APIs of ALL running apps, and let through a select few so everything would *seem* normal, and even hijacked a few. I put a rule in my firewall blocking ALL traffic to and from 0.0.0.0, then I started getting hits from all over the internet coming to my box. I inspected my Netgear MR314's web-based admin console and found that somebody had set my computer to the default DMZ server. I'm not an expert at this by any means, but I would suggest you try to block all traffic, sit back, and watch your logs. You may be surprised at what you find; then again, you may find nothing. Hope this helps.
-
June 10th, 2003, 09:15 PM
#5
ALL traffic to and from 0.0.0.0
Any IP packet which is travelling around with 0.0.0.0 as a source or destination address should be dropped by the next router. If it has all 0s as the destination address, it can forget being routed anywhere anyway.
Routers on the internet are supposed to drop any packet if they have unroutable source or dest addresses - which usually means either they're private (10.*, 192.168 etc.), loopback (127.*) or invalid (all 0s, or all 255s).
I don't understand how you can report packets with these nonexistent IPs on them.
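As an added example that is not part of any post in this thread: a small Python triage script that parses firewall records in the layout coolcamel pasted and labels each one using the explanations given in the replies (NetBIOS on 137-139, DHCP from 0.0.0.0:68 to 255.255.255.255:67, addresses a border router should not forward). The log records inside it are constructed to match that layout, with the x.x.x.x placeholders replaced by made-up addresses; the /24 netmask and the field name "destination port" (as in the fourth pasted record) are assumptions. One detail the replies do not state: a record with both ports 0 is what a non-first IP fragment looks like, because only the first fragment of a datagram carries the UDP header.

```python
"""Triage of Sygate-style UDP log records (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import List

# Services the thread discusses: NetBIOS over TCP/IP (137-139) and DHCP (67/68).
NETBIOS_PORTS = {137: "NetBIOS name service", 138: "NetBIOS datagram service",
                 139: "NetBIOS session service"}

# Address space a border router should never forward (the ranges reply #5 lists,
# plus link-local).  Kept explicit rather than relying on ipaddress.is_private,
# whose contents differ between Python versions.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",           # "this" network; 0.0.0.0 = host has no address yet
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private space
    "127.0.0.0/8",         # loopback
    "169.254.0.0/16",      # link-local / APIPA
    "255.255.255.255/32",  # limited broadcast
)]


@dataclass
class Record:
    rule: str
    application: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str
    protocol: str
    action: str


def parse_record(block: str) -> Record:
    """Parse one 'key : value' block in the poster's layout.
    Parenthetical remarks after a value are dropped; 'nothing here' becomes ''."""
    fields = {}
    for line in block.strip().splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        value = value.split("(", 1)[0].strip()
        fields[key.strip().lower()] = "" if value == "nothing here" else value
    return Record(
        rule=fields.get("rule", ""),
        application=fields.get("application name", ""),
        src_ip=fields.get("source ip", ""),
        src_port=int(fields.get("source port", "0")),
        dst_ip=fields.get("destination host", ""),
        dst_port=int(fields.get("destination port", "0")),
        direction=fields.get("direction", "").lower(),
        protocol=fields.get("protocol", "").lower(),
        action=fields.get("action", ""),
    )


def parse_log(text: str) -> List[Record]:
    """Split a pasted log on the '-----N-----' separators and parse each block."""
    blocks, current = [], []
    for line in text.strip().splitlines():
        if line.startswith("---"):
            if current:
                blocks.append("\n".join(current))
            current = []
        else:
            current.append(line)
    if current:
        blocks.append("\n".join(current))
    return [parse_record(b) for b in blocks]


def is_unroutable(ip: str) -> bool:
    """True for addresses that cannot legitimately arrive from the Internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in UNROUTABLE)


def _is_lan_broadcast(rec: Record) -> bool:
    """Destination is the broadcast address of the source's /24 (assumed mask)."""
    if not rec.src_ip or not rec.dst_ip:
        return False
    lan = ipaddress.ip_network(f"{rec.src_ip}/24", strict=False)
    return ipaddress.ip_address(rec.dst_ip) == lan.broadcast_address


def classify(rec: Record) -> str:
    """Name the traffic a record most likely represents."""
    if rec.protocol != "udp":
        return "non-UDP"
    if (rec.src_ip == "0.0.0.0" and rec.dst_ip == "255.255.255.255"
            and rec.src_port == 68 and rec.dst_port == 67):
        return "DHCP discover/request"   # client with no lease yet, hence 0.0.0.0
    if rec.src_port == 0 and rec.dst_port == 0:
        return "non-first IP fragment"   # no UDP header, so no ports to log
    for port in (rec.dst_port, rec.src_port):
        if port in NETBIOS_PORTS:
            scope = "broadcast" if _is_lan_broadcast(rec) else "unicast"
            return f"{NETBIOS_PORTS[port]} ({scope})"
    return "other UDP"


def recommendation(rec: Record) -> str:
    """Defender's guidance for the record, following the replies in the thread."""
    kind = classify(rec)
    if kind.startswith("DHCP"):
        return "allow: needed to obtain a lease; 0.0.0.0 and 255.255.255.255 are not routable anyway"
    if kind.startswith("NetBIOS"):
        if rec.direction == "incoming" and not is_unroutable(rec.src_ip):
            return "block: NetBIOS request from a public address"
        return "normal on the LAN; unbind NetBIOS from the external interface if unwanted"
    if kind == "non-first IP fragment":
        return "allow: fragment of an already-permitted datagram"
    return "review"


# Constructed sample in the poster's layout; addresses are made up.
SAMPLE_LOG = """
-------1--------
rule: Block all
application name: nothing here
source port : 68
source IP : 0.0.0.0
destination host : 255.255.255.255
destination port : 67
direction: incoming
protocol: udp
action : blocked
-------2-------
rule: allow non-first fragment
application name: nothing here
source port : 0
source IP : 192.168.1.23 (constructed; stands in for x.x.x.x)
destination host : 192.168.1.255
destination port : 0
direction: incoming
protocol: udp
action : allowed
-------3---------
rule: GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_100
application name: nothing here
source port : 137
source IP : 192.168.1.23
destination host : 192.168.1.255
destination port : 137
direction: incoming
protocol: udp
action : blocked
-------4---------
rule: Block all
application name: nothing here
source port : 137
source IP : 203.0.113.5 (constructed; a non-LAN address)
destination host : 192.168.1.10
destination port : 137
direction: incoming
protocol: udp
action : blocked
"""

if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(f"{rec.src_ip}:{rec.src_port} -> {rec.dst_ip}:{rec.dst_port}  "
              f"{classify(rec)}  =>  {recommendation(rec)}")
```

Run as-is it prints one line per record. The fourth record is the case the replies say to block: a NetBIOS name-service probe arriving from outside the LAN; the first three are the DHCP, fragment and local-broadcast traffic the replies call normal.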
-
June 11th, 2003, 04:21 PM
#6
Member
It's really helped.
Thanks for your time and your replies.
coolcamel