odd firewall log entry

Thread: odd firewall log entry

  1. #1
    Member
    Join Date
    Aug 2003
    Posts
    69

    odd firewall log entry

    Hi!

    I was watching my firewall transactions in real time, and noticed my machine, which is a newly built Dell box with XP, all updates and patches, running up-to-date Norton virus scan corporate edition.

    What is worrying me is this entry:

    Connected to: 217.106.234.173 (traceroute shows the last named to hop to be: msk-dsr7-ge0-0-0-22.rt-comm.ru [217.106.6.66])
    Port: 137
    Direction: Out
    Connection: Denied
    Connection Details: UDP

    So, uh. I've run a couple of trojan scans. They turn up empty. The chances of me being haxored are fairly slim. I'm on a firewalled network, and the machine is about a week and a half old. I've installed Kiwi Syslogger, which runs as a service. The install is pretty vanilla other than that: Yahoo Messenger running through the HTTP port, WatchGuard firewall monitoring software, virus scanner, Office 2k.

    Anyone have any ideas? I'm looking through our logs now for other suspicious activity...

    Ok, watching my machine shows these as well, both to port 137 udp, which the firewall is blocking:

    19 41 ms 40 ms 40 ms rback2-fa2-1.austtx.swbell.net [151.164.20.43]
    20 810 ms 850 ms 553 ms 64.217.72.178

    11 25 ms 25 ms 25 ms gige7-1.ipcolo1.NewYork1.Level3.net [64.159.17.99]
    12 25 ms 26 ms 25 ms 67.72.16.92


    No other hosts seem to be doing this but mine.

  2. #2
    Senior Member
    Join Date
    Aug 2003
    Posts
    205
    That IP address belongs to G-Lock Software... visit their website and see for yourself...
    I scanned that IP for you and ports 21, 25, 80 and a few others are open...

    HTTP to the IP and see... I don't know why that IP appeared... seems like a legitimate company????
    Are you sure you don't have a software package you've downloaded from their website in the past, and the software is performing some type of update...

  3. #3
    Member
    Join Date
    Aug 2003
    Posts
    69
    Ok, this is getting stranger then. I have a shortcut in My Favorites to their website (specifically http://www.glocksoft.com/aatools.htm) in my IE. I have none of their software installed, but I was evaluating the feature set of their products and had made a shortcut to go back to it when I had time.

    What strikes me as really strange is port 137?! Is this a stupid windows/ie thing? I've never heard of anything like this. I have offline files and folders disabled, so it can't be trying to synch.

  4. #4
    Senior Member
    Join Date
    Aug 2003
    Posts
    205
    The shortcut is common with some websites... once you visit a particular website they automatically add themselves to your favorites list... from what I know 137 UDP is the NetBIOS name service... not 100% sure... by the way, was it TCP or UDP?

    Also, when your firewall notifies you of an incident, does it give you the name of the process/application? If so, go to your registry, search for it and remove it... and also check for it in your processes list...
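    The entry in the first post (outbound UDP to port 137, denied) and the point made above that 137/UDP is the NetBIOS name service suggest a simple check a defender can run over this kind of firewall monitor output: NetBIOS/SMB traffic has no business leaving the local network, so any outbound entry on those ports whose destination is a public address is worth a second look. The following is an added example, not code from the thread or from any of the products mentioned; the log text is constructed in the format shown in the first post, and the port set and the "public destination" rule are the example's own assumptions.

```python
import ipaddress

# Constructed sample in the "key: value" layout the first post shows. The first
# block reproduces the poster's own entry; the other two are made up for contrast.
SAMPLE_LOG = """\
Connected to: 217.106.234.173 (traceroute shows the last named hop to be: msk-dsr7-ge0-0-0-22.rt-comm.ru [217.106.6.66])
Port: 137
Direction: Out
Connection: Denied
Connection Details: UDP

Connected to: 192.168.1.20
Port: 137
Direction: Out
Connection: Allowed
Connection Details: UDP

Connected to: 64.217.72.178
Port: 80
Direction: Out
Connection: Allowed
Connection Details: TCP
"""

# NetBIOS and SMB ports (assumption: these should stay inside the LAN).
NETBIOS_PORTS = {135, 137, 138, 139, 445}


def parse_entries(text):
    """Split the monitor text into one dict per blank-line-separated entry.

    Keys are lower-cased so 'Connected to' becomes 'connected to', etc.
    """
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry[key.strip().lower()] = value.strip()
        entries.append(entry)
    return entries


def destination(entry):
    """Return only the address part of 'Connected to', dropping any trailing note."""
    return entry.get("connected to", "").split()[0] if entry.get("connected to") else ""


def is_suspicious(entry):
    """True for an outbound NetBIOS/SMB connection aimed at a public (non-private) address."""
    if entry.get("direction", "").lower() != "out":
        return False
    try:
        port = int(entry["port"])
        dst = ipaddress.ip_address(destination(entry))
    except (KeyError, ValueError):
        return False  # malformed entry: skip rather than crash
    return port in NETBIOS_PORTS and dst.is_global


def flag_suspicious(text):
    """Return (destination, port, protocol) tuples for entries worth investigating."""
    return [
        (destination(e), int(e["port"]), e.get("connection details", "?"))
        for e in parse_entries(text)
        if is_suspicious(e)
    ]


if __name__ == "__main__":
    for dst, port, proto in flag_suspicious(SAMPLE_LOG):
        print(f"outbound {proto} to {dst}:{port} (NetBIOS/SMB to a public host)")
```

Run against the sample, only the first entry is flagged: the second is NetBIOS to a private address, which is normal on a Windows LAN, and the third is ordinary web traffic. Whether the firewall denied the packet is deliberately ignored, since the interesting question in this thread is why the host attempted the connection at all.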

  5. #5
    Member
    Join Date
    Aug 2003
    Posts
    69
    I'm not getting any listing of the application, no. I might dl/install a personal firewall like ZoneAlarm or whatnot and see what it says. All the packets so far are UDP, and now it's up to 3 IPs it's doing this to.

    One doesn't resolve, and one is for some 'networking' company and the page says they are currently offline.

  6. #6
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    I am probably being paranoid (as usual) but hits on 135, 137, and 139 make me twitchy. A lot of crap and net worms scan for these ports?


    Have you tried Spybot Search & Destroy and ZoneAlarm 6.0... your idea with the firewall is also good.

    You might also like to try SamSpade 1.14 as an analysis tool (please read the instructions/disclaimer).

    Cheers

  7. #7
    Senior Member
    Join Date
    Aug 2003
    Posts
    205
    Yeah, I'm not sure what's happening to you. You will have to do a bit of investigating.

    For starters, go to grc.com and use "Shields Up" to scan your computer... Scan it with your firewall turned off...

    You might wanna also scan your PC for viruses with another source other than what you have;
    go to www.commandondemand.com for a free scan.

    Good Luck

  8. #8
    Member
    Join Date
    Aug 2003
    Posts
    69
    I'm behind a corporate network; I'll see if I can wire myself into the DMZ for a Shields Up test though, good idea.

    I'll try the other vscan too, thanks. I just had another IP roll through the log; I'm thinking I might just fdisk and start over.

  9. #9
    Senior Member
    Join Date
    Aug 2003
    Posts
    205
    If you do fdisk, fdisk the master boot record as well:
    fdisk /mbr (to be on the safe side)

  10. #10
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    Originally posted here by nihil
    I am probably being paranoid (as usual) but hits on 135, 137, and 139 make me twitchy. A lot of crap and net worms scan for these ports?


    Have you tried Spybot Search & Destroy and ZoneAlarm 6.0... your idea with the firewall is also good.

    You might also like to try SamSpade 1.14 as an analysis tool (please read the instructions/disclaimer).

    Cheers
    ZoneAlarm is at version 4.0

    http://www.zonelabs.com/store/applic...og_view_id=201
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)
