kernel32.dll sending udp packets

Printable View

June 10th, 2003, 02:35 PM
coolcamel

kernel32.dll sending udp packets

os:winme
Kernel32.dll sending packets- pls help
Firewall( sygate perssonal firewall)

File name – kernel32.dll sending udp packets via port 137.139.138.with gui rules (GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP )
As a solution I remove the bios service . but now am getting udp packets toward 137.138.139.68 ports
I tied blocking that rules by doing this
Rules: (GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP(
Action: block this traffic
Hosts : all
Appliction : all [ internet explorer- included ]- pressing ok 4 saving that.

Result :
First I get this informtion alert frome the firewall [ appliction Win32 kernel core component
has been blocked,file namekernel32.dll

When I run the browser –IE- I get a firewall-informtion alert[ appliction internet explore has
been blocked, file name iexplore.exe
When I checkd the running appliction log :
Appliction : internet explore.exe
Protocol: udp
Status : listen
Local port : 1149
Remot port : nothin here
Ip address: 127.0.0.1->0.0.0.0
Process: 4293025521
Appliction path C:\ program files\ internet explore\ IEXPLORE.EXE.

some rules which are records in the trafic log
-------1--------
rule: Block all
application name: nothing here
source port : 68
source IP : 0.0.0.0 ( sorce port and source ip indication to my pc port and my ip )
desttination host : 255.255.255.255
source port : 67
direction: incoming
protocol: udp
action : blocked
-------2-------
rule: allow non-first fragment ( 1st time seeing this rule since I use sygate firewall)
application name: nothing here
source port : 0
source IP : x.x.x.x ( its not my ip)
desttination host : x.x.x.255( the 1st 3 parts belong to the network that my pc connect to
source port : 0
direction: incoming
protocol: udp
action : allowed

--------3---------
rule: GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_100
application name: nothing here
source port : 137
source IP : x.x.x.x( ip belonge to the network…etc)
desttination host : x.x.x.255 ( same ip in no (2)
source port : 137
direction: incoming
protocol: udp
action : blocked
when I allow the hall trafic ( both incoming \outgoing)one of the rule is
rule: allow all ( i allow it)
application name:C:\windows\system\kernel32.dll
source port : 68
source IP : 0.0.0.0
desttination host : 255.255.255.255
desttination port : 67
direction: incoming
protocol: udp
action : outgoing
--
I need ur help in:
Is that traffics ( udp packets) normal?( I saw that packets sent by the kernel32.dll in many diffrient pcs.
blocking kernel32.dll.how?
What if I dellet the file kernel32.dll?
what is this rule about(allow non-first fragment)?
Ips ( 0.0.0.0,255.255.255.255) when try to add a rule 4 blocking those ip .firewall alert its notcorrect ips, so why they seen in the firewall traffic log ?
I copy and past the rules from the firewall log avoiding the mistakes.
Sorry 4 the caps and thanx n advance.

coolcamel
June 10th, 2003, 02:58 PM
SirDice

Re: kernel32.dll sending udp packets

Quote:

Originally posted here by coolcamel
What if I dellet the file kernel32.dll?

Your system will never boot again.

If you are worried about this kind of (outbound) traffic unbind NetBIOS from your external inferface. Or, if you really don't need file/printer sharing, stop and disable the server service.

Getting requests from the Internet to these ports is considered 'normal' traffic. Just block them on your firewall.

0.0.0.0 and 255.255.255.255 are special addresses. 0.0.0.0 means your own ip on that interface and 255.255.255.255 is the broadcast address.
June 10th, 2003, 03:04 PM
slarty

I assume you are in windows 95/98/ME (because Windows NT/2000/XP does not have a kernel32.dll process)

Quote:

kernel32.dll sending udp packets via port 137 - 139

It does that all the time. That is the Windows netbios name service, or network browser, or mailslot API or something else.

It is normal, and cannot easily be stopped (maybe removing Windows File Sharing and Client for Microsoft Networks), and nothing to worry about.

Quote:

What if I dellet the file kernel32.dll?

That is not advisable. It is a core component and I am certain that Windows would fail to boot very early on without it.

Quote:

what is this rule about(allow non-first fragment)?

I think it allows applications to recieve broadcast packets. This is normally necessary for correct operation, and not a big security risk because few protocols use broadcasts, and they cannot be routed over the internet (Unless something is *really* wrong)

Quote:

Ips ( 0.0.0.0,255.255.255.255) when try to add a rule 4 blocking those ip .firewall alert its notcorrect ips, so why they seen in the firewall traffic log ?

Neither of them is a "real" IP address. They might be used in DHCP requests though, hence you might see them.

Those are not a problem because they are also non-routable. Don't block them, they are non-routable anyway.
June 10th, 2003, 08:24 PM
Jonesy69

are you behind something thats using NAT? If so you **may** have a trojan.

I had one on my computer a month back that as far as I could tell was designed as a device driver. Basically it would accept the API's of ALL running apps, and let through a select few so everything would *seem* normal and even hijacked a few. I put a rule in my firewall blocking ALL traffic to and from 0.0.0.0 then I started getting hits from all over the internet coming to my box. I inspected my Netgear MR314's web based admin console and found that somebody had set my computer to the default DMZ server. I'm not an expert at this by any means, but I would suggest you try to block all traffic, sit back, and watch your logs. You may be surprised at what you find, then again, you may find nothing. Hope this helps.
June 10th, 2003, 09:15 PM
slarty

Quote:

ALL traffic to and from 0.0.0.0

Any Ip packet which is travelling around with 0.0.0.0 as a source or destination address should be dropped by the next router. If it has all 0s as the destination address, it can forget being routed anywhere anyway.

Routers on the internet are supposed to drop any packet if they have unroutable source or dest addresses - which usually means either they're private (10.*, 192.168 etc), loopback (127.*) or invalid (all 0s, or all 255s)

I don't understand how you can report packets with these nonexistent IPs on them.
June 11th, 2003, 04:21 PM
coolcamel

its really helped

thanx for ur time and ur replies.

coolcamel