September 8th, 2003, 05:37 PM
#1
Member
odd firewall log entry
Hi!
I was watching my firewall transactions in real time, and noticed my machine, which is a newly built dell box with xp, all updates and patches, running up-to-date norton virus scan corporate edition.
What is worrying me is this entry:
Connected to: 217.106.234.173 (traceroute shows the last named to hop to be: msk-dsr7-ge0-0-0-22.rt-comm.ru [217.106.6.66])
Port: 137
Direction: Out
Connection: Denied
Connection Details: UDP
So, uh. I've run a couple of trojan scans. They turn up empty. The chances of me being haxored are fairly slim. I'm on a firewalled network, and the machine is about a week and a half old. I've installed Kiwi Syslogger, which runs as a service. The install is pretty vanilla other than that: Yahoo Messenger running through the HTTP port, WatchGuard firewall monitoring software, virus scanner, Office 2k.
Anyone have any ideas? I'm looking through our logs now for other suspicious activity....
Ok, watching my machine shows these as well, both to port 137 udp, which the firewall is blocking:
19 41 ms 40 ms 40 ms rback2-fa2-1.austtx.swbell.net [151.164.20.43]
20 810 ms 850 ms 553 ms 64.217.72.178
11 25 ms 25 ms 25 ms gige7-1.ipcolo1.NewYork1.Level3.net [64.159.17.99]
12 25 ms 26 ms 25 ms 67.72.16.92
No other hosts seem to be doing this but mine.
-
September 8th, 2003, 05:42 PM
#2
That IP address belongs to G-Lock Software. Visit their website and see for yourself.
I scanned that IP for you and ports 21, 25, 80 and a few others are open...
HTTP to the IP and see. I don't know why that IP appeared; it seems like a legitimate company.????
Are you sure you don't have a software package you've downloaded from their website in the past, and the software is performing some type of update...
-
September 8th, 2003, 05:49 PM
#3
Member
Ok, this is getting stranger then. I have a shortcut in My Favorites to their website (specifically http://www.glocksoft.com/aatools.htm) in my IE. I have none of their software installed, but I was evaluating the feature set of their products and had made a shortcut to go back to it when I had time.
What strikes me as really strange is port 137?! Is this a stupid windows/ie thing? I've never heard of anything like this. I have offline files and folders disabled, so it can't be trying to synch.
-
September 8th, 2003, 05:57 PM
#4
The shortcut is common with some websites: once you visit a particular website they automatically add themselves to your favorites list. From what I know, 137 UDP is NetBIOS name service... not 100% sure. By the way, was it TCP or UDP?
Also, when your firewall notifies you of an incident, does it give you the name of the process/application? If so, go to your registry, search for it and remove it, and also check for it in your processes list.
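Added example, not from the thread: a small checker over firewall log entries in the layout quoted in post #1. It flags outbound traffic on the NetBIOS ports (137 name service, 138 datagram, 139 session) whose destination is not on a local range, which is the pattern worth explaining regardless of whether the firewall denied it. The log text and addresses are constructed.

```python
import ipaddress
import re

# Constructed sample in the key/value layout quoted in the thread (addresses are made up).
SAMPLE_LOG = """\
Connected to: 203.0.113.45 (traceroute note would appear here)
Port: 137
Direction: Out
Connection: Denied
Connection Details: UDP

Connected to: 192.168.1.20
Port: 137
Direction: Out
Connection: Allowed
Connection Details: UDP

Connected to: 198.51.100.7
Port: 80
Direction: Out
Connection: Allowed
Connection Details: TCP
"""

NETBIOS_PORTS = {137, 138, 139}  # name service, datagram service, session service
# Ranges a workstation legitimately talks NetBIOS to: RFC 1918, link-local, loopback.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]

def parse_entries(text):
    """Split blank-line separated entries and map each 'Key: value' line into a dict."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                entry[key.strip().lower()] = value.strip()
        if entry:
            entries.append(entry)
    return entries

def is_local(addr):
    """True if addr parses and lies in one of LOCAL_NETS; unparseable values count as not local."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)

def flag_netbios_to_internet(entries):
    """Return (dst, port, proto, verdict) for outbound NetBIOS traffic to non-local destinations."""
    findings = []
    for e in entries:
        try:
            port = int(e.get("port", ""))
        except ValueError:
            continue
        dst = e.get("connected to", "").split(" ")[0]  # drop any trailing traceroute note
        if e.get("direction", "").lower() == "out" and port in NETBIOS_PORTS and dst and not is_local(dst):
            findings.append((dst, port, e.get("connection details", ""), e.get("connection", "")))
    return findings

if __name__ == "__main__":
    for finding in flag_netbios_to_internet(parse_entries(SAMPLE_LOG)):
        print("NetBIOS to non-local address:", finding)
```

Denied entries are reported on purpose: the block only tells you the host tried, and the attempt is what needs a process-level explanation.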
-
September 8th, 2003, 05:59 PM
#5
Member
I'm not getting any listing of the application, no. I might dl/install a personal firewall like ZoneAlarm or whatnot and see what it says. All the packets so far are UDP, and now it's up to 3 IPs it's doing this to.
One doesn't resolve, and one is for some 'networking' company and the page says they are currently offline.
-
September 8th, 2003, 06:03 PM
#6
I am probably being paranoid (as usual) but hits on 135, 137, and 139 make me twitchy. A lot of crap and net worms scan for these ports?
Have you tried Spybot Search & Destroy and ZoneAlarm 6.0..........your idea with the firewall is also good.
You might also like to try SamSpade 1.14 as an analysis tool (please read the instructions/disclaimer)
Cheers
-
September 8th, 2003, 06:03 PM
#7
Yeah, I'm not sure what's happening to you. You will have to do a bit of investigating.
For starters, go to grc.com and use "Shields Up" to scan your computer... Scan it with your firewall turned off...
You might also want to scan your PC for viruses with another source other than what you have,
go to www.commandondemand.com for a free scan.
Good Luck
-
September 8th, 2003, 06:05 PM
#8
Member
I'm behind a corporate network, but I'll see if I can wire myself into the DMZ for a Shields Up test, good idea.
I'll try the other vscan too, thanks. I just had another IP roll through the log; I'm thinking I might just fdisk and start over.
-
September 8th, 2003, 06:09 PM
#9
If you do fdisk, fdisk the master boot record as well:
fdisk /mbr (to be on the safe side)
-
September 8th, 2003, 06:17 PM
#10
Originally posted here by nihil
I am probably being paranoid (as usual) but hits on 135, 137, and139 make me twitchy. A lot of crap and networms scan for these ports?
Have you tried Spybot Search & Destroy and ZoneAlarm 6.0..........your idea with the firewall is also good.
You might also like to try SamSpade 1.14 as an analysis tool (please read the instructions/disclaimer )
Cheers
ZoneAlarm is at version 4.0 
http://www.zonelabs.com/store/applic...og_view_id=201