FW has blocked 1000+ intrusions so far.

Hello, I just set a rule for explorer.exe [because it was receiving or sending traffic and I didn’t know if that was right] to: Allow TCP/UDP from MAC any to MAC any, Source Port=Any, Destination=Any [idea on some other forum]
Since then I’ve been getting about 10 intrusion blocks/min from OS, System and svchost [all UDP] [been a long time since I created rules for them] and even after I removed the explorer.exe rule and rebooted it’s still happening. So any ideas on this?

CIS 2011 Pro, Win 7 64-bit

svchost [system32 and SysWOW64]:
Allow all Outgoing requests.
Block and log all Unmatching requests.

Windows System Applications:
Allow IP Out from MAC=any to MAC=any Where Protocol is any

[attachment deleted by admin]

Have you done some P2P or video streaming before the alerts?

Until someone comes up with a better idea, I suggest you visit a couple of the port scanning sites like Gibson’s Shields Up or Symantec Security Check and see if they detect that port 20303 is open and therefore not stealth. Not foolproof since the possible backdoor might detect the port scan and shut itself down.

You can also open a command prompt window as Admin and do a netstat -a -n -b. Then see what is listening on port 20303.

Was the direction of traffic outgoing in the rule you made for Explorer?

Your screenshot tells you are behind a router and you are getting traffic at a variety of ports which suggests these ports are opened in your router but there is no program listening to the incoming traffic.

Are you aware these ports must be open at your router and how to close them? Can you also show me a screenshot of your Global Rules?

Something tells me this is related to iTunes activity. The last port to open up before he got flooded with activity is 3689.

BTW - how can we assume this activity is related to Explorer.exe? His log screen shot shows “Windows Operating System.”

If this is iTunes related, these global rules worked in v3 of Comodo firewall.

https://forums.comodo.com/empty-t17532.0.html

As Boris suggests, this looks like p2p activity (same destination port). If you’re using something like a torrent client, when it’s closed the other users in the swarm will still be looking for data from you, but because the application is closed the connections are picked up by Windows Operating System.

I really don’t know what the hell, but after Boris’ comment I remembered I had opened uTorrent 3.0 [which can stream content, even though I didn’t use that] for the first time after I installed it, before the intrusions etc. When I opened it again, the ‘intrusion’ alerts stopped, and when I closed it, they started happening again.

Weirdly enough, gameux.dll [Windows Games Explorer] was the guilty one, it had a rule to block all of its traffic, which I didn’t create [not recently at least], so when I deleted it, the problem stopped. Sorry to bother you with such a stupid thing lol, well at least Symantec Checkup found 1 detection, thanks DonZ. And this is the ShieldsUP report, which I believe is a good thing:


Your Internet port 139 does not appear to exist!
Unable to connect with NetBIOS to your computer.

Obs.: I don’t believe iTunes would do that [even though I use it a lot] because I don’t stream/download/share any media other than download apps through it.

Anyways, just one last doubt, I saw explorer.exe trying to terminate cfplogvw.exe, which I don’t know if it’s a normal thing so any thoughts? Also any ideas where to download the original explorer.exe just to be safe?

[attachment deleted by admin]

Just one point, your original image shows inbound connections on UDP to port 20303. Whilst there are still some of these connections seen in your most recent image, gameux.dll is primarily making outbound connections to port 443, so these events would appear to be unrelated. What is your torrent port?

Before opening I still had some svchost issues.
When I opened it to check the port [20303 → default], the problem continued argh! Should I just uninstall this crippled version and go back to the last one? And maybe close all ports but 80 and then reopen to see if it stops or something??

[attachment deleted by admin]

The inbound connections you’re seeing from uTorrent are not a problem. As I explained in my earlier post, when you have uTorrent open the members of the swarm that are sharing the file(s) have an end-point to connect to (utorrent.exe). When you close the application, the swarm are not immediately notified about your absence and will continue to try and get pieces of the file(s) from you. However, there is now no end-point with which to connect, so Windows Operating System kicks in and takes over the connections.

The simplest way to stop your log files clogging up with these entries is to create a rule that hides them. Basically, this involves editing the Firewall Application rules (see images). Once the rule is created, place it at the top of the list of Application rules.

With regard to the rules for uTorrent, if you haven’t done so already, you might want to make sure your rules are correct. Please take a look at Utorrent Rules.

What I’m slightly more concerned about are the inbound connections for svchost. May I assume 192.168.0.1 is your router and 192.168.0.101 a PC on your LAN? It might be worthwhile finding out exactly which instance of svchost is the recipient of these connections.

You can do this from the command prompt, using netstat and tasklist, or you can simply download Process Hacker. Once installed or unzipped, depending on which version you’ve downloaded, check the Network tab and find these connections. Look across to the right and find the column ‘Owner’ and note the name of the service involved.

[attachment deleted by admin]

Nice guide, that managed to stop the many logs yay! Got only a few more logs after uTorrent was closed.

Yep, exactly.

Wow amazing program, ty! Too bad CFW doesn’t log the PID so I don’t know which one could be the faulty svchost =/. Is there another way to know which one was doing it other than by PID? Well I copied and saved all of the svchost’s PIDs, services and handles in .txt, if that’s of any use. I’m gonna go sleep and leave this PC on in case the info can still be recovered or something.

[attachment deleted by admin]

If you’re still seeing inbound connections on your utorrent port to Windows Operating System, don’t forget to add the rule I described above.

With regard to svchost and PID, unfortunately not. The problem with svchost is that it’s just a host for many other processes. On any typical Windows system you can expect to find several instances of svchost running, each with a different PID. Even when you have the PID, you still have to identify which individual process within the svchost instance is causing the connections.

CIS will show the PID for a process under ‘View Active Connections’ on the Firewall tab, but that’s all it shows. Once you’ve got the PID, you’ll still have to use some other method to get the individual services. For that, you could use Windows task manager, the information’s all there, but it’s not terribly intuitive.
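The netstat-plus-tasklist method described above, written out as an added example (not from the thread or from Comodo): it lists the endpoints on a given local port with the owning PID and, where the owner is svchost.exe, the services hosted by that instance. It assumes only netstat and tasklist, so it works on Windows 7 with PowerShell 2.0; the default port 20303 is the uTorrent port from the thread.

```powershell
# Added example: resolve the owner of endpoints on a local port, and for svchost.exe
# the services that instance hosts. Run from an elevated prompt so system PIDs show.
function Resolve-PortOwner {
    param([int]$Port = 20303)   # uTorrent port discussed in the thread

    # tasklist /svc lists every process with the services it hosts ("N/A" if none).
    # Build a PID -> row lookup once.
    $byPid = @{}
    tasklist /svc /fo csv /nh |
        ConvertFrom-Csv -Header 'Image', 'PID', 'Services' |
        ForEach-Object { $byPid[[int]$_.PID] = $_ }

    # netstat -a -n -o: all endpoints, numeric addresses, owning PID in the last column.
    # TCP rows carry a State column and UDP rows do not, so split on whitespace and
    # take the PID from the end of the row rather than from a fixed position.
    netstat -a -n -o | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f.Count -lt 4 -or -not ('TCP', 'UDP' -contains $f[0])) { return }

        # Local address is host:port; the port follows the last colon ([addr]:port for IPv6).
        $localPort = [int]($f[1] -replace '^.*:', '')
        if ($localPort -ne $Port) { return }

        $procId = [int]$f[-1]
        $owner  = $byPid[$procId]
        if ($f[0] -eq 'TCP') { $state = $f[3] } else { $state = '' }
        if ($owner) { $image = $owner.Image; $services = $owner.Services }
        else        { $image = '(unknown)';  $services = '' }

        # For svchost.exe, Services is the set of candidates sharing that instance;
        # narrow further with 'sc queryex <service>' or Process Hacker if needed.
        New-Object PSObject -Property @{
            Proto = $f[0]; Local = $f[1]; Remote = $f[2]; State = $state
            PID = $procId; Image = $image; Services = $services
        }
    }
}

Resolve-PortOwner -Port 20303 |
    Format-Table Proto, Local, Remote, State, PID, Image, Services -AutoSize
```

If the Image column shows "Windows Operating System" style ownership (PID 0 or 4) rather than svchost.exe, the endpoint has no user-mode owner, which matches the closed-torrent-client behaviour explained earlier in the thread.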

Well I did a sfc /scannow and I don’t know if it fixed anything at all or not, but I rebooted and no more intrusions at all so far yup!
So if there is just no way of knowing what service inside which svchost was doing it, then I’ll just leave it that way for now, if anything happens again I’ll let you know.

I believe the problem is solved, thank you all for your time!

Apologies, perhaps my previous explanation wasn’t terribly clear. You can identify the individual process from the PID of the svchost host, but at times it can take a little effort.