How to identify process sending outbound ICMP

I have the following issue with my firewall. I am looking at the log and every second or so (with the processor being used at 100%) I see a message that an outbound ICMP request was blocked because of my policy rules. Well Thank God for that!

But my problem is that I am not able to identify which process is attempting to send out that ping! I am almost sure that it is malware of some kind because the IP addresses being pinged are different each time.

Right now it is trying an ICMP every 5 seconds or so.

e.g. for the past 5 attempts the following IP addresses are being pinged (from the HTML export feature of logging):

Date/Time :2007-10-28 08:28:32
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.4
Destination: 77.221.73.90
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 16

Date/Time :2007-10-28 08:28:21
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.4
Destination: 118.136.201.67
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 16

Date/Time :2007-10-28 08:26:25
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.4
Destination: 89.32.55.228
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 16

Date/Time :2007-10-28 08:26:05
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.4
Destination: 59.114.130.242
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 16

Date/Time :2007-10-28 08:25:34
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.4
Destination: 117.25.28.31
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 16

Date/Time :2007-10-28 08:23:34
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.4
Destination: 218.65.129.46
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 16

Date/Time :2007-10-28 08:21:23
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.4
Destination: 84.68.216.34
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 16

An ICMP “port unreachable” is not the same thing as a ping, which is ICMP “echo request”. The unreachable is an error message, much like a telephone operator saying “the number you have dialed is not in service, please check the number and dial again”.

Your log is showing a lot of the same characteristics as another topic https://forums.comodo.com/help/outbound_policy_violations_gone_haywire_please_help-t14030.0.html where a fileshare client seems to have gotten way too busy.
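To make the echo-request versus port-unreachable distinction concrete, here is an added example (my code, not anything posted in this thread) that builds both ICMP messages in memory and decodes them. The point it shows: a "port unreachable" is generated by the local IP stack in answer to a UDP datagram that arrived for a port nobody is listening on, and it quotes the original IP header plus the first 8 bytes of that datagram, so the destination port of the inbound packet can be read straight out of the outbound error. The peer address is taken from the log above; port 6881 is an assumed former uTorrent listening port, and all packet bytes are constructed, nothing is sent or sniffed.

```python
"""Added example, not code from the thread: build and decode the two ICMP
messages the thread contrasts, an echo request (ping) and a destination
unreachable / port unreachable error, and pull the triggering datagram out of
the latter.  All packets are constructed in memory; nothing is sent or sniffed."""
import socket
import struct

ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 8: "echo request",
              11: "time exceeded"}
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable"}


def inet_checksum(data):
    """RFC 1071 one's-complement sum; verifying an intact block yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload):
    """20-byte IPv4 header (no options), TTL 64, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_udp(sport, dport, payload):
    """UDP header; checksum 0 (= absent) is legal over IPv4 and keeps this short."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_icmp(icmp_type, code, rest_of_header, body):
    hdr = struct.pack("!BBH", icmp_type, code, 0) + rest_of_header   # 8-byte header
    csum = inet_checksum(hdr + body)
    return hdr[:2] + struct.pack("!H", csum) + hdr[4:] + body


def decode_icmp(packet):
    """Parse IPv4+ICMP.  For type 3 errors also parse the quoted original IP
    header + 8 bytes of its transport header (RFC 792): that is where the port
    the remote peer was aiming at lives."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        raise ValueError("not an ICMP packet")
    icmp = packet[ihl:]
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    t, c = icmp[0], icmp[1]
    out = {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
           "type": t, "code": c, "name": ICMP_TYPES.get(t, "type %d" % t)}
    if t == 3:
        out["name"] = UNREACH_CODES.get(c, "unreachable code %d" % c)
        inner = icmp[8:]
        inner_ihl = (inner[0] & 0x0F) * 4
        orig = {"src": socket.inet_ntoa(inner[12:16]), "dst": socket.inet_ntoa(inner[16:20]),
                "proto": inner[9]}
        if orig["proto"] in (6, 17) and len(inner) >= inner_ihl + 4:   # TCP/UDP: ports first
            orig["sport"], orig["dport"] = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
        out["original"] = orig
    return out


def simulate_stale_peer(local_ip="192.168.1.4", peer_ip="77.221.73.90", closed_port=6881):
    """A remote peer (address from the thread's log) sends UDP to a local port
    nothing listens on any more (6881 is an ASSUMED former uTorrent port).
    The local IP stack, not any process, answers with ICMP type 3 code 3 quoting
    the offending datagram; a plain ping is type 8 and quotes nothing."""
    inbound = build_ipv4(peer_ip, local_ip, 17, build_udp(41234, closed_port, b"d1:ad2:id"))
    quoted = inbound[:20 + 8]                       # original IP header + UDP header
    unreachable = build_ipv4(local_ip, peer_ip, 1, build_icmp(3, 3, b"\x00" * 4, quoted))
    ping = build_ipv4(local_ip, peer_ip, 1,
                      build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"abcdefgh"))
    return decode_icmp(unreachable), decode_icmp(ping)


if __name__ == "__main__":
    for msg in simulate_stale_peer():
        print(msg)
```

Because the error is emitted by the kernel's IP stack rather than by a process, no process-to-packet tool will ever attribute it; what a sniffer capture of the outbound unreachable gives you is the quoted destination port, which you then match against whatever used to listen there.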

Thanks for responding so quickly! I have looked at the programs connecting at the same time. Like you have mentioned, it could be a P2P client gone berserk. I use uTorrent. It is a known issue that my router needs to get rebooted when I have used uTorrent for a while. I also use Process Explorer to see if there is anything unusual running. I have run HijackThis - all clean.

I am at a near total loss on what to do. Even after rebooting with never having run uTorrent, I see this kind of behaviour.

Is there any way I can run WinPcap or some other packet sniffer to see what is happening? Or is that kind of speciality reserved for other boards?

Packet sniffers and firewalls kind of go together. Sometimes the only way to get the firewall rules correct is to know exactly what is on the wire, and that's a sniffer. I'm partial to windump, but Wireshark or MS Network Monitor or any other will do the job equally well.

You mention a router. Is it the usual consumer grade NAT/router box? I’m asking because these boxes usually do a good job of keeping unknown traffic out. Which means that CFP shouldn’t be seeing unknown inbound connection attempts. But your log has the various incoming connection entries. So I’m slightly confused about what’s doing what.

You also mention rebooting, but not anything about reconnecting. If the NAT/router is doing the connection work, then it would seem to be passing traffic. If you’ve got a NAT/router, what make/model is it, and how is it configured?

Router: Linksys v2.02.2, Jan. 6, 2004. I believe it is a WRT54G. It is configured to have WEP encryption (not capable of WPA).

I looked once again at the URL you had provided earlier with someone else in a similar situation. I guess what is possibly happening is that some ICMP request must be coming in from the net, which I must be allowing. This request is being responded to by my host, stating that the port is unreachable (because uTorrent is down). But my firewall is stopping the ICMP request from going out causing the number of requests to keep coming in because the network doesn't realise my host is down :)

Thanks for your invaluable input. I think this certainly helps.

What I have done is opened my ICMP (host unreachable) outbound response. I am also logging all incoming and outgoing ICMP requests. If your theory is correct (and my supposition), I should see the answer in the logs.

Thanks again!

Watching the CFP logs should tell a lot. Inbound TCP or UDP traffic all trying to connect to one port is a sure indicator that the fileshare clients out on the Internet haven’t updated their contact lists yet. When they get back the ICMP “port unreachable”, that should give them a strong hint to update their list. No guarantee that the clients will actually update their lists, but instead just mark an entry as “try again later”.

Linksys router… Good router, although in need of an update if it can only do WEP encryption. WEP-128 these days is good for about 5 minutes or so, under a determined crack attempt. Linksys undoubtedly has a firmware update in their Tech Support area.
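The check described in the post above (inbound hits all aimed at one port, each followed by an outbound port unreachable to the same peer) can be run over the exported log rather than by eye. The following is an added example, my code and not anything from this thread, that parses records in the export format shown earlier and pairs each outbound ICMP port-unreachable with an inbound hit from the same peer within a few seconds before it. The outbound ICMP records copy the thread's own entries; the inbound UDP records are constructed in the same style (their exact Description wording is an assumption, as is port 6881 as the old uTorrent port), and the Severity/Reporter/Reason lines are omitted to keep the sample short.

```python
"""Added example, not code from the thread: parse CFP-style log records and
test the stale-peers theory by pairing each outbound ICMP port-unreachable
with an inbound UDP/TCP hit from the same peer shortly before it.
Outbound ICMP records copy the thread's format; inbound records are
CONSTRUCTED in the same style; Severity/Reporter/Reason lines are omitted."""
import re
from collections import Counter
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Date/Time :2007-10-28 08:28:32
Description:Inbound Policy Violation (Access Denied, UDP = 6881)
Protocol:UDP Incoming
Source: 77.221.73.90:41234
Destination: 192.168.1.4:6881

Date/Time :2007-10-28 08:28:32
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.4
Destination: 77.221.73.90

Date/Time :2007-10-28 08:28:21
Description:Inbound Policy Violation (Access Denied, UDP = 6881)
Protocol:UDP Incoming
Source: 118.136.201.67:6881
Destination: 192.168.1.4:6881

Date/Time :2007-10-28 08:28:21
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.4
Destination: 118.136.201.67

Date/Time :2007-10-28 08:26:24
Description:Inbound Policy Violation (Access Denied, UDP = 6881)
Protocol:UDP Incoming
Source: 89.32.55.228:17553
Destination: 192.168.1.4:6881

Date/Time :2007-10-28 08:26:25
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.4
Destination: 89.32.55.228

Date/Time :2007-10-28 08:26:05
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.4
Destination: 59.114.130.242
"""


def parse_records(text):
    """Split the export into blank-line separated records of key -> value."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, _, val = line.partition(":")   # first ':' only: "Source: a.b.c.d:port"
            rec[key.strip()] = val.strip()
        rec["ts"] = datetime.strptime(rec["Date/Time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def host_port(field):
    """'77.221.73.90:41234' -> ('77.221.73.90', 41234); bare address -> port None."""
    host, _, port = field.partition(":")
    return host, (int(port) if port else None)


def correlate(records, window=timedelta(seconds=5)):
    """Pair each outbound port-unreachable with a preceding inbound hit from the same peer."""
    inbound = [r for r in records if r["Protocol"].endswith("Incoming")]
    outbound = [r for r in records
                if r["Protocol"] == "ICMP Outgoing" and "PORT UNREACHABLE" in r["Description"]]
    port_hits = Counter(host_port(r["Destination"])[1] for r in inbound)
    explained, unexplained = [], []
    for o in outbound:
        peer = host_port(o["Destination"])[0]
        trigger = [i for i in inbound
                   if host_port(i["Source"])[0] == peer
                   and timedelta(0) <= o["ts"] - i["ts"] <= window]
        if trigger:
            explained.append((peer, host_port(trigger[0]["Destination"])[1]))
        else:
            unexplained.append(peer)   # no inbound seen for this one: worth a sniffer
    return {"top_ports": port_hits.most_common(3),
            "explained": explained, "unexplained": unexplained}


if __name__ == "__main__":
    print(correlate(parse_records(SAMPLE_LOG)))
```

On the constructed sample, three of the four outbound unreachables are explained by an inbound UDP packet to port 6881 from the same peer, and one (59.114.130.242) has no inbound record, which is the case to capture on the wire, since a port unreachable with nothing inbound to provoke it means either the inbound side was not logged or the theory does not cover it.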

There’s a freebie utility called “What’s Running” which you can download from here which shows all applications running in real time.
If you see something you don’t recognize, just click it to get more info.

But you’re certainly doing a world tour with your IP addresses! I checked them all out and here are their locations:
77.221.73.90 - Lithuania
118.136.201.67 - Indonesia
89.32.55.228 - Romania
59.114.130.242 - Taiwan
117.25.28.31 - China
218.65.129.46 - China
84.68.216.34 - UK

If you want to check them for yourself, download “IPNetInfo” from here (double click any results you get to get more info).