Here is a selection from my firewall log that contains suspicious logs. I’ve searched some of the IPs and gotten location results in Beijing among other places so I know they are remote…
How do you tell a hacking/ping attempt from something legitimate? I refuse to believe that my computer is this popular with hackers.
Can someone help me make heads or tails of this log? Thanks a ton, I’m still learning the firewall process after an insanely scary incident in which I was misdirected to a horrible, horrible web page that proceeded to install multiple keyloggers on my system (I believe it was this website). I got a new hard drive and am starting from scratch…want to do it right…but it is a lot to learn.
Are you using a NAT router? These are almost all “destination unreachable” responses from IPs that say you tried to access them via utorrent. For more detailed information you will need to wait for a utorrent expert; I am not a user. To see what the ICMPs mean, you can go to Internet Control Message Protocol (ICMP) Parameters.
Remember those are blocks. No one is getting in. The Windows stuff should be outgoing only, see here. What are your rules for uTorrent? What are your global rules?
Top one: Labelled stealthing ports and blocking hackers. It is being logged when fired.
Action: Block
Protocol: IP
Direction: In
Source: Any
Destination: Any
IP Protocol: Any
2nd on list: Labelled IGMP and being logged when fired
Action: Block
Protocol: IP
Direction: IN/OUT
Source: Any
Destination: Any
IP Protocol: IGMP
3rd on list: Labelled Web Pages and not logged when fired
Action: Allow
Protocol: IP
Direction: Out
Source: Any
Destination: Any
IP Protocol: Any
4th on list: Labelled as Preventing hackers and logged when fired
Action: Block
Protocol: IP
Direction: In
Source: Any
Destination: Any
IP Protocol: Any
Those are the only global rules I have set up so far, I realize that my fourth one and my first one match…I did the fourth manually and the 1st was a product of using the CFP Stealth Ports wizard to stealth all of my ports to everyone.
Are there any holes? Recommended rules I should apply? I am on a single computer via router (a new router is on order with a hardware firewall, that is next on the list of learning experiences.) So I do not need to worry about isolating any other computer on a LAN.
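As an added illustration (not code from the thread or from Comodo), the four global rules above run through a simplified first-match evaluator. Comodo walks its global list top to bottom and stops at the first rule that matches, so the model below shows what inbound and outbound packets hit, and it checks which rules can never fire. Rule names, the packet model and the "block silently" default for unmatched traffic are assumptions made for this example; the model is stateless, so it does not account for any connection tracking the real engine does.

```python
"""Added example: first-match evaluation of the poster's four Comodo global
rules and a check for rules that are fully shadowed by earlier ones.
The Rule/Packet model and the implicit default are simplifications made
for this example, not Comodo's actual engine."""
from dataclasses import dataclass

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "Allow" or "Block"
    direction: str     # "In", "Out" or "In/Out"
    ip_protocol: str   # "Any", "ICMP", "IGMP", "TCP", "UDP"
    logged: bool


@dataclass(frozen=True)
class Packet:
    direction: str     # "In" or "Out"
    ip_protocol: str   # concrete protocol, never "Any"
    src: str
    dst: str


# The poster's global rules, in list order (first match wins).
RULES = [
    Rule("Stealthing ports and blocking hackers", "Block", "In", ANY, True),
    Rule("IGMP", "Block", "In/Out", "IGMP", True),
    Rule("Web Pages", "Allow", "Out", ANY, False),
    Rule("Preventing hackers", "Block", "In", ANY, True),
]


def matches(rule, pkt):
    """True when the rule's direction and IP-protocol filters cover the packet.
    Source/destination are 'Any' in every rule above, so they are not tested."""
    dir_ok = rule.direction == "In/Out" or rule.direction == pkt.direction
    proto_ok = rule.ip_protocol == ANY or rule.ip_protocol == pkt.ip_protocol
    return dir_ok and proto_ok


def evaluate(rules, pkt):
    """Return (action, rule name, logged) for the first matching rule.
    Unmatched traffic falls to an assumed default of a silent block."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name, rule.logged
    return "Block", "<implicit default>", False


def shadowed_rules(rules):
    """Names of rules that can never fire because, for every direction and
    protocol they would match, some earlier rule already matches."""
    directions = ["In", "Out"]
    protocols = ["ICMP", "IGMP", "TCP", "UDP"]
    shadowed = []
    for i, later in enumerate(rules):
        covered = True
        for d in directions:
            for p in protocols:
                pkt = Packet(d, p, "0.0.0.0", "0.0.0.0")
                if matches(later, pkt) and not any(matches(e, pkt) for e in rules[:i]):
                    covered = False
        if covered:
            shadowed.append(later.name)
    return shadowed


if __name__ == "__main__":
    # Constructed packets: an inbound ICMP reply, an outbound web request,
    # and an outbound IGMP membership report.
    for pkt in (Packet("In", "ICMP", "203.0.113.7", "192.168.1.5"),
                Packet("Out", "TCP", "192.168.1.5", "198.51.100.10"),
                Packet("Out", "IGMP", "192.168.1.5", "224.0.0.1")):
        print(pkt.direction, pkt.ip_protocol, "->", evaluate(RULES, pkt))
    print("never fires:", shadowed_rules(RULES))
```

Running it shows every inbound packet, ICMP replies included, stopping at rule 1 with logging on (which is exactly why the log fills with blocked "destination unreachable" entries), all outbound traffic except IGMP passing rule 3 unlogged, and rule 4 reported as the one rule that can never fire.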
Thank you for that site, it’s very helpful. From what I can see, if I get an (8) ICMP on anything I better bring it here to have a look at, huh…8 being an “echo” which to my knowledge is an attempt to ping my ports?
You have blocked all incoming (and allowed all outgoing) so the only thing you should see is responses to your outgoing, like the "destination unreachable"s. Unless you add more rules to allow ahead of the block all in.
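To make the distinction in the reply above concrete, here is an added example (not from the thread, and not Comodo's log format) that sorts blocked inbound ICMP entries into replies to traffic the machine sent versus unsolicited probes. ICMP type 3 (destination unreachable) and type 11 (time exceeded) are answers to something you sent; type 8 is an echo request, which pings the host as a whole rather than any port. The log lines and their layout are constructed for this example, so the parser is an assumption and would need adjusting for a real Comodo export.

```python
"""Added example: triage of blocked inbound ICMP log entries into
'response to my own traffic' versus 'unsolicited probe', counted per
source IP. Sample lines and their format are constructed for this example."""
import re
from collections import Counter

# ICMP message types, per the IANA ICMP Parameters registry.
ICMP_TYPES = {
    0: "Echo Reply",
    3: "Destination Unreachable",
    8: "Echo Request",
    11: "Time Exceeded",
}

# Types a host only receives in answer to traffic it sent itself.
RESPONSE_TYPES = {0, 3, 11}
# Types that arrive on their own; an echo request is a ping of the host.
PROBE_TYPES = {8}

# Constructed sample log (the layout is an assumption made for this example).
SAMPLE_LOG = """\
2008-05-01 21:14:02 Block ICMP In 203.0.113.7 -> 192.168.1.5 type=3 code=3 app=utorrent.exe
2008-05-01 21:14:05 Block ICMP In 198.51.100.23 -> 192.168.1.5 type=3 code=1 app=utorrent.exe
2008-05-01 21:15:10 Block ICMP In 192.0.2.44 -> 192.168.1.5 type=8 code=0 app=System
2008-05-01 21:15:11 Block ICMP In 192.0.2.44 -> 192.168.1.5 type=8 code=0 app=System
2008-05-01 21:16:30 Block ICMP In 203.0.113.7 -> 192.168.1.5 type=11 code=0 app=utorrent.exe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) ICMP (?P<dir>In|Out) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) type=(?P<type>\d+) code=(?P<code>\d+)"
    r"(?: app=(?P<app>\S+))?$"
)


def parse(log_text):
    """Parse the constructed format into dicts; lines that do not match are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["type"] = int(entry["type"])
            entry["code"] = int(entry["code"])
            entries.append(entry)
    return entries


def classify(entry):
    """'response' for replies to your own traffic, 'probe' for unsolicited types."""
    t = entry["type"]
    if t in RESPONSE_TYPES:
        return "response"
    if t in PROBE_TYPES:
        return "probe"
    return "other"


def triage(log_text):
    """Count entries per (source IP, verdict, type name) so repeat probers stand out."""
    counts = Counter()
    for e in parse(log_text):
        name = ICMP_TYPES.get(e["type"], f"type {e['type']}")
        counts[(e["src"], classify(e), name)] += 1
    return counts


if __name__ == "__main__":
    for (src, verdict, name), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src:15} {verdict:9} {name:24} x{n}")
```

With the rules from the thread all of these are blocked either way; the point of the triage is that the type 3 and type 11 entries tied to utorrent.exe are the remote side answering your own uploads, while the repeated type 8 from one address is the only thing on the list that arrived uninvited.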
Hmmm, as nice as that sounds…what if I end up with another keylogger? My surfing habits have changed completely but they are about as common as anything anymore and can be found anywhere. To my understanding the firewall does not prevent malware and whatnot from entering my computer due to my own stupidity, but rather keeps people from being able to access my computer and plant things on my hard drive without my knowing. Would a keylogger be able to phone home with my current settings?
My goals for this software and my soon to be hardware firewall are to keep people from dumping things onto my hard drive…I want nobody to be able to access this thing. Should I add anymore rules?
If you’re behind a hardware firewall that’s set up fully stealthed you don’t need all those rules. I can pass a leak test without a software firewall. I use Comodo for the HIPS and program control. Your hardware firewall is your best line of defense. You will need to port forward your router for uTorrent. Does uTorrent turn green? I only have 1 global rule and that’s for P2P. Echo ping block. Something like that. LOL. You should have set up your router first then Comodo. If you want to stop dumping things on your hard drive then I suggest you use Sandboxie. Works awesome.
The router is in the mail, but I am doubtful it will arrive before the weekend when I am going away. I can always re-install/redo my rules once I set up the hardware firewall I suppose…but for now Comodo will have to do for protection. Where are you getting your leak tests? I would very much like to run one.
Do you have an antivirus/antispyware scanner? That is another line of defense for keeping malware out of your computer from connections you do allow. Once something enters your computer (and remember that you currently don’t allow anything to make inbound connections), it is caught by the HIPS processing in D+ that will alert you if anything unknown tries to execute. Just say no until you understand why it is trying to execute.
I’ve got a cocktail of AV and Anti-Spyware programs running:
Anti-Virus
AVG Free
Anti-Spyware
Spybot SD
Spycatcher
Windows Defender
And I suppose Defense+ falls under both, as does AVG.
I had a similar group of spyware programs running when I got the keylogger. I was misdirected to this website, I think I ran scans after getting off but I’m not sure, then later that night I ran scans and found the ISpy keylogger and another one that I believe was 1-2-3…given my situation I got scared and ripped the HDD a day or so later.
Link to leak test. There is also a downloadable test. Where did you get your router from? You could have gone to Bestbuy and been home hooking it up already.
For a while I was only using my hardware firewall and Sandboxie. Kept me well protected. But I download a lot of things and recovering everything out of the Sandbox was a pita. So I only use Sandboxie when needed and use Comodo and Avira for my full time protection.
The scanner here has a lot of false positives, so I hope it wasn’t what you ran to make you rip your disk. Always confirm spyware/virus hits with something like avast! or avira that will let you do online scans and doesn’t have to be involved. Also, running multiple AVs/antispyware scanners in real time can cause interference and loss of detection capability. Use one online, keep the other in reserve in case you need an independent opinion.
Spybot is not the best. It’s past its prime. SuperAntiSpyware and Malwarebytes Anti-Malware are the new guys on the block with lots of power. SAS and MBAM for short. Both are very good on demand.
You don’t need a real-time spyware scanner if you have a good AV. I use Avira Premium 8. You can get 6 months free. Avast is also good and free. Here is my set up. Never been infected in over 5 years.