Items Blocked by Firewall

I have been looking through the firewall log trying to understand what is being blocked.
I found a web site which allows me to look up IP addresses and have found the following:

Some of the Source IP addresses being blocked are:
61.160.213.23 - Beijing, China
221.195.73.68 - China
218.75.79.32 - China
61.139.54.94 - China
189.168.173.220 - Mexico
88.54.170.10 - Italy
149.254.48.2 - T-Mobile, London
70.101.104.60 - Frontier Communications, Rochester, NY
74.63.225.44 - Limestone Networks-Dedicated Servers, Dallas, TX

192.168.0.1 - Private Address ?
63.245.208.11 - Mozilla Firefox
76.224.3.238 - SBC, my ISP

My question is, are some of these hacking attempts (such as China, Mexico, Italy) or are they just advertising attempts?

What about the requests from Firefox and from my ISP? Should they be allowed? If so, how would I set up a rule to allow the good stuff and keep out the bad?
Or is everything okay the way it is?
I don’t want to be blocking valid requests for legitimate traffic.
I don’t mean to be a pest, but would like to understand what’s happening.

Thanks,
Chuck

Hi Chuck, to enable us to help, you’ll need to tell us things like the Protocol (TCP, UDP, etc…) and the Source & Destination Ports of the blocks. An easy way is to expand the Firewall event screen so all the information is visible, take a screen shot & post it here.

I can say that IP 192.168.0.1 is indeed a private LAN that cannot be used on the Internet. It’s either your system, another LAN member or possibly a router/gateway or something like that. You should also post your set-up, including LAN set-up (members, etc…) & Internet connection type. Thanks.

Greetings Kail,

Thanks for quick response,
2 screenshots of firewall log are:

I have all ports stealthed and global rules are:

I hope you can read them… not sure how to increase readability… I’m using Gadwin Print Screen 4.3.
If you have a better way of posting screenshots, please let me know. I’m using Photobucket.

This is a standalone desktop. No networking (except internet)
AT&T DSL connection through wired dsl modem only (no wireless stuff)
The only security package I now have is CIS 3.10 (nothing else to conflict with CIS).

If you need more info, let me know what I can provide
Just would like to know if this is normal and okay, or if some of this should be getting through, such as my ISP requests or Firefox requests (my default browser).

I really appreciate any help or info you can provide so I can understand what’s going on.

Chuck

image removed by mod, kail

Yep, I can read them… just (I’m oldish). Unfortunately, I have something else to do at the moment. I should be able to look at these within the next few hours, unless someone else jumps in.

In the meantime, I recommend that you disconnect & reconnect your ADSL connection in order to change Internet IP number. As a Moderator I can see your Internet IP number, but you shouldn’t publish that IP number in public. HOWEVER, not a real problem since I note you seem to have something called a “dynamic IP”, which basically means your Internet IP number changes every time you reconnect your ADSL connection… and that’s why I’m recommending you do that. :slight_smile:

Also, please confirm the following; Are you a gamer? Do you use remote connection software to/from other PCs? Do you use a chat client (MSN, ICQ, etc)? Do you use any P2P/file-sharing applications? Do you use Ping/Trace-type networking tools? Thanks.

No problem Kail,

I’m sure you have quite a bit on your plate…

I’m a little ‘oldish’ too, so I can relate.

Not a gamer, no big software on the system at all

BTW: this is Windows XP Home… SP3
No remote connection stuff that I’m aware of. I don’t connect to any remote PCs.
I do not do any chatting other than what’s at Yahoo mail.
There was some p2p software (360 Share) on the computer, but I un-installed it due to security concerns… Also iTunes had this thing called Bonjour which, to me, sounds like a p2p app. That was also un-installed.

I do have connection software installed to keep the DSL connection up and running (StayOn Pro V4)

I had McAfee Internet Security installed, which apparently had StayOn Pro integrated into their software in order to keep the connection alive, and when I un-installed McAfee and installed CIS, every time I closed the browser the connection would drop and I would have to reboot the modem to get the line active again. Quite frustrating.

Installing StayOn Pro V4 solved that problem.

Thanks again Kail. Whenever you have the time, I’m in no hurry, just kinda want to understand how to work with the firewall.

Chuck

Hi Chuck, it would really help me a lot if you emailed the HTML export of the Firewall Event log to me. It would allow me to investigate the reported blocks & cite things much easier, thanks. My email address is on the left, under my name… the icon.

Just a quickie, is Southwestern Bell Internet your ISP?

ISP = SBC Global.

PS Chuck, sorry “a few hours” turned into a lot longer than previously anticipated. :slight_smile:
PPS Toogie, if you’re familiar with SBC, please do join in. :slight_smile:

Thanks, Kail.

The logs are on their way. Thanks much.

Chuck

OK, basically I think you’re being probed.

Take this chap 76.224.3.238. He’s using the same ISP as you and his connection attempts to you are something as follows…

As for source ports, the first 2 are 1089 and the rest are 5000, which implies a single application to me. Anyway, onwards. These are the inbound (blocked) destination ports…

UDP 161 (SNMP), source (1089) sorta fits.
TCP 80 (World Wide Web HTTP), seeing if you’re a web server.
TCP 8080 (HTTP Alternate), again, web server.
UDP 137 (NetBIOS Name Service), asking for file sharing.
UDP 10421 (UDP Single Click Discovery Protocol), checking for possible infection to exploit.
UDP 10426 (UDP Single Click ICC), checking for possible infection to exploit.

He then waits for between 34-42 minutes and sends the whole lot again. I suspect this SB user is scanning a whole range of his fellow SB users looking for infected machines. Or, the user could be infected and it is their system that is doing this without their knowledge. And there are others, of differing types & volume. Large amounts of scanning & probing. In short it’s a mess. :slight_smile: I don’t think it’s a threat, CIS is dealing with it. But, I suspect the reason might be your Global rules… I think they’re making you highly visible and thus, a target. Can I have a better image of your Global Rules please, thanks.
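The pattern Kail picks out above (one source, a fixed set of destination ports, the whole lot repeated after a quiet interval) is easy to check mechanically once the event log is exported. The following is an added example, not part of the thread and not the CIS export format: the six-column log layout and the sample lines are constructed (documentation addresses, not real hosts), and the 600-second gap that separates one probe burst from the next is an assumption.

```python
"""Group blocked inbound events by source IP and look for repeated probe bursts.

Added example, not from the thread. The six-column log layout below is a
constructed stand-in for an exported firewall event log, and the sample lines
are constructed (RFC 5737 documentation addresses, not real hosts).
"""
from collections import defaultdict
from datetime import datetime

# Service names for the destination ports quoted in the thread.
PORT_NAMES = {
    ("UDP", 161): "SNMP",
    ("TCP", 80): "HTTP",
    ("TCP", 8080): "HTTP Alternate",
    ("UDP", 137): "NetBIOS Name Service",
    ("UDP", 10421): "Single Click Discovery Protocol",
    ("UDP", 10426): "Single Click ICC",
}

# Constructed sample: date time protocol source_ip source_port destination_port
SAMPLE_LOG = """\
2009-07-01 10:00:01 UDP 203.0.113.7 1089 161
2009-07-01 10:00:02 TCP 203.0.113.7 1089 80
2009-07-01 10:00:02 TCP 203.0.113.7 5000 8080
2009-07-01 10:00:03 UDP 203.0.113.7 5000 137
2009-07-01 10:00:03 UDP 203.0.113.7 5000 10421
2009-07-01 10:00:04 UDP 203.0.113.7 5000 10426
2009-07-01 10:38:10 UDP 203.0.113.7 1089 161
2009-07-01 10:38:11 TCP 203.0.113.7 1089 80
2009-07-01 10:38:11 TCP 203.0.113.7 5000 8080
2009-07-01 10:38:12 UDP 203.0.113.7 5000 137
2009-07-01 10:38:12 UDP 203.0.113.7 5000 10421
2009-07-01 10:38:13 UDP 203.0.113.7 5000 10426
2009-07-01 11:02:00 TCP 198.51.100.9 40000 80
"""


def parse_log(text):
    """Turn each well-formed line into a dict; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        date, time, proto, src, sport, dport = parts
        events.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "proto": proto.upper(),
            "src": src,
            "sport": int(sport),
            "dport": int(dport),
        })
    return events


def split_bursts(events, gap_seconds):
    """Split one source's events into bursts; a quiet gap longer than gap_seconds starts a new burst."""
    bursts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if bursts and (ev["ts"] - bursts[-1][-1]["ts"]).total_seconds() <= gap_seconds:
            bursts[-1].append(ev)
        else:
            bursts.append([ev])
    return bursts


def summarize(text, gap_seconds=600):
    """Per source IP: burst count, ports hit, whether every burst hit the same ports,
    and the start-to-start spacing between consecutive bursts in whole minutes."""
    by_src = defaultdict(list)
    for ev in parse_log(text):
        by_src[ev["src"]].append(ev)

    summary = {}
    for src, evs in by_src.items():
        bursts = split_bursts(evs, gap_seconds)
        port_sets = [sorted({(e["proto"], e["dport"]) for e in b}) for b in bursts]
        starts = [b[0]["ts"] for b in bursts]
        summary[src] = {
            "bursts": len(bursts),
            "ports": sorted(set().union(*port_sets)),
            "same_ports_each_burst": all(ps == port_sets[0] for ps in port_sets),
            "repeat_interval_min": [int((b - a).total_seconds() // 60)
                                    for a, b in zip(starts, starts[1:])],
            "source_ports": sorted({e["sport"] for e in evs}),
        }
    return summary


def describe(summary):
    """Human-readable report, one line per source."""
    out = []
    for src, info in summary.items():
        ports = ", ".join(f"{p}/{d} ({PORT_NAMES.get((p, d), 'unknown')})"
                          for p, d in info["ports"])
        line = f"{src}: {info['bursts']} burst(s), source ports {info['source_ports']}, hit {ports}"
        if info["bursts"] > 1 and info["same_ports_each_burst"]:
            line += (f"; identical port set repeated every {info['repeat_interval_min']} min"
                     " (looks like a scripted probe)")
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    print(describe(summarize(SAMPLE_LOG)))
```

Run against a real export, the interesting sources are those with more than one burst and the same port set each time: that is what distinguishes a scripted sweep from a one-off stray packet, and it is also the quickest way to confirm that the blocks are being handled rather than leaking through.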

Sorry, I made do with the previous one. :slight_smile: Assuming you don’t need all those allows, I would recommend running the Stealth Ports Wizard. But, before you do that, it would be best to export your current Profile (Miscellaneous - Manage My Configurations) to a file for backup. Just in case you don’t like what the Wizard did. The Wizard is a process that automatically sets up your rules based on few simple questions. So, you probably want the option "Block all incoming connections - stealth my ports to everyone". In short, disappear. :slight_smile:

192.168.0.1 is you or a router? There are some blocks with this IP, a UPnP broadcast was blocked. Some routers need UPnP… might be the reason you need the stay alive app to keep connected? Wild guess with no evidence. :slight_smile:

Thanks Kail,

I had all ports stealthed for about a week or more now, but added global rules allowing ICMP in (host, port, network unreachable, and echo request), based on help from EricJH, to try and eliminate a lot of ICMP blocking. That seemed to have corrected the ICMP logging.

When my IP address changed, it started logging all ICMP again. I added the rule to allow in any from my MAC. I don’t know if that was wise or not but it stopped the ICMP logging.

I just went back in to the stealth port wizard and selected stealth all ports.
The global rules did not change, and now I am getting the ICMP logging again.

I am sending screen shots as attachments to show the result.
Hopefully, they will be easier to read.

Chuck

image removed by mod, kail

[attachment deleted by admin]

Well, some of the Allow rules might allow other users/systems to see your system. This would verify that there is indeed a system behind the IP, although it would not tell them anything else. This might explain the probes & scans, trying to find what you are or, more importantly probably, if you can be exploited/infected. Whilst, as I said, CIS is dealing with all these probes & there is no risk that I can see, I would prefer to err on the side caution… please go to & download HijackThis. Post the results as a text file attached to the post. I would just like to make sure these scans & probes are not being provoked by something else.

The ICMP allow with the MAC address worries me. But it is, with the others, under a Block & Log IP All rule, and as an ICMP message is itself part of the IP protocol, I don’t think any of those Allow rules are actually reachable.

PS I removed the Global Rules since they included your MAC. Just my paranoia, no worries. :slight_smile: (edit)

Okay Kail, attached are the HijackThis results.

To be on the safe side (a good rule I think), should I remove the rule for ICMP allow with MAC?

Or any other allow rule??

If all this is correctly being blocked, then I don’t need any additional allow rules (such as the host, port, network and echo rules).

You’re pretty informed about all this and I will gladly go with any suggestions you have.

Thanks much,
Chuck

[attachment deleted by admin]

All looks OK, except for C:\WINDOWS\system32\sop.exe… I don’t think it’s a major threat, but Google indicates that it may be adware/spyware… and I don’t like it being in System32 if it is. However, it could merely be a misplaced EXE (unlikely).

As far as those ICMP rules are concerned, you can leave them where they are at the moment. Since, unless I’m reading it wrong, with the Block & Log IP All rule directly above those ICMP rules, they are effectively disabled anyway (non-reachable). I hope that makes sense?

PS You seem to have AOL things running, previous ISP? They should go unless you need them. (edit)

Also, I recommend running C:\WINDOWS\system32\sop.exe through CAMAS & VirusTotal. Just to see what they say.
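Kail's point that the ICMP allow rules sitting under the Block & Log IP All rule are non-reachable is a consequence of first-match evaluation: rules are tried top to bottom and the first one that matches decides, so a catch-all block above a specific allow means the allow never fires. The following added example (not part of the thread and not CIS's own code; the rule fields, rule names and both rule sets are constructed to mirror the rules described in the thread, and the match semantics are an assumption) simulates that ordering and reports which rules are shadowed, so a rule list can be checked before and after moving a rule.

```python
"""First-match evaluation of an ordered global rule list.

Added example, not part of the thread and not CIS's own code. Rule fields,
rule names and the two rule sets are constructed to mirror the thread's
description (a Block & Log IP rule placed above ICMP allow rules); the match
semantics are an assumption: rules are tried top to bottom, first match wins.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    direction: str                   # "in" or "out"
    protocol: str                    # "ip" matches every protocol; "icmp"/"tcp"/"udp" match only that one
    icmp_type: Optional[str] = None  # e.g. "echo-request"; None matches any ICMP type
    log: bool = False
    name: str = ""


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    icmp_type: Optional[str] = None


def matches(rule, pkt):
    """Does this rule apply to this packet? 'ip' is the wildcard protocol, as in the thread."""
    if rule.direction != pkt.direction:
        return False
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(rules, pkt, default="block"):
    """Return (action, rule name) from the first rule that matches, top to bottom."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, "implicit default"


def covers(earlier, later):
    """True when every packet that could match `later` already matches `earlier`."""
    return (earlier.direction == later.direction
            and (earlier.protocol == "ip" or earlier.protocol == later.protocol)
            and (earlier.icmp_type is None or earlier.icmp_type == later.icmp_type))


def unreachable_rules(rules):
    """Names of rules that can never fire because a rule above them shadows them completely."""
    return [r.name for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]


# Constructed rule set in the order Kail read it: the catch-all block sits above the ICMP allows.
AS_POSTED = [
    Rule("block", "in", "ip", log=True, name="Block & Log IP In Any"),
    Rule("allow", "in", "icmp", "echo-request", name="Allow ICMP Echo Request In"),
    Rule("allow", "in", "icmp", "host-unreachable", name="Allow ICMP Host Unreachable In"),
    Rule("allow", "in", "icmp", "port-unreachable", name="Allow ICMP Port Unreachable In"),
]

# Same rules, with the specific allows moved above the catch-all block.
ALLOWS_FIRST = AS_POSTED[1:] + AS_POSTED[:1]


if __name__ == "__main__":
    ping = Packet("in", "icmp", "echo-request")
    print("as posted   :", evaluate(AS_POSTED, ping), "unreachable:", unreachable_rules(AS_POSTED))
    print("allows first:", evaluate(ALLOWS_FIRST, ping), "unreachable:", unreachable_rules(ALLOWS_FIRST))
    print("tcp in      :", evaluate(ALLOWS_FIRST, Packet("in", "tcp")))
```

With the block rule on top, every one of the ICMP allows is reported as unreachable and an inbound echo request is blocked and logged, which is exactly the behaviour Chuck sees when the ICMP logging returns. With the allows moved above the block, only the listed ICMP types get through and everything else inbound still hits the catch-all block, so the stealth posture for TCP and UDP is unchanged.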

fix this:

O3 - Toolbar: Searchme Toolbar - {4d02e7e6-5930-4b51-b9b0-9f21b3789400} - mscoree.dll (file missing)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Sorry, something else. 3Com/NVIDIA Network Access Manager… it has a firewall (which I’m certain you don’t want or need), it creates its own LSP winsock entries & is suspected of causing a fair few problems & conflicts. You should investigate this whole NAM app/driver/thing, determine if you need it & justify its continued existence to yourself.

Thanks languy. :slight_smile:

Here are (attached) Chuck’s Global Rules with the MAC number masked.

And, I’ve just noticed that the Block & Log IP All rule is in a different position in the 1st posted image (which this is) to the 2nd. Which one is current Chuck?

[attachment deleted by admin]