Outbound Policy Violations gone haywire ... Please Help

Hi there, just installed Comodo Firewall Pro 2.4.18.184 (Database Version 3.0) on WinXP SP2.

Unfortunately, my Network Monitor is going haywire. It logs massive amounts of Outbound Policy Violations. (There are also inbound violations, but the majority are outbound.) Every 5 seconds I log anywhere from 5 to 20 violations. Sometimes 5 or 10 violations are even logged every second. There are hundreds every minute, and it never stops. Here is a small sample:

Description: Inbound Policy Violation (Access Denied, IP = 194.117.241.172, Port = 10676)
Protocol: TCP Incoming
Source: 194.117.241.172:52735
Destination: 62.87.146.65:10676
TCP Flags: SYN
Reason: Network Control Rule ID = 6

Description: Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 62.87.146.65
Destination: 218.82.175.135
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 6

Description: Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 62.87.146.65
Destination: 81.51.55.10
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 6

Description: Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 62.87.146.65
Destination: 213.103.58.237
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 6

I shut down the programs that were using connections: Firefox, BitComet, GoogleDesktop, etc. Even when no programs were showing under the “Connections” tab, I was still logging hundreds of violations a minute. I have thoroughly checked my computer and found no spyware, viruses, trojans, etc.

I am connecting to my DSL Internet through a WinPoET PPPoE Adapter. Could this be the problem?

Thanks,
Brendan

Checking the IP addresses in your log,

Address 62.87.146.65 - is a user account on dialog.net.pl. Since this is outbound, I’m presuming this is your address at the time you were connected to the Internet.

Inbound address 194.117.241.172 - looks to be a user IP address at net.zeork.com.pl

Outbound addresses of
218.82.175.135 - is a user IP address at dynamic.163data.com.cn - mainland China

81.51.55.10 - is a user IP address at abo.wanadoo.fr - France

213.103.58.237 - is also a user IP address at cust.tele2.fr - France

Just based on that, I’d say that your machine has been infected, and is part of a zombie network.
But since the outbound traffic is ICMP port unreachable messages, it looks like it could be DDoS traffic, or using an ICMP tunnel. Hard to tell without seeing a packet dump.

Even though you have scanned your machine and not found any malware, these log messages and the volume at which they are occurring very strongly suggest your machine is seriously infected. Have you run a HijackThis scan on your machine?

Also, try running from a command prompt “netstat -anob”. This will report what program is attached to each port for anything that is running at that moment.

Thanks for your reply!

I ran HijackThis but didn’t find anything very suspicious. I’m not an expert though, so something could have flown under my radar.

I have established a pattern for when I receive violations. When I first start up my computer and internet connection, I actually don’t receive many outbound violations. What I do receive are inbound violations every few seconds. Here is a sample:

Date/Time :2007-10-28 11:31:05
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 78.8.0.219, Port = ms-rpc(135))
Protocol: TCP Incoming
Source: 78.8.0.219:2735
Destination: 78.8.2.208:ms-rpc(135)
TCP Flags: SYN
Reason: Network Control Rule ID = 6

Date/Time :2007-10-28 11:31:05
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 78.8.49.21, Port = MS-ds(445))
Protocol: TCP Incoming
Source: 78.8.49.21:4964
Destination: 78.8.2.208:MS-ds(445)
TCP Flags: SYN
Reason: Network Control Rule ID = 6

Date/Time :2007-10-28 11:30:55
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 83.116.217.125, Port = 27964)
Protocol: TCP Incoming
Source: 83.116.217.125:14626
Destination: 78.8.2.208:27964
TCP Flags: SYN
Reason: Network Control Rule ID = 6

Date/Time :2007-10-28 11:30:50
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 83.116.217.125, Port = 27964)
Protocol: TCP Incoming
Source: 83.116.217.125:14626
Destination: 78.8.2.208:27964
TCP Flags: SYN
Reason: Network Control Rule ID = 6

According to netstat, these are the processes connecting during that time:

TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 1300
c:\windows\system32\WS2_32.dll
C:\WINDOWS\system32\RPCRT4.dll
c:\windows\system32\rpcss.dll
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ADVAPI32.dll
[svchost.exe]

TCP 78.8.2.208:139 0.0.0.0:0 LISTENING 1336
-- unknown component(s) --
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ADVAPI32.dll
[svchost.exe]

TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING 2612
[alg.exe]

TCP 169.254.227.210:139 0.0.0.0:0 LISTENING 4
[System]

UDP 0.0.0.0:500 : 1012
[lsass.exe]

UDP 0.0.0.0:4500 : 1012
[lsass.exe]

UDP 0.0.0.0:1030 : 1888
[spoolsv.exe]

UDP 78.8.2.208:138 : 1336
-- unknown component(s) --
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP 78.8.2.208:123 : 1336
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP 78.8.2.208:137 : 1336
-- unknown component(s) --
ntdll.dll
-- unknown component(s) --
[svchost.exe]

UDP 78.8.2.208:1900 : 2012
c:\windows\system32\WS2_32.dll
c:\windows\system32\ssdpsrv.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

Please let me know if any of these are suspicious.

To continue … things really start to go haywire when I run BitComet. (And yes, I have tweaked Comodo and BitComet according to the tutorials on this site.) When I first start a BitComet download, I get tons of inbound violations (up to dozens a second) until the connections max out. Then there is a mix of inbound and outbound violations. Then, after I close BitComet I start to get more and more Outgoing Violations until it reaches hundreds a minute. The only way to stop them is to cut the internet connection.

Sorry I can’t be any more specific. I’m really quite perplexed at this point. Any ideas?

Update: I uninstalled BitComet and used CCleaner to remove leftover registry entries, etc. But the inbound violations continue, so they are clearly not related to BitComet.

The inbound TCP and UDP ports 135 and 445 stuff is just the usual variety of junk on the Internet these days. It’s decidedly unfriendly traffic, but with CFP that traffic is harmless as the traffic can’t get to your machine.

I’m beginning to think that the other inbound TCP traffic is ‘delayed reaction’ queries related to BitComet. If your machine gets identified as a server, then traffic will be directed to your machine from all over the place. All of that traffic will be to one TCP port. In the sample log you provided, it looks like it could be TCP port 27964. I suspect that incoming port would change each time you restarted the machine, and BitComet reconnected to its network, and then all the other BitComet users start piling in on your machine.

The earlier log, with the ICMP port unreachable messages, would have been traffic to other BitComet users that your machine was no longer a server. As long as your Internet address and port number were still listed in the BitComet network mesh, you would have gotten inbound traffic to a turned-off server, with the corresponding outbound ICMP traffic. That would continue until the mesh times out (presuming it has a time-out counter), or until you change Internet address.

The details are probably down in how the BitComet protocol and server mesh does its job. I’m not knowledgeable enough on those details to know if what I’ve described above is right. Your solution of uninstalling BitComet will work because it takes your machine out of the network mesh.

Your netstat listing is showing the normal Windows components doing what they do. The 169.254.227.210 entry seems atypical, simply because I haven’t seen something like that before in the LAN environments I work in. If yours is a single machine, that could make sense. The 169.254.0.0/16 address block is used by Windows machines for self auto-configuration when there isn’t a LAN environment.

So, it looks like your machine is not a malware zombie, but maybe it was a filesharing drone.
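
To make the pattern grue155 describes visible in a log like the ones quoted above, here is an added example (not from this thread, and not Comodo's own tooling) that parses Network Monitor entries and counts them by category: inbound SYNs to the Windows service ports, inbound SYNs to one high port, and outbound ICMP port unreachable replies. The sample log, the port set and the category names are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the format Comodo Network Monitor prints (not a real capture).
SAMPLE_LOG = """\
Description: Inbound Policy Violation (Access Denied, IP = 78.8.0.219, Port = ms-rpc(135))
Protocol: TCP Incoming
Destination: 78.8.2.208:ms-rpc(135)
TCP Flags: SYN

Description: Inbound Policy Violation (Access Denied, IP = 83.116.217.125, Port = 27964)
Protocol: TCP Incoming
Destination: 78.8.2.208:27964
TCP Flags: SYN

Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Destination: 218.82.175.135
Message: PORT UNREACHABLE
"""

FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")   # "Key: value" (space after colon optional)
WINDOWS_PORTS = {135, 139, 445}                        # the usual Internet background noise

def parse_entries(text):
    """Split the log on blank lines; each 'Key: value' line becomes a dict field."""
    return [dict(m.groups() for m in map(FIELD.match, block.splitlines()) if m)
            for block in re.split(r"\n\s*\n", text.strip())]

def dest_port(entry):
    """'x:ms-rpc(135)' -> 135, 'x:27964' -> 27964, ICMP entry (no port) -> None."""
    m = re.search(r":(?:[\w-]+\()?(\d+)\)?$", entry.get("Destination", ""))
    return int(m.group(1)) if m else None

def classify(entry):
    """Label one entry with the kind of traffic it represents."""
    proto = entry.get("Protocol", "")
    if proto.startswith("ICMP") and "Outgoing" in proto:
        return "outbound ICMP " + entry.get("Message", "").lower()
    port = dest_port(entry)
    if "Incoming" in proto and entry.get("TCP Flags") == "SYN":
        if port in WINDOWS_PORTS:
            return "inbound SYN to Windows service port (background noise)"
        return "inbound SYN to port %s (stale peer?)" % port
    return "other"

def summarize(text):
    """Count entries per category; a single dominant high port points at a former listener."""
    return Counter(classify(e) for e in parse_entries(text))
```

Run `summarize` over a full day's export and the former BitComet listen port will stand out as the one high port collecting nearly all of the inbound SYNs.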

Thanks again for the reply.

So I guess my only question is, then, am I in any danger, and is there anything I should do to improve the situation? I’m still a little confused, because I thought the point of a good firewall was to make your IP address invisible to avoid inbound threats. Yet I still get dozens of inbound violations every minute. Is this normal?

I have gone ahead and disabled logging for the Network Monitor in Comodo. That cuts down on Comodo eating up the processor, but when I get slammed with inbound and outbound violations it still slows down my machine considerably. Any ideas on making tangible improvements?

Thanks (again),
Brendan

Just to add to grue155’s explanation,

You mentioned you shut the internet connection off to stop the traffic, and the 169.254.x.x address could be coming from having no connection and not being able to go to the DHCP server to get a public IP address.

As far as the bombardment from the other addresses coming in and being blocked, when you use a Torrent program you basically are advertising your pc to the world. When you shut off the Torrent program your pc knows that the program is shut off but the rest of the world doesn’t so those pc’s keep trying to connect to you. I noticed that the red packets are Sync packets probably trying to sync back up with your BitComet even though it isn’t there anymore.

You might try allowing the ICMP Port Unreachable packets out so that it will maybe tell the other pc’s that you aren’t available and they will stop trying to connect to you. When I have used those types of programs it can take from a couple of days to months for the traffic to stop.

Hope this helps

jasper