
Outgoing packets


30 replies to this topic

#1 hunangel


Posted 23 April 2009 - 10:30 AM

Hi,

I have the ZoneAlarm free firewall and it keeps blocking packets sent from my computer to other people's computers through their port 139. It's happening at exact intervals of 13 minutes. Should I be concerned?
Any kind of help appreciated.


#2 tos226


Posted 23 April 2009 - 11:32 AM

It depends on what "other computer".
If it's within your LAN and you trust it, it's standard communication on NetBIOS ports, and if ZA is properly configured, NetBIOS packets will not be blocked.
If on the internet, then it's not good unless you're doing VPN or similar.

Bottom line: ZA is blocking it according to your current settings, so no danger.

#3 hunangel


Posted 23 April 2009 - 04:07 PM

It's on the Internet and I'm not using a VPN. Actually, I would like to know what it means; I searched on Google, but couldn't find anything specific about it. I don't have printer and file sharing enabled, I don't use torrents, and some time ago I found about 5000 worms on my computer after a scan, and some Trojan horses, so I'm trying to find out if there is still something going on. Thanks for your answer anyway.

#4 tos226


Posted 23 April 2009 - 04:59 PM

In the network properties your NetBIOS may be enabled, so disable it if you don't use it.
If you don't use a router, get one. You can block those ports (137-139) as well as 135 and 445.
ZA would not be blocking if the packets weren't attempting to go out from something in the system.

http://en.wikipedia.org/wiki/NetBIOS

There is a possibility of some malware trying outbound connections. In that case see the Hijack This forum section here.

#5 hunangel


Posted 24 April 2009 - 06:16 AM

Thank you very much for your advice. Well, I blocked all the ports; despite that, I'm still getting high-rated alerts on incoming packets to my port 138. Is this possible if I previously closed it?

#6 Synetech


Posted 24 April 2009 - 07:48 AM

I like to use two tools to see what ports are open on my system: the Windows Worms Doors Cleaner and TCPView.

See what WWDC says; it will tell you about any dangerous ports that are open on your system and allow you to disable/close them. Run TCPView when there are no Internet programs running to see your network status (open ports, network activity, etc.) when idle.

You can also run a port check on your system. GRC’s Shields Up is a very popular one.

XP-Antispy also has a lot of useful functions, including the ability to turn several things off that can leave you open, and the tooltips nicely document the functions.

Did you turn off NetBIOS? Control Panel->Network Connections->{Your Network Adapter}->Properties->Properties->TCP/IP->Properties->Advanced->WINS. Is it Default, Enabled, or Disabled? Depending on your network configuration, you can usually disable it altogether. If you have a router, you can set it to default and configure the setting in the router instead. Try setting it to disabled and reboot. If your network connection won’t work at that point, set it to default and reboot. If it still won’t work, set it to enabled and reboot. You will also want to check what network clients, services, and protocols are installed for your NIC. You said that file/print sharing wasn’t enabled, but is it installed (and unchecked)? Do you have other items in the network connection list (the fourth step in the above chain)?

Edited by Synetech, 24 April 2009 - 07:50 AM.

-- Synetech

#7 hunangel


Posted 25 April 2009 - 03:45 AM

Hey Synetech, thanks a lot for your help. Yes, NetBIOS was disabled in the WINS tab; that's why I didn't understand the alerts. File/print sharing is unchecked. In the network connection list I have the IP protocol configuration, DNS and Options, which contains Protocol TCP/IP filtering. I closed down port 445 as well; I'll see what happens. Once again, thank you very much for your help.

#8 tos226


Posted 25 April 2009 - 11:15 AM

I meant to close down some of those ports in the router from connections to the web.
On the Windows system itself, it's not a good idea. Windows uses ports 135 and 445 for various services, so you may find Windows not working properly.
Specifically, svchost.exe and SYSTEM are listening for connections and should be permitted on the LAN.
Read Microsoft KB832017 - you can enter the KB number into a Google search.

I don't believe you answered a key question - what IP is ZA blocking for you? Is it local or is it on the internet? You can check what it is using DNSstuff site.

#9 hunangel


Posted 25 April 2009 - 01:23 PM

I checked the IP on the DNSstuff site and it's from the Internet. Actually, I wrote that already in a post above. It seems to reside somewhere in Switzerland. WWDC warned me that my system seems to be infected by a virus, because svchost uses much more virtual memory than is usual.

#10 tos226


Posted 25 April 2009 - 02:38 PM

Yes you did answer and I missed it. Good enough to know it's Switzerland.
I would also, at this point, suspect something is trying to get out. Posting a HijackThis log on this forum might make sense.
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

Before you do, perhaps you can download Superantispyware
http://www.superantispyware.com/
Install it, update it (tell ZA it's ok to connect, of course), and scan.
If it finds some spyware, trojans, or other trash, it will clean it up.

#11 Synetech


Posted 25 April 2009 - 02:57 PM

tos226 is right about some ports being necessary for Windows. For example, I wasn't using the prefetcher for a long time because I had the task scheduler disabled (I have other, better means of scheduling tasks). When I found out that the prefetcher requires the task scheduler, which in turn requires DCOM, which leaves port 135 open, I had to choose between using the prefetcher and possibly getting some extra performance, or keeping my system completely closed off. I decided to enable DCOM and get whatever performance boost I could, and have my router (and ZA) block off port 135. Black Viper's page gives some good tips on which services and such can be disabled; for example, I have RASMan and Telephony disabled, because I have a router which doesn't require them. That's why I said to test after each change.

hunangel, you may want to get a packet sniffer and take a look at what exactly is being sent. I find NirSoft’s SmartSniff to be the quickest and easiest to set up and use (actually you don’t really have to install or configure anything other than selecting your network card). You can set it to capture packets while your system is idle network-wise, and look at what is in the packets being sent to give you a clue as to what it may be and where to look.

Edited by Synetech, 25 April 2009 - 02:57 PM.

-- Synetech

#12 hunangel


Posted 27 April 2009 - 03:58 AM

Well, I tried SmartSniff, but I'm not really sure how to read the output. The interesting thing is that although ZA states that the packets are sent out to port 139, I couldn't find that in the log from SmartSniff; the only ports used were 137 and 138. The remote IP was correct.

#13 Synetech


Posted 27 April 2009 - 11:19 AM

Here are some tips to help:

Make sure that you are not downloading anything or have anything running that uses the network, in order to avoid clutter in the logs (e.g., don't use the browser to post here while capturing). Then run TCPView to see what ports are open. Make sure that any established connections close, including any that are waiting. Also make sure that you have the show-unconnected-endpoints option selected. Then you can see which processes have connections open. System or SVCHOST may be listening on a port or two, and that can be okay or not; it depends, but if there are any non-system processes, you will want to look at those first.

You can run SmartSniff and have it capture packets for a while (is it still happening every 13 minutes?). When you see some entries in SmartSniff's log, you can start viewing them right away (while letting it continue capturing packets). SmartSniff will list the IP and ports involved, and the actual data that was sent/received is in the bottom pane. Look at that and see if there is any clear text in the headers or binary data. That will easily help figure out what is going on. If there's no plain text, then there may be something else going on, such as some malware sending encrypted information, that we'll have to ferret out.

-- Synetech
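The triage above boils down to two checks: which outbound attempts go to NetBIOS/SMB ports, and whether they recur on a fixed cadence like the 13 minutes reported in this thread. The following script is an added example, not part of the original thread or of any tool mentioned in it; it runs over constructed log lines in a simplified "date time direction src dst:port" layout (not ZoneAlarm's real log format) and reports destinations contacted at a steady interval.

```python
"""Flag outbound NetBIOS/SMB attempts that recur at a steady cadence."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Ports discussed in the thread: RPC/DCOM, NetBIOS name/datagram/session, SMB.
NETBIOS_SMB_PORTS = {135, 137, 138, 139, 445}

# Constructed sample lines (simplified format, not ZoneAlarm's own): four
# outbound hits to port 139 exactly 13 minutes apart, plus unrelated traffic.
SAMPLE_LOG = """\
2009-04-23 10:04:00 OUT 192.168.1.5 203.0.113.7:139
2009-04-23 10:05:12 OUT 192.168.1.5 198.51.100.20:80
2009-04-23 10:17:00 OUT 192.168.1.5 203.0.113.7:139
2009-04-23 10:22:41 IN 203.0.113.9 192.168.1.5:138
2009-04-23 10:30:00 OUT 192.168.1.5 203.0.113.7:139
2009-04-23 10:43:00 OUT 192.168.1.5 203.0.113.7:139
"""

def parse_line(line):
    """Return (timestamp, direction, src, dst, port) for one log line."""
    date, clock, direction, src, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    stamp = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return stamp, direction, src, dst, int(port)

def outbound_netbios_intervals(log_text):
    """Group outbound NetBIOS/SMB attempts per (dst, port); return gaps in minutes."""
    hits = defaultdict(list)
    for line in log_text.strip().splitlines():
        stamp, direction, _src, dst, port = parse_line(line)
        if direction == "OUT" and port in NETBIOS_SMB_PORTS:
            hits[(dst, port)].append(stamp)
    gaps = {}
    for key, stamps in hits.items():
        stamps.sort()
        gaps[key] = [(b - a).total_seconds() / 60 for a, b in zip(stamps, stamps[1:])]
    return gaps

def beacon_candidates(log_text, tolerance_min=1.0):
    """Return {(dst, port): median gap in minutes} where every gap sits within
    tolerance_min of the median, i.e. the attempts look like a timer, not a user."""
    result = {}
    for key, gaps in outbound_netbios_intervals(log_text).items():
        if len(gaps) >= 2:
            med = median(gaps)
            if all(abs(g - med) <= tolerance_min for g in gaps):
                result[key] = med
    return result
```

A single regular destination on port 139 with no user activity is exactly the pattern worth taking to TCPView or netstat next, to find the process that owns the attempts.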

#14 01d5od


Posted 27 April 2009 - 12:36 PM

You could run netstat -abno at the command prompt to see the connection(s) and the port and process involved:

[Screenshot of netstat output: http://i236.photobucket.com/albums/ff2/Oldsod/netstat.jpg]

Also, the NetBIOS connections (ports 137-139) can be disabled in the Properties of the Internet Protocol (TCP/IP) IF there is no LAN printer/scanner connected/being used or any file sharing done on the home network.

Richard.
ZA Pro & Avira antivirus & SSM Pro & Privoxy & Protowall & Opera for security. Topped off with a limited user account on fully updated XP HE SP3.

#15 hunangel


Posted 27 April 2009 - 01:01 PM

Thanks very much for your advice. I ran SmartSniff again and there is clear text or binary data with every log entry, but the same thing happened again. I got an alert from ZA, but SmartSniff didn't catch the thing. That particular connection from the ZA log is not in the SmartSniff log.
