Unusual firewall entries


3 replies to this topic

#1 langdon auger

Posted 14 March 2010 - 03:36 AM

Hi.

For a while I have been getting a lot of unusual entries on my firewall log (Online Armor). I don't know if they are from an infection or from something trying to infect my computer or just something innocent. I have XP SP3, dialup.

I have done many scans using Avira AV, mbam, SASW, Clam win and a while back Dr Web. They didn't detect anything.

Here is an example of some of the log entries. The types of entries change from time to time.

13/03/10 17:16:07 TCP <- 124.254.68.93:17979, 67.174.203.204:50885
Rule not found. Packet dropped.
13/03/10 17:16:24 TCP <- 124.254.68.93:17979, 67.174.203.204:50885
Rule not found. Packet dropped.
13/03/10 17:16:24 TCP <- 124.254.68.93:17979, 67.174.203.204:50885
Rule not found. Packet dropped.
13/03/10 17:16:24 UDP <- 124.254.68.93:17979, 60.241.84.126:46664
Rule not found. Packet dropped.
13/03/10 17:16:24 TCP <- 124.254.68.93:17979, 60.241.84.126:55705
Rule not found. Packet dropped.
13/03/10 17:16:26 UDP <- 124.254.68.93:17979, 60.241.84.126:46664
Rule not found. Packet dropped.
13/03/10 17:16:27 TCP <- 124.254.68.93:17979, 60.241.84.126:55705
Rule not found. Packet dropped.
13/03/10 17:16:29 UDP <- 124.254.68.93:17979, 60.241.84.126:46664
Rule not found. Packet dropped.
13/03/10 17:16:33 TCP <- 124.254.68.93:17979, 60.241.84.126:55705
Rule not found. Packet dropped.
13/03/10 17:16:35 UDP <- 124.254.68.93:17979, 60.241.84.126:46664
Rule not found. Packet dropped.
13/03/10 17:16:41 UDP <- 124.254.68.93:17979, 113.190.210.172:18486
Rule not found. Packet dropped.
13/03/10 17:16:51 UDP <- 124.254.68.93:17979, 99.63.2.37:57103
Rule not found. Packet dropped.
13/03/10 17:16:51 TCP <- 124.254.68.93:17979, 99.63.2.37:59063
Rule not found. Packet dropped.
13/03/10 17:16:52 UDP <- 124.254.68.93:17979, 99.63.2.37:57103
Rule not found. Packet dropped.
13/03/10 17:16:54 TCP <- 124.254.68.93:17979, 99.63.2.37:59063
Rule not found. Packet dropped.
13/03/10 17:17:00 UDP <- 124.254.68.93:17979, 99.63.2.37:57103
Rule not found. Packet dropped.
13/03/10 17:17:00 TCP <- 124.254.68.93:17979, 99.63.2.37:59063
Rule not found. Packet dropped.
13/03/10 17:17:02 UDP <- 124.254.68.93:17979, 99.63.2.37:57103
Rule not found. Packet dropped.
13/03/10 17:17:27 UDP <- 124.254.68.93:17979, 121.246.242.114:43748
Rule not found. Packet dropped.
13/03/10 17:17:29 UDP <- 124.254.68.93:17979, 124.13.83.160:12129
Rule not found. Packet dropped.
13/03/10 17:17:30 TCP <- 124.254.68.93:17979, 79.45.231.60:2926
Rule not found. Packet dropped.
13/03/10 17:17:33 TCP <- 124.254.68.93:17979, 79.45.231.60:2926
Rule not found. Packet dropped.
13/03/10 17:17:39 TCP <- 124.254.68.93:17979, 79.45.231.60:2926
Rule not found. Packet dropped.
13/03/10 17:17:47 UDP <- 124.254.68.93:17979, 130.89.162.97:17011
Rule not found. Packet dropped.
13/03/10 17:17:55 UDP <- 124.254.68.93:17979, 60.241.84.126:46664
Rule not found. Packet dropped.
13/03/10 17:17:55 TCP <- 124.254.68.93:17979, 60.241.84.126:56031
Rule not found. Packet dropped.
13/03/10 17:17:57 UDP <- 124.254.68.93:17979, 60.241.84.126:46664
Rule not found. Packet dropped.
13/03/10 17:17:58 TCP <- 124.254.68.93:17979, 60.241.84.126:56031
Rule not found. Packet dropped.
13/03/10 17:18:00 UDP <- 124.254.68.93:17979, 60.241.84.126:46664
Rule not found. Packet dropped.
13/03/10 17:18:04 UDP <- 124.254.68.93:17979, 70.100.9.118:20095
Rule not found. Packet dropped.
13/03/10 17:18:04 TCP <- 124.254.68.93:17979, 60.241.84.126:56031
Rule not found. Packet dropped.
13/03/10 17:18:06 UDP <- 124.254.68.93:17979, 60.241.84.126:46664
Rule not found. Packet dropped.



#2 quietman7

Posted 14 March 2010 - 10:57 AM

Your log indicates the packet was dropped for various TCP/UDP addresses.

Packet loss occurs when one or more packets of data traveling across a computer network fail to reach their destination. Packet loss is distinguished as one of the three main error types encountered in digital communications; the other two being bit error and spurious packets caused due to noise.

http://en.wikipedia.org/wiki/Packet_loss

An IP address (Internet Protocol address) is a unique address used to identify a computer and communicate with other computers. Computers can use static or dynamic (DHCP) IP addresses. A static IP address is a number assigned to a computer by an Internet service provider (ISP) and intended to be its permanent (fixed) address on the Internet, thus, it will not change.

You can investigate IP addresses and gather additional information at:
For example, a search of the IP in this entry:

13/03/10 17:16:07 TCP <- 124.254.68.93:17979, 67.174.203.204:50885
Rule not found. Packet dropped.

provides this information.

A port (TCP/UDP) is an address associated with a particular process on a computer. Ports have a unique number in the header of a data packet that is used to map this data to that process. Port numbers are divided into three ranges: Well Known Ports, Registered Ports, and Dynamic/Private Ports. Default port values for commonly used TCP/IP services have values lower than 255 and Well Known Ports have numbers that range from 0 to 1023. Registered Ports range from 1024 to 49151 and Dynamic/Private Ports range from 49152 to 65535. An "open port" is a TCP/IP port number that is configured to accept packets while a "closed port" is one that is set to deny all packets with that port number.
  • What are TCP and UDP ports
  • TCP/UDP Ports Explained

If your firewall provides an alert which indicates it has blocked access to a port that does not necessarily mean your system has been compromised. These alert messages are a response to unrequested traffic from remote computers (an external host) to access a port on your computer. Alerts are often classified by the network port they arrive on, and they allow the firewall to notify you in various ways about possible penetration and intrusion attempts on your computer. It is not unusual for a firewall to provide numerous alerts regarding such attempted access. However, not all unrequested traffic is malevolent. Even your ISP will send out regular checks to see if your computer is still there, so you may need to investigate an attempted intrusion.

You can use netstat, a command-line tool that displays incoming and outgoing network connections, from a command prompt to obtain Local/Foreign Addresses, PID and listening state.
  • netstat /? lists all available parameters that can be used.
  • netstat -a lists all active TCP connections and the TCP and UDP ports on which the computer is listening.
  • netstat -b lists all active TCP connections, Foreign Address, State and process ID (PID) for each connection.
  • netstat -n lists active TCP connections. Addresses and port numbers are expressed numerically; no attempt is made to determine names.
  • netstat -o lists active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p (example: netstat -ano).
-- If the port in question is listed as "Listening" there is a possibility that it is in use by a Trojan server but your firewall, if properly configured, should have blocked any attempt to access it.

Online Port Scan allows you to scan individual TCP ports to determine if the device is listening on that port. There are third party utilities that will allow you to manage, block, and view detailed listings of all TCP and UDP endpoints on your system, including local/remote addresses, state of TCP connections and the process that opened the port:

Caution: If you're going to start blocking ports, be careful which ones you block or you may lose Internet connectivity. For a list of TCP/UDP ports and notes about them, please refer to:

Edited by quietman7, 14 March 2010 - 10:58 AM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
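
An added example (not part of the original posts, and not Online Armor or BleepingComputer code) of the workflow described in the reply above: take the port the dropped packets were addressed to, classify it with the port ranges quoted there, and check `netstat -ano` output for a process bound to it. The log and netstat samples are constructed, the PIDs are made up, and the code assumes the first endpoint on each log line is the local machine.

```python
import re
from collections import Counter

# Constructed log in the thread's format (RFC 5737 addresses). Assumption:
# the first endpoint on each line is the local machine.
FW_LOG = """\
13/03/10 17:16:07 TCP <- 192.0.2.10:17979, 198.51.100.7:50885
Rule not found. Packet dropped.
13/03/10 17:16:24 UDP <- 192.0.2.10:17979, 203.0.113.5:46664
Rule not found. Packet dropped.
13/03/10 17:16:24 TCP <- 192.0.2.10:17979, 203.0.113.5:55705
Rule not found. Packet dropped.
"""
# Constructed `netstat -ano` output (Windows layout); the PIDs are made up.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       964
  TCP    0.0.0.0:17979          0.0.0.0:0              LISTENING       2312
  UDP    0.0.0.0:17979          *:*                                    2312
"""
ENTRY = re.compile(r"^\S+ \S+ (TCP|UDP) \S+ [\d.]+:(\d+), [\d.]+:\d+$")

def port_range(port):
    """Classify a port using the three ranges given in the reply above."""
    if port <= 1023:
        return "well-known"
    return "registered" if port <= 49151 else "dynamic/private"

def dropped_targets(log_text):
    """Count dropped packets per (protocol, first-endpoint port)."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    pairs = ((ENTRY.match(h), v) for h, v in zip(lines, lines[1:]))
    return Counter((m.group(1), int(m.group(2))) for m, v in pairs
                   if m and "Packet dropped" in v)

def owners(netstat_text, proto, port):
    """PIDs bound to proto/port: TCP rows must be LISTENING, UDP rows carry no state."""
    pids = set()
    for row in netstat_text.splitlines():
        f = row.split()
        if len(f) < 4 or f[0] != proto or not f[1].endswith(f":{port}"):
            continue
        if proto == "UDP" or f[3] == "LISTENING":
            pids.add(int(f[-1]))
    return pids

def triage(log_text, netstat_text):
    """Map each dropped (proto, port) to its count, port range and owning PIDs."""
    return {k: (n, port_range(k[1]), owners(netstat_text, *k))
            for k, n in dropped_targets(log_text).items()}
```

An empty PID set for a port means nothing was bound to it when netstat ran; a non-empty one gives the PID to look up on the Processes tab in Task Manager.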


#3 langdon auger

Posted 15 March 2010 - 04:27 AM

Thanks, I will work through what you have posted and see where it gets me.

#4 quietman7

Posted 15 March 2010 - 08:33 AM

You're welcome.