
Several Firewall Alerts



#1 roczek


Posted 25 June 2010 - 12:23 AM

I have 3 computers behind a Linksys router. They are all wired, it's not wireless. My gf's kids are already kicked off of my computer for getting into things they should get into (intentional, tricked, whatever). Now the other computer they are on now I suspect is the source of the problem from me seeing lots of internet connections trying to connect to my computer all of a sudden. I took a screen shot of one of them. I normally don't see any alerts, I only see my expected programs trying to reach the internet for the first time. Is that combofix.exe something that's OK to run as a scanner? What are some of the best scanners to run? Thanks!

I can't seem to directly attach a screen shot picture. The first one says the firewall blocked access to tcp port 57826 TCP flags: S.



#2 quietman7


Posted 25 June 2010 - 06:11 AM

Please note the message text in blue at the top of this forum.

No one should be using ComboFix unless specifically instructed to do so by a Malware Removal Expert who can interpret the logs. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert." Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.

With that said, two effective security scanning tools are Malwarebytes Anti-Malware and SUPERAntiSpyware Free.

A firewall controls network traffic and serves two basic purposes:
  • Prevent incoming communications that you did not request from entering your computer;
  • Monitor what programs on your computer are allowed to communicate out.
The firewall does this by enforcing an access control policy to permit or block (allow or deny) inbound and outbound traffic. Thus, the firewall acts as a central gateway for such traffic by denying illegitimate transfers and facilitating access which is deemed legitimate. The goal of the firewall is to prevent remote computers from accessing yours and provide notification of any unrequested traffic that was blocked along with the IP address. Keep in mind however, that a firewall is not a panacea to solve all of your security problems. If you will open ports through your firewall to allow access to an infected machine, then the firewall is no longer relevant.

If your firewall provides an alert which indicates it has blocked access to a port that does not necessarily mean your system has been compromised. These alert messages are a response to unrequested traffic from remote computers (an external host) to access a port on your computer.
Alerts are often classified by the network port they arrive on, and they allow the firewall to notify you in various ways about possible penetration and intrusion attempts on your computer. Even if the port is open, the alert message indicates that your firewall has blocked the attempt to access it.
  • What are TCP and UDP ports
  • TCP/UDP Ports Explained
It is not unusual for a firewall to provide numerous alerts regarding such attempted access. Botnets and Zombie computers scour the net, randomly scanning a block of IP addresses, searching for vulnerable ports - commonly probed ports and make repeated attempts to access them. Your firewall is doing its job by blocking this kind of traffic and alerting you about these intrusion attempts. However, not all unrequested traffic is malevolent. Even your ISP will send out regular checks to see if your computer is still there, so you may need to investigate an attempted intrusion. If your computer is sending out large amounts of data, that can indicate that your system may have a virus or a Trojan.

If the alerts become too annoying, you should be able to go into your firewall settings and turn them off (Hide notification messages).

To check whether or not the port in question is open on your system you can use netstat from a command prompt to obtain Local/Foreign Addresses, PID and listening state.
  • netstat /? lists all available parameters that can be used.
  • netstat -a lists all active TCP connections and the TCP and UDP ports on which the computer is listening.
  • netstat -b lists all active TCP connections, Foreign Address, State and process ID (PID) for each connection.
  • netstat -n lists active TCP connections. Addresses and port numbers are expressed numerically and no attempt is made to determine names.
  • netstat -o lists active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p (example: netstat -ano).
You can use Process Monitor, an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity or various network traffic monitoring tools for troubleshooting and malware investigation.

There are third party utilities that will allow you to manage, block, and view detailed listings of all TCP and UDP endpoints on your system, including local/remote addresses, state of TCP connections and the process that opened the port:

Caution: If you're going to start blocking ports, be careful which ones you block or you may lose Internet connectivity. For a list of TCP/UDP ports and notes about them, please refer to:

You can investigate IP addresses and gather additional information at:
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

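The netstat check described in the post above, as an added example that is not part of the original thread: it parses `netstat -ano` output and reports whether anything is actually listening on the port named in a firewall alert (57826 in the first post), along with the owning PID. The sample output, addresses and PIDs are constructed for illustration.

```python
from typing import List, NamedTuple

# Constructed sample of Windows `netstat -ano` output (not from the thread).
SAMPLE = """\
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.100:49712    198.51.100.20:443      ESTABLISHED     3120
  TCP    192.168.1.100:57826    203.0.113.7:80         TIME_WAIT       0
  TCP    [::]:135               [::]:0                 LISTENING       884
  UDP    0.0.0.0:5355           *:*                                    1216
"""

class Endpoint(NamedTuple):
    proto: str
    local_addr: str
    local_port: int
    remote: str
    state: str  # empty for UDP, which has no connection state
    pid: int

def parse_netstat(text: str) -> List[Endpoint]:
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP":
            proto, local, remote, state, pid = f
        elif len(f) == 4 and f[0] == "UDP":
            (proto, local, remote, pid), state = f, ""
        else:
            continue  # banner, column header and blank lines
        addr, _, port = local.rpartition(":")  # keeps "[::]" in one piece
        rows.append(Endpoint(proto, addr, int(port), remote, state, int(pid)))
    return rows

def listening_pids(rows: List[Endpoint], port: int, proto: str = "TCP") -> List[int]:
    """PIDs that hold `port` open for inbound traffic."""
    return sorted({r.pid for r in rows
                   if r.proto == proto and r.local_port == port
                   and (r.state == "LISTENING" or proto == "UDP")})

def states_for_port(rows: List[Endpoint], port: int) -> List[str]:
    """Every TCP state seen on this local port, listening or not."""
    return sorted({r.state for r in rows
                   if r.proto == "TCP" and r.local_port == port})

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    print({p: (listening_pids(rows, p), states_for_port(rows, p)) for p in (57826, 135)})
```

In the constructed sample, port 57826 has no listener and appears only as the local end of a closed outbound connection, while port 135 is held open by PID 884, which can be looked up on the Processes tab in Task Manager.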

#3 roczek


Posted 25 June 2010 - 09:54 AM

I didn't realize Windows had netstat. :thumbsup:

Are either of the tools mentioned above associated with or expected to open connections with 007guard.com ?

#4 quietman7


Posted 25 June 2010 - 12:13 PM

Are you using Spybot S&D? Check the first line in your HOSTS file. If there is no 127.0.0.1 localhost line in your HOSTS file at the very beginning, the local name resolution will look to the first immunization entry which probably is 127.0.0.1 007guard.com.

To view the Hosts file in Notepad, go to Start > Run..., and in the open box, copy/paste or type:
notepad %windir%\system32\drivers\etc\hosts
Click OK.

See this discussion thread with an explanation by Spybot Team in regards to 007guard.com. Windows 7 users should also read here. For more information about 007guard.com and netstat, read:
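The HOSTS file check from the post above, as an added example that is not part of the original thread: it finds the first name mapped to 127.0.0.1, which per the post's explanation is the label local name resolution shows for loopback connections. The file contents are constructed; only 007guard.com comes from the thread, and the function names are hypothetical.

```python
from typing import List, Optional, Tuple

# Constructed HOSTS contents. 007guard.com is the name from the thread; the
# other blocked name uses the reserved .invalid TLD.
IMMUNIZED_ONLY = """\
# immunization entries (constructed sample)
127.0.0.1\t007guard.com
127.0.0.1\twww.blocked-site.invalid   # inline comment
"""
WITH_LOCALHOST = "127.0.0.1       localhost\n" + IMMUNIZED_ONLY

def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [names]) for each entry, in file order."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # strip comments, then tokenize
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries

def first_name_for(text: str, address: str = "127.0.0.1") -> Optional[str]:
    """First name mapped to `address`: the label a reverse lookup of that
    address picks up, per the explanation in the post above."""
    for addr, names in parse_hosts(text):
        if addr == address:
            return names[0]
    return None

def loopback_finding(text: str) -> str:
    name = first_name_for(text)
    if name is None:
        return "no 127.0.0.1 entry in HOSTS"
    if name.lower() == "localhost":
        return "ok: 127.0.0.1 resolves to localhost"
    return f"127.0.0.1 will be labelled '{name}'; add '127.0.0.1 localhost' as the first line"

if __name__ == "__main__":
    print(loopback_finding(IMMUNIZED_ONLY))
    print(loopback_finding(WITH_LOCALHOST))
```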

#5 roczek


Posted 25 June 2010 - 12:42 PM

Yes, I have Spybot S&D and that was the first entry in my hosts file. Lots of good tips here. Thanks!

#6 quietman7


Posted 25 June 2010 - 12:47 PM

You're welcome.



