
Recommended software to block outbound port access on Windows 2003?


3 replies to this topic

#1 eschulma


Posted 07 November 2013 - 03:27 PM

We've found out that some program is accessing a "bad site" from our Windows 2003 Server (Malwarebytes blocked it, but could not identify the process).

Among the many things I now need to do, I'd like a way to block outbound IP traffic from all but authorized software on the server. Apparently, Windows Firewall on this OS won't do; it only blocks inbound! And most of the firewall add-ons I've seen do not support Windows Server 2003. Any suggestions for firewall software that still supports 2003?





#2 cryptodan


Posted 07 November 2013 - 08:41 PM

How do you connect to the internet, and do you have Universal Plug and Play disabled?

#3 eschulma


Posted 08 November 2013 - 02:19 PM

This is our corporate web and mail server, which has a T1 line. Not sure I understand about Plug and Play?

Netstat showed me the culprit, using

netstat -n -a -b 10 -v | findstr "91.223.82.86"

the parent process is our mail server sending to their port 25. So a software firewall would not have prevented that... though I'd still be interested in finding good firewall options.



#4 cryptodan


Posted 08 November 2013 - 07:09 PM

That IP via nslookup and whois provides the following:

cryptodan@alphacentari:~$ nslookup 91.223.82.86
Server:		96.244.76.115
Address:	96.244.76.115#53

Non-authoritative answer:
86.82.223.91.in-addr.arpa	name = server1.sendmymails.biz.

Authoritative answers can be found from:
82.223.91.in-addr.arpa	nameserver = ns2.rdns.iws.co.
82.223.91.in-addr.arpa	nameserver = ns1.rdns.iws.co.
ns1.rdns.iws.co	internet address = 37.46.127.253
ns2.rdns.iws.co	internet address = 37.46.127.249

cryptodan@alphacentari:~$ whois 91.223.82.86
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '91.223.82.0 - 91.223.82.255'

inetnum:        91.223.82.0 - 91.223.82.255
netname:        IWS-NETWORK
descr:          International Widespread Services Limited
country:        NL
org:            ORG-IWSL2-RIPE
admin-c:        IIWS-RIPE
tech-c:         IIWS-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
mnt-lower:      RIPE-NCC-END-MNT
mnt-by:         EUGSH-MNT
mnt-routes:     EUGSH-MNT
mnt-domains:    EUGSH-MNT
source:         RIPE # Filtered

organisation:   ORG-IWSL2-RIPE
org-name:       International Widespread Services Limited
org-type:       other
address:        Ras Al Khaimah
address:        P.O. Box 1055
address:        UAE
phone:          +971 56 653 9955
remarks:        *************************************************************
remarks:        | We are Internet Services Provider
remarks:        *-----------------------------------------------------------*
remarks:        | In case of Spam/Virus/Portscans/Attacks/Fraud Activity etc
remarks:        | please send an email to abuse@iws.co
remarks:        | for any other questions  info@iws.co
remarks:        | Be friendly ...!
remarks:        | Unfriendly emails will be ignored!
remarks:        *************************************************************
mnt-ref:        IWS-NETWORK
mnt-by:         IWS-NETWORK
source:         RIPE # Filtered

person:         IWS Networks Ltd
address:        International Widespread Services Limited
address:        Ras Al Khaimah
address:        P.O. Box 10559
address:        UAE
phone:          +971 56 653 9955
abuse-mailbox:  abuse@iws.co
abuse-mailbox:  abuse@hostplay.com
nic-hdl:        IIWS-RIPE
mnt-by:         IWS-NETWORK
source:         RIPE # Filtered

% Information related to '91.223.82.0/24AS60778'

route:          91.223.82.0/24
descr:          IWS Networks Ltd.
origin:         AS60778
mnt-by:         EUGSH-MNT
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.69 (WHOIS2)

What process is that IP listening on or using?

You can find out via netstat -ano and comparing that output to the PIDs listed in Task Manager.
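The two replies above describe the same triage step by hand: run netstat with the PID column, find the rows whose foreign address is the suspicious IP, and look those PIDs up in Task Manager. The script below is an added example written for this page (not code from either poster) that automates that matching offline. It parses the text that `netstat -ano` and `tasklist /fo csv` produce on Windows and joins them on PID. Both sample outputs are constructed for the example; the only value taken from the thread is the remote address 91.223.82.86, and the process names (mailserver.exe and so on) are hypothetical placeholders.

```python
import csv
import io
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")

# Constructed sample of `netstat -ano` output (not captured from the poster's server).
# The remote address 91.223.82.86 is the one discussed in the thread.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1234
  TCP    192.0.2.10:3581        91.223.82.86:25        ESTABLISHED     1234
  TCP    192.0.2.10:3582        198.51.100.7:80        ESTABLISHED     2048
  TCP    [::]:135               [::]:0                 LISTENING       700
  UDP    0.0.0.0:53             *:*                                    988
"""

# Constructed sample of `tasklist /fo csv` output; the image names are hypothetical.
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"mailserver.exe","1234","Console","0","45,120 K"
"browser.exe","2048","Console","0","80,004 K"
"dns.exe","988","Console","0","5,220 K"
"""


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port). Works for '[::]:0' and the UDP '*:*' marker."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    """Turn netstat -ano text into Conn records, skipping the header lines."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = fields[0], fields[1], fields[2]
        # UDP rows carry no State column, so the PID is always the last field.
        state = fields[3] if len(fields) == 5 else ""
        pid = int(fields[-1])
        lip, lport = split_endpoint(local)
        rip, rport = split_endpoint(remote)
        conns.append(Conn(proto, lip, lport, rip, rport, state, pid))
    return conns


def parse_tasklist(text):
    """Map PID -> image name from tasklist /fo csv output."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def connections_to(conns, remote_ip):
    """Keep only the sockets whose foreign address is the IP under investigation."""
    return [c for c in conns if c.remote_ip == remote_ip]


def attribute(netstat_text, tasklist_text, remote_ip):
    """Return (pid, image name, remote port, state) for every connection to remote_ip.

    A PID that is no longer in the task list (process exited between the two
    snapshots) is reported as '<unknown>' rather than dropped.
    """
    names = parse_tasklist(tasklist_text)
    hits = connections_to(parse_netstat(netstat_text), remote_ip)
    return [(c.pid, names.get(c.pid, "<unknown>"), c.remote_port, c.state) for c in hits]


if __name__ == "__main__":
    for pid, name, port, state in attribute(SAMPLE_NETSTAT, SAMPLE_TASKLIST, "91.223.82.86"):
        print(f"PID {pid} ({name}) -> 91.223.82.86:{port} {state}")
```

On a real host the two snapshots would come from `netstat -ano > netstat.txt` and `tasklist /fo csv > tasks.txt` taken back to back, then passed to `attribute()`; taking them close together matters because a short-lived process can appear in one listing and not the other, which is why the script reports such PIDs as unknown instead of silently omitting the connection.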
