Need help tracking down firewall log entry


18 replies to this topic

#1 aromack

Posted 24 October 2016 - 05:21 PM

Hi all,

 

I am a bit concerned since my Avast firewall recently started blocking "System" and "Host Process for Windows". When I check the firewall log I have these entries.

 

10/24/16 3:07:24 PM    192.168.1.18    (remote port)161    192.168.10.135  (local port)49173    UDP    Out    System    No rule found

(I have several of these and my network is on the 192.168.10.xxx)

 

Is there a way to find out exactly what is causing this entry and what device is 192.168.1.18?
 




#2 Viper_Security

Posted 24 October 2016 - 05:33 PM

Do you happen to have iTunes installed, or Apple's version of the "cloud"?

 

UDP port 49173 is Apple's XSAN (Storage Area Network) 

 

and to find out which device is that IP you can download, install and run Ze(Nmap)

 

https://nmap.org/zenmap/

 

and in the "Target" field you can type in 192.168.0.1/24

 

that will scan for ANY "Alive" host, then you just have to find the IP on the list to the left and then the main window will tell you all the info it gathered on it.  

 

As for the port 161 that is an SNMP port (Simple Network Management Protocol)

 

Here is more info:

 

http://www.speedguide.net/port.php?port=161


Edited by Viper_Security, 24 October 2016 - 05:37 PM.

    IT Auditor & Security Professional


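A check a practitioner would make at this point, added here as an example and not part of the thread: the entry in post #1 is outbound UDP from local port 49173 to port 161 on 192.168.1.18. Port 161 is the SNMP agent port, so the local machine is the one polling that address with SNMP, and 49173 is simply the ephemeral source port Windows assigned (the default dynamic range starts at 49152). Port-number tables cannot tell you which program did that; asking Windows which process owns the socket can. The PowerShell below is written for this page (not Avast's or Nmap's code), assumes an elevated session on Windows 10 or Server 2016 or later, where Get-NetUDPEndpoint reports the owning PID, and takes its addresses and ports from the log line in post #1.

```powershell
# Added example for this page: not from the thread, Avast or Nmap.
# Assumes Windows 10 / Server 2016 or later (Get-NetUDPEndpoint reports the
# owning PID there) and an elevated PowerShell session.
# The address and ports are the ones in the log line from post #1.
$remoteIp  = '192.168.1.18'
$localPort = 49173          # ephemeral source port Windows picked, not a service

function Get-UdpPortOwner {
    param([int]$Port, [int]$WaitSeconds = 30)
    # UDP has no connection state, and a process that sends a single SNMP
    # request may close its socket at once, so poll for a short while.
    for ($i = 0; $i -lt $WaitSeconds; $i++) {
        $ep = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
        if ($ep) { return ($ep | Select-Object -First 1) }
        Start-Sleep -Seconds 1
    }
    return $null
}

$ep = Get-UdpPortOwner -Port $localPort
if ($ep) {
    $proc = Get-Process -Id $ep.OwningProcess
    "UDP/$localPort is bound by PID $($proc.Id) ($($proc.ProcessName))"
    # "System" or svchost.exe is not an answer on its own; list the services
    # hosted in that process so the log entry can be tied to one of them.
    Get-CimInstance Win32_Service -Filter "ProcessId = $($proc.Id)" |
        Select-Object Name, DisplayName, State
} else {
    "Nothing is bound to UDP/$localPort right now; re-run while the firewall is logging hits."
    "Older Windows: netstat -ano -p UDP | findstr :$localPort"
}

# Who is 192.168.1.18? Reverse DNS first, then the neighbour (ARP) cache. An ARP
# entry only exists if the address is on a directly attached subnet; from a
# 192.168.10.x host, traffic to 192.168.1.18 normally goes via the router.
Resolve-DnsName -Name $remoteIp -ErrorAction SilentlyContinue |
    Select-Object Name, NameHost
Get-NetNeighbor -IPAddress $remoteIp -ErrorAction SilentlyContinue |
    Select-Object IPAddress, LinkLayerAddress, State
```

Run it while the firewall is still logging the blocked packets; the socket is only visible while the sender holds it open. If the owner turns out to be spoolsv.exe or a service inside svchost.exe, that service is the thing to investigate, not the port number.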

#3 aromack (Topic Starter)

Posted 24 October 2016 - 06:02 PM

Hi, thank you very much. I do not have iTunes.

 

When I try the Nmap scan it says:

 

Starting Nmap 7.31 ( https://nmap.org ) at 2016-10-24 16:00 Pacific Daylight Time
NSE: Loaded 142 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 16:00
Completed NSE at 16:00, 0.00s elapsed
Initiating NSE at 16:00
Completed NSE at 16:00, 0.00s elapsed
Initiating Ping Scan at 16:00
dnet: Failed to open device eth0
QUITTING!
 

I am using a wireless adapter.


Edited by aromack, 24 October 2016 - 06:04 PM.


#4 Viper_Security

Posted 24 October 2016 - 06:10 PM

Okay, eth0 is Ethernet. wlan0 is wireless.

 

Did you run the program as admin? If not, run as admin and try again.

 

else:

It most likely failed because of WinPcap. If you have that in your programs list, remove it, run Zenmap as admin and try again.



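Added example, not from the thread or the Nmap project: on Windows, Nmap names every adapter ethN from its own interface table, so the Wi-Fi adapter is often not eth0, and "dnet: Failed to open device eth0" is Nmap picking an interface it cannot open. The usual fix is to read the real name from --iflist and pass it with -e (Npcap must be installed, as the poster later found). The block below assumes Nmap 7.x on PATH, an elevated session, and that the Wi-Fi adapter shows up as eth1, which is an assumption to replace with the DEV value --iflist prints.

```powershell
# Added example for this page (not from the thread or the Nmap project).
# Assumes Nmap 7.x with Npcap installed and on PATH, and an elevated session
# (raw-socket host discovery needs it). 'eth1' is an assumption: use the DEV
# column from --iflist for the wireless adapter.

# 1. List the interfaces Nmap can see and the routes it will use.
nmap --iflist

# 2. Host discovery on the subnet the log entry points at, bound to the Wi-Fi
#    interface. -sn = ping scan only, no port scan; -oG writes greppable output.
$iface = 'eth1'
nmap -sn -e $iface 192.168.1.0/24 -oG .\hosts-192.168.1.gnmap

# Addresses that answered (lines look like "Host: 192.168.1.18 ()  Status: Up").
Select-String -Path .\hosts-192.168.1.gnmap -Pattern 'Status: Up' |
    ForEach-Object { ($_.Line -split '\s+')[1] }

# 3. If 192.168.1.18 ignores ping but something local is talking SNMP to it,
#    probe UDP/161 directly. snmp-sysdescr asks for sysDescr with the default
#    "public" community, which many printers and consumer devices still answer.
nmap -sU -p 161 -e $iface --script snmp-sysdescr 192.168.1.18
```

One caveat specific to this thread: 192.168.1.0/24 is not the poster's own subnet (192.168.10.x), so packets to it leave through the default gateway, and a home router that does not route between the two ranges will return nothing even if the device exists. An empty sweep of that range therefore does not prove the address is unused.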

#5 aromack (Topic Starter)

Posted 24 October 2016 - 06:42 PM

I do not see WinPcap in Add/Remove Programs. I set Zenmap to run as admin and still no go.

I forced my IP address to change just to see if that would do anything, and it still appears.

    10/24/16 4:33:04 PM    192.168.1.18    161    192.168.10.xxx   49173    UDP    Out    System    No rule found
    10/24/16 4:33:04 PM    192.168.1.18    161    192.168.10.xxx    49173    UDP    Out    System    No rule found
    10/24/16 4:33:15 PM    192.168.1.18    161    192.168.10.xxx    49173    UDP    Out    System    No rule found
    10/24/16 4:33:15 PM    192.168.1.18    161    192.168.10.xxx    49173    UDP    Out    System    No rule found

I looked at my connected devices in my router and nothing there either, so it seems my system is trying to broadcast to that 192.168.1.18 address.

 

Edit: I found it as Npcap in Add/Remove and am running the scan over again right now.

It found several open ports for xxx.xxx.1.xxxx; all are port 119 and none are 1.18 :(.


Edited by aromack, 24 October 2016 - 06:49 PM.


#6 Viper_Security

Posted 24 October 2016 - 06:47 PM

Odd. Okay, try this one out; it should be easier for you.

 

http://angryip.org/download/




#7 aromack (Topic Starter)

Posted 24 October 2016 - 07:05 PM

I put 192.168.1.18 as the base IP and the bubble is red with no information. The hostname is my computer name.

IP:    192.168.1.18
Ping:    [n/a]
Hostname:    [n/s]
Ports:    [n/s]
Web detect:    [n/s]
NetBIOS Info:    [n/s]
Filtered Ports:    [n/s]
TTL:    [n/s]


Edited by aromack, 24 October 2016 - 07:07 PM.


#8 Viper_Security

Posted 24 October 2016 - 07:14 PM

Scan your entire network. For the IP range, put in 192.168.0.1 and 255.0.0.0.

 

 

You will get a LOT of nothing there, but it will scan your entire network for live hosts.

 

And if it can't find that IP, what's changed? Did someone leave? Did someone come over? etc.

 

EDIT: it will take a while to scan but it will be accurate.

 

 

Ha, just noticed the "Preferences" button and in "Display" you can make it show only live hosts.


Edited by Viper_Security, 24 October 2016 - 07:17 PM.



#9 aromack (Topic Starter)

Posted 24 October 2016 - 07:29 PM

Well, that came up with a bunch of IPs but none in the .1.xxx range. This just started happening within the last week or so.


Edited by aromack, 24 October 2016 - 07:41 PM.


#10 MDD1963

Posted 24 October 2016 - 07:51 PM

GlassWire is VERY helpful at easily identifying which parent processes (and countries) are responsible for various connections....

 

http://www.filehorse.com/download-glasswire/screenshots/


Edited by MDD1963, 24 October 2016 - 07:56 PM.

Asus Z270A Prime/7700K/32 GB DDR4-3200/GTX1060


#11 aromack (Topic Starter)

Posted 24 October 2016 - 08:23 PM

Well, I found out that port 49173 is the spooler. So does that mean 192.168.1.18 is trying to access a printer that is not there? I do not have a printer attached to this system.



#12 Viper_Security

Posted 24 October 2016 - 08:32 PM

It could be. Too soon to say for sure at the moment.

 

And here is a legitimate link to GlassWire right from their website.

 

https://www.glasswire.com/

 

-----------------------------------------------------------------------------------------

 

You could download wireshark and monitor the packets as they happen.


Edited by Viper_Security, 24 October 2016 - 08:32 PM.



#13 aromack (Topic Starter)

Posted 24 October 2016 - 08:34 PM

Thank you very much, calling it a night for now and back at it tomorrow.  Thanks again for all the help and will keep posted about this.



#14 aromack (Topic Starter)

Posted 25 October 2016 - 10:48 AM

Ok, so this morning I shut down the Print Spooler service. After shutting down the spooler I no longer see the 192.168.1.18 IP address being blocked in my firewall. I then had a couple of other IPs I did not recognize, so I used the tools you guys provided above and was able to find out that it was my DirecTV DVR and clients. After I shut down the SSDP Discovery service those went away.

 

Now it appears that my firewall is blocking my router's IP address and the call is being made to svchost.exe. I also started to see this:

    10/25/16 8:39:18 AM    0.0.0.0    -    224.0.0.1    -    IGMP    In    System    Public/High Risk Zone
 

Also, Windows keeps changing from Home network to Public whenever the system is rebooted.

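The result in post #14 (stopping the spooler stops the UDP/161 traffic) matches a documented Windows behaviour: a printer installed on a Standard TCP/IP port has "SNMP Status Enabled" on by default, and the spooler's port monitor polls the printer's address on UDP/161 for status whether or not the printer still exists. Leaving the Spooler service stopped is a blunt fix; the better check is whether a printer port still points at 192.168.1.18 and to remove it or turn off its SNMP polling. The PowerShell below is an added example (not from the thread), assumes Windows 8 or later with the PrintManagement module and an elevated session, and takes the address from the firewall log. The $printerIsGone switch and the 'Wi-Fi' interface alias are assumptions to adjust.

```powershell
# Added example for this page (not from the thread). Assumes Windows 8 or later
# (PrintManagement and NetConnectionProfile cmdlets) and an elevated session.
$staleAddress  = '192.168.1.18'   # from the firewall log in post #1
$printerIsGone = $true            # assumption: $false keeps the port, only disables SNMP polling

# 1. Which printer ports point at that address, and is SNMP status polling on?
#    Only TCP/IP ports carry these properties. Ports configured by hostname
#    rather than IP will not match this filter; compare Format-List * output.
$ports = Get-PrinterPort | Where-Object { $_.PrinterHostAddress -eq $staleAddress }
$ports | Select-Object Name, PrinterHostAddress, PortNumber, Protocol, SNMPEnabled, SNMPCommunity

# 2. Printers still attached to those ports (a port in use cannot be removed).
$printers = Get-Printer | Where-Object { $ports.Name -contains $_.PortName }
$printers | Select-Object Name, PortName, DriverName

if ($printerIsGone) {
    # 3a. Orphaned printer: remove it and its port, so the spooler has nothing
    #     left to poll and the Spooler service can stay running.
    foreach ($p in $printers) { Remove-Printer -Name $p.Name }
    foreach ($port in $ports) { Remove-PrinterPort -Name $port.Name }
} else {
    # 3b. Real printer, unwanted polling: the Standard TCP/IP port monitor keeps
    #     its switch in the registry as the "SNMP Enabled" DWORD per port.
    foreach ($port in $ports) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports\$($port.Name)"
        if (Test-Path $key) {
            Set-ItemProperty -Path $key -Name 'SNMP Enabled' -Value 0 -Type DWord
        }
    }
}
Restart-Service Spooler

# 4. The profile flipping to Public on reboot: pin the wireless adapter to
#    Private so the Home/Private firewall rules apply. Replace 'Wi-Fi' with the
#    InterfaceAlias that Get-NetConnectionProfile shows.
Get-NetConnectionProfile | Select-Object InterfaceAlias, Name, NetworkCategory
Set-NetConnectionProfile -InterfaceAlias 'Wi-Fi' -NetworkCategory Private
```

On the IGMP line in the same post: a packet from 0.0.0.0 to 224.0.0.1 is a membership query to the all-hosts multicast group, and a 0.0.0.0 source is what a switch or router sends when it issues IGMP snooping queries without an address of its own on that segment. On a LAN with a multicast-streaming DVR that is expected traffic, which is consistent with what the poster found with the SSDP entries.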


#15 Viper_Security

Posted 25 October 2016 - 03:44 PM

"Multicast routers use IGMP to learn which groups have members on each of their attached physical networks" (https://www.rfc-editor.org/rfc/rfc2236.txt). "224.0.0.1 is assigned to the permanent group of all IP hosts (including gateways). This is used to address all multicast hosts on the directly connected network."

 

 

 

IGMP: the feature allows a network switch to listen in on the IGMP conversation between hosts and routers. By listening to these conversations the switch maintains a map of which links need which IP multicast streams.






