
Horrified at what I find in my Firewall Report

Discussion in 'Security and Privacy' started by WFC_Exile, 2003/01/03.

Thread Status:
Not open for further replies.
  1. 2003/01/03
    WFC_Exile

    WFC_Exile Inactive Thread Starter

    Joined:
    2002/01/12
    Messages:
    97
    Likes Received:
    0
    (Please repost this if this is the wrong forum)

    Bought the new version of McAfee which includes a firewall. Finally got around to turning it on (I'm on a cable modem connection). I'm blown away by the number of servers trying to send me TCP and UDP packets. Some of the server IP addresses trying to hit me are registered to what seem to be legit companies (e.g. a pharmaceutical company); they just have nothing to do with me. Conversely, I seem to be transmitting (but now blocking) outgoing TCP packets to sites I've never heard of (although I can ID a few - I don't know why I'm sending them info).
    What the heck is going on? Since this morning I've logged over 64 warnings of blocked transmissions to/from my computer.
    Can anyone give me a clue or direct me to a resource so I can learn what is happening here? I'm almost wishing I hadn't turned it on.

    Thanks
     
  2. 2003/01/03
    Daizy

    Daizy Inactive

    Joined:
    2002/02/19
    Messages:
    2,965
    Likes Received:
    0
    Hi WFC_Exile
    Let the firewall do its job......and it sounds like it is. Ignore the "probes".
    That your computer is trying to call out......is a concern. You might want to install and run Ad-aware?

    Daizy
     


  4. 2003/01/03
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Surely can!


    Spy/Adware!

    Download and install and run the below:

    Spyware and adware removal

    http://security.kolla.de/index.php?lang=en&page=download

    http://www.lavasoftusa.com/downloads.html

    This will get rid of the programs on your computer that are trying to get out (at the same time killing performance and causing stability problems). Remove all they find.

    Now as for the ones trying to come in. This will reduce it by some because you got rid of the invitations. But the rest of the probes are plentiful and normal. Not new, but been there the whole time Norton Firewall just allowed you to see and be aware of them.

    Mike
     
  5. 2003/01/03
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Oops, special lady


    Crossed in the mail. Grin...........

    mike
     
  6. 2003/01/03
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    http://grc.com/dos/drdos.htm
    Read the page above, while I am not saying that you are being used for a DrDOS attack, it will explain how TCP and UDP packets are used to connect over the internet.
     
  7. 2003/01/04
    WFC_Exile

    WFC_Exile Inactive Thread Starter

    Joined:
    2002/01/12
    Messages:
    97
    Likes Received:
    0
    Thanks Daizy and MFlynn - I'm already running Ad Aware and I delete the items it finds regularly, however they haven't updated their reference file since September, so I'm sure it's missing stuff. I will also install and run the Kolla program as well now. I also have a third called Spybot which I have not yet installed - time to do it, I now see. Never quite understood what they were protecting me from - now I do.

    Thanks MarkP62 - for the link to the excellent white paper. When I digest it all I think I will know a lot more than I do now about the problem and the process.

    What's really scary is the clowns from inside legit non-internet corporations probing me with PC Anywhere and similar apps. What are they hoping to find / do? Anyone know why someone does this?

    Thanks - I love this bbs!
     
  8. 2003/01/04
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Well PcAnywhere is just scanning for the IP it has been told to connect to. This is normal.

    The rest are doing similar some good some bad.

    If you are clean on the inside (no spy/adware or virus) and the permissions list in the firewall is clean, FORGET the rest! Or play with them until they get uninteresting, but at this stage they are causing no problem.

    Yes, the Adaware has an old def but still run it! But more importantly, run it in combo with Spybot, which is the other link I sent. If you use the one you have and it is a few weeks old, update it before you run it!

    mike
     
  9. 2003/01/04
    WFC_Exile

    WFC_Exile Inactive Thread Starter

    Joined:
    2002/01/12
    Messages:
    97
    Likes Received:
    0
    Wanted to let you know that Spybot stopped the outgoing packets completely. Some of them were coming from what were supposed to be opt-out cookies (which I had sought from their web site) from Hitbox and some of their other companies. Not quite true, I think. Also, I was surprised at all the buried logs and recent file lists (like the Word Document file log going back years!). Burned that one and soon some others as well. The guys in Singapore doing port scans are becoming boring already :)

    Anyway, thanks again all!

    WFC Exile
     
  10. 2003/01/04
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    10-4 to that

    Good

    mike

    Daizy backspacing all the splats is getting to me
     
  11. 2003/01/04
    Daizy

    Daizy Inactive

    Joined:
    2002/02/19
    Messages:
    2,965
    Likes Received:
    0
    :D :D :p
    Hardly recognize that it's you Mike!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
     
  12. 2003/01/04
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    More important than WHO is trying to connect or WHO is scanning you is "WHAT OPEN PORTS are they looking for".

    This will give you a clue as to what the probers are up to:
    http://www.iana.org/assignments/port-numbers
     
  13. 2003/01/05
    keywester

    keywester Inactive

    Joined:
    2002/12/20
    Messages:
    257
    Likes Received:
    0
    spybot error messages

    Speaking of Spybot, I have noticed when I run it that, although I get an "all clear" on spyware, I get a load of messages with a red exclamation point for the "Windows Registry", annotating what would appear to be errors, with descriptions like "missing shared DLL" and "wrong app path" with references to numerous paths for system components that seem to be working just fine. Anyone able to save me some time and fill me in on what this is all about??? :confused: :cool:
     
  14. 2003/01/05
    WFC_Exile

    WFC_Exile Inactive Thread Starter

    Joined:
    2002/01/12
    Messages:
    97
    Likes Received:
    0
    Ok. Making progress. One thing pops out. I am continually rejecting packets from 10.39.160.1.

    It's constant. Every 2-3 minutes. Don't really know how to look these things up. However did a Google search on the IP and found this: http://cryptome.org/gov-deepnet.htm

    Does anyone know anything about this or what it represents? It's a little creepy to be sure. Seems to be related to government monitoring of internet traffic. Anyone else find this IP address on their intrusion reports?
     
    Last edited: 2003/01/05
  15. 2003/01/05
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    I used a program named IPLookup and came up with this.

    OrgName: Internet Assigned Numbers Authority
    OrgID: IANA

    NetRange: 10.0.0.0 - 10.255.255.255
    CIDR: 10.0.0.0/8
    NetName: RESERVED-10
    NetHandle: NET-10-0-0-0-1
    Parent:
    NetType: IANA Special Use
    NameServer: BLACKHOLE-1.IANA.ORG
    NameServer: BLACKHOLE-2.IANA.ORG
    Comment: This block is reserved for special purposes.
    Please see RFC 1918 for additional information.

    RegDate:
    Updated: 2002-09-12

    OrgTechHandle: IANA-ARIN
    OrgTechName: Internet Corporation for Assigned Names and Number
    OrgTechPhone: +1-310-823-9358
    OrgTechEmail: res-ip@iana.org

    Hmmm, has me wondering! I do not recall ever coming up with an IP starting with 10 before.
     
  16. 2003/01/05
    WFC_Exile

    WFC_Exile Inactive Thread Starter

    Joined:
    2002/01/12
    Messages:
    97
    Likes Received:
    0
    Did you take a look at the link? Also, I found somewhere else that that block of numbers is supposed to be reserved for private internets (i.e. inside a company).

    In the time I've been writing this (2 min), I've blocked two packets already. Here is some more detail from the firewall report:

    McAfee Firewall automatically blocked incoming traffic from IP address 10.39.160.1. You have configured McAfee Firewall to always block traffic to or from this address. The IP protocol type was 17 [UDP]. The remote address associated with the traffic was 10.39.160.1. The network adapter for the traffic was "Linksys LNE100TX(v5) Fast Ethernet Adapter ".

    The binary data contained in the packet was "ff ff ff ff ff ff 00 09 12 87 9c 54 08 00 45 00 01 48 29 b8 00 00 ff 11 e6 c4 0a 27 a0 01 ff ff ff ff 00 43 00 44 01 34 37 36 02 01 06 00 ba 3e 05 0e 00 00 80 00 00 00 00 00 00 00 00 00 00 00 66 66 20 66 66 20 66 66 20 66 66 20 66 66 20 66 66 20 30 30 20 30 39 20 31 32 20 38 37 20 39 63 20 35 34 20 30 38 20 30 30 20 34 35 20 30 30 20 30 31 20 34 38 20 32 39 20 62 38 20 30 30 20 30 30 20 66 66 20 31 31 20 65 36 20 63 34 20 30 61 20 32 37 20 61 30 20 30 31 20 66 66 20 66 66 20 66 66 20 66 66 20 30 30 20 34 03

    The binary data contained in the packet was "%s "

    Name: Unknown
    IP Address: 10.39.160.1
    Location: Unknown
    Network: RESERVED-10

    The Internet Assigned Numbers Authority (IANA) has reserved this IP address
    for private Internets.


    Registrant contact information is not available.


    Does this mean anything to anyone? (I have now blocked 10 incoming TCP packets from this site in the last 6 minutes.)
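The hex dump quoted in the post above can be read by hand, which is exactly the "what ports are they looking for" check TonyT recommended earlier in the thread. As an added worked example that is not part of the thread and is not McAfee's or any poster's code, the Python script below decodes the first 54 bytes of that dump (Ethernet, IPv4 and UDP headers) plus the first 12 bytes of the UDP payload. The port-name table is a hand-picked subset of the IANA assignments TonyT linked; the remainder of the dump is omitted because, in the post, it continues as the ASCII text of the same hex (0x66 0x66 0x20 is "ff ") rather than further packet bytes.

```python
"""Decode the Ethernet/IPv4/UDP headers of a firewall-log packet dump."""
import ipaddress
import struct

# Bytes copied from the hex dump quoted in the post above: 14-byte Ethernet
# header, 20-byte IPv4 header, 8-byte UDP header, then the first 12 bytes of
# the UDP payload. Nothing here is invented; only the tail of the dump is cut.
PACKET_HEX = (
    "ff ff ff ff ff ff 00 09 12 87 9c 54 08 00 "        # Ethernet
    "45 00 01 48 29 b8 00 00 ff 11 e6 c4 0a 27 a0 01 "  # IPv4, first 16 bytes
    "ff ff ff ff "                                      # IPv4 destination
    "00 43 00 44 01 34 37 36 "                          # UDP
    "02 01 06 00 ba 3e 05 0e 00 00 80 00"               # BOOTP/DHCP fixed fields
)

# Hand-picked subset of the IANA port assignments; extend as needed.
PORT_NAMES = {
    53: "domain (DNS)",
    67: "bootps (DHCP server)",
    68: "bootpc (DHCP client)",
    137: "netbios-ns",
    139: "netbios-ssn",
    445: "microsoft-ds",
    5631: "pcanywheredata",
    5632: "pcanywherestat",
}
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def decode_headers(hex_dump: str) -> dict:
    """Parse Ethernet, IPv4 and TCP/UDP headers (and DHCP fixed fields) from a dump."""
    raw = bytes.fromhex(hex_dump)
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not an IPv4 frame: ethertype 0x{ethertype:04x}")

    ip = raw[14:]
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("IP version is not 4")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes (20 when no options)
    src_addr = ipaddress.IPv4Address(src)
    dst_addr = ipaddress.IPv4Address(dst)

    info = {
        "src_mac": src_mac.hex(":"),
        "dst_mac": dst_mac.hex(":"),
        "src_ip": str(src_addr),
        "dst_ip": str(dst_addr),
        "src_private": src_addr.is_private,   # True for RFC 1918 space such as 10.0.0.0/8
        "dst_broadcast": dst_addr == ipaddress.IPv4Address("255.255.255.255"),
        "ttl": ttl,
        "protocol": proto,                    # 17 matches the "[UDP]" line in the report
        "protocol_name": IP_PROTOCOLS.get(proto, "other"),
        "ip_total_length": total_len,
    }

    if proto in (6, 17):
        transport = ip[ihl:]
        sport, dport = struct.unpack("!HH", transport[:4])   # same layout for TCP and UDP
        info.update(src_port=sport, dst_port=dport,
                    src_service=PORT_NAMES.get(sport, "unassigned/unknown"),
                    dst_service=PORT_NAMES.get(dport, "unassigned/unknown"))
        if proto == 17 and {sport, dport} == {67, 68}:
            payload = transport[8:]                           # UDP header is fixed at 8 bytes
            if len(payload) >= 12:
                op, _htype, _hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", payload[:12])
                info["dhcp_op"] = {1: "BOOTREQUEST", 2: "BOOTREPLY"}.get(op, f"op {op}")
                info["dhcp_xid"] = f"0x{xid:08x}"
                info["dhcp_broadcast_flag"] = bool(flags & 0x8000)
    return info


def describe(info: dict) -> str:
    """One-line, human-readable summary of a decoded packet."""
    line = (f"{info['src_ip']}:{info.get('src_port', '-')} -> "
            f"{info['dst_ip']}:{info.get('dst_port', '-')} {info['protocol_name']}")
    if "src_port" in info:
        line += f" ({info['src_service']} -> {info['dst_service']})"
    if "dhcp_op" in info:
        line += f", DHCP {info['dhcp_op']}"
        if info["dhcp_broadcast_flag"]:
            line += " with broadcast flag set"
    if info["src_private"]:
        line += "; source is an RFC 1918 private address"
    return line


if __name__ == "__main__":
    decoded = decode_headers(PACKET_HEX)
    for key, value in decoded.items():
        print(f"{key:20} {value}")
    print(describe(decoded))
```

Running it shows the source 10.39.160.1 sending UDP from port 67 to port 68 at the broadcast address 255.255.255.255, with a BOOTP op code of 2 (BOOTREPLY); 67 and 68 are the IANA-registered DHCP server and client ports, and the source address falls in the reserved 10.0.0.0/8 block the whois output above describes. Decoding the ports and destination before the sender's identity is the order of checks TonyT's post suggests.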
     
  17. 2003/01/05
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    I did a google, and discovered that it is not its IP, it only contains the IP on the webpage. The IP on your link is 161.58.201.197.
    I am guessing that you do not have a network installed. A thought did occur to me if you do have a network card and if it is wireless....
     
    Last edited: 2003/01/05
  18. 2003/01/06
    WFC_Exile

    WFC_Exile Inactive Thread Starter

    Joined:
    2002/01/12
    Messages:
    97
    Likes Received:
    0
    Mark,

    I think you missed what I was trying to indicate.

    161.58.201.197 is the IP for 'cryptome.org', however if you examine the Visual Route Report found on the page from the link (http://cryptome.org/gov-deepnet.htm), hop # 1 is the same IP address (10.39.160.1) which is hitting me with TCP packets every two minutes, every second my computer is on.

    The same is true for the second Visual Route Report for 'jya.com'.

    I'm trying to figure out what 10.39.201.1 is. It's not a normal IP address.
     
  19. 2003/01/06
    WFC_Exile

    WFC_Exile Inactive Thread Starter

    Joined:
    2002/01/12
    Messages:
    97
    Likes Received:
    0
    New info: It's a forged IP address. My ISP security department is investigating. The address range 10.0.0.0 - 10.255.255.255 is reserved for internal (corporate intranet) use only.
     
  20. 2003/01/06
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    I did understand what the 10 IP is. That is how I came up with the thought of a wireless network card working, someone in the neighborhood.
     
  21. 2003/01/08
    Panda Lifetime Subscription

    Panda Inactive

    Joined:
    2002/01/07
    Messages:
    498
    Likes Received:
    0
    Someone recommended using ARIN to look up IPs. Maybe this one will give you a better idea on what that IP is. Just wanted to pass this on FYI.

    :)
     