I have too much firewall activity


Ian

In my firewall logs, I am getting information sent to my computer every 4
secs or so. I am currently using the new XP SP2 firewall but I also got the
similar activity when I used Zonealarm. The IP addresses vary but tend to
start with 81.156, as an example:


2004-08-26 22:08:30 DROP TCP 81.156.185.233 81.156.58.12 4141 445 48 S 3869061011 0 65535 - - - RECEIVE
2004-08-26 22:08:36 DROP TCP 81.156.249.172 81.156.58.12 4195 445 48 S 1738999339 0 65535 - - - RECEIVE
2004-08-26 22:08:36 DROP TCP 81.156.249.172 81.156.58.12 4199 1433 48 S 1739036499 0 65535 - - - RECEIVE
2004-08-26 22:08:39 DROP TCP 81.156.231.115 81.156.58.12 4316 445 48 S 4243233531 0 65535 - - - RECEIVE
2004-08-26 22:08:39 DROP TCP 81.156.249.172 81.156.58.12 4195 445 48 S 1738999339 0 65535 - - - RECEIVE
2004-08-26 22:08:39 DROP TCP 81.156.249.172 81.156.58.12 4199 1433 48 S 1739036499 0 65535 - - - RECEIVE

I have set my firewall settings to allow echo or ping, but as you can see I
still get plenty of activity. I have AVG antivirus up to date and also use
Pandascan antivirus web checker and I run spybot and lavasoft adaware often.
Can anyone help?



--
Ian
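As an added example (not code from anyone in this thread), a small Python script that parses entries in the XP SP2 firewall log format Ian quoted and summarises them for a reader: which destination ports were hit, which sources sent them, how many entries are retransmissions of one unanswered SYN rather than fresh probes, and how many sources share the destination's first two octets. The sample is the six log lines from the post; the field names, the /16 grouping and the retransmission heuristic are my assumptions, not part of the original.

```python
from collections import Counter
from datetime import datetime

# Constructed sample: the six entries quoted in the post above, one per line.
SAMPLE_LOG = """\
2004-08-26 22:08:30 DROP TCP 81.156.185.233 81.156.58.12 4141 445 48 S 3869061011 0 65535 - - - RECEIVE
2004-08-26 22:08:36 DROP TCP 81.156.249.172 81.156.58.12 4195 445 48 S 1738999339 0 65535 - - - RECEIVE
2004-08-26 22:08:36 DROP TCP 81.156.249.172 81.156.58.12 4199 1433 48 S 1739036499 0 65535 - - - RECEIVE
2004-08-26 22:08:39 DROP TCP 81.156.231.115 81.156.58.12 4316 445 48 S 4243233531 0 65535 - - - RECEIVE
2004-08-26 22:08:39 DROP TCP 81.156.249.172 81.156.58.12 4195 445 48 S 1738999339 0 65535 - - - RECEIVE
2004-08-26 22:08:39 DROP TCP 81.156.249.172 81.156.58.12 4199 1433 48 S 1739036499 0 65535 - - - RECEIVE
"""

# Field order of the XP SP2 pfirewall.log entries (assumed; matches the sample).
FIELDS = ("date", "time", "action", "protocol", "src_ip", "dst_ip", "src_port",
          "dst_port", "size", "tcpflags", "tcpsyn", "tcpack", "tcpwin",
          "icmptype", "icmpcode", "info", "path")

def parse_line(line):
    """Return one entry as a dict, or None for blank, header or malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0].startswith("#"):
        return None
    entry = dict(zip(FIELDS, parts))
    entry["when"] = datetime.strptime(entry["date"] + " " + entry["time"],
                                      "%Y-%m-%d %H:%M:%S")
    return entry

def summarise(text):
    """Summarise dropped inbound entries: ports hit, sources, retransmits, timing."""
    drops = [e for e in map(parse_line, text.splitlines())
             if e and e["action"] == "DROP" and e["path"] == "RECEIVE"]
    # The same source socket with the same SYN sequence number logged twice is
    # the sender retransmitting one unanswered attempt, not a second probe.
    attempts = {(e["src_ip"], e["src_port"], e["dst_port"], e["tcpsyn"]) for e in drops}
    # Sources sharing the destination's first two octets are likely neighbours
    # in the same ISP address block (a rough heuristic, assumed here).
    same_net = sum(e["src_ip"].split(".")[:2] == e["dst_ip"].split(".")[:2] for e in drops)
    times = [e["when"] for e in drops]
    return {
        "drops": len(drops),
        "distinct_attempts": len(attempts),
        "by_port": dict(Counter(e["dst_port"] for e in drops)),
        "by_source": dict(Counter(e["src_ip"] for e in drops)),
        "same_prefix16": same_net,
        "span_seconds": (max(times) - min(times)).total_seconds() if times else 0.0,
    }

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

On the sample, six dropped entries collapse to four distinct connection attempts (two are retransmitted SYNs), all against ports 445 and 1433 and all from the same 81.156 block as the destination.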
 

Dennis Lazo

ian,

your activity log shows nothing out of the ordinary. port 445 is basically
the port that other computers check to see if you are on a network, and this
is done basically by other computers on the same network as you. however, as
some firewalls do not have outbound blocking (like windows firewall), there
will be computers which will be probing port 445 of other computers even
when they are not on the same network.

more info on port 445:
http://grc.com/port_445.htm

hope this helps.
--
Regards,
Dennis Lazo

the email address from where this message has been sent from is unmonitored.
your replies may not be received. replies may be sent at
http://dennislazo.com/email/.
information herein is provided as is with no warranties, and confers no
rights.
 

Ian

Thanks, very helpful. Does this high level of activity slow down my
computer or internet connection though?

Ian
 

Ian

just a thought, I have SP2 and was wondering why a fix for this hadn't been
established...
 

Dennis Lazo

ian,

you are welcome.

the level of activity should not slow down your computer or internet
activity as these "probes" are so minimal you won't even notice. in fact,
you may not have even noticed it at all if you were not scanning the logs,
right? LOL!

anyways, it is good that you have a firewall. port scans may be done by
crackers, worms, trojans, etc, to see if your computer is "on the net" and
if they could "invade" you. a good firewall can block all the scanning and
make the prober believe that your computer is in fact not connected to the
net.

also, it would be wise if you could block ping and icmp echo.

if you would like to check if your computer is "not available to everyone"
you may check https://www.grc.com/x/ne.dll?bh0bkyd2

hope this helps.
--
Regards,
Dennis Lazo

 

Lanwench [MVP - Exchange]

How is your system supposed to stop other computers from trying to connect
to you? All it can do is stop them from accomplishing it.
 

Tom Pepper Willett

That's exactly what a firewall is for: to prevent them from breaking in.

You can't control what someone else's computer does. You can only control
your computer.

Tom
 

Ian

Thanks, I visited the GRC site and this is what the report stated:

Attempting connection to your computer. . .
Shields UP! is now attempting to contact the Hidden Internet Server
within your PC. It is likely that no one has told you that your own personal
computer may now be functioning as an Internet Server with neither your
knowledge nor your permission. And that it may be serving up all or many of
your personal files for reading, writing, modification and even deletion by
anyone, anywhere, on the Internet!
Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE!
Standard Internet behaviour requires port connection attempts to be answered
with a success or refusal response. Therefore, only an attempt to connect to
a nonexistent computer results in no response of either kind. But YOUR
computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which
represents advanced computer and port stealthing capabilities. A machine
configured in this fashion is well hardened to Internet NetBIOS attack and
intrusion.
Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED.
(This is very uncommon for a Windows networking-based PC.) Relative to
vulnerabilities from Windows networking, this computer appears to be VERY
SECURE since it is NOT exposing ANY of its internal NetBIOS networking
protocol over the Internet.



Everything looks fine, as you said it might be, except for the first paragraph
about my pc acting as an internet server. What do you think? Really
helpful responses by the way, I appreciate it.

Ian
 

Alex Nichol

Ian said:
Thanks, very helpful. Does this high level of activity slow down my
computer or internet connection though?

No - but blocking that port is very necessary. It is the one the BLAST
and Sasser worms got in through, and your messages probably represent
attacks from them (they were running to hundreds an hour at one point).
You need to stop them as early as possible; blocking the vulnerability
once they get through should also be done, but would be a bigger
overhead than shutting the door in their face.
 
