Topic: Strange Intrusion Attempt.

WARP-10
Strange Intrusion Attempt.
« on: January 21, 2010, 02:47:34 pm »
Does anyone know why the IP 4.79.142.206 at Level 3 Communications, Inc. on port 47538 would want to access C:\WINDOWS\system?

PCBruiser
Re: Strange Intrusion Attempt.
« Reply #1 on: January 21, 2010, 02:57:13 pm »
Hi, That is not an IANA assigned port.  It can be used informally by software as a forwarded port, or for inquiring about updates to the software, etc.  Have you recently installed any new software?  Level 3 is one of the large high level ISPs, so that in itself is not necessarily any problem.  What firewall (hardware or software) do you have?
Don't Read?  Can't learn!

WARP-10
Re: Strange Intrusion Attempt.
« Reply #2 on: January 22, 2010, 07:18:16 pm »
What I am interested in is stopping that port 47538 from sending out a closed response. Along with 3 other ports doing the same thing.

I like all my ports to be stealth, but it really isn't stealth if some program is sending out a closed response, because that only tips off any network/port sniffers that there really is a computer at that IP address when otherwise it would be invisible for lack of responses.

Yesterday I installed a2 AntiMalware just to check it out. I think that might be the source of the talking port because I turned that off in MSCONFIG and now all my ports are stealth again.

I can go turn it back on again, reboot and reconnect, check again to see if that program is the one giving my presence away on those ports to any potential interest that isn't the IP that I may currently have a connection with.
« Last Edit: January 22, 2010, 07:25:16 pm by WARP-10 »

PCBruiser
Re: Strange Intrusion Attempt.
« Reply #3 on: January 23, 2010, 07:44:23 am »
Hi,

Here is a great little monitoring program which will watch and record all your packet flows, both in and out, by application.  The log/reporting has filtering capabilities so you can reduce the fairly large volume that the report can grow to.  Download this:

http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

Start it either when your system starts or afterward, go about your business, and just let it run in the background for a day or so.  That will tell you what is happening, or at least what programs are accessing what ports, and using what protocols.  Used for a day or so, it will help pinpoint things.  Post questions here that may be raised from running TCPView.

a2.  That may be as simple as a2 either asking if there is an available definition update, or the a2 remote server seeing whether your copy of a2 is alive and ready to accept an automatic update.  That's a perfectly legitimate use, and not anything to concern yourself about.  Stop a2 from using that port and you may not be able to do definition and engine updates.

Remember, as long as a trusted program is originating outbound packets for specific legitimate reasons, stopping them may damage the program.

Next, (or even first) go here: http://www.grc.com/intro.htm and follow the links to ShieldsUp!.  That great (and completely safe) test will give you a real idea just how stealthy your security has made you.  Run all the tests, and come on back to report.  You should know that there are simple things that you can do to completely stealth your system - my LAN has been completely stealth for the better part of a decade now.
Don't Read?  Can't learn!

WARP-10
Re: Strange Intrusion Attempt.
« Reply #4 on: January 23, 2010, 09:19:00 am »
I use TCPView and ShieldsUp! but I don't know what is sending a closed response. What is current is in the attachment.

It is those ports that are telling ShieldsUp! that the ports are closed. The ports in question are:

Port 1051 - Name: optima-vnet - Purpose: Optima VNET
Port 1049 - Name: td-postman - Purpose: Tobit David Postman VPMN
Port 1043 - Name: (blank) - Purpose: (blank)
Port 1036 - Name: pcg-radar - Purpose: RADAR Service Protocol
Port 1034 - Name: (blank) - Purpose: (blank)
Port 1033 - Name: netinfo-local - Purpose: local netinfo port
Port 1031 - Name: iad2 - Purpose: BBN IAD
Port 1040 - Name: netarx - Purpose: Netarx

PCBruiser
Re: Strange Intrusion Attempt.
« Reply #5 on: January 23, 2010, 10:34:08 am »
Hi, I think there is some confusion.  First, ports are not stealthed outbound - never.  Inbound ports are either open (can be seen, will respond to pings, open to inbound requests), closed (can be seen, will respond to pings, not open to inbound requests), or stealthed (cannot be seen, will not respond to pings, not open to inbound requests).  A good hardware firewall can set any port (inbound or outbound) to open or closed, and inbound ones only to stealth.  A software firewall with HIPS can add program level controls that change the settings by program either receiving or sending a packet.  A software firewall cannot overrule the settings at the hardware firewall.

Now, many programs communicate with other parts of their program or the system using an "internal" internet within a single system.  You will note some lines have either an IP of 127.0.0.1 or "localhost".  Those are feedback links to your own system that never exit as packets to either your LAN or the Internet, but are used to communicate internally.

Now, the ports you reference in your list:

1051 - may be malware (W32.Kassbot)
1049 - appears legit
1043 - BOINC (various distributed projects such as SETI-at-Home, etc.)
1036 - Nebula Secure Segment Transfer Protocol, legit
1034 - likely malware (Zincite, W32.Mydoom, W32.Zindos)
1033 - local netinfo port, usually legit
1031 - This is probably a dynamically assigned port used by a program supporting MS RPC (remote procedure calls - a critical system component) over TCP
1040 - possible Trojan backdoor

Now, instead of feeding us info a tiny bit at a time, I strongly recommend that you carefully read and follow all the pinned topics at the top of our http://spywarehammer.com/simplemachinesforum/index.php?board=10.0 forum.  Then start a new topic in that forum by posting a HJT log.  Do not post the HJT log in this topic.  Once you do that, one of our experts will help you diagnose and remove any malware that may be on your system.
« Last Edit: January 23, 2010, 10:40:00 am by PCBruiser »
Don't Read?  Can't learn!
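As an added illustration of the points above about loopback (127.0.0.1) entries and dynamically assigned client ports (example code written for this page, not from the thread, TCPView or ShieldsUp!), here is a small Python script that reads the TCP rows of "netstat -ano" style output and sorts each row by what an outside probe could actually see. The sample output, addresses and PIDs are constructed, and the dynamic port range assumed is the Windows XP default of 1025-5000.

```python
import re
from typing import NamedTuple

# Constructed sample in the layout of Windows "netstat -ano" (TCP rows only);
# the addresses, ports and PIDs are made up for illustration, not from the thread.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING       1860
  TCP    127.0.0.1:1033         127.0.0.1:1034         ESTABLISHED     1860
  TCP    127.0.0.1:1034         127.0.0.1:1033         ESTABLISHED     1860
  TCP    192.168.1.10:1049      203.0.113.5:80         ESTABLISHED     2240
  TCP    192.168.1.10:1051      0.0.0.0:0              LISTENING       2240
"""

XP_EPHEMERAL = range(1025, 5001)  # Windows XP default dynamic (client) port range (assumed)

LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

class Sock(NamedTuple):
    local_ip: str
    local_port: int
    remote: str
    state: str
    pid: int

def parse_netstat(text):
    """Parse the TCP rows of netstat -ano output into Sock tuples (header rows skipped)."""
    return [Sock(ip, int(port), remote, state, int(pid))
            for ip, port, remote, state, pid in
            (m.groups() for m in map(LINE_RE.match, text.splitlines()) if m)]

def classify(s):
    """Say what an outside probe could make of this socket.
    Only non-loopback listeners are visible from the network; an ESTABLISHED row
    on an ephemeral local port is the client side of an outbound connection, and
    127.0.0.1 rows never leave the machine.  A ShieldsUp! 'closed' verdict means
    the TCP stack answered a port that has no listener; no netstat row shows
    that, the firewall's drop-vs-reject policy decides it."""
    if s.local_ip.startswith("127."):
        return "loopback-internal"
    if s.state == "LISTENING":
        return "exposed-listener"
    if s.state == "ESTABLISHED" and s.local_port in XP_EPHEMERAL:
        return "outbound-client"
    return "other"

def summarize(text):
    """Map each category to the sorted local ports that fall into it."""
    socks = parse_netstat(text)
    return {label: sorted(s.local_port for s in socks if classify(s) == label)
            for label in ("exposed-listener", "loopback-internal", "outbound-client", "other")}
```

Only the ports under "exposed-listener" can ever show as open to a remote test; everything else in the sample is internal chatter or the client end of a connection the machine itself started.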