Please help interpret Sygate Personal Firewall traffic log (ndisuio.sys)

How do I interpret this Sygate Personal Firewall traffic log?

Daily, I see hundreds of blocked incoming requests from NDISUIO.SYS. After googling for the keywords, I'm *still* almost as confused as I was before. The googling showed that the incoming requests are from something called a wireless zero configuration (yes, I am using a wireless card on Windows XP). My basic home network has a NAT router and only one WinXP computer which is set up to be wireless.

What confuses me is the Sygate Personal Firewall blocked traffic log shows certain patterns, namely that these NDIS User Mode IO driver requests come from a variety of "Remote Host" IP addresses & a variety of "Remote Port" and "Local Port" addresses but always with the same "Remote MAC". I'm having trouble making any sense of this data.

A typical blocked traffic log line (out of hundreds daily) would be:

Action = Blocked (note it always reports blocked)
Severity = 10 (the severity is always the same)
Direction = Incoming (the direction is always the same)
Protocol = UDP (most are UDP but many are ICMP if that matters)
Remote Host = 196.206.235.196 (many different IP addresses are found)
Remote MAC = 00-80-C8-A0-43-9B (this is always the same remote MAC)
Remote Port = 63875 (other ports show eg 11, 5093, 1900, 53, 137, etc)
Local Host = 192.168.0.10 (only a few IP addresses show up here)
Local MAC = 00-0D-60-34-5A-23 (only this & FF-FF-FF-FF-FF-FF show up)
Local Port = 15744 (other ports show up eg 2049, 1032, 137, 138, etc)
Application Name = C:\WINDOWS\system32\DRIVERS\ndisuio.sys (always same)

Searching the registry I see NDIS Usermode I/O Protocol is found in HKLM\SYSTEM\ControlSet001\Services\Ndisuio (and others)

Based on my googling, this ndisuio.sys file seems it might be related to the Nortel Extranet Access Protocol which reminded me that years ago a Nortel VPN program was installed but there is no vestige of it in the Windows XP Add and Remove Programs or in the Program Files directory so it must have been deleted long ago.

A reverse IP search of each of the suspect addresses doesn't tell me much.

The search returns:

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096, Amsterdam, 1001EB, NL

What confuses me the most is that the googling says ndisuio.sys is for wireless and it should not be blocked but I see no ill effects when I set my Sygate Personal Firewall to automatically block it. The windows xp machine and the wireless networking seems to be working just fine even with all these requests blocked.

Can someone help me understand what the purpose of this driver is and how to stop it from making incoming requests hundreds of times a day?

Should I just delete the HKLM\SYSTEM\ControlSet001\Services\Ndisuio and related lines in the Windows registry?

Should I just delete the C:\WINDOWS\system32\DRIVERS\ndisuio.sys file?

I'd prefer to understand at least a little bit about what's going on before getting itchy fingers to delete the registry and file. Any ideas?

Reply to
Susan

That remote MAC address is a Dlink product. Who makes your router? Look at its MACs and see if one matches. NDisuio, you might want to right click it and choose properties and see who wrote that file. Think you'll see it is a Microsoft file and the installed date is probably the date you or the manufacturer loaded Windows.

You really should find yourself a Sygate forum.

Reply to
bumtracks

Hello bumtracks,

You are right on the money! Yes, I have a Dlink router. How did you know that? And that is its MAC address. Now why would my Dlink router be attacking me?

And you are right that the ndisuio.sys file appears to be from Microsoft (although google searches show it's related to the Nortel c:\windows\system32\drivers\eacfilt.sys somehow).

Even if I wasn't using Sygate, these attacks from eacfilt.sys & ndisuio.sys would still be occurring (wouldn't they?) - so I don't see how it's Sygate related.

Reply to
Susan

The nat router is a wireless nat router and the xp machine connects to the router wirelessly?

Sounds like spoofing. Like bumtracks said, identify the device with the above MAC address.

What are the few?

Reply to
Dom

There is nothing to indicate that these are attacks or originating from the Dlink router. Many routers employ netbios features (ports 137 & 138).

This traffic is not from ndisuio.sys, but received by it.

Short of having a node which is capable of protocol analysis in place of the Dlink, I'm afraid that any theory concerning the source of the traffic would be mere speculation. You could try connecting your computer directly to the modem and examining what sort of traffic it receives.

Reply to
Dom

That's normal. Packets are transferred at the local level using an Ethernet protocol - which just happens to be able to carry IP as well as 130+ other networking protocols. If you have a total of two devices on your local network - such as a computer and a router, then the MAC address that your computer will be talking to is ALWAYS the address of the router, no matter if you are talking to ftp.locus.gov or any other address out on the Internet. The MAC addresses used are where the packet is coming-from/going-to on this particular hop.

Then your firewall is working - don't worry about it.

So crap coming in from the world is being blocked. Fine. End of problem.

[compton ~]$ etherwhois 00-80-C8
00-80-C8   (hex)        D-LINK SYSTEMS, INC.
0080C8     (base 16)    D-LINK SYSTEMS, INC.
                        53 Discover Dr.
                        Irvine CA 92618
                        UNITED STATES
[compton ~]$

PORT 11 would be unusual, as that is a rarely used service. 1900 is PlugNPray, 53 is a name service that translates between IP addresses and hostnames, and 137 is the windoze toy version of name service. On the other hand, these toy firewalls also report ICMP Type numbers as 'port' numbers (ICMP doesn't have ports - the idiots who wrote the firewall are trying to not techno-babble and making a false statement) and an ICMP Type 11 would be a Time Expired message, normally seen with TRACERT (or the real traceroute).

If the packet is destined for that address, then your router is translating it from your 69.110.35.129 prodigy address to RFC1918 (local use only) addresses. That address can't exist out in the world, because it's a local only address and no one knows where (or which) person is using it.

[compton ~]$ etherwhois 00-0D-60
00-0D-60   (hex)        IBM Corporation
000D60     (base 16)    IBM Corporation
                        3039 Cornwallis Road
                        Dept FCGA, Bldg 660, Office F106
                        Research Triangle Park NC 27709
                        UNITED STATES
[compton ~]$

Using an IBM box? The FF:FF:FF:FF:FF:FF address is the Ethernet broadcast, and is never used to actually send/receive data packets.

You asked ARIN who the address belongs to. ARIN doesn't know, because the address is allocated out of one of the four other Regional Network Registrars - in this case RIPE in Europe. If you asked RIPE, they'd tell you the address is assigned to AFRINIC (the new African RIR) and asking _them_ finally tells you the address is assigned to a DSL ISP in the Rabat, Morocco area. Most likely, an 0wn3d box run as a zombie.

I can't talk about ndisuio.sys, because I got rid of windoze in 1992. The fact that your firewall is blocking INBOUND crap and you are not seeing a problem means that everything is fine - you need not worry about it.

Old guy

Reply to
Moe Trin
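As an added example (this is not code from the thread, from Sygate or from any poster), here is a small Python script that applies Moe Trin's reading to records like the ones Susan posted: the OUI (first three octets) of a MAC is looked up to name the vendor, a remote MAC equal to the router's LAN MAC is flagged as the last hop rather than the sender, ICMP records are read with the "port" column as the ICMP type, and packets aimed at 239.255.255.250 or the broadcast MAC are labelled as LAN discovery chatter. The flat key=value log format, the OUI table, the GATEWAY_MAC constant and the three SAMPLE_LOG records are all constructed for the example (their values mirror the thread).

```python
import ipaddress
import re
from dataclasses import dataclass

# Vendor prefixes quoted in the thread's etherwhois output; constructed lookup table.
OUI = {"00-80-C8": "D-LINK SYSTEMS, INC.", "00-0D-60": "IBM Corporation"}

# Well-known ports named in the thread. For an incoming packet the *local* port is
# the one being targeted; the remote port is usually ephemeral.
KNOWN_PORTS = {53: "DNS", 137: "NetBIOS name service", 138: "NetBIOS datagram",
               1900: "SSDP (UPnP discovery)", 2049: "NFS"}

# ICMP has no ports; the firewall shows the ICMP type number in the port column.
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 8: "echo request",
              11: "time exceeded"}

BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"
# The router's LAN MAC as read off its status page (assumption taken from the thread).
GATEWAY_MAC = "00-80-C8-A0-43-9B"

# Constructed records in a flat key=value form; values mirror the thread's examples.
SAMPLE_LOG = [
    r"Action=Blocked Direction=Incoming Protocol=UDP RemoteHost=196.206.235.196 "
    r"RemoteMAC=00-80-C8-A0-43-9B RemotePort=63875 LocalHost=192.168.0.10 "
    r"LocalMAC=00-0D-60-34-5A-23 LocalPort=15744 App=C:\WINDOWS\system32\DRIVERS\ndisuio.sys",
    r"Action=Blocked Direction=Incoming Protocol=ICMP RemoteHost=196.206.235.196 "
    r"RemoteMAC=00-80-C8-A0-43-9B RemotePort=11 LocalHost=192.168.0.10 "
    r"LocalMAC=00-0D-60-34-5A-23 LocalPort=0 App=C:\WINDOWS\system32\DRIVERS\ndisuio.sys",
    r"Action=Blocked Direction=Incoming Protocol=UDP RemoteHost=192.168.0.10 "
    r"RemoteMAC=00-80-C8-A0-43-9B RemotePort=1900 LocalHost=239.255.255.250 "
    r"LocalMAC=FF-FF-FF-FF-FF-FF LocalPort=1900 App=C:\WINDOWS\system32\DRIVERS\ndisuio.sys",
]


@dataclass
class Record:
    action: str
    direction: str
    proto: str
    remote_host: str
    remote_mac: str
    remote_port: int
    local_host: str
    local_mac: str
    local_port: int
    app: str


FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line: str) -> Record:
    f = dict(FIELD_RE.findall(line))
    return Record(f["Action"], f["Direction"], f["Protocol"], f["RemoteHost"],
                  f["RemoteMAC"].upper(), int(f["RemotePort"]), f["LocalHost"],
                  f["LocalMAC"].upper(), int(f["LocalPort"]), f["App"])


def oui_vendor(mac: str) -> str:
    """Vendor of the first three octets (the OUI) of a MAC written as AA-BB-CC-..."""
    return OUI.get(mac.upper()[:8], "unknown OUI")


def service_label(rec: Record) -> str:
    if rec.proto == "ICMP":
        return f"ICMP type {rec.remote_port} ({ICMP_TYPES.get(rec.remote_port, 'other')})"
    port = rec.local_port if rec.direction == "Incoming" else rec.remote_port
    return f"{rec.proto}/{port} ({KNOWN_PORTS.get(port, 'ephemeral or unregistered')})"


def triage(rec: Record, gateway_mac: str = GATEWAY_MAC) -> dict:
    remote_ip = ipaddress.ip_address(rec.remote_host)
    local_ip = ipaddress.ip_address(rec.local_host)
    notes = []
    if rec.remote_mac == gateway_mac.upper():
        notes.append("remote MAC is the router's LAN MAC: it names the last hop, not the sender")
    if not (remote_ip.is_private or remote_ip.is_multicast):
        notes.append("sender is a public Internet address forwarded by the NAT router")
    if local_ip.is_multicast or rec.local_mac == BROADCAST_MAC:
        notes.append("destination is a multicast/broadcast address: LAN discovery chatter")
    if rec.direction == "Incoming" and rec.action == "Blocked":
        notes.append("inbound and blocked: nothing reached a listening service")
    # Only an *allowed* inbound packet from the Internet to a unicast local
    # address deserves a closer look; everything else here is background noise.
    worth_review = (rec.action == "Allowed" and rec.direction == "Incoming"
                    and not (remote_ip.is_private or remote_ip.is_multicast)
                    and not local_ip.is_multicast)
    return {"vendor": oui_vendor(rec.remote_mac), "service": service_label(rec),
            "verdict": "review" if worth_review else "noise", "notes": notes}


def triage_line(line: str, gateway_mac: str = GATEWAY_MAC) -> dict:
    return triage(parse_record(line), gateway_mac)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        r = triage_line(line)
        print(f"{r['verdict']:6} {r['service']:35} via {r['vendor']}")
        for n in r["notes"]:
            print("   -", n)
```

The verdict rule is deliberately narrow: a blocked inbound packet never reached anything, so the only records worth chasing are allowed inbound packets from a public address to a unicast local address, and even then the remote MAC tells you nothing about who sent them.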

Thank you for the advice. Please tell me what to do and I will follow.

From my IBM PC, I went to the web page http://192.168.0.1 which is the D-Link NAT router setup web page, logging in as "admin" with a blank password. This brought up a web page with lots of buttons and tabs. In the "Device Info" frame button "Status" tab, the LAN MAC address was listed as 00-80-C8-A0-43-9B. Interestingly the wireless MAC address was a *different* number. Go figure. Does this confirm that it is my D-Link NAT router which is causing the problem but the LAN thinks it's wireless?

Looking at the SPF traffic log, I see only the following two MACs:

Local Host = 192.168.0.10 with the Local MAC = 00-0D-60-34-5A-23
Local Host = 239.255.255.250 with the Local MAC = FF-FF-FF-FF-FF-FF

Looking up 239.255.255.250 says:

OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330, Marina del Rey, CA, 90292
Comment: This block is reserved for special purposes (RFC 3171)

I looked up "spoofing" which appears to be something that it is not. For example, a machine with an IP address which isn't really their IP address.

Who is doing the spoofing here?

Reply to
Susan

You are correct. I'm amazed how much you can tell me just from these numbers. The MAC address is that of my Dlink NAT router.

OK. If it matters, I found I could also tell Sygate Personal Firewall to automatically block numerous OUTGOING requests from C:\WINDOWS\system32\ntoskrnl.exe (whatever that is) without stopping Internet connections but I could not block duplicate INCOMING & OUTGOING requests from/to C:\WINDOWS\system32\drivers\eacfilt.sys without killing the ability to connect to the Internet (dunno why). The interesting part is that the lines for the allowed incoming & outgoing eacfilt.sys in the Sygate traffic log are *exactly* the same (with respect to ports, IP addresses, MACs, and time stamps) as the blocked incoming ndisuio.sys requests. So I suspect all three are related in some fashion.

--------------------------------------------------------------------
DATE: 2/19/2006   TIME: 10:21:23PM   ACTION: Allowed   DIRECTION: Outgoing   PRO: TCP
REMOTE-HOST: 192.168.0.10   REMOTE-MAC: 00-80-C8-A0-43-9B   REMOTE-PORT: 80
LOCAL-HOST: 192.168.0.10   LOCAL-MAC: 00-0D-60-34-5A-23   LOCAL-PORT: 2718
APPLICATION NAME: C:\WINDOWS\system32\drivers\eacfilt.sys
--------------------------------------------------------------------
DATE: 2/19/2006   TIME: 10:21:23PM   ACTION: Allowed   DIRECTION: Incoming   PRO: UDP
REMOTE-HOST: 192.168.0.10   REMOTE-MAC: 00-80-C8-A0-43-9B   REMOTE-PORT: 1900
LOCAL-HOST: 239.255.255.250   LOCAL-MAC: FF-FF-FF-FF-FF-FF   LOCAL-PORT: 1900
APPLICATION NAME: C:\WINDOWS\system32\drivers\eacfilt.sys
--------------------------------------------------------------------
DATE: 2/19/2006   TIME: 10:21:23PM   ACTION: Blocked   DIRECTION: Incoming   PRO: UDP
REMOTE-HOST: 192.168.0.10   REMOTE-MAC: 00-80-C8-A0-43-9B   REMOTE-PORT: 1900
LOCAL-HOST: 239.255.255.250   LOCAL-MAC: FF-FF-FF-FF-FF-FF   LOCAL-PORT: 1900
APPLICATION NAME: C:\WINDOWS\system32\drivers\ndisuio.sys
--------------------------------------------------------------------

Do you think my hunch that the three are related makes any sense to you? ndisuio.sys & eacfilt.sys & ntoskrnl.exe

Reply to
Susan

Yes. It *is* an IBM box. You are again very astute. I'm amazed how much you can tell from these seemingly gibberish numbers. I guess an "Ethernet broadcast" is nothing to worry about?

Oh my. What is an "Own3d" box zombie? It doesn't sound good. It actually sounds downright bad. Am I in trouble?

I looked it up on google and found:

- 0wn3d in 200 seconds
- Unprotected PCs can be hijacked in minutes
- Jacques' Hack Attack
- And this stops zombies how?

All of which scares me to no end. Am I under attack by the OWN3D attackers?
Reply to
Susan

No.

Don't worry about this one, it is in the multicast range.

It remains unconfirmed that the traffic is spoofed. The only way to trace the issue further would be a frame capture at the router. A NIDS can diagnose the nature of the traffic as malicious.

Reply to
Dom

It looks like Own3d is a bad thing.

Pronounced: "Oun-duh". To overtake another PC with hacking and attack methods.

I guess it was right to be paranoid. Now I have to find out how to stop the attacker.

Reply to
Susan

NIDS??? Googling got me "Network IDs". Is that a tool? I tried googling for "nids download" but didn't get any tool to download.

One very weird happening is I DELETED C:\windows\system32\drivers\ndisuio.sys and then rebooted and guess what! The ndisuio.sys CAME BACK! Oh my! How does that happen?

Reply to
Susan

ndisuio.sys and ntoskrnl.exe are parts of Windows; eacfilt.sys seems to be part of Nortel VPN.

Yours, VB.

Reply to
Volker Birk

Yes.

This is the role your PC has in the network when you're trusting in "Personal Firewall" and Virus Scanner too much, using Internet Exploder as a web browser and clicking on anything which seems to be for free.

Everybody is. All the time. We call this network noise.

Yours, VB.

Reply to
Volker Birk

You cannot do that.

Instead, you could configure your software to be safe from such attacks. All those popups are making no sense.

Yours, VB.

Reply to
Volker Birk

Because Windows restores its parts when the user deletes them.

Yours, VB.

Reply to
Volker Birk

My oh my. It just gets scarier the deeper I dig.

By googling, I just found out that virtually every inbound connection to my port 1900 is an attack (according to [link]) and every broadcast to 239.255.255.250 on port 1900 is an open invitation to an attack [link].
Oh my.

I added a key which is supposed to stop outbound port 1900 broadcasts [link]:

Software\Microsoft\DirectPlayNATHelp\DPNHUPnP\UPnPModeType: REG_DWORD, Value: 2 (disabled)

But, how do I tell Sygate Personal Firewall or my DLink NAT router to block all incoming port 1900 requests?

There is an "advanced rules" section of Sygate which maybe can be used to block all incoming port 1900 requests???

Reply to
Susan

On Mon, 20 Feb 2006 07:47:35 GMT, Susan wrote: After disabling port 1900 in the WinXP registry ... Do any of these port connections look suspicious to you?

C:\Documents and Settings\Administrator>netstat -a -n

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:12025        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:12080        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:12110        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:12143        0.0.0.0:0              LISTENING
  TCP    192.168.0.110:139      0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    192.168.0.110:137      *:*
  UDP    192.168.0.110:138      *:*

C:\Documents and Settings\Administrator>netstat -a -n -b

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  [System]
  TCP    192.168.0.110:139      0.0.0.0:0              LISTENING       4
  [System]
  UDP    0.0.0.0:445            *:*                                    4
  [System]
  UDP    192.168.0.110:138      *:*                                    4
  [System]
  UDP    192.168.0.110:137      *:*                                    4
  [System]

Reply to
Susan
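Added example (not code from the thread or from any poster): a Python parser for the two listings above that separates sockets bound to 127.0.0.1, which no other host can reach, from sockets bound to 0.0.0.0 or to the LAN address, which are reachable from the network and are therefore what a firewall rule or the router's NAT has to cover. The NETSTAT_SAMPLE and NETSTAT_B_SAMPLE strings are constructed to match the paste; with -b the owning image name follows its socket line in brackets and the parser attaches it to that socket. The port names are the standard Windows file-sharing services.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed to match the `netstat -a -n` listing in the post above.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:12025        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:12080        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:12110        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:12143        0.0.0.0:0              LISTENING
  TCP    192.168.0.110:139      0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    192.168.0.110:137      *:*
  UDP    192.168.0.110:138      *:*
"""

# Constructed `netstat -a -n -b` form: a PID column, and the owning image on the next line.
NETSTAT_B_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  [System]
  TCP    192.168.0.110:139      0.0.0.0:0              LISTENING       4
  [System]
  UDP    0.0.0.0:445            *:*                                    4
  [System]
  UDP    192.168.0.110:138      *:*                                    4
  [System]
  UDP    192.168.0.110:137      *:*                                    4
  [System]
"""

# Well-known Windows file and printer sharing ports.
WINDOWS_PORTS = {137: "NetBIOS name service", 138: "NetBIOS datagram",
                 139: "NetBIOS session (SMB)", 445: "SMB over TCP/IP"}

# proto, local addr:port, foreign, optional TCP state, optional PID (-b output)
SOCKET_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+([A-Z_]+))?(?:\s+(\d+))?\s*$")
IMAGE_RE = re.compile(r"^\s*\[(.+)\]\s*$")


@dataclass
class Socket:
    proto: str
    addr: str
    port: int
    state: Optional[str]          # None for UDP, which has no connection state
    pid: Optional[int] = None
    image: Optional[str] = None


def parse_netstat(text: str) -> list:
    sockets = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            proto, addr, port, _foreign, state, pid = m.groups()
            sockets.append(Socket(proto, addr, int(port), state,
                                  int(pid) if pid else None))
            continue
        m = IMAGE_RE.match(line)
        if m and sockets:
            # With -b the bracketed image name belongs to the socket line just before it.
            sockets[-1].image = m.group(1)
    return sockets


def scope(addr: str) -> str:
    """Who can reach a socket bound to this local address."""
    if addr == "0.0.0.0":
        return "all interfaces"
    if ipaddress.ip_address(addr).is_loopback:
        return "loopback only"
    return "LAN interface"


def exposed_listeners(text: str) -> list:
    """Listening sockets a remote host could reach: everything not bound to loopback."""
    out = []
    for s in parse_netstat(text):
        if s.proto == "TCP" and s.state != "LISTENING":
            continue                  # an established or closing connection, not a listener
        if scope(s.addr) == "loopback only":
            continue
        out.append((s.proto, s.port, scope(s.addr), WINDOWS_PORTS.get(s.port, "unknown service")))
    return out


if __name__ == "__main__":
    for proto, port, where, name in exposed_listeners(NETSTAT_SAMPLE):
        print(f"{proto}/{port:<5} {where:15} {name}")
```

Run against the listing above it reports five reachable listeners, all of them SMB/NetBIOS on TCP 445/139 and UDP 445/137/138; the four TCP listeners on 127.0.0.1 are left out because only a program on the same machine can connect to them.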

Is your computer configured as a DMZ host?

Reply to
Dom

I'm a bit confused because this page [link] intimates that broadcasts to that IP address are bad. I ran the UnPlug n' Pray tool at [link] to stop that broadcast from happening.

This digging into what is going on is cascading from bad to worse. I thought it was bad but it's getting worse by the moment, I have so many security holes. Oh my!

I'm currently installing EVERY security fixit program at the freeware page [link] to see if that solves the problem.

In addition, I deleted the eacfilt.sys file (thanks for the information that it is NOT a Windows XP file). Hopefully it won't come back in the next reboot like the ndisuio.sys did.

Keep providing advice. It will not only help me but everyone who has the same problems!

Reply to
Susan

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.