How to tell if a firewall alert is suspicious or not

Volker, what do you recommend for finding malicious outbound? Is there some freeware packet logging sw that can be set to be smart enough to alert users? Payware? If so, what would something like that cost?

Art


I don't know of a simple answer to your questions. The only people I have ever had contact with that could *possibly* explain the reasons for *every* incoming/outgoing packet are security experts - most notably firewall experts.

So, one of the posters gave a solution for you, a solution that I use frequently: deny the request and see if anything breaks.

Good luck.


I can't say with 100% certainty if the D-Link is a router, but it probably is.


Gerard Schroeder wrote in news:b005qf16e29s.n6jikuct2oxd$. snipped-for-privacy@40tude.net:

You don't specify a model number, so I'll assume it's a wired/wireless AP router that falls into this category.

[link]
Duane :)


Unfortunately, it is not possible to reliably detect hidden outgoing information without dropping connectivity. This is because of the existence of tunneling.

Even what professional IDSes are doing is lacking in reliability.

Therefore, I don't recommend trying to find "malicious outbound" at all; instead of this, I'm recommending preventing malware from running on your PC.

I think this is a much better concept.

Yours, VB.


Sure, but to press my question more ... what about some external device?

Art


How do you do this, without losing connectivity to the rest of the network?

Yours, VB.


If you want an IDS, then there are many on the market - including open source and free software implementations, like

[link]
[link]

Yours, VB.


It's called a firewall - we can set up tunnels between locations, and once in the tunnel you don't have connectivity to anything in the local network except the path for the tunnel.

VB, it's starting to seem like you only have experience in home networks.

Leythos

Google the name of the process initiating the outgoing connection.

that's not important. 192.168.0.1 is from your LAN. if you receive a packet from a computer on your LAN, it's no big deal!

ditto

So now this process (you may google it), but it's clearly harmless. It is on your comp, and sending a packet to every computer on your LAN. Don't think that one of your computers is attacking another!

ditto

I just use firefox as a web browser. It just makes outgoing connections. So, once the outgoing connection was made, packets go either way. Each outgoing connection may use a diff port, I don't see why this local port is called NETBILL-AUTH, maybe I'm wrong. but this is firefox, nothing to worry about.

ditto. dunno what this opennl is about - even after googling. but this is firefox, surely not receiving an incoming connection, unless you're not using it as just a web browser or something.

do you recognise OpenNL?!

windows does make these annoying outgoing connections. it may not be worth checking out what windows is doing. any outgoing connection from svchost.exe should be considered fine. unless svchost.exe got overwritten by a malicious version. You can't be that paranoid on a windows system. trust svchost.exe! it's a famous windows process. as sygate knows

yes you want to use your web browser.

The windows firewall which blocks all incoming connections is very good. Yes, malware may make outgoing connections. But at least you'll let windows processes communicate outside. and you'll let your browser communicate.

And as has been said, don't be afraid of some spyware transmitting. If it's there, then remove it. If it were dangerous, it'd get past your attempt at blocking outgoing connections anyway.

Blocking outgoing connections as paranoidly as you are now causes the mess that you have now. far more stress than any spyware!!!

jameshanley39

it is a great help. it blocks all incoming connections. Beyond that, do not block all outgoing connections, or allow yourself to be hassled by your personal firewall over it.

Use software, like Active Ports, that will list Established Connections. At least it won't hassle you with popups. It gives the process name. Do not look for great lists. Just google the name of the process that is making the outgoing connection. And if you get 100 links saying it's spyware, then you should start running different spyware removal utilities until you successfully get rid of it.

your 'home router' (actually a NAT device) blocks incoming. I have a DLink one too. You can go to http://192.168.0.1 and configure it. Or if that doesn't work, find out its IP: open a command prompt (start..run..cmd) and type ipconfig /all

and see what it says for 'Gateway' (That is your 'router'). do http://gatewayip

see, it has a firewall built in. But still, don't bother blocking outgoing connections, even with that.

if you have spyware, get rid of it properly.

and you do have a router ('home router'). It blocks incoming. Which is very good. You should look at outgoing but not be hassled with popups. and not be paranoid. use google on an unknown process making an outgoing connection. just see if google says it's spyware.

jameshanley39

difficult to know those answers, especially on a windows machine. So, ppl don't.

the key thing is knowing that it isn't malware.

Believe me, you can go further than you are in asking HOW and WHY. You could download Ethereal - a packet sniffer - and start asking why this program is sending this or that. It doesn't matter. You have to know what Processes/Programs you trust. I have no idea what that openNL was though. i'd have thought that local ports on the client side wouldn't have names. Anyhow, you trust firefox, don't you? And the Program/Process was firefox, so let it be.

And if you see a process and you don't understand what it does, then google. Who cares what it does - all that matters is if it's a famous trojan process.

if you're having problems with slow internet access, then it most probably is spyware. And if the spyware were really dangerous, it'd get past you. maybe it'd have replaced a known microsoft process, added some code, and that process now makes an outgoing connection. you may want to run spyware checks.

Try using the windows firewall only for a year, and see if you have problems. By the way, you are already blocking incoming connections with your router. So the windows firewall is doing the same thing, but it's just another layer of security. Even turning off the windows firewall won't be a prob, 'cos you're still blocking incoming connections anyway.

jameshanley39
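The triage jameshanley39 describes across the three posts above (list the established connections with their owning process, treat LAN peers as harmless, and look up only the process names you don't recognise) can be scripted so the user is not reading firewall popups one at a time. The Python below is an added example, not code from the thread or from Active Ports. It parses constructed `netstat -ano` output (the same information Active Ports shows) together with a constructed PID-to-image map such as `tasklist` would give; the process name `updsvc32.exe` is invented for the example, and the IP addresses are the ones quoted elsewhere in this thread. The trusted-process set encodes the poster's own judgement, with the caveat he gives himself: a trusted name only means something if the binary behind it has not been replaced.

```python
import ipaddress
import re

# Constructed sample in the layout of `netstat -ano` on Windows (not a capture from the thread).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.0.108:139      192.168.0.1:445        ESTABLISHED     4
  TCP    192.168.0.108:1746     212.75.36.180:80       ESTABLISHED     1516
  TCP    192.168.0.108:1802     212.75.36.180:443      ESTABLISHED     1516
  TCP    192.168.0.108:1833     202.232.13.185:6667    ESTABLISHED     2240
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed PID -> image name map, as `tasklist` reports it; updsvc32.exe is a made-up name.
SAMPLE_PROCESSES = {4: "System", 900: "svchost.exe", 1516: "firefox.exe", 2240: "updsvc32.exe"}

# Programs this user is willing to trust with outbound traffic (a judgement call, not a vendor list).
TRUSTED = {"System", "svchost.exe", "firefox.exe"}

# Proto, local endpoint, foreign endpoint, optional state (blank for UDP), PID.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def split_endpoint(endpoint):
    """'192.168.0.108:1746' -> ('192.168.0.108', '1746')."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def remote_scope(host):
    """Where the peer lives, following the thread's rule that LAN peers are not a concern."""
    if host in ("*", "0.0.0.0"):
        return "none"
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "lan"
    return "internet"


def triage(netstat_text, pid_names, trusted=TRUSTED):
    """Return one finding per ESTABLISHED connection, with a verdict for the user."""
    findings = []
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        if state != "ESTABLISHED":
            continue  # listeners and UDP sockets are not outbound conversations
        rhost, _ = split_endpoint(remote)
        scope = remote_scope(rhost)
        process = pid_names.get(int(pid), "<unknown pid>")
        if scope in ("lan", "loopback"):
            verdict = "ignore"       # same LAN: "no big deal"
        elif process in trusted:
            verdict = "expected"     # browser / OS talking to the internet
        else:
            verdict = "look up"      # unfamiliar process with an internet peer
        findings.append({
            "proto": proto, "local": local, "remote": remote, "remote_scope": scope,
            "pid": int(pid), "process": process, "verdict": verdict,
        })
    return findings


def to_look_up(findings):
    """De-duplicated process names the user should search for."""
    return sorted({f["process"] for f in findings if f["verdict"] == "look up"})


if __name__ == "__main__":
    results = triage(SAMPLE_NETSTAT, SAMPLE_PROCESSES)
    for f in results:
        print("%-4s %-22s -> %-22s %-9s %-14s %s" % (
            f["proto"], f["local"], f["remote"], f["remote_scope"], f["process"], f["verdict"]))
    print("search for:", to_look_up(results))
```

Only the `updsvc32.exe` connection ends up in the "search for" list; the two Firefox sessions are marked expected and the SMB session to 192.168.0.1 is ignored because the peer is on the LAN, which is exactly the split the posts argue for.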

I always wonder what to do when you get a spoofed IP through your NAT.

For example, this Sygate personal firewall message got me wondering what was REALLY going on here.

NT Kernel System (ntoskrnl.exe) is trying to send an ICMP Type 8 (Echo Request) packet to [202.232.13.185]. Do you want to allow this program to access the network?

Yes No Details

Details:
File Version : 5.1.2600.2622
File Description : NT Kernel & System (ntoskrnl.exe)
File Path : C:\WINDOWS\system32\ntoskrnl.exe
Process ID : 0x4 (Heximal) 4 (Decimal)

Connection origin : local initiated
Protocol : ICMP
Local Address : 192.168.0.108
ICMP Type : 8 (Echo Request)
ICMP Code : 0
Remote Name :
Remote Address : 202.232.13.185

Ethernet packet details:
Ethernet II (Packet Length: 120)
Destination: 00-80-c8-b0-33-8a
Source: 00-20-e0-2d-07-a5
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 4
Protocol: 0x1 (ICMP - Internet Control Message Protocol)
Header checksum: 0x891b (Correct)
Source: 192.168.0.108
Destination: 202.232.13.185
Internet Control Message Protocol
Type: 8 (Echo Request)
Code: 0
Data (68 bytes)

Binary dump of the packet:

0000: 00 80 C8 B0 69 8A 00 20 : E0 8F 07 A5 08 00 45 00 | ....i.. ......E.
0010: 00 5C 01 6B 00 00 04 01 : 1B 89 C0 A8 00 64 CA E8 | .\.k.........d..
0020: 0D B9 08 00 E4 FF 03 00 : 10 00 00 00 00 00 00 00 | ................
0030: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0040: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0050: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0060: 00 00 00 00 00 00 00 00 : 00 00 4A 45 44 45 46 43 | ..........JEDEFC
0070: 41 43 41 43 41 43 41 43 : | ACACACAC
Milrose Lewis
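When an alert like this looks odd, the bytes in the dump are the only part that can be checked independently of the firewall's summary. The Python below is an added example, not part of Milrose's post and not Sygate code: it parses the "OFFSET: xx xx ... | ascii" dump quoted above, walks the Ethernet II, IPv4 and ICMP headers, and recomputes the RFC 1071 checksums. Decoding shows that the stored IP header checksum 0x1B89 is correct (Sygate prints it byte-swapped as 0x891b), that the ICMP checksum 0xE4FF is also correct, but that the IP source field in the bytes is 192.168.0.100 while the summary says 192.168.0.108, that both MAC addresses in the dump differ from the ones in the summary, and that 14 bytes ("JEDEFCACACACAC") sit after the end of the IP packet. The parser is written for this dump layout only.

```python
import re
import struct

# The "Binary dump of the packet" from the Sygate alert quoted above, pasted as-is
# (the ASCII column after '|' is ignored by the parser).
SYGATE_DUMP = r"""
0000: 00 80 C8 B0 69 8A 00 20 : E0 8F 07 A5 08 00 45 00 | ....i.. ......E.
0010: 00 5C 01 6B 00 00 04 01 : 1B 89 C0 A8 00 64 CA E8 | .\.k.........d..
0020: 0D B9 08 00 E4 FF 03 00 : 10 00 00 00 00 00 00 00 | ................
0030: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0040: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0050: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0060: 00 00 00 00 00 00 00 00 : 00 00 4A 45 44 45 46 43 | ..........JEDEFC
0070: 41 43 41 43 41 43 41 43 : | ACACACAC
"""

# "OFFSET:" prefix, then everything up to the '|' that starts the ASCII column.
DUMP_LINE = re.compile(r"^\s*[0-9A-Fa-f]{4}:\s*([^|]*)")


def parse_hex_dump(text):
    """Turn the dump into raw frame bytes; the ':' group separator is skipped."""
    out = bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            out += bytes.fromhex("".join(re.findall(r"\b[0-9A-Fa-f]{2}\b", m.group(1))))
    return bytes(out)


def inet_checksum(data):
    """RFC 1071 one's-complement sum, as used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def mac(b):
    return ":".join("%02x" % x for x in b)


def ipv4(b):
    return ".".join(str(x) for x in b)


def decode_frame(frame):
    """Decode Ethernet II + IPv4 (+ ICMP) and verify the checksums the firewall reported."""
    eth_type = struct.unpack("!H", frame[12:14])[0]
    if eth_type != 0x0800:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % eth_type)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]    # IP total length, header + payload
    stored = struct.unpack("!H", ip[10:12])[0]     # checksum as carried in the header
    computed = inet_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl])
    result = {
        "eth_dst": mac(frame[0:6]),
        "eth_src": mac(frame[6:12]),
        "src": ipv4(ip[12:16]),
        "dst": ipv4(ip[16:20]),
        "ttl": ip[8],
        "proto": ip[9],
        "total_len": total_len,
        "ip_checksum": stored,
        "ip_checksum_ok": stored == computed,
        "trailer": ip[total_len:],                 # bytes beyond the IP packet, if any
    }
    payload = ip[ihl:total_len]
    if ip[9] == 1 and len(payload) >= 8:           # ICMP: type, code, checksum, id, seq
        icmp_type, icmp_code, icmp_sum, ident, seq = struct.unpack("!BBHHH", payload[:8])
        icmp_computed = inet_checksum(payload[:2] + b"\x00\x00" + payload[4:])
        result["icmp"] = {
            "type": icmp_type, "code": icmp_code, "id": ident, "seq": seq,
            "checksum_ok": icmp_sum == icmp_computed,
            "data_len": len(payload) - 8,
        }
    return result


if __name__ == "__main__":
    decoded = decode_frame(parse_hex_dump(SYGATE_DUMP))
    for key, value in decoded.items():
        print("%-15s %s" % (key, hex(value) if key == "ip_checksum" else value))
```

Run it and compare each decoded field with the summary text of the alert; the fields that disagree (source IP, MAC addresses, payload length) are the ones worth asking about before deciding the alert is either harmless or a "known trojan".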

How about making an English language version?

Art


That's a KNOWN TROJAN. Kill it! DO NOT let it access your SYSTEM!

You have BIG PROBLEMS if that is occurring. I suggest you immediately run a full system scan by going to

[link]
(press on the "Shields Up" link)

While you're at it, scan for the trojan that initiated this request

[link]
(works only with IE)

Since your system was obviously compromised, request a full system audit

[link]
Only after running these three programs that everyone runs monthly will your system be safe from that trojan you have!

Michelle Peters

Yes, why not?

[link]

Yours, VB.


I think you're making a joke, aren't you? This is only nonsense, what you're writing here.

Yours, VB.


Thanks Volker. I found that Sygate recorded the incident in its traffic log. So it wasn't oblivious to your POC. Yet, the point is well made that the average user would be oblivious IMO.

I think POCs of this kind do a lot of good. I hope you plan to polish it up. Give some thought to how to impress average users with the fact that their fw is indeed being bypassed without their knowledge.

Art


Here is one of the logs:

*************************************************
9/20/2005 7:06:06 PM Allowed 10 Outgoing TCP [link] [212.75.36.180] 00-12-17-49-03-54 80 192.168.1.101 00-0F-66-70-99-A2 1746 C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe art1 ART Normal 1 9/20/2005 7:05:41 PM 9/20/2005 7:05:41 PM Ask all running apps
*********************************************

Sygate records the event every time.

I still encourage you to design a more polished demo that will be convincing to average users.

Art


Oh yes, it is. What's in the log is exactly what there is if the user just uses her/his browser.

Yes, I think so.

Alexander Bernauer wrote a remote control software for Windows based on this POC - the wwwsh. This is what some people are calling a "Trojan".

You can find it here:

[link]

Of course, this is not a real "Trojan", because you can see what's goin' on while it runs, and it has no routine to spread it. The reasons are clear: we just want to show that we're not talking without having a base to stand on, but we don't want to publish real malware.

Yours, VB.

