Please help interpret Sygate Personal Firewall traffic log (ndisuio.sys)

There are no connections here. These indicate sockets on which the computer is listening.

Reply to
Dom

I am quite sure that uPNP features may be disabled using add/remove windows components.

Stay calm. You are likely far better protected than you realize.

I personally would not do such a thing. This may create more difficulties than it solves.

I would certainly not mess with system files. You are playing with fire.

Reply to
Dom

Thanks. But the deeper I dig, the more problems I find. For example, while fixing port 1900 vulnerabilities, I accidentally found I have the so-called MICE WMF vulnerability described by Microsoft at

formatting link
I found this by running the free KB912919 MICE tester at
formatting link
I hope I fixed that with the Microsoft MICE WMF update at
formatting link
I wonder why it was there (I automatically update WinXP SP2 with
formatting link

I do understand you here. I really do not know what I am doing. But if nobody has eacfilt.sys running, then why should I have it running? I suspect it's a vestige of a Nortel VPN installation of years ago. Worst case I can put it back. My only problem is keeping a log of all the changes I've been making (like turning off dozens of services) in case the cake batter falls on the floor.

I DO thank you for all your expert advice. I'm learning by the minute here and I hope others can follow to their benefit.

Reply to
Susan

Sorry to be a pain. Should I close these sockets? Or are they normal? If I were to close them, how does one close a socket? Do I find the related service and disable it?

Reply to
Susan

I didn't at first know what a DMZ was but googling for it tells me it's a "server" of web pages, ftp, telnet, etc.

formatting link
Now, after reading those web pages, I can say definitively: My PC is decidedly NOT a server of anything (at least not on purpose)!

Why do you ask?

Reply to
Susan

Oh my. This is amazing detective work! Is this the basic procedure for a reverse DNS for me and others to follow?

STEP 1.

formatting link
(reverse DNS 196.206.235.196) Answer: Casablanca, Morocco

STEP 2.

formatting link
(Submit Query for 196.206.235.196) Answer: RIPE Network Coordination Centre

STEP 3.

formatting link
(Search for 196.206.235.196) Answer: ORG-AFNC1-RIPE

STEP 4.

formatting link
(Search for 196.206.235.196) Answer: ADSL subscriber - Rabat and north morocoo

Do I understand this correctly? Some DSL subscriber in Morocco is attacking me on port 15744 (which isn't even a registered port).

Oh my. What on earth is going on here?

Reply to
Susan

Just filter away any incoming TCP SYN on your router. And forget Sygate. As an alternative, you could use the Windows Firewall. It filters away anything which tries to connect, by default.

Or you could stop your computer offering services to the Internet, then you don't need to filter away anything anymore:

formatting link
Yours, VB.

Reply to
Volker Birk

Yes. You should not have anything which listens on 0.0.0.0 or 192.168.0.110. The listeners on 127.0.0.1 are harmless.

Yours, VB.

Reply to
Volker Birk

You should shut down any service which you don't want to offer. Then you don't need filtering for them.

Please read Torsten's site on

formatting link
Yours, VB.

Reply to
Volker Birk

No. Usually it's a zone in a security zone concept.

Yours, VB.

Reply to
Volker Birk

Yes. So what? As an estimation, 100% of the computers in the Internet are under constant attack today, because of the botnets which drive such automated attacks.

Just ignore that, when your box is secure.

No, why should someone?

Yes.

The concept of flashing popups to the user for every "attack" is b0rken anyway. Just secure your box and ignore such dumb-ass attacks.

Yours, VB.

Reply to
Volker Birk

You're measuring the usual automated attacks. Usually, you're measuring which boxes already are 0wned.

Yours, VB.

Reply to
Volker Birk

These are listening on localhost. No problem. However, you'll probably want to find out what opens them anyway. Use TCPView [1] from Sysinternals or - if you have XP - "netstat -ano" or "netstat -anb".

These are for Windows File and Printer Sharing.

[...]

The latter are normal, the former don't pose a problem since they are listening on localhost. And yes, you should close every listening socket you don't need.

In most cases yes, but for File and Printer Sharing things are a little more complicated. A good description can be found under the link Volker already gave [2].

[1]
formatting link
formatting link
cu 59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Sure, close them with a firewall.

Reply to
Dom

It is extremely unlikely that this traffic would reach a privately addressed host behind a NAT. I suspect uPNP is the culprit. I recommend disabling uPNP features of the router and observing changes.

formatting link

Reply to
Dom

It's about 56,000 lines, but you can download the OUI list that translates the first six digits of a MAC address into a manufacturer from the IEEE at

formatting link
It's normally of no use to users.

Sorry - I got rid of w

> Using an IBM box? The FF:FF:FF:FF:FF:FF address is the Ethernet

Seeming gibberish. For a lot of us, it's just another language that we use every day.

Yes - it's normally used as a 'hailing' device - "everyone on the wire, listen up because this packet might be for you". Its most common use is to find the hardware address of another computer given the IP address (called ARP), and to find unknown servers (one use of PnP). This usage is _local_ only, and is harmless. All data communication takes place using explicit MAC addresses as source and destination.

It sometimes seems that over half the computers in the world are connected to the Internet and being used by drug crazed hamsters - with absolutely no effort made to secure them. "The Bad Guys"(tm) find these systems and use them to exploit other systems, send spam, viruses, trojans and other nefarious tasks. You are running a firewall - and only have a few things flapping in the breeze, so you are _RELATIVELY_ immune. See below.

The whole _world_ is under attack. For many of us, it's just normal background noise.

> C:\Documents and Settings\Administrator>netstat -a -n

THAT ONE RIGHT THERE should not be allowed in or out of your network. You need it for _local_ sharing, but I rather doubt you want to share your system with the world, or let anyone in the world print to your printer. You think 'fax' spam is bad...

127.0.0.1 is "me" and "me alone". This is your computer talking to itself (which sounds as if it should see a psychiatrist, but is actually normal).

That's another [whois search]

It's part experience (I've been doing this for around 20 years), it's part having the right tools.

Something is probing your ports to see if anything is exploitable. As for registered ports, you need to remember that malware authors don't register what ports they are using with IANA. An application author is free to use whatever port they wish. The deal about 'well-known' and 'registered' ports is that they give a standard place to look for a service. Assuming TCP, there are 65535 ports available. Which one should you look on to find a specific service like DNS, FTP, or some web page? This doesn't prevent anyone from using any _other_ port that happens to catch their fancy, but using non-standard port numbers for a service makes it harder to find.

Now, why should someone be looking for your port ? Many people wind up like those zombies - running services they never knew about, only because things were set up that way by default. Microsoft is notorious for doing this, and the result is 0wn3d boxes. So you are running a firewall, and to prove that it's doing a good job, it gives very shrill warnings every time anything happens - whether an attack, or pure random chance. Their main use is telling the ones who use it that some host in Korea or Kenya attempted to connect to a trojan that they don't have installed.

Normal noise on the Internet. The last time I bothered logging connection attempts to my home address, I was averaging about 1200 attempts a day. I actually do have two servers running, but they are meant for my own use, and are located on "unusual" ports well above the 1024 mark. They also only accept connections from a certain limited number of IP addresses. This doesn't stop the skript kiddiez from looking. As I know they can't get in, there is no need of me wasting disk space or CPU cycles logging the noise.

Old guy

Reply to
Moe Trin

Oh my! Two new things to learn. :) TCP port 445 and IP address 0.0.0.0

Googling, I find TCP port 445 (microsoft-ds SMB over IP) appears to be related to basic Windows file sharing according to

formatting link
which is often exploited by the Sasser and Nimda worms, so it should be shut down ASAP it seems to some
formatting link

So, I disabled TCP port 445 using instructions at

formatting link
's_port_445_in_w2k_xp_2003.htm
which basically said to blank out a certain cryptic registry entry.

  1. C:\> netstat -an ... If port 445 is 'listening', then ...
  2. Locate the Windows XP registry key: HKLM\System\CurrentControlSet\Services\NetBT\Parameters\
  3. Change the key value pair from TransportBindName = \Device\ to TransportBindName = (blank it out totally)

But I'm confused about what it means to "listen on IP address 0.0.0.0"?

Even after googling, I am still confused as to the meaning of "0.0.0.0".

formatting link
?scid=kb;en-us;822123
formatting link
Guessing, does that mean 0.0.0.0 is listening to the whole world?

Can someone clarify what it means to be listening on TCP port 445 with a "foreign address" of 0.0.0.0:0?

Thanks for helping me and anyone who reads this thread, Susan

Reply to
Susan

It means that the computer is listening on port 445 on all IPs configured on the machine.

A foreign address of 0.0.0.0:0 is interpreted as none (no foreign host).

Reply to
Dom

If there is an Internet connection, yes.

The point is the local address to which the daemon/service is bound.

0.0.0.0 means here, it listens on every network interface the host has.

Yours, VB.

Reply to
Volker Birk
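To turn the rule given above (nothing should listen on 0.0.0.0 or the LAN address such as 192.168.0.110; listeners on 127.0.0.1 are harmless; a foreign address of 0.0.0.0:0 just means no peer yet) into a repeatable check, here is an added Python example that is not code from the thread. It parses a constructed `netstat -ano` sample (the PIDs and addresses are made up) and sorts listening sockets by how exposed their local address makes them.

```python
from collections import defaultdict

# Constructed sample of Windows "netstat -ano" output; PIDs and addresses are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1388
  TCP    192.168.0.110:139      0.0.0.0:0              LISTENING       4
  TCP    192.168.0.110:3127     64.233.160.99:80       ESTABLISHED     2240
  UDP    0.0.0.0:1900           *:*                                    1108
  UDP    127.0.0.1:123          *:*                                    1020
"""


def parse_netstat(text):
    """Parse IPv4 'netstat -ano' lines into dicts; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":
            if len(parts) < 5:
                continue
            state, pid = parts[3], parts[4]
        else:
            # UDP has no state column: any bound UDP socket receives datagrams,
            # so treat it as listening. A foreign address of *:* / 0.0.0.0:0 means "no peer".
            state, pid = "LISTENING", parts[3]
        ip, port = local.rsplit(":", 1)
        sockets.append({"proto": proto, "ip": ip, "port": int(port),
                        "foreign": foreign, "state": state, "pid": int(pid)})
    return sockets


def exposure(ip):
    """Classify a local bind address: loopback only, every interface, or one specific NIC."""
    if ip.startswith("127."):
        return "loopback-only"        # reachable only by this host itself
    if ip == "0.0.0.0":
        return "all-interfaces"       # reachable on every interface, LAN and Internet
    return "specific-interface"       # reachable by anyone who can route to that address


def triage(text):
    """Return {exposure_class: [(proto, port, pid), ...]} for listening sockets only."""
    result = defaultdict(list)
    for s in parse_netstat(text):
        if s["state"] != "LISTENING":
            continue                  # established connections are not services being offered
        result[exposure(s["ip"])].append((s["proto"], s["port"], s["pid"]))
    return dict(result)
```

Anything under `all-interfaces` or `specific-interface` is a service the box offers to the network and is what to disable or firewall first; the PID column lets you map it to the owning process in Task Manager or TCPView.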

Hi Guys, I do very much appreciate the expert advice & admonishments!

I don't know how to block a specific port with the hardware NAT or software firewall (I'm still looking that up) but the good news is deleting the stated registry key and rebooting eliminated the port 445 listening threat altogether! This should work for everyone reading this thread!

I'm sorry for being dense but I still have problems understanding this

0.0.0.0:0 local address reference. I hear what you say above. If I may try to clarify what you kindly said, does this interpretation of your words seem correct to you?

The host listens "on every network interface the host has" on port 445.

  • Given a wireless NIC, the host listens on port 445 wirelessly?
  • Given a 10/100 ethernet NIC, the host listens on port 445 wired?
  • Given a firewire card, the host listens on port 445 firewired?
  • Given a usb slot, the host listens on port 445 USB flash rams?
  • Given a bluetooth card, the host listens on port 445 bluetoothed?
  • Given an IDE card, the host listens on port 445 hard disk attempts?
  • Given an IR card, the host listens on port 445 in infrared?

Is that what it means for the host "to listen "on every network interface"?

Reply to
Susan
