Computer security/firewall question for Gurus
JohnyCanuck (Donating Member, 1000+ posts) Sat Jan-24-04 08:32 PM
Original message
Computer security/firewall question for Gurus
Edited on Sat Jan-24-04 08:35 PM by JohnyCanuck
I'm running the free version of Kerio Firewall 4.0 on my Win 98 PC. I recently turned on the logging function and noticed messages in my log indicating Microsoft File and Printer Sharing was attempting to send outbound UDP packets to various IP addresses which whois searches show as belonging to various telcos and communication companies (I'm assuming ISPs) scattered all over the globe, e.g. US, Brazil, Turkey etc. This happens about 2 or 3 times per minute. Currently I have this traffic blocked by the firewall so it is not getting out, although when I first noticed it in the logs it was being allowed out.

I have no unusual or unidentified tasks or programs showing up in the task monitor. I've run spybot and ad-aware 6.0 to see if that made a difference. When I ran ad-aware and removed some tracking cookies I thought it had fixed the problem because the messages seemed to stop for a while, but then they started up again a few hours later and yet ad-aware shows no more objects found when I run it.

I installed Kazaa just over a year ago, but I haven't used it in ages and I have it configured NOT to start automatically at startup (confirmed by the Task List that Kazaa.exe is not running). I've only got one TCP/IP connection on the computer, i.e. my DSL connection to my ISP. Also Microsoft file and print sharing is NOT bound to the PPPOE protocol or to the NIC.

Anyone have any idea what on earth could be causing this (spyware, trojan etc) and/or how to get it to stop? Here are a couple of sample lines from the firewall log. (E1H3E0 is my PC)

Microsoft file and printer sharing -> Out E1HE3E0:nbname 209.222.187.39:nbname UDP denied

Microsoft file and printer sharing -> Out E1HE3E0:nbname 209.161.238.255:nbname UDP denied

Am I correct in assuming that the packet to 209.161.238.255 would be a multicast to any computers within the 209.161.238.xxx subnet?

Any suggestions or helpful comments would be much appreciated.
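An added example, not code from the thread, that parses the two log lines quoted above and sorts each destination into the local subnet's broadcast, a host on the local subnet, an off-net address ending in .255, or a plain unicast. The poster's own address and mask are never stated, so both are parameters (the third log line and the 209.161.238.10/24 local address are constructed); it also goes slightly beyond the thread by handling masks other than /24, which is exactly why an x.x.x.255 address can be a valid host.

```python
"""Classify the destinations in Kerio-style outbound log lines.

Added example, not from the thread. The first two SAMPLE_LOG lines are
the ones quoted in the post; the third line and the local address used
in __main__ are constructed. The poster's mask is assumed /24 by default.
"""
import ipaddress
import re

SAMPLE_LOG = """\
Microsoft file and printer sharing -> Out E1HE3E0:nbname 209.222.187.39:nbname UDP denied
Microsoft file and printer sharing -> Out E1HE3E0:nbname 209.161.238.255:nbname UDP denied
Microsoft file and printer sharing -> Out E1HE3E0:nbname 209.222.187.255:nbname UDP denied
"""

# <app> -> <direction> <src>:<port> <dst>:<port> <proto> <action>
LINE_RE = re.compile(
    r"^(?P<app>.+?) -> (?P<dir>Out|In) (?P<src>\S+):(?P<sport>\S+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\S+) (?P<proto>TCP|UDP) (?P<action>\w+)$"
)

def classify_destination(dst, local_ip, prefix_len=24):
    """Return 'local-broadcast', 'unicast' or 'offnet-255' for a destination."""
    net = ipaddress.ip_network(f"{local_ip}/{prefix_len}", strict=False)
    addr = ipaddress.ip_address(dst)
    if addr == net.broadcast_address:
        return "local-broadcast"   # stays on the local segment; ISPs drop it anyway
    if addr in net:
        return "unicast"           # a host on our subnet (.255 is a valid host in a /23)
    if addr.packed[-1] == 255:
        return "offnet-255"        # looks like another /24's broadcast; not certain without its mask
    return "unicast"               # one specific remote machine: the lines worth a closer look

def summarize(log_text, local_ip, prefix_len=24):
    """Return [(dst, dport, action, kind)] for every outbound line that parses."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["dir"] != "Out":
            continue
        out.append((m["dst"], m["dport"], m["action"],
                    classify_destination(m["dst"], local_ip, prefix_len)))
    return out

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG, "209.161.238.10"):  # constructed local address
        print(*row)
```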
kiahzero (Donating Member, 1000+ posts) Sat Jan-24-04 08:35 PM
Response to Original message
1. The 255 one is not necessarily a multicast
You can have an x.x.x.255 IP address.

Not sure why your PC is trying to broadcast UDP packets... can you get the outbound port?

JohnyCanuck (Donating Member, 1000+ posts) Sat Jan-24-04 08:39 PM
Response to Reply #1
2. No port #s in the firewall log
Unfortunately the Port #s don't show up in the log file. I've looked through the help info from Kerio but haven't yet seen anything that would tell me how to get that info to show up.

Nlighten1 (Donating Member, 1000+ posts) Sat Jan-24-04 08:41 PM
Response to Reply #1
3. x.x.x.255 is a broadcast address...
you can't use it for an IP address though.

Nlighten1 (Donating Member, 1000+ posts) Sat Jan-24-04 08:46 PM
Response to Reply #3
6. Additionally
UDP is a connectionless protocol so I doubt this is anything suspicious. Windows 98 is very chatty and it uses broadcast traffic wayyyyy too much.

kiahzero (Donating Member, 1000+ posts) Sat Jan-24-04 08:53 PM
Response to Reply #3
9. I could swear that I've got one at school
I'll have to check on that

Sentath (Donating Member, 1000+ posts) Sat Jan-24-04 10:13 PM
Response to Reply #3
12. Bleeping Cisco
Unless I'm severely mistaken they have options in some of their IOS versions that let you use 255 in the last octet.

And another 'switch' that makes 0 an allowable host address.

ProdigalJunkMail (Donating Member, 1000+ posts) Sat Jan-24-04 10:40 PM
Response to Reply #12
16. no reason to say 'bleeping cisco'
255 can absolutely be used in the last octet...just depends on the mask. 0 is just as valid...

TheProdigal

ProdigalJunkMail (Donating Member, 1000+ posts) Sat Jan-24-04 10:38 PM
Response to Reply #3
15. dependent on the mask
it could be a valid IP address, but it is highly unlikely that it refers to a single station and is more likely intended for a group of machines...

TheProdigal

Nlighten1 (Donating Member, 1000+ posts) Sat Jan-24-04 08:42 PM
Response to Original message
4. Do this....
go to http://www.foundstone.com and download their portscanner. Run it and see what ports are open and then open a DOS window and type NETSTAT.

JohnyCanuck (Donating Member, 1000+ posts) Sat Jan-24-04 08:44 PM
Response to Reply #4
5. Going there now. thanks n/t

Nlighten1 (Donating Member, 1000+ posts) Sat Jan-24-04 08:48 PM
Response to Reply #5
7. Click on "Resources" and then click "free tools"
Edited on Sat Jan-24-04 08:49 PM by Nlighten1
Click on "Intrusion Detection" and then download FPort

JohnyCanuck (Donating Member, 1000+ posts) Sat Jan-24-04 09:34 PM
Response to Reply #7
10. Unfortunately fport is not supported on Win98. DOH!!!!
but when I do the netstat command the current connections show up as:

Active Connections

Proto Local Address Foreign Address State
TCP e1h3e0:1025 localhost.look.ca:44334 ESTABLISHED
TCP e1h3e0:1027 localhost.look.ca:1029 ESTABLISHED
TCP e1h3e0:1029 localhost.look.ca:1027 ESTABLISHED
TCP e1h3e0:44334 localhost.look.ca:1025 ESTABLISHED

Nlighten1 (Donating Member, 1000+ posts) Sat Jan-24-04 10:04 PM
Response to Reply #10
11. Are you running Kazaa or something?
TCP e1h3e0:1025 localhost.look.ca:44334 ESTABLISHED

This is the only one I wonder about.

JohnyCanuck (Donating Member, 1000+ posts) Sat Jan-24-04 10:16 PM
Response to Reply #11
13. Kazaa.exe is definitely not showing up in the task list

Kazaa is installed on my system but configured not to start at bootup (i.e. not in the startup list in msconfig) and when I do the ctrl alt delete thing and check the task list kazaa.exe is not running. I went through every task in the task list and if I didn't know what it was I checked the name in Google, and all tasks appear to be legitimate Windows tasks or firewall, antivirus etc. programs. I don't have any other P2P software installed that I am aware of (other than Kazaa) and I am the only user on this PC.

I tried to remove Kazaa altogether using the add/remove programs in Ctrl panel but got an error indicating a dll file was missing and the remove failed at that point.

Nlighten1 (Donating Member, 1000+ posts) Sat Jan-24-04 10:37 PM
Response to Reply #13
14. Do this....
Go here and download TCP View

http://www.sysinternals.com/ntw2k/source/tcpview.shtml

Run it and see if you can find the program that has that port open. Also tell me the status (listening etc.)

JohnyCanuck (Donating Member, 1000+ posts) Sat Jan-24-04 11:09 PM
Response to Reply #14
20. *&(!@# Win 98

Sorry Nlighten1, but in Win98 the tcpview program doesn't show the programs holding open the ports. However, according to another poster on this thread these TCP connections are legit, including the one with the high port #, and the UDP stuff is probably just Microsoft junk.

I guess I'll just say to hell with it for now and keep the UDP stuff blocked with the firewall. In the near future I plan to wipe the HD clean and install 2000 or XP so if by some chance it is something illegitimate that should take care of it.

Thanks for all your help.

ProdigalJunkMail (Donating Member, 1000+ posts) Sat Jan-24-04 10:45 PM
Response to Reply #10
17. the 10xx ports are netbios and windows has those open
almost all the time...just a nuisance listening port for inbound traffic for netbios browsing...used by microsoft networking and sharing

Port 44334 is an ephemeral port and is used temporarily while a connection is open...this is all referenced to localhost (which is your machine) and should be of little concern

TheProdigal
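An added example, not code from the thread, that reads the netstat listing from reply #10 and shows the point made above in working form: the four ESTABLISHED lines are two loopback sockets seen from both ends (1025 with 44334, 1027 with 1029), so they pair up, while any entry whose peer is not localhost is reported separately. The fifth netstat line (peer 203.0.113.7) is constructed to show that second case.

```python
"""Pair the loopback entries in a Win9x-style netstat listing.

Added example, not from the thread. The four TCP rows are the ones quoted
in reply #10; the fifth row (203.0.113.7) is constructed.
"""
NETSTAT = """\
Active Connections

Proto Local Address Foreign Address State
TCP e1h3e0:1025 localhost.look.ca:44334 ESTABLISHED
TCP e1h3e0:1027 localhost.look.ca:1029 ESTABLISHED
TCP e1h3e0:1029 localhost.look.ca:1027 ESTABLISHED
TCP e1h3e0:44334 localhost.look.ca:1025 ESTABLISHED
TCP e1h3e0:1031 203.0.113.7:443 ESTABLISHED
"""

def is_loopback(host):
    # Win9x shows 127.0.0.1 as "localhost" with the ISP's DNS suffix appended.
    return host.split(".")[0] == "localhost" or host.startswith("127.")

def parse_netstat(text):
    """Return [(proto, local_port, foreign_host, foreign_port, state)] per row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ("TCP", "UDP"):
            continue   # banner, header, or a UDP row without a state column
        lport = int(parts[1].rsplit(":", 1)[1])
        fhost, fport = parts[2].rsplit(":", 1)
        rows.append((parts[0], lport, fhost, int(fport), parts[3]))
    return rows

def loopback_pairs(rows):
    """Collapse mirrored loopback rows into one sorted (port, port) tuple per
    socket pair; return those pairs plus the rows whose peer is not loopback."""
    local = [r for r in rows if is_loopback(r[2])]
    remote = [r for r in rows if not is_loopback(r[2])]
    ends = {(r[1], r[3]) for r in local}
    # A row (a, b) is one end of a local socket pair only if (b, a) is also listed.
    pairs = sorted({tuple(sorted(e)) for e in ends if (e[1], e[0]) in ends})
    return pairs, remote

if __name__ == "__main__":
    pairs, remote = loopback_pairs(parse_netstat(NETSTAT))
    print("loopback socket pairs:", pairs)
    print("non-loopback peers:", [(r[2], r[3]) for r in remote])
```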

ConcernedCanuk (Donating Member, 1000+ posts) Sat Jan-24-04 08:51 PM
Response to Original message
8. Re AdAware - I'm running 6.0

and I do the "update" thing on a regular(at least weekly) basis,

It makes a big difference, and it's an "update", as opposed to the "upgrade" that a lot of freeware tries to bug you with.

Now, I gotta find that Freeware, Kerio Firewall 4.0 you mentioned !

I'm off to aGooglin' :toast:

mvd (Donating Member, 1000+ posts) Sun Jan-25-04 02:54 PM
Response to Reply #8
22. Beware of the 4.0 series
Edited on Sun Jan-25-04 02:55 PM by mvd
It is still a beta-quality type product, even though Kerio treats it as final. Also, you have to pay if you want active-content blocking. The free 2.x series has a very good reputation, but it's not for security novices.


ProdigalJunkMail (Donating Member, 1000+ posts) Sat Jan-24-04 10:48 PM
Response to Original message
18. most likely what you are seeing
is netbios traffic that windows uses for file and print sharing and since it is sent to a broadcast address it is not leaving your local network and certainly not crossing out onto the internet. Your ISP would be dropping this traffic if it were to make it that far. There is nothing to worry about here as these ports are maintained as open for the process of browsing in windows.

If you were to turn off file and print sharing these would go away. If you will check YOUR IP address I think it will probably be in the same range of numbers 209.161.238.xxx.

TheProdigal

JohnyCanuck (Donating Member, 1000+ posts) Sat Jan-24-04 11:03 PM
Response to Reply #18
19. Are you referring here to the UDP traffic in my original post?

What had me somewhat alarmed was when the whois lookups on the IP addresses I was trying to connect to showed them as belonging to telcos and telecom companies all over the globe. I thought if it was just legitimate Microsoft traffic the IP addresses would show up as belonging to Microsoft. Some of the addresses are broadcast, i.e. the last octet being 255, but some are individual IP addresses as well.

However, I have them blocked with the firewall, so I guess I won't lose any sleep over it. I figure it's about time I upgraded to 2000 or XP anyway, so sometime soon I'll probably reformat the HD and install a new OS. Thanks for your input.


ProdigalJunkMail (Donating Member, 1000+ posts) Sat Jan-24-04 11:09 PM
Response to Reply #19
21. yes and no
the IP addresses you are seeing are commonly allocated by ISPs and you would see nothing of Microsoft's addresses. The communications you are seeing are most likely internal microsoft browsing stuff and are little or nothing to be worried about. The IP addresses that are NOT broad/multicast in nature might be an issue though. Definitely run your spyware assassin of choice.

By the by, unless you have need of Win2000 (variant of the older NT tech) go with XP. I have it running here beside my Linux station and have been fairly pleased with it!

Good luck!
TheProdigal