What is going on?

#16 webxican (Member, 28 posts)
Hi

This is going to be a long reply in two posts. Sorry in advance for this.

PART ONE

I stepped back from the Hijack this log to try and see what else could be happening. BlackIce may be reporting a lot of activity with its default settings. I couldn't see anything unusual in the Hijackthis log you posted that could be the cause of the increased activity. That's why I suggested posting to the other thread in case there was something I was missing.

Here is a comparison to what may be going on with BlackIce. I use Zone Alarm Pro so I don't know the defaults for BlackIce. When Zone Alarm is first configured it will alert you on any & all things your router is doing. It seems like a lot is going on. Even under my Norton 2005 my logs show a ton of activity from IP addresses I've never heard of. But later when I check them out on Whois Arnet I find they are well known programs. Like AOL IM, Zone Alarm, Firefox etc. All programs I recognize. The logs are just keeping track of the IP addresses and not the DNS names like www.aol.com etc. Not until I changed the settings for Zone Alarm to only alert me on hacker activity & added my router(s) to the trusted zone did all the alerts stop. The activity was still high but I knew, with the software I use & my configuration in the NETWORK: section of this reply to secure my network, that I was protected.

The software I use on a regular basis. Spywareblaster, Spybot Search & Destroy, Ad-Aware SE, Zone Alarm Pro, Norton Anti Virus 2005.


If I were experiencing the same thing, this is what I would do to be sure my PC(s) were not infected with a Virus/Trojan/Worm, Adware/Spyware/Malware or hijacked.

1) I would make sure the software I mentioned above is up to date with the latest definitions for each program.
2) I would disconnect my router(s) from my modem & from my PC(s).
3) I would boot in normal or safe mode & back up my most important data just for a precautionary measure. (I use Acronis True Image & Acronis Disk Director). Any program that will backup, make an image or copy partitions will be fine. If I didn't have a program like these I would attach a slave drive to my PC and just copy over my important files & disconnect that slave when the files were copied.
4) I would boot my PC into safe mode.
5) I would enable all the protections & immunizations of Spyware Blaster & Spybot Search & Destroy.
6) I would do a full scan of my PC in safe mode removing any items found as critical or problem using Ad-Aware SE & Spybot Search & Destroy.
7) I would do a complete Anti Virus system scan or use custom to select all my hard drives if there is more than one drive. I use Norton Antivirus.
8) If for some reason any of the above programs would not run in safe mode, I would start normally & go into msconfig (Start > Run > msconfig) and under the General tab I would check Diagnostic Startup to load just the basic services & drivers & re-boot (remembering when I'm done to go back & uncheck Diagnostic & use the Selective or Normal startup). I only do this if I suspect I have a virus/trojan/worm, adware/spyware/malware or have been hijacked. This will make sure none of these programs are running as a process or service if I am infected. If some of the programs still won't run properly I would start normally and press CTRL+ALT+DEL to bring up the Task Manager list window & just end the processes of things I did not recognize. Being careful not to end system processes, svchost.exe etc. (I use The Ultimate Troubleshooter from answersthatwork.com).
9) Run any of the programs that would not run before.
10) Shut down the PC(s).

From here you could:
1) Attach your router back to the PC(s) but not connect to your modem yet.
2) Power up the router & PC(s).
3) This one is optional. Reset or configure your router with the suggestions in the NETWORK: section below. I do this for myself and it is not something you have to do, but I just wanted you to see how I am set up.
4) Power everything down & reconnect your modem to the router.
5) Power up everything and monitor the activity.

FINALLY:
Of course I could suggest un-installing BlackIce after all of this, and when you do a netstat you may not see what you were seeing before. But that doesn't help explain why all this activity started when BlackIce was installed.

I'm not very familiar with BlackIce. I will probably install BlackIce in one of my test environments in the next week or so. This way I will have a better understanding of whether the activity you are seeing is normal & related to BlackIce's default settings or something else.

#17 webxican (Member, 28 posts)
PART TWO:
MY NETWORK:
This section is completely optional. Actually it's more informational. I do this on my networks to secure them. Mainly because I use a combination of wired & wireless routers. For just a wired environment it may be considered overkill.

192.168.1.1 is usually associated with Linksys routers. It's the LAN IP address of your router. In one of my testing environments I have 1 wired Linksys & 1 wireless D-Link. What I have done to secure my network is assign a static IP address to each of my computers connected to my routers, wired or wireless. Log onto your router to see what IP address ranges your router assigns. My Linksys wired router is set to assign 2-100 (192.168.1.2 - 192.168.1.100). My D-Link wireless 192.168.0.1 assigns 100 - 199 (192.168.0.100 - 192.168.0.100) and my Belkin Pre-N wireless 192.168.2.1 assigns 2-100 (192.168.2.2 - 192.168.2.100).

Example of my static IP address under TCP/IP properties for a local connection on a desktop running Windows XP Pro connected to the wired Linksys router.

IP address 192.168.1.20
Subnet mask 255.255.255.0
Default Gateway 192.168.1.1

DNS Server 192.168.1.1

On the router I change the MAC control or filter settings (it all depends how old your router is) to allow only the MAC addresses of my computers to access the network. To find each computer's MAC address: under Network Connections right click your local connection and click Status. Then click the Support tab. Under Internet Protocol [TCP/IP] click the Details button. At the very top is the physical address of that computer's NIC card.

Put this physical address in your MAC control and use "only allow the following MAC addresses to access the network". If it's an older Linksys then the options might be under IP filtering. So after changing your TCP/IP properties on each machine to a static IP address, enable IP filtering to only allow IP addresses you have assigned. If it asks for a range and you have assigned 192.168.1.20 & 192.168.1.21 to two computers, then only allow a range of 192.168.1.20 - 192.168.1.21. Then for each computer you add to the network you will have to give it a static IP address and change the IP filter range to accommodate it. This will ensure only your computers can access your network. You could also use your router's built-in ability to act as a firewall in addition to BlackIce.

A few times I have had to reset my router to start with the defaults and set this up correctly. (When connecting a wired & wireless router there are certain settings that need to be configured other than just physically connecting the two together).


Sorry for the extremely long reply.

Thanks

Webxican

#18 S.Dizzle (Topic Starter, Member, 17 posts)
Hi. Thanks for the post. The only thing which I hadn't done from your list was assign static IPs, which I will do today. About the connections, I have also been doing a whois on weird connections, and most of the time they did say Microsoft, Hotmail, Symantec, etc. But there were some times when I thought that there shouldn't be any unidentifiable connections (at startup), and there were. At times on startup I've seen connections going to IPs that I haven't been able to identify through a whois. There's one I see quite often to 'Net Access Corporation' which is an internet provider I'm assuming. This probably has something to do with an application checking for updates or something, but combined with other things happening, it made me kinda sketched. I still don't know why my router would be sending me 'BOOTP_Remote_Overflow' or doing a TCP port scan on my comp, but I'm gonna post in networking about this. I've found Norton is pretty good, but it does miss quite a few things. I've been using online scanners (Panda ActiveScan, Trend Micro HouseCall, McAfee etc.) and they found quite a few things that Norton missed. Try it, you'll be surprised. 1 more thing that made me kinda worried was after I enabled my MAC filter, I saw that a MAC address had been denied (my router shows all the allowed MACs in green, refused ones in red). At one point in time, I remember seeing two MAC addresses in red, as well as my three in green. This led me to believe someone was trying to connect to my router, and combined with all the other weird things I saw, I was sure I'd been hijacked. Thanks for your help webxican, it's much appreciated. I'm gonna post in the networking section and see if anyone knows what the deal is with that remote overflow crap. Take it easy,
S.

#19 webxican (Member, 28 posts)
Hi,

Definitely post a question to the network section of the forum to find out more about the BOOTP messages.

One more thing about assigning static IP addresses. I assign high numbers for my computers within the router's IP address range, 192.168.1.120 & up. I may have mentioned 192.168.1.20 but I realize my Linksys starts at 100 with a range of 50 IPs. So 100 - 150. The reason I start at .120 & up is to be sure the router's DHCP doesn't assign the same IP address to 2 computers. The router's DHCP will start assigning low IPs from that range. Example: 192.168.1.103 etc. This way there is never a conflict with any new machines you add to your network. (Of course assigning static IP addresses to all your machines will also prevent any conflicts since they are forced to use the IP address of whatever you assign them).

There is more than one way to skin a cat so to speak. This link shows another way to assign static IP addresses.

http://www.portforwa...tic-xp-dhcp.htm

I also never determined what router you are using. I assumed it was a Linksys due to the IP address you mentioned, 192.168.1.1. If it is a Linksys make sure you have the latest firmware installed. Here is another link to some issues certain Linksys routers were having with BOOTP problems.

http://linksys.custh...li=&p_topview=1

http://linksys.custh...li=&p_topview=1

I'm not implying that this is what is going on with your Router. But it was just something I came across on the Linksys site.

Thanks for all of your patience.

Webxican