Full Version: outgoing packets
B.I.S.S. Forums > Internet Security Forum > Internet Security Discussion
pruttel
hi, it's me again.
I'm using Outpost firewall and the traffic is quiet now, but I noticed that when I start up my computer it is trying to send packets to something labelled as FBI:
IPs 63.240.15.211, 63.240.15.153, etc., in this range.

Does anyone know what the problem is? Further, when I tried to look in my logfile I noticed that the log stopped at 9/3, but the status is "logging all"? Any help would be appreciated!
greetz pruttel
r00ted
As far as the logging stopping at 6/3, I'm not sure. Check your preferences, maximize the "Log-O-Meter" to "Max" and make sure "log granted" and "log blocked" are checked/enabled. I know there is a delay in the Protowall logging, in that it's not CONSTANTLY dumping logs to the log file, I don't think... there's a delay I think, but I can't remember the numbers, hehe.
Moore
For starters, which logs are you talking about here, Outpost or Protowall?


OK, it's a bit hard to tell why your computer is wanting to connect to this place without knowing what else is running on your comp. You said you removed MSN Messenger; do you have any record of what ports this connection was using to make the outbound connection, TCP or UDP?

If you have set up Outpost's application rules, nothing should now get out unless you either have Rules Wizard running or have set rules for your internet applications. Once you have got your rules set, only run Outpost in "block most" mode; use Rules Wizard just for setting up new rules and troubleshooting connection problems.

Then, if you have these rules set up, whenever anything wants access it is going to be recorded in either Outpost's allowed or blocked windows.

Do you know which process is making the outbound connections? Now that you have Outpost, it should show you which application is wanting to access the net in the allowed or blocked connections tab; then we can work out if it was a normal connection or whether you've been hijacked...

You could always do a quick HijackThis and CWShredder scan and then post a HijackThis log here, just to be sure you haven't got some spyware embedded somewhere:

If you decide yes, download and just do a quick scan; don't fix anything at all with HijackThis, just save your log to file and post it...

http://www.merijn.org/files/cwshredder.zip
http://www.merijn.org/files/HijackThis.exe


If you think that you've already got that side of things covered, then just worry about finding out what wanted to access the net. Do you have the Windows Messaging service turned off? This is being exploited by viruses at the moment, as well as a few other ports being targeted...

OK, you said you're back to Outpost now, so make sure in Outpost you go into View > Layout and select everything, so you have all the logs showing, and then also View > Columns and make sure Remote Port, Remote Address and Process are selected, to show you these details in the log window.


Here's a bit of info on the FBI range. I think it's a bit dodgy, whatever it is, and I have it blocked:

http://www.dslreports.com/forum/remark,914...43520~mode=flat

I also found this little bit of PeerGuardian
~history~ when this FBI range was discussed last year at pg.net, thanks to Google cache... I have only had this range blocked once before, and that was using BitTorrent, whatever it is...


spammers


Another CERFnet range:
http://www.broadbandreports.com/r0/downloa...a29/svchost.JPG




www.cerf.net - 192.215.8.15


OrgName: CERFnet
OrgID: CERF
Address: 5738 Pacific Center Blvd
City: San Diego
StateProv: CA
PostalCode: 92121
Country: US

NetRange: 192.215.0.0 - 192.215.255.255
CIDR: 192.215.0.0/16
NetName: NETBLK-CERFNET
NetHandle: NET-192-215-0-0-1
Parent: NET-192-0-0-0-0
NetType: Direct Allocation
NameServer: DBRU.BR.NS.ELS-GMS.ATT.NET
NameServer: DMTU.MT.NS.ELS-GMS.ATT.NET
NameServer: CBRU.BR.NS.ELS-GMS.ATT.NET
NameServer: CMTU.MT.NS.ELS-GMS.ATT.NET

NetRange: 216.148.100.0 - 216.148.100.255
CIDR: 216.148.100.0/24
NetName: CERF-SPECTRALINK-A

Sorry if this doesn't help, but I need more info/logs [again, yes]...
Moore
More on this IP range:


QUOTE
Date: Tue, 17 Dec 2002 04:48:22 GMT


Found the source for my last spyware: Akamai Technologies 65.215.129.200 or
contentWatch.com. It was an app under
C:\windows\downloadedprogramfiles\contentauditcontrol.ocx. Found a ref in
the registry and removed it. Then another spyware pops up at startup.
Anyone have any experience or able to provide help on this one?


thanks
RK


63.241.29.136 a63-241-29-136.deploy.akamaitechnologies.com
It has an association with CERFnet.
Whois brings:
CERFnet CERFNET-BLK-5 (NET-63-240-0-0-1)
                                  63.240.0.0 - 63.242.255.255
Akamai Technologies, Inc. ATTENS-SAN2-007318 (NET-63-241-29-128-1)
                                  63.241.29.128 - 63.241.29.255


# ARIN Whois database, last updated 2002-12-15 20:00
# Enter ? for additional hints on searching ARIN's Whois database.





Any clues as to what this is and what it may be associated with?


thank you
pruttel
Hi Moore, it was in Protowall that I noticed those packets; I couldn't find an app trying to connect in Outpost. I disabled the Windows updater (is that the Windows messaging system?) and now on startup it's all quiet again. I'll keep my eye on it. I maxed the logfile, so now the logs will be saved if this occurs again! (I hope.) I'll keep you posted!
greetz pruttel
pruttel
PS, connection to merijn.org is refused?
greetz pruttel
r00ted
I'm not sure what merijn is... but I think it's safer-computing.net for HijackThis... try a Google search for it.

Yeah, that's weird that you are getting outgoing connections to FBI, though... either some program is sending the packets to the range, or maybe a page you are visiting is showing links from the FBI range.
Moore
Ahh, sorry, wrong links. Merijn is the programmer responsible for taking on the CWS trojan developers, and his site, along with SpywareInfo and others, got DDoS attacked and taken out not long ago, which is why the links are dead. But here are some working links. You can never be too careful; I didn't think I would get anything when I ran CWShredder the first time, but I did have something found and removed...


Direct downloads:

HijackThis
http://www.majorgeeks.com/downloadget.php?...a8baee6434cfc13

CWShredder
http://www.majorgeeks.com/downloadget.php?...6c5901960cc6e24
pruttel
Okay, now the strangest thing: I noticed it was when Norton AntiVirus tried to update that the packets labelled FBI were sent, but now I can't update any more because FBI is blocked. Can it be that Symantec is on the same range?
This is what I saw:
63.240.15.209) [protocol: TCP / destport: 80]
2004/03/11 23:37:11 [<-] BLOCKED [!] - Destination is FBI (63.240.15.209) [protocol: TCP / destport: 80]
2004/03/11 23:37:23 [<-] BLOCKED [!] - Destination is FBI (63.240.15.211) [protocol: TCP / destport: 80]
2004/03/11 23:37:26 [<-] BLOCKED [!] - Destination is FBI (63.240.15.211) [protocol: TCP / destport: 80]
2004/03/11 23:37:32 [<-] BLOCKED [!] - Destination is FBI (63.240.15.211) [protocol: TCP / destport: 80]
2004/03/11 23:37:45 [<-] BLOCKED [!] - Destination is FBI (63.240.15.210) [protocol: TCP / destport: 80]
2004/03/11 23:37:48 [<-] BLOCKED [!] - Destination is FBI (63.240.15.210) [protocol: TCP / destport: 80]
2004/03/11 23:37:54 [<-] BLOCKED [!] - Destination is FBI (63.240.15.210) [protocol: TCP / destport: 80]
2004/03/11 23:38:06 [<-] BLOCKED [!] - Destination is FBI (63.240.15.211) [protocol: TCP / destport: 80]
2004/03/11 23:38:09 [<-] BLOCKED [!] - Destination is FBI (63.240.15.211) [protocol: TCP / destport: 80]
2004/03/11 23:38:15 [<-] BLOCKED [!] - Destination is FBI (63.240.15.211) [protocol: TCP / destport: 80]
2004/03/11 23:38:27 [<-] BLOCKED [!] - Destination is FBI (63.240.15.144) [protocol: TCP / destport: 80]
2004/03/11 23:38:30 [<-] BLOCKED [!] - Destination is FBI (63.240.15.144) [protocol: TCP / destport: 80]
2004/03/11 23:38:36 [<-] BLOCKED [!] - Destination is FBI (63.240.15.144) [protocol: TCP / destport: 80]

Now I'm confused: is Protowall blocking a good range?
greetz pruttel
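An added triage helper, not code from the thread or from Protowall: it parses log lines in the format pruttel posted above, counts repeated blocked destinations, and checks each destination IP against the CERFnet range (63.240.0.0 - 63.242.255.255) from the ARIN whois output Moore quoted earlier. The embedded log lines are constructed in that format, including one truncated line that the parser skips.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the Protowall log format seen in the thread.
# The first line is deliberately truncated (as in the pasted log) and is skipped.
SAMPLE_LOG = """\
63.240.15.209) [protocol: TCP / destport: 80]
2004/03/11 23:37:11 [<-] BLOCKED [!] - Destination is FBI (63.240.15.209) [protocol: TCP / destport: 80]
2004/03/11 23:37:23 [<-] BLOCKED [!] - Destination is FBI (63.240.15.211) [protocol: TCP / destport: 80]
2004/03/11 23:38:06 [<-] BLOCKED [!] - Destination is FBI (63.240.15.211) [protocol: TCP / destport: 80]
2004/03/11 23:38:27 [<-] BLOCKED [!] - Destination is FBI (63.240.15.144) [protocol: TCP / destport: 80]
"""

# Inclusive range taken from the ARIN whois output quoted earlier in the thread.
CERFNET_BLK_5 = ("63.240.0.0", "63.242.255.255")

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<dir>[<>-]+)\] (?P<action>\w+) .*?"
    r"Destination is (?P<label>.+?) \((?P<ip>[\d.]+)\) "
    r"\[protocol: (?P<proto>\w+) / destport: (?P<port>\d+)\]$"
)

def parse_log(text):
    """Parse Protowall-style lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            events.append(d)
    return events

def summarize(events):
    """Count blocked (ip, proto, port) tuples so repeated destinations stand out."""
    return Counter((e["ip"], e["proto"], e["port"])
                   for e in events if e["action"] == "BLOCKED")

def in_range(ip, first, last):
    """True if ip lies within the inclusive whois range first..last."""
    return (ipaddress.ip_address(first) <= ipaddress.ip_address(ip)
            <= ipaddress.ip_address(last))

def check_against_whois(events, rng=CERFNET_BLK_5):
    """Map each distinct destination IP to whether it falls inside the whois range."""
    return {e["ip"]: in_range(e["ip"], *rng) for e in events}

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(summarize(evs))
    print(check_against_whois(evs))
```

Everything here goes to port 80/TCP and sits in the block that whois attributes to CERFnet, which is consistent with the thread's observation that the "FBI" label is just a blocklist name covering a hosting provider's range, not proof of who the traffic is for.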
Moore
I've never seen Norton updates using that address; I wouldn't allow it just yet...


Here's a page where you can update your anti-virus definitions. I absolutely refuse to use LiveUpdate after Symantec tried to FTP hack me, and I'm using a paid version.


http://securityresponse.symantec.com/avcen...ges/US-N95.html
Moore
QUOTE (pruttel @ Mar 12 2004, 06:47 AM)
Hi Moore, it was in Protowall that I noticed those packets; I couldn't find an app trying to connect in Outpost. I disabled the Windows updater (is that the Windows messaging system?) and now on startup it's all quiet again. I'll keep my eye on it. I maxed the logfile, so now the logs will be saved if this occurs again! (I hope.) I'll keep you posted!
greetz pruttel

OK, sorry, the Windows Messaging service can be disabled by going to
Administrative Tools > Services > Messenger service > Properties > Disable


QUOTE
Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.


I think the thing you disabled was Windows Update, and you don't really want to disable that, so please check whether it is Windows Update or the Messenger service in Administrative Tools that you disabled first.



Also, your HijackThis log looks clean...
pruttel
Thanks, master!
greetz pruttel