
Thread: Standard Activity vs Malicious Activity

  1. #1
    asrial Guest

    Standard Activity vs Malicious Activity

    What kind of activity does this look like to you all? Is this the standard stuff you encounter just being online or does it seem excessive?

    Be aware that I'm connected directly to the modem and not my router.

    The timeframe is ~ 2 hours and 45 minutes.


    FWIN,2009/07/10,14:39:22 -5:00 GMT,190.174.133.246:1388,66.25.55.84:45735,TCP (flags:S)
    FWIN,2009/07/10,14:43:38 -5:00 GMT,190.140.215.47:49519,66.25.55.84:45735,TCP (flags:S)
    FWIN,2009/07/10,14:48:28 -5:00 GMT,81.192.215.161:56145,66.25.55.84:45735,TCP (flags:S)
    FWIN,2009/07/10,14:58:12 -5:00 GMT,61.143.52.26:5641,66.25.55.84:44070,TCP (flags:AS)
    FWIN,2009/07/10,14:59:36 -5:00 GMT,190.174.133.246:1909,66.25.55.84:45735,TCP (flags:S)
    FWIN,2009/07/10,15:03:30 -5:00 GMT,190.140.215.47:49958,66.25.55.84:45735,TCP (flags:S)
    FWIN,2009/07/10,15:09:20 -5:00 GMT,81.192.215.161:57516,66.25.55.84:45735,TCP (flags:S)
    FWIN,2009/07/10,15:12:00 -5:00 GMT,60.210.179.136:6000,66.25.55.84:4899,TCP (flags:S)
    FWIN,2009/07/10,15:12:36 -5:00 GMT,221.195.73.68:6000,66.25.55.84:7212,TCP (flags:S)
    FWIN,2009/07/10,15:12:36 -5:00 GMT,221.195.73.68:6000,66.25.55.84:8000,TCP (flags:S)
    FWIN,2009/07/10,15:16:44 -5:00 GMT,137.164.143.170:6000,66.25.55.84:2967,TCP (flags:S)
    FWIN,2009/07/10,15:17:12 -5:00 GMT,125.164.240.160:0,66.25.55.84:0,ICMP (type:8/subtype:0)
    FWIN,2009/07/10,15:23:42 -5:00 GMT,190.140.215.47:50410,66.25.55.84:45735,TCP (flags:S)
    FWIN,2009/07/10,15:24:40 -5:00 GMT,202.101.42.73:2163,66.25.55.84:5900,TCP (flags:S)
    FWIN,2009/07/10,15:27:44 -5:00 GMT,81.192.215.161:58419,66.25.55.84:45735,TCP (flags:S)
    FWIN,2009/07/10,15:52:36 -5:00 GMT,190.174.162.30:1455,66.25.55.84:45735,TCP (flags:S)
    FWIN,2009/07/10,15:55:18 -5:00 GMT,222.135.146.178:6000,66.25.55.84:80,TCP (flags:S)
    FWIN,2009/07/10,15:56:56 -5:00 GMT,200.31.152.189:61875,66.25.55.84:45735,TCP (flags:S)
    FWIN,2009/07/10,16:01:50 -5:00 GMT,77.74.197.87:21703,66.25.55.84:22,TCP (flags:S)
    FWIN,2009/07/10,16:03:26 -5:00 GMT,61.143.52.26:5641,66.25.55.84:44070,TCP (flags:AS)
    FWIN,2009/07/10,16:04:38 -5:00 GMT,202.180.99.162:0,66.25.55.84:0,ICMP (type:8/subtype:0)
    FWIN,2009/07/10,16:04:42 -5:00 GMT,222.133.11.98:6000,66.25.55.84:1433,TCP (flags:S)
    FWIN,2009/07/10,16:12:46 -5:00 GMT,190.174.162.30:1985,66.25.55.84:45735,TCP (flags:S)
    FWIN,2009/07/10,16:25:42 -5:00 GMT,60.190.223.76:6000,66.25.55.84:2967,TCP (flags:S)
    FWIN,2009/07/10,16:26:28 -5:00 GMT,201.248.227.15:0,66.25.55.84:0,ICMP (type:8/subtype:0)
    FWIN,2009/07/10,16:29:08 -5:00 GMT,74.63.225.44:12200,66.25.55.84:8000,TCP (flags:S)
    FWIN,2009/07/10,16:32:52 -5:00 GMT,190.174.162.30:2501,66.25.55.84:45735,TCP (flags:S)
    FWIN,2009/07/10,16:38:08 -5:00 GMT,121.15.245.215:12200,66.25.55.84:8000,TCP (flags:S)
    FWIN,2009/07/10,16:52:06 -5:00 GMT,118.165.64.131:2847,66.25.55.84:25,TCP (flags:S)
    FWIN,2009/07/10,16:53:02 -5:00 GMT,190.174.162.30:3048,66.25.55.84:45735,TCP (flags:S)
    FWIN,2009/07/10,17:06:54 -5:00 GMT,221.10.221.211:4150,66.25.55.84:1434,UDP
    FWIN,2009/07/10,17:07:10 -5:00 GMT,190.140.215.47:51634,66.25.55.84:45735,TCP (flags:S)
    FWIN,2009/07/10,17:08:42 -5:00 GMT,61.143.52.26:5641,66.25.55.84:44070,TCP (flags:AS)
    FWIN,2009/07/10,17:13:08 -5:00 GMT,190.174.162.30:3574,66.25.55.84:45735,TCP (flags:S)
    FWIN,2009/07/10,17:13:42 -5:00 GMT,189.106.26.52:0,66.25.55.84:0,ICMP (type:8/subtype:0)

    Operating System:Windows XP Pro
    Software Version:8.0
    Product Name:ZoneAlarm Pro

  2. #2
    zaswing Guest

    Re: Standard Activity vs Malicious Activity

    FWIN means ZA-Pro blocked it all as it's its normal habit

    Are you using NetView LAN manager?
    Do you run a web server?
    Do you/did you run p2p software or some sort of instant messaging?

    A few addresses are Latin America - Argentina telephone, Brazil, Morocco, China and others.
    Most of it sounds to me really like just internet noise you're picking up if you're just a normal user with normal applications (no web servers, p2p).
    Noise is from Argentina telephone, Brazil, Morocco, China and others.

    Get a router. It'll stop all this. You'll then see next to nothing in the ZA logs. Routers are cheap. And the government wants us to buy to improve the economy.

    You can't do worse than look here
    http://zonealarm.donhoover.net/PRIVO...E/logfile.html
    which is written by the Pioneer ZA Guru Hoov and titled "Using and understanding zalog.txt"

  3. #3
    asrial Guest

    Re: Standard Activity vs Malicious Activity

    Thank you for the reply ZASWING

    I'm not running anything out of the ordinary. I do my fair share of networking related habits (mIRC, file serving, sometimes setting my computer up as a server, P2P, Trillian) but it's basic average computer user (who knows computers) stuff.

    What got me even started on this 'paranoia' is that I was seeing my router log showing DOS attacks (nothing major, just every so often during the day it'd show up in the log). There was a repeated pattern of certain IP's, but it wasn't constant (as if it was an infected computer and the pattern was the owner having it on/off). The hits to the log also weren't indicative of a major attack (it'd show a few hits over the course of 10 minutes and then nothing for hours). Also, I never lost internet, even during periods where I was online (say in WoW where I'd notice loss of internet) and the log showed it blocking stuff.

    Further, every now and then, my internet seems a bit **bleep**py (speed was fine, but a ping to Google would be spiky (normal is 50ms; spiky is it jumping to 100+ a lot)).

    So yeah, just started to get paranoid so disconnected from the router and hooked straight to the modem. I just don't have a comparison with Zone Alarm to determine what's normal activity in the log and what's abnormal activity.

    I can't find ANY abnormal issues on the computer (nothing is triggering ZA, I can't find anything in services/processes/startup/etc, and I can't see any abnormal netstat (I think that's the one.. I use a program called TCP View) connections).

    PS - Thank you for the link. Unfortunately, it doesn't work

  4. #4
    Join Date: Dec 2005, Posts: 9,056

    Re: Standard Activity vs Malicious Activity

    Yes, normal connection attempts seen when a computer is directly facing the internet.

    To decipher the list....
    let's look at the very first entry in your presented list...
    first look at the attempts made on your IP's own ports (not the sending port or the foreign IP's port).
    Thus 66.25.55.84:45735 is the main interest and the port 45735 is the port to look at to decipher the events.

    Now look here for the associated service or daemon related to that port:

    http://www.iana.org/assignments/port-numbers

    Note: copy and paste this list for later references.

    Well, we now see 45735 is unassigned or, in other words, a private or unknown use.
    Looking at the other ports attempted at your IP we can see things such as 22 (ftp data from servers) or 5900 (a vnc server access port) or port 80 (server connection using http) or 1434/1433 (MS SQL or ms server ports) or port 25 (mail port) and so forth and so on.

    Nothing really unusual with these ports connection attempts as this is basically the normal internet traffic, where servers are often looking for related or associated servers. Nothing to really be concerned about in this sense.


    Another section of the log to look at and examine is the 'Flags'.
    Two examples seen in the log are S and AS.
    "S" means "synchronize" (or initial incoming connection attempt) and "AS" means "acknowledge synchronize" (or rush this synchronizing attempt).
    The best explanation for the flags is by reading up on these:

    http://www.pccitizen.com/threewayhandshake.htm

    http://en.wikipedia.org/wiki/Transmi...ntrol_Protocol

    Again these flags are fairly normal.




    Besides the usual TCP and the one UDP protocol seen in your list, there is also listed the ICMP, namely 'type 8', which is officially called Echo or Echo Request and usually just referred to as 'ping'.
    Not unusual to see servers and computers pinging other servers and computers.
    In any case these too were dropped by the ZA firewall.

    http://www.iana.org/assignments/icmp-parameters

    Last but not least, the actual IP of those incoming connection attempts can be quickly looked at.

    Just by looking at where the IP fits into the IPv4 address space listing, it does help to quickly determine if the IP is Asian, South American or African or US, etc.

    http://www.iana.org/assignments/ipv4-address-space/

    Note: copy and paste this list for later references.


    Looking at the IPv4 address space list we can see where IPs fall into the different regional registries:

    'IANA' are reserved address spaces (or non-internet addresses)
    'AFRINIC' is Africa and other nearby regions.
    'ARIN' is the American registry.
    'RIPE' is the European registry.
    'APNIC' is the Asia and Pacific registry.
    'LACNIC' is the Latin America and Caribbean registry.


    and so forth and so on.


    The IPv4 address list gives only a general idea as to where the IP is listed, not a direct URL or domain name.
    By using the nslookup.exe of Windows we can usually quickly find the domain name associated with an IP.
    Open the command prompt and type in nslookup.
    Then leave a space and type in the IP.
    Now press the Enter key of the keyboard.

    For example the first IP listed in your list goes this way:


    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\SkyRider>nslookup 190.174.133.246
    *** Can't find server name for address 127.0.0.1: Non-existent domain
    *** Default servers are not available
    Server: UnKnown
    Address: 127.0.0.1

    Name: 190-174-133-246.speedy.com.ar
    Address: 190.174.133.246


    C:\Documents and Settings\SkyRider>


    Note: I used copy and paste instead of manually typing in the IP into the command - less work and it is more accurate.

    The IPv4 address space list shows that the 190.x.x.x addresses are in the Latin America and Caribbean.
    The speedy.com.ar result obtained from the nslookup command shows the site is a provider/host server in South America and the ".ar" following the .com in the URL indicates the TLD is Argentina.
    Thus it is an IP based from an Argentinian host/provider.

    See http://www.iana.org/domains/root/db/ for listings of the TLDs.

    -------------------------------------------------------------------------------------------------------------------------

    The quick answer to your question is yes these are normal incoming attempts and these unwanted attempts are all blocked by the ZA firewall to keep your computer safe.


    Oldsod.
    Best regards.
    oldsod
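The walkthrough above (local port first, then flags or ICMP type, then which sources keep coming back) can be done mechanically for the whole log. The following Python is an added example for this thread, not ZoneAlarm's tooling or Oldsod's own method; it parses FWIN lines in the layout seen in the first post, and `SERVICE_NAMES` is a hand-picked subset of the IANA port registry the post links to (which lists 22 as ssh). The sample lines are copied from the posted log.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Sample input: nine FWIN records copied from the log in the first post.
SAMPLE_LOG = """\
FWIN,2009/07/10,14:39:22 -5:00 GMT,190.174.133.246:1388,66.25.55.84:45735,TCP (flags:S)
FWIN,2009/07/10,14:58:12 -5:00 GMT,61.143.52.26:5641,66.25.55.84:44070,TCP (flags:AS)
FWIN,2009/07/10,14:59:36 -5:00 GMT,190.174.133.246:1909,66.25.55.84:45735,TCP (flags:S)
FWIN,2009/07/10,15:17:12 -5:00 GMT,125.164.240.160:0,66.25.55.84:0,ICMP (type:8/subtype:0)
FWIN,2009/07/10,15:24:40 -5:00 GMT,202.101.42.73:2163,66.25.55.84:5900,TCP (flags:S)
FWIN,2009/07/10,16:01:50 -5:00 GMT,77.74.197.87:21703,66.25.55.84:22,TCP (flags:S)
FWIN,2009/07/10,16:03:26 -5:00 GMT,61.143.52.26:5641,66.25.55.84:44070,TCP (flags:AS)
FWIN,2009/07/10,16:04:42 -5:00 GMT,222.133.11.98:6000,66.25.55.84:1433,TCP (flags:S)
FWIN,2009/07/10,17:06:54 -5:00 GMT,221.10.221.211:4150,66.25.55.84:1434,UDP
"""

# Hand-picked subset of the IANA port-numbers registry (assumed lookup table).
SERVICE_NAMES = {
    22: "ssh", 25: "smtp", 80: "http", 1433: "ms-sql-s", 1434: "ms-sql-m",
    5900: "vnc", 6000: "x11",
}

# FWIN,<date>,<time> <tz>,<src ip>:<port>,<dst ip>:<port>,<proto>[ (<detail>)]
LINE_RE = re.compile(
    r"^FWIN,(?P<date>\d{4}/\d{2}/\d{2}),(?P<time>\d{2}:\d{2}:\d{2}) [^,]*,"
    r"(?P<src>[\d.]+):(?P<sport>\d+),(?P<dst>[\d.]+):(?P<dport>\d+),"
    r"(?P<proto>TCP|UDP|ICMP)(?: \((?P<detail>[^)]*)\))?$"
)


@dataclass
class FwinEvent:
    when: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    detail: str  # "flags:S", "type:8/subtype:0", or "" for UDP


def parse_line(line: str) -> Optional[FwinEvent]:
    """Parse one FWIN record; return None for lines that are not FWIN records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{m['date']} {m['time']}", "%Y/%m/%d %H:%M:%S")
    return FwinEvent(when, m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                     m["proto"], m["detail"] or "")


def parse_log(text: str) -> list:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def classify(ev: FwinEvent) -> str:
    """Label an event the way the post does: local port first, then flags/ICMP type."""
    if ev.proto == "ICMP":
        return "ICMP echo request (ping)" if ev.detail.startswith("type:8") else f"ICMP {ev.detail}"
    service = SERVICE_NAMES.get(ev.dst_port, "unassigned/private")
    if ev.proto == "UDP":
        return f"UDP datagram to {ev.dst_port} ({service})"
    flags = ev.detail[len("flags:"):] if ev.detail.startswith("flags:") else ev.detail
    if flags == "S":
        return f"TCP SYN to {ev.dst_port} ({service})"
    if flags == "AS":
        # A SYN/ACK the firewall has no outbound SYN for: a stale reply or
        # backscatter, not a fresh connection attempt.
        return f"unsolicited TCP SYN/ACK to {ev.dst_port}"
    return f"TCP {flags} to {ev.dst_port} ({service})"


def local_port_counts(events) -> Counter:
    """How many blocked packets each local port received (the post's first step)."""
    return Counter(ev.dst_port for ev in events)


def repeat_sources(events, min_hits: int = 2) -> dict:
    """Sources seen at least min_hits times; value is (hits, first seen, last seen).
    This is the on/off pattern the asker noticed in the router log."""
    seen = {}
    for ev in events:
        hits, first, last = seen.get(ev.src_ip, (0, ev.when, ev.when))
        seen[ev.src_ip] = (hits + 1, min(first, ev.when), max(last, ev.when))
    return {ip: v for ip, v in seen.items() if v[0] >= min_hits}


def summarize(text: str) -> dict:
    events = parse_log(text)
    return {
        "total": len(events),
        "by_port": local_port_counts(events),
        "by_kind": Counter(classify(ev) for ev in events),
        "repeat_sources": repeat_sources(events),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} blocked inbound packets")
    for kind, n in s["by_kind"].most_common():
        print(f"{n:3d}  {kind}")
    for ip, (hits, first, last) in s["repeat_sources"].items():
        print(f"{ip}: {hits} hits between {first:%H:%M} and {last:%H:%M}")
```

Run it against a full zalog.txt by replacing `SAMPLE_LOG` with the file contents; the `repeat_sources` table is the part worth watching over days, since a single SYN to a well-known port is background noise while the same source returning to the same unassigned port on a schedule is what merits a closer look.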

  5. #5
    Join Date: Dec 2005, Posts: 9,056

    Re: Standard Activity vs Malicious Activity

    Try this link instead:

    http://zonealarm.donhoover.net/logfile.html

    Oldsod.
    Best regards.
    oldsod

  6. #6
    zaswing Guest

    Re: Standard Activity vs Malicious Activity

    Sorry, I've filtered myself a bit much
    The place is
    http://zonealarm.donhoover.net/logfile.html

  7. #7
    zaswing Guest

    Re: Standard Activity vs Malicious Activity

    Hi Oldsod,
    Sorry for being late here to fix the link and then not see you already did it!

    I thought Hoov's ICMP list is nice to look at so is a good reference.
    What caught my attention were local ports 80 and 6000. No concern, eh? I know ZA blocked. So these also just look like fishing expeditions by those other IPs?

    I like those 'direct to the internet, no router' experiments. They kinda tell you the firewall is working. Otherwise the logs are quite blank

  8. #8
    asrial Guest

    Re: Standard Activity vs Malicious Activity

    Yeah, I agree about the 'direct to the internet' peace of mind

    I really appreciate your input guys. It's hard to get out of that 'you're making yourself paranoid' mode.

    I suppose the biggest reason for it is that my router log (Netgear) is extremely basic so you have to dig deeper on your own and start wondering about every little thing.

    I also fix computers so this is good info to know, looking forward to going through those links

  9. #9
    Join Date: Dec 2005, Posts: 9,056

    Re: Standard Activity vs Malicious Activity

    To zaswing:

    The connection attempts to the computer's port 80 would not be strange or unusual for normal connection attempts to a server of the web.
    Every home computer almost always connects to the remote port 80 of a server.
    The port 6000 is not unusual either - some computers will 'network' using the x windows systems and this is the required port for those networking events.

    To Asrial:

    Perhaps a better breakdown can be seen here:

    Firewall Forensics

    (note to zaswing ...there is a little blurb about one of your fav topics, the 'route packets' seen in the firewall forensics page.)


    and there is a brief description of "various Attacks" seen here:

    Internet Firewalls:Frequently Asked Questions

    and DDOS attacks along with other server/internet security issues described here:

    The World Wide Web Security FAQ

    and some basic allow and deny 'general' rules for firewalls seen here:

    http://www.commontology.de/security/...lls/fire0.html


    --------------------------------------------------------------------------------------------

    A Networking tutorial seen here:

    Networking Tutorial

    --------------------------------------------------------------------------------------------


    Oldsod.

    Message Edited by Oldsod on 07-11-2009 12:14 AM
    Best regards.
    oldsod

  10. #10
    Join Date: Dec 2005, Posts: 9,056

    Re: Standard Activity vs Malicious Activity

    I use a 'basic' netgear router at home.
    Works fine to keep the 'intrusions' out and block off some unwanted port ranges or ports, and of course the reply to pings.

    Oldsod.
    Best regards.
    oldsod
