Firewall allowing connection
 

With nothing on my machine trying to use the net I keep getting the following from Outpost Firewall:

Allow activity for application SVCHOST.EXE SVCHOST.EXE 12/08/2003 12:15:19 public4-bolt5-5-cust33.oldh.broadband.ntl.com port4431 Inbound TCP

Antiviral and Trojan killers see nothing unusual on my machine, so why is my machine allowing incomings from another NTL user?

I assume the other user is either in Bolton or Oldham? I'm miles away in Wales!

They're coming thick and fast now.. from all over the country...

pc3-bary1-6-cust209.cdif.cable.ntl.com 2285 Inbound TCP
shep3-4-cust125.nott.cable.ntl.com 3569 Inbound TCP
pc1-leic4-3-cust94.nott.cable.ntl.com 4864 Inbound TCP

it's probably due to this

http://securityresponse.symantec.com...ster.worm.html

I hope you have your firewall actually blocking these hits - although if you are using Win98se or ME you should be ok.

Do a search for a file called msblast.exe, just in case.

user edit - corrected filename

Im running McAfee firewall and I'm getting huge ammounts of activity on the 'network traffic' screen. The web seems very slow at the moment as well, I wonder if there is a connection:confused:

Hi Ramrod

my router log is full of a huge number of attempted hits on port 135, due the blaster worm, with all that extra traffic I reckon browsing will be slower.

- off topic, just noticed *.com has gone down.

<edit> it's back now:)

No sign of the msblaster file... not in the registry either (winXP).

The things continue:

Allow activity for application SVCHOST.EXE SVCHOST.EXE 12/08/2003 12:15:19 pc4-stap1-6-cust244.nott.cable.ntl.co port4958 Inbound

Fix found just in case

http://securityresponse.symantec.com...r/FixBlast.exe

Allow activity for application SVCHOST.EXE SVCHOST.EXE 12/08/2003 12:15:19 pc2-rdng5-3-cust136.winn.cable.ntl.com port1145 Inbound

Allow activity for application SVCHOST.EXE SVCHOST.EXE 12/08/2003 12:15:19 pc3-lisb1-4-cust178.blfs.cable.ntl.com port1486 Inbound TCP 60 bytes 72 bytes

Hi Taf, you may not have seen I edited my post - the file is msblast.exe, not msblaster - sorry:)

Yep thanks I caught the edit....

and still they come,...............

SVCHOST.EXE 12/08/2003 12:15:19 pc3-leic4-3-cust150.nott.cable.ntl.com 3357 Inbound TCP 0 bytes 0 bytes
SVCHOST.EXE 12/08/2003 12:15:19 pc3-darl2-3-cust40.midd.cable.ntl.com 4603 Inbound TCP 0 bytes 0 bytes
SVCHOST.EXE 12/08/2003 12:15:19 pc1-bary1-6-cust102.cdif.cable.ntl.com 3752 Inbound TCP 100 bytes 1776 bytes
SVCHOST.EXE 12/08/2003 12:15:19 pc2-stme1-6-cust93.cdif.cable.ntl.com 4265 Inbound TCP 0 bytes 0 bytes
SVCHOST.EXE 12/08/2003 12:15:19 pc3-staf2-4-cust101.brhm.cable.ntl.com 2278 Inbound TCP 0 bytes 0 bytes
SVCHOST.EXE 12/08/2003 12:15:19 pc2-rdng5-3-cust136.winn.cable.ntl.com 1145 Inbound TCP 0 bytes 0 bytes
SVCHOST.EXE 12/08/2003 12:15:19 pc3-lisb1-4-cust178.blfs.cable.ntl.com 1486 Inbound TCP 60 bytes 72 bytes
SVCHOST.EXE 12/08/2003 12:15:19 pc2-stme1-6-cust93.cdif.cable.ntl.com 3491 Inbound TCP 60 bytes 72 bytes
SVCHOST.EXE 12/08/2003 12:15:19 pc4-stap1-6-cust244.nott.cable.ntl.com 4958 Inbound TCP 0 bytes 0 bytes

Yep, I'm also getting a lot here. As soon as I put the firewall on 'block all' the network traffic screen lights up like a christmas tree:(
....and I can't get onto gibson corps 'shields up' site either wich probably means that the world is on there checking their ports.

But why JUST NTL sites?

mmmm... lots
Tue, 12 Aug 2003 17:50:41 GMT+0100 Unrecognized access from 81.97.180.183:3341 to TCP port 135
Tue, 12 Aug 2003 17:50:44 GMT+0100 Unrecognized access from 81.97.180.183:3341 to TCP port 135
Tue, 12 Aug 2003 17:50:50 GMT+0100 Unrecognized access from 81.97.180.183:3341 to TCP port 135
Tue, 12 Aug 2003 17:51:38 GMT+0100 Unrecognized access from 81.97.181.113:1336 to TCP port 135
Tue, 12 Aug 2003 17:51:41 GMT+0100 Unrecognized access from 81.97.181.113:1336 to TCP port 135
Tue, 12 Aug 2003 17:51:47 GMT+0100 Unrecognized access from 81.97.181.113:1336 to TCP port 135
Tue, 12 Aug 2003 17:54:10 GMT+0100 Unrecognized access from 200.43.179.142:1027 to UDP port 137
Tue, 12 Aug 2003 17:55:58 GMT+0100 Unrecognized access from 81.97.184.71:1601 to TCP port 135
Tue, 12 Aug 2003 17:56:01 GMT+0100 Unrecognized access from 81.97.184.71:1601 to TCP port 135
Tue, 12 Aug 2003 17:56:02 GMT+0100 Unrecognized access from 81.97.183.166:1886 to TCP port 135
Tue, 12 Aug 2003 17:56:05 GMT+0100 Unrecognized access from 81.97.183.166:1886 to TCP port 135
Tue, 12 Aug 2003 17:56:07 GMT+0100 Unrecognized access from 81.97.184.71:1601 to TCP port 135
Tue, 12 Aug 2003 17:56:11 GMT+0100 Unrecognized access from 81.97.183.166:1886 to TCP port 135
Tue, 12 Aug 2003 17:56:28 GMT+0100 Unrecognized access from 81.97.31.167:4834 to TCP port 135
Tue, 12 Aug 2003 17:56:31 GMT+0100 Unrecognized access from 81.97.68.187:3158 to TCP port 135
Tue, 12 Aug 2003 17:56:31 GMT+0100 Unrecognized access from 81.97.31.167:4834 to TCP port 135
Tue, 12 Aug 2003 17:56:34 GMT+0100 Unrecognized access from 81.97.68.187:3158 to TCP port 135
Tue, 12 Aug 2003 17:56:35 GMT+0100 Unrecognized access from 81.96.148.73:4586 to TCP port 135
Tue, 12 Aug 2003 17:56:37 GMT+0100 Unrecognized access from 81.97.31.167:4834 to TCP port 135
Tue, 12 Aug 2003 17:56:37 GMT+0100 Unrecognized access from 81.96.139.241:3464 to TCP port 135
Tue, 12 Aug 2003 17:56:38 GMT+0100 Unrecognized access from 81.96.148.73:4586 to TCP port 135
Tue, 12 Aug 2003 17:56:40 GMT+0100 Unrecognized access from 81.97.68.187:3158 to TCP port 135
Tue, 12 Aug 2003 17:56:40 GMT+0100 Unrecognized access from 81.96.139.241:3464 to TCP port 135
Tue, 12 Aug 2003 17:56:44 GMT+0100 Unrecognized access from 81.96.148.73:4586 to TCP port 135
Tue, 12 Aug 2003 17:56:45 GMT+0100 Unrecognized access from 81.96.150.65:1176 to TCP port 135
Tue, 12 Aug 2003 17:56:46 GMT+0100 Unrecognized access from 81.96.139.241:3464 to TCP port 135
Tue, 12 Aug 2003 17:56:48 GMT+0100 Unrecognized access from 81.96.150.65:1176 to TCP port 135
Tue, 12 Aug 2003 17:56:51 GMT+0100 Unrecognized access from 81.97.145.148:2643 to TCP port 135
Tue, 12 Aug 2003 17:56:53 GMT+0100 Unrecognized access from 81.97.145.148:2643 to TCP port 135
Tue, 12 Aug 2003 17:56:54 GMT+0100 Unrecognized access from 81.96.150.65:1176 to TCP port 135
Tue, 12 Aug 2003 17:56:59 GMT+0100 Unrecognized access from 81.97.152.7:2718 to TCP port 135
Tue, 12 Aug 2003 17:56:59 GMT+0100 Unrecognized access from 81.96.238.126:4294 to TCP port 135
Tue, 12 Aug 2003 17:57:00 GMT+0100 Unrecognized access from 81.97.145.148:2643 to TCP port 135
Tue, 12 Aug 2003 17:57:08 GMT+0100 Unrecognized access from 81.97.20.191:2100 to TCP port 135
Tue, 12 Aug 2003 17:58:08 GMT+0100 Unrecognized access from 81.97.181.168:1609 to TCP port 135
Tue, 12 Aug 2003 17:58:11 GMT+0100 Unrecognized access from 81.97.181.168:1609 to TCP port 135
Tue, 12 Aug 2003 17:58:17 GMT+0100 Unrecognized access from 81.97.181.168:1609 to TCP port 135
Tue, 12 Aug 2003 17:58:19 GMT+0100 Unrecognized access from 81.97.72.228:4787 to TCP port 135
Tue, 12 Aug 2003 17:58:22 GMT+0100 Unrecognized access from 81.97.72.228:4787 to TCP port 135
Tue, 12 Aug 2003 17:58:25 GMT+0100 Unrecognized access from 81.97.181.56:3800 to TCP port 135
Tue, 12 Aug 2003 17:58:28 GMT+0100 Unrecognized access from 81.97.181.56:3800 to TCP port 135
Tue, 12 Aug 2003 17:58:28 GMT+0100 Unrecognized access from 81.97.72.228:4787 to TCP port 135
Tue, 12 Aug 2003 17:58:34 GMT+0100 Unrecognized access from 81.97.181.56:3800 to TCP port 135

Apparently the virus attacks the same subnet 60% of the time and a random IP address 40% of the time. Thus once the NTL address space got infected, the virus concentrates on maxing it out.

This 60%/40% thing was on one of the virus advisory websites, but I've forgotton which one. It's one linked to on one of the threads here or on .com.

And of course NTL has no antiviral running on it's servers to protect it's users?

For the last couple of days my firewall has been reporting almost non-stop MSRPC TCP port probes, whereas this used to be a very rare type of probe - could this be for the same reason?

Any experts out there?

seems to be a bit of a pattern


12/08/03 17:58:13 TCP 80.4.* 135 80.4.75.226 3440 Block
12/08/03 17:58:15 TCP 80.4.* 135 80.4.196.113 2499 Block
12/08/03 17:58:18 TCP 80.4.* 135 80.4.101.122 3838 Block
12/08/03 17:58:48 TCP 80.4.* 135 80.4.198.225 1142 Block
12/08/03 18:00:23 TCP 80.4.* 135 80.4.195.121 2698 Block
12/08/03 18:03:32 TCP 80.4.* 135 80.4.165.105 4328 Block
as you can see the scans are coming from the same IP segment as my addy. I wouldn't mind betting Altis's IP begins with 81.97.*

<edit> sorry Alan didn't see your post re 60/40 while I was typing

MSRPC = Microsoft Remote Procedure Call (which uses Port 135)

Thus yes, it is the msblast virus

http://www.ntl-isp.ntl.com/lookup/default.asp

They've put a warning up....

Note that there is another thread on here covering the same topic
http://www.nthellworld.co.uk/forum/s...&threadid=1791

Time for Admin to merge the two together?

Before it gets merged can I change it slightly and ask how I can tell if I have had anything past the firewall?

I am running linklogger and see plenty of attacks (green icons) at port 135 from NTL addresses.

But how do I know that they have been stopped or if they got past?

Etc.

Are there any dummies guides to knowing whats what with a firewall available?

Yes, i was wondering about that but I've run my anti-virus, had my ports checked and checked my registry as well. All clear, so my firewall must be doing it's job. *fingers crossed*:D

Just think of the iriots out there with no antiviral or firewall......

Theres a thread on it on .com

OI!
As someone who used to build the NT servers for NTL I take objection to that insinuation!
It's not NTL's servers that are infected, it's customers who aren't bright enough to get patched.
None of my servers were ever infected/hacked while I was in charge of them.

Nice to know... is it still that way?

the 60/40 was on the symantec site

As it infects only windows OSs I doubt it would hit the NTL mailservers anyway.

It will however infect any Windows 2000, Windows NT, XP or Server 2003 system that has not yet been patched.

I'm still getting small packets from other NTL addresses this morning, so lets hope they start patching their PCs soon....

It's still happening:

Allow activity for application SVCHOST.EXE SVCHOST.EXE 14/08/2003 09:27:21 pc1-clif2-5-cust97.nott.cable.ntl.com 3500 Inbound TCP 0 bytes 0 bytes
Allow activity for application SVCHOST.EXE SVCHOST.EXE 14/08/2003 09:27:44 cache1.ntli.net DNS Outbound UDP 5870 bytes 1061 bytes
Allow activity for application SVCHOST.EXE SVCHOST.EXE 14/08/2003 09:27:21 pc1-clif2-5-cust97.nott.cable.ntl.com 3500 Inbound TCP 0 bytes 0 bytes
Allow activity for application SVCHOST.EXE SVCHOST.EXE 14/08/2003 09:27:21 pc1-derb2-5-cust208.nott.cable.ntl.com 3800 Inbound TCP 60 bytes 72 bytes
Allow activity for application SVCHOST.EXE SVCHOST.EXE 14/08/2003 09:27:21 pc3-bary1-6-cust113.cdif.cable.ntl.com 4758 Inbound TCP 60 bytes 72 bytes
Allow activity for application SVCHOST.EXE SVCHOST.EXE 14/08/2003 09:27:21 81-86-170-247.dsl.pipex.com 1857 Inbound TCP 60 bytes 72 bytes
Allow activity for application SVCHOST.EXE SVCHOST.EXE 14/08/2003 09:27:21 pc1-leic4-3-cust105.nott.cable.ntl.com 2284 Inbound TCP 60 bytes 72 bytes
Allow activity for application SVCHOST.EXE SVCHOST.EXE 14/08/2003 09:27:21 81-86-228-6.dsl.pipex.com 2993 Inbound TCP 0 bytes 0 bytes
Allow activity for application SVCHOST.EXE SVCHOST.EXE 14/08/2003 09:27:21 pc1-stme1-5-cust56.cdif.cable.ntl.com 3817 Inbound TCP 100 bytes 1776 bytes
Allow activity for application SVCHOST.EXE SVCHOST.EXE 14/08/2003 09:27:21 pc1-ldry1-3-cust145.blfs.cable.ntl.com 2872 Inbound TCP 0 bytes 0 bytes
Allow activity for application SVCHOST.EXE SVCHOST.EXE 14/08/2003 09:27:21 pc1-glfd2-6-cust226.glfd.cable.ntl.com 3182 Inbound TCP 0 bytes 0 bytes
Allow activity for application SVCHOST.EXE SVCHOST.EXE 14/08/2003 09:27:21 pc1-bolt5-5-cust139.mant.cable.ntl.com 3370 Inbound TCP 60 bytes 72 bytes
Allow activity for application SVCHOST.EXE SVCHOST.EXE 14/08/2003 09:27:21 pc4-bsfd2-4-cust103.cmbg.cable.ntl.com 1741 Inbound TCP 0 bytes 0 bytes
Allow activity for application SVCHOST.EXE SVCHOST.EXE 14/08/2003 09:27:21 pc1-with1-4-cust109.bagu.cable.ntl.com 3878 Inbound TCP 0 bytes 0 bytes
Allow activity for application SVCHOST.EXE SVCHOST.EXE 14/08/2003 09:27:21 pc1-darl2-6-cust19.midd.cable.ntl.com 3955 Inbound TCP 0 bytes 0 bytes
Allow activity for application SVCHOST.EXE SVCHOST.EXE 14/08/2003 09:27:21 pc3-blfs2-6-cust208.blfs.cable.ntl.com 4658 Inbound TCP 0 bytes 0 bytes
Allow activity for application SVCHOST.EXE SVCHOST.EXE 14/08/2003 09:27:21 pc3-bary1-6-cust113.cdif.cable.ntl.com 4501 Inbound TCP 0 bytes 0 bytes
Allow activity for application SVCHOST.EXE SVCHOST.EXE 14/08/2003 09:27:21 pc4-ely11-4-cust40.cdif.cable.ntl.com 1685 Inbound TCP 0 bytes 0 bytes

Right i have updated my virus definations and done an anti virus scan on my PC. I also used the msblaster tool to check weather i had been affected or not. is there anything else i should do to protect myself?

I use the Outpost firewall and have Windows 98 SE. When I recently tested my computer against the Shields Up testing at Steve Gibson's site I was told that all my ports were stealthed apart from 110 and 143, which were shown as 'closed'.

As I wanted all ports to be 'stealthed' I went to the outpost options, selected the application tab and removed all the trusted applications. When I retried the test all ports were 'stealthed'.

Though 'stealth mode' means that your ports do not respond and therefore do not show they exist, it also means that you cannot have any trusted applications and all applications have to have rules written for them.

I think you might find that doing this will solve your problems, Taf.

Actually, I use Sygate Pro and have trusted apps, all ports STILL show stealthed

svchost.exe is a windows system file targeted for attack by the msblast virus. Ensure your firewall is set to block absolutely everything (I'm assuming you're not running anything for which you would actually want anyone to be able to access your PC remotely) and that should keep you covered.

I noticed that the majority of hits stopped by my firewall in recent days were from other ntl customers. Interesting to find out why...

As to what they're doing about it, you should have had an email from them warning you about the msblast virus and explaining where to go to get a windows patch to protect yourself, and where to get a fix if you're infected.

Interesting. Maybe, with Outpost that would work too. I suppose it depends on which applications you trust, thus it might be possible to have stealthed ports and some trusted apps after all. Worth a little experimentation, methinks!!

Thanks for that!!

Re: Firewall allowing connection
 

I have Norton Antivirus installed it just gave me a warning "port 1027 attempting inbound blah blah" and i blocked it and it never came back.
I installed IDman with browser integration this doesnt have to do anything with that,does it?....if i am way off sorry i am a fool.

Re: Firewall allowing connection
 

Blimey, bit of an old thread to revive.

Welcome to the forum, by the way :welcome:

Re: Firewall allowing connection
 

Bump of the year award.

I am sure if you re-read the main of this thread you will get jist of it, generally the blaster worm tends to reboot your computer, by force by terminating a .exe system command process.

There is many patches on www.google.com if you search under msblast.exe patch.