Cable Forum


Taf 12-08-2003 16:52

Firewall allowing connection
 
With nothing on my machine trying to use the net I keep getting the following from Outpost Firewall:

Allow activity for application SVCHOST.EXE SVCHOST.EXE 12/08/2003 12:15:19 public4-bolt5-5-cust33.oldh.broadband.ntl.com port4431 Inbound TCP

Antiviral and Trojan killers see nothing unusual on my machine, so why is my machine allowing incomings from another NTL user?

I assume the other user is either in Bolton or Oldham? I'm miles away in Wales!

Taf 12-08-2003 17:11

They're coming thick and fast now.. from all over the country...

pc3-bary1-6-cust209.cdif.cable.ntl.com 2285 Inbound TCP
shep3-4-cust125.nott.cable.ntl.com 3569 Inbound TCP
pc1-leic4-3-cust94.nott.cable.ntl.com 4864 Inbound TCP

homealone 12-08-2003 17:22

it's probably due to this

http://securityresponse.symantec.com...ster.worm.html

I hope you have your firewall actually blocking these hits - although if you are using Win98se or ME you should be ok.

Do a search for a file called msblast.exe, just in case.

user edit - corrected filename

Ramrod 12-08-2003 17:32

I'm running McAfee firewall and I'm getting huge amounts of activity on the 'network traffic' screen. The web seems very slow at the moment as well, I wonder if there is a connection:confused:

homealone 12-08-2003 17:39

Quote:

Originally posted by Ramrod
I'm running McAfee firewall and I'm getting huge amounts of activity on the 'network traffic' screen. The web seems very slow at the moment as well, I wonder if there is a connection:confused:

Hi Ramrod

my router log is full of a huge number of attempted hits on port 135, due to the blaster worm, with all that extra traffic I reckon browsing will be slower.

- off topic, just noticed *.com has gone down.

<edit> it's back now:)

Taf 12-08-2003 18:11

No sign of the msblaster file... not in the registry either (winXP).

The things continue:

Allow activity for application SVCHOST.EXE SVCHOST.EXE 12/08/2003 12:15:19 pc4-stap1-6-cust244.nott.cable.ntl.co port4958 Inbound

Taf 12-08-2003 18:12

Fix found just in case

http://securityresponse.symantec.com...r/FixBlast.exe

Taf 12-08-2003 18:13

Allow activity for application SVCHOST.EXE SVCHOST.EXE 12/08/2003 12:15:19 pc2-rdng5-3-cust136.winn.cable.ntl.com port1145 Inbound

Allow activity for application SVCHOST.EXE SVCHOST.EXE 12/08/2003 12:15:19 pc3-lisb1-4-cust178.blfs.cable.ntl.com port1486 Inbound TCP 60 bytes 72 bytes

homealone 12-08-2003 18:13

Quote:

Originally posted by Taf
No sign of the msblaster file... not in the registry either (winXP).

The things continue:

Allow activity for application SVCHOST.EXE SVCHOST.EXE 12/08/2003 12:15:19 pc4-stap1-6-cust244.nott.cable.ntl.co port4958 Inbound

Hi Taf, you may not have seen I edited my post - the file is msblast.exe, not msblaster - sorry:)

Taf 12-08-2003 18:21

Yep thanks I caught the edit....

and still they come,...............

SVCHOST.EXE 12/08/2003 12:15:19 pc3-leic4-3-cust150.nott.cable.ntl.com 3357 Inbound TCP 0 bytes 0 bytes
SVCHOST.EXE 12/08/2003 12:15:19 pc3-darl2-3-cust40.midd.cable.ntl.com 4603 Inbound TCP 0 bytes 0 bytes
SVCHOST.EXE 12/08/2003 12:15:19 pc1-bary1-6-cust102.cdif.cable.ntl.com 3752 Inbound TCP 100 bytes 1776 bytes
SVCHOST.EXE 12/08/2003 12:15:19 pc2-stme1-6-cust93.cdif.cable.ntl.com 4265 Inbound TCP 0 bytes 0 bytes
SVCHOST.EXE 12/08/2003 12:15:19 pc3-staf2-4-cust101.brhm.cable.ntl.com 2278 Inbound TCP 0 bytes 0 bytes
SVCHOST.EXE 12/08/2003 12:15:19 pc2-rdng5-3-cust136.winn.cable.ntl.com 1145 Inbound TCP 0 bytes 0 bytes
SVCHOST.EXE 12/08/2003 12:15:19 pc3-lisb1-4-cust178.blfs.cable.ntl.com 1486 Inbound TCP 60 bytes 72 bytes
SVCHOST.EXE 12/08/2003 12:15:19 pc2-stme1-6-cust93.cdif.cable.ntl.com 3491 Inbound TCP 60 bytes 72 bytes
SVCHOST.EXE 12/08/2003 12:15:19 pc4-stap1-6-cust244.nott.cable.ntl.com 4958 Inbound TCP 0 bytes 0 bytes

Ramrod 12-08-2003 18:26

Yep, I'm also getting a lot here. As soon as I put the firewall on 'block all' the network traffic screen lights up like a Christmas tree:(
....and I can't get onto gibson corps 'shields up' site either, which probably means that the world is on there checking their ports.

Taf 12-08-2003 18:56

But why JUST NTL sites?

altis 12-08-2003 19:01

mmmm... lots
Tue, 12 Aug 2003 17:50:41 GMT+0100 Unrecognized access from 81.97.180.183:3341 to TCP port 135
Tue, 12 Aug 2003 17:50:44 GMT+0100 Unrecognized access from 81.97.180.183:3341 to TCP port 135
Tue, 12 Aug 2003 17:50:50 GMT+0100 Unrecognized access from 81.97.180.183:3341 to TCP port 135
Tue, 12 Aug 2003 17:51:38 GMT+0100 Unrecognized access from 81.97.181.113:1336 to TCP port 135
Tue, 12 Aug 2003 17:51:41 GMT+0100 Unrecognized access from 81.97.181.113:1336 to TCP port 135
Tue, 12 Aug 2003 17:51:47 GMT+0100 Unrecognized access from 81.97.181.113:1336 to TCP port 135
Tue, 12 Aug 2003 17:54:10 GMT+0100 Unrecognized access from 200.43.179.142:1027 to UDP port 137
Tue, 12 Aug 2003 17:55:58 GMT+0100 Unrecognized access from 81.97.184.71:1601 to TCP port 135
Tue, 12 Aug 2003 17:56:01 GMT+0100 Unrecognized access from 81.97.184.71:1601 to TCP port 135
Tue, 12 Aug 2003 17:56:02 GMT+0100 Unrecognized access from 81.97.183.166:1886 to TCP port 135
Tue, 12 Aug 2003 17:56:05 GMT+0100 Unrecognized access from 81.97.183.166:1886 to TCP port 135
Tue, 12 Aug 2003 17:56:07 GMT+0100 Unrecognized access from 81.97.184.71:1601 to TCP port 135
Tue, 12 Aug 2003 17:56:11 GMT+0100 Unrecognized access from 81.97.183.166:1886 to TCP port 135
Tue, 12 Aug 2003 17:56:28 GMT+0100 Unrecognized access from 81.97.31.167:4834 to TCP port 135
Tue, 12 Aug 2003 17:56:31 GMT+0100 Unrecognized access from 81.97.68.187:3158 to TCP port 135
Tue, 12 Aug 2003 17:56:31 GMT+0100 Unrecognized access from 81.97.31.167:4834 to TCP port 135
Tue, 12 Aug 2003 17:56:34 GMT+0100 Unrecognized access from 81.97.68.187:3158 to TCP port 135
Tue, 12 Aug 2003 17:56:35 GMT+0100 Unrecognized access from 81.96.148.73:4586 to TCP port 135
Tue, 12 Aug 2003 17:56:37 GMT+0100 Unrecognized access from 81.97.31.167:4834 to TCP port 135
Tue, 12 Aug 2003 17:56:37 GMT+0100 Unrecognized access from 81.96.139.241:3464 to TCP port 135
Tue, 12 Aug 2003 17:56:38 GMT+0100 Unrecognized access from 81.96.148.73:4586 to TCP port 135
Tue, 12 Aug 2003 17:56:40 GMT+0100 Unrecognized access from 81.97.68.187:3158 to TCP port 135
Tue, 12 Aug 2003 17:56:40 GMT+0100 Unrecognized access from 81.96.139.241:3464 to TCP port 135
Tue, 12 Aug 2003 17:56:44 GMT+0100 Unrecognized access from 81.96.148.73:4586 to TCP port 135
Tue, 12 Aug 2003 17:56:45 GMT+0100 Unrecognized access from 81.96.150.65:1176 to TCP port 135
Tue, 12 Aug 2003 17:56:46 GMT+0100 Unrecognized access from 81.96.139.241:3464 to TCP port 135
Tue, 12 Aug 2003 17:56:48 GMT+0100 Unrecognized access from 81.96.150.65:1176 to TCP port 135
Tue, 12 Aug 2003 17:56:51 GMT+0100 Unrecognized access from 81.97.145.148:2643 to TCP port 135
Tue, 12 Aug 2003 17:56:53 GMT+0100 Unrecognized access from 81.97.145.148:2643 to TCP port 135
Tue, 12 Aug 2003 17:56:54 GMT+0100 Unrecognized access from 81.96.150.65:1176 to TCP port 135
Tue, 12 Aug 2003 17:56:59 GMT+0100 Unrecognized access from 81.97.152.7:2718 to TCP port 135
Tue, 12 Aug 2003 17:56:59 GMT+0100 Unrecognized access from 81.96.238.126:4294 to TCP port 135
Tue, 12 Aug 2003 17:57:00 GMT+0100 Unrecognized access from 81.97.145.148:2643 to TCP port 135
Tue, 12 Aug 2003 17:57:08 GMT+0100 Unrecognized access from 81.97.20.191:2100 to TCP port 135
Tue, 12 Aug 2003 17:58:08 GMT+0100 Unrecognized access from 81.97.181.168:1609 to TCP port 135
Tue, 12 Aug 2003 17:58:11 GMT+0100 Unrecognized access from 81.97.181.168:1609 to TCP port 135
Tue, 12 Aug 2003 17:58:17 GMT+0100 Unrecognized access from 81.97.181.168:1609 to TCP port 135
Tue, 12 Aug 2003 17:58:19 GMT+0100 Unrecognized access from 81.97.72.228:4787 to TCP port 135
Tue, 12 Aug 2003 17:58:22 GMT+0100 Unrecognized access from 81.97.72.228:4787 to TCP port 135
Tue, 12 Aug 2003 17:58:25 GMT+0100 Unrecognized access from 81.97.181.56:3800 to TCP port 135
Tue, 12 Aug 2003 17:58:28 GMT+0100 Unrecognized access from 81.97.181.56:3800 to TCP port 135
Tue, 12 Aug 2003 17:58:28 GMT+0100 Unrecognized access from 81.97.72.228:4787 to TCP port 135
Tue, 12 Aug 2003 17:58:34 GMT+0100 Unrecognized access from 81.97.181.56:3800 to TCP port 135

Alan Waddington 12-08-2003 19:09

Quote:

Originally posted by Taf
But why JUST NTL sites?

Apparently the virus attacks the same subnet 60% of the time and a random IP address 40% of the time. Thus once the NTL address space got infected, the virus concentrates on maxing it out.

This 60%/40% thing was on one of the virus advisory websites, but I've forgotten which one. It's one linked to on one of the threads here or on .com.
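
An added example, not part of any post in this thread: one way to check a router log of the kind altis posted for the same-subnet bias described above, by counting blocked hits on TCP port 135 and the share of distinct sources that fall inside your own provider's range. The log lines are constructed in the thread's format with documentation addresses, and `local_net` and the function names are assumptions of this example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in the router-log format quoted in the thread;
# the addresses are documentation ranges, not taken from the thread.
SAMPLE_LOG = """\
Tue, 12 Aug 2003 17:50:41 GMT+0100 Unrecognized access from 198.51.100.183:3341 to TCP port 135
Tue, 12 Aug 2003 17:50:44 GMT+0100 Unrecognized access from 198.51.100.183:3341 to TCP port 135
Tue, 12 Aug 2003 17:50:50 GMT+0100 Unrecognized access from 198.51.100.183:3341 to TCP port 135
Tue, 12 Aug 2003 17:51:38 GMT+0100 Unrecognized access from 198.51.100.71:1336 to TCP port 135
Tue, 12 Aug 2003 17:54:10 GMT+0100 Unrecognized access from 203.0.113.142:1027 to UDP port 137
Tue, 12 Aug 2003 17:56:28 GMT+0100 Unrecognized access from 198.51.100.9:4834 to TCP port 135
Tue, 12 Aug 2003 17:56:35 GMT+0100 Unrecognized access from 192.0.2.73:4586 to TCP port 135
"""

LINE_RE = re.compile(
    r"Unrecognized access from (\d+\.\d+\.\d+\.\d+):(\d+) to (TCP|UDP) port (\d+)$"
)

def parse(log_text):
    """Yield (source_ip, source_port, proto, dest_port) for each matching line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line.strip())
        if m:
            yield ip_address(m.group(1)), int(m.group(2)), m.group(3), int(m.group(4))

def summarize(log_text, local_net, proto="TCP", dest_port=135):
    """Summarize blocked hits on one port and how many sources share local_net."""
    net = ip_network(local_net)
    attempts = Counter()  # (ip, source port) -> hits; repeats count as one attempt
    for ip, sport, p, dport in parse(log_text):
        if p == proto and dport == dest_port:
            attempts[(ip, sport)] += 1
    sources = {ip for ip, _ in attempts}
    local = {ip for ip in sources if ip in net}
    return {
        "hits": sum(attempts.values()),
        "connection_attempts": len(attempts),
        "distinct_sources": len(sources),
        "local_sources": len(local),
        "local_share": len(local) / len(sources) if sources else 0.0,
    }

if __name__ == "__main__":
    # local_net is an assumption: the range your own provider address sits in.
    print(summarize(SAMPLE_LOG, "198.51.100.0/24"))
```

A high `local_share` on a port nothing on your side should be serving points at infected neighbours on the same provider range rather than scanning spread evenly across the internet.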

Taf 12-08-2003 19:13

And of course NTL has no antiviral running on its servers to protect its users?


All times are GMT +1.