Firewall allowing connection
12-08-2003, 16:52
#1
cf.mega poster
With nothing on my machine trying to use the net I keep getting the following from Outpost Firewall:
Allow activity for application SVCHOST.EXE SVCHOST.EXE 12/08/2003 12:15:19 public4-bolt5-5-cust33.oldh.broadband.ntl.com port4431 Inbound TCP
Antiviral and Trojan killers see nothing unusual on my machine, so why is my machine allowing incomings from another NTL user?
I assume the other user is either in Bolton or Oldham? I'm miles away in Wales!

12-08-2003, 17:11
#2
cf.mega poster
They're coming thick and fast now.. from all over the country...
pc3-bary1-6-cust209.cdif.cable.ntl.com 2285 Inbound TCP
shep3-4-cust125.nott.cable.ntl.com 3569 Inbound TCP
pc1-leic4-3-cust94.nott.cable.ntl.com 4864 Inbound TCP

12-08-2003, 17:22
#3
Guest
it's probably due to this
http://securityresponse.symantec.com...ster.worm.html
I hope you have your firewall actually blocking these hits - although if you are using Win98se or ME you should be ok.
Do a search for a file called msblast.exe, just in case.
user edit - corrected filename

12-08-2003, 17:32
#4
Inactive
I'm running McAfee firewall and I'm getting huge amounts of activity on the 'network traffic' screen. The web seems very slow at the moment as well, I wonder if there is a connection.

12-08-2003, 17:39
#5
Guest
Quote:
Originally posted by Ramrod
I'm running McAfee firewall and I'm getting huge amounts of activity on the 'network traffic' screen. The web seems very slow at the moment as well, I wonder if there is a connection.

Hi Ramrod,
my router log is full of a huge number of attempted hits on port 135, due to the blaster worm. With all that extra traffic I reckon browsing will be slower.
- off topic, just noticed *.com has gone down.
<edit> it's back now

12-08-2003, 18:11
#6
cf.mega poster
No sign of the msblaster file... not in the registry either (winXP).
The things continue:
Allow activity for application SVCHOST.EXE SVCHOST.EXE 12/08/2003 12:15:19 pc4-stap1-6-cust244.nott.cable.ntl.co port4958 Inbound

12-08-2003, 18:12
#7
cf.mega poster

12-08-2003, 18:13
#8
cf.mega poster
Allow activity for application SVCHOST.EXE SVCHOST.EXE 12/08/2003 12:15:19 pc2-rdng5-3-cust136.winn.cable.ntl.com port1145 Inbound
Allow activity for application SVCHOST.EXE SVCHOST.EXE 12/08/2003 12:15:19 pc3-lisb1-4-cust178.blfs.cable.ntl.com port1486 Inbound TCP 60 bytes 72 bytes

12-08-2003, 18:13
#9
Guest
Quote:
Originally posted by Taf
No sign of the msblaster file... not in the registry either (winXP).
The things continue:
Allow activity for application SVCHOST.EXE SVCHOST.EXE 12/08/2003 12:15:19 pc4-stap1-6-cust244.nott.cable.ntl.co port4958 Inbound
Hi Taf, you may not have seen I edited my post - the file is msblast.exe, not msblaster - sorry

12-08-2003, 18:21
#10
cf.mega poster
Yep thanks I caught the edit....
and still they come,...............
SVCHOST.EXE 12/08/2003 12:15:19 pc3-leic4-3-cust150.nott.cable.ntl.com 3357 Inbound TCP 0 bytes 0 bytes
SVCHOST.EXE 12/08/2003 12:15:19 pc3-darl2-3-cust40.midd.cable.ntl.com 4603 Inbound TCP 0 bytes 0 bytes
SVCHOST.EXE 12/08/2003 12:15:19 pc1-bary1-6-cust102.cdif.cable.ntl.com 3752 Inbound TCP 100 bytes 1776 bytes
SVCHOST.EXE 12/08/2003 12:15:19 pc2-stme1-6-cust93.cdif.cable.ntl.com 4265 Inbound TCP 0 bytes 0 bytes
SVCHOST.EXE 12/08/2003 12:15:19 pc3-staf2-4-cust101.brhm.cable.ntl.com 2278 Inbound TCP 0 bytes 0 bytes
SVCHOST.EXE 12/08/2003 12:15:19 pc2-rdng5-3-cust136.winn.cable.ntl.com 1145 Inbound TCP 0 bytes 0 bytes
SVCHOST.EXE 12/08/2003 12:15:19 pc3-lisb1-4-cust178.blfs.cable.ntl.com 1486 Inbound TCP 60 bytes 72 bytes
SVCHOST.EXE 12/08/2003 12:15:19 pc2-stme1-6-cust93.cdif.cable.ntl.com 3491 Inbound TCP 60 bytes 72 bytes
SVCHOST.EXE 12/08/2003 12:15:19 pc4-stap1-6-cust244.nott.cable.ntl.com 4958 Inbound TCP 0 bytes 0 bytes

12-08-2003, 18:26
#11
Inactive
Yep, I'm also getting a lot here. As soon as I put the firewall on 'block all' the network traffic screen lights up like a Christmas tree
....and I can't get onto gibson corps 'shields up' site either, which probably means that the world is on there checking their ports.

12-08-2003, 18:56
#12
cf.mega poster
But why JUST NTL sites?

12-08-2003, 19:01
#13
Inactive
mmmm... lots

12-08-2003, 19:09
#14
Inactive
Quote:
Originally posted by Taf
But why JUST NTL sites?
Apparently the virus attacks the same subnet 60% of the time and a random IP address 40% of the time. Thus once the NTL address space got infected, the virus concentrates on maxing it out.
This 60%/40% thing was on one of the virus advisory websites, but I've forgotten which one. It's one linked to on one of the threads here or on .com.
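
A defender-side check of the locality described in the post above, as an added example that is not part of the original thread: it tallies TCP port 135 probes in a router log and reports how many distinct sources share the local network. The log lines are constructed, and the /16 prefix and the `summarize` and `parse` names are assumptions, since the thread does not say how "same subnet" is defined.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (not from the thread); private/documentation addresses.
SAMPLE_LOG = """\
12 Aug 2003 17:50:41 Unrecognized access from 10.20.180.183:3341 to TCP port 135
12 Aug 2003 17:50:44 Unrecognized access from 10.20.180.183:3341 to TCP port 135
12 Aug 2003 17:50:50 Unrecognized access from 10.20.180.183:3341 to TCP port 135
12 Aug 2003 17:51:38 Unrecognized access from 10.20.181.113:1336 to TCP port 135
12 Aug 2003 17:51:41 Unrecognized access from 10.20.181.113:1336 to TCP port 135
12 Aug 2003 17:54:10 Unrecognized access from 192.0.2.44:1027 to UDP port 137
12 Aug 2003 17:56:28 Unrecognized access from 10.20.31.167:4834 to TCP port 135
12 Aug 2003 17:57:08 Unrecognized access from 198.51.100.9:2100 to TCP port 135
12 Aug 2003 17:57:30 Unrecognized access from 10.20.999.1:1500 to TCP port 135
12 Aug 2003 17:58:02 Unrecognized access from 10.20.5.77:2201 to TCP port 80
"""

LINE_RE = re.compile(r"access from (?P<src>[\d.]+):\d+ to (?P<proto>TCP|UDP) port (?P<dport>\d+)")

def parse(log_text):
    """Yield (source address, protocol, destination port) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:  # malformed address field, e.g. an octet above 255
            continue
        yield src, m["proto"], int(m["dport"])

def summarize(log_text, local_ip, prefix_len=16, port=135):
    """Count TCP probes to `port` and how many sources sit in the local network."""
    # prefix_len=16 is an assumed definition of "same subnet"; adjust to the ISP range.
    local_net = ipaddress.ip_network(f"{local_ip}/{prefix_len}", strict=False)
    hits = Counter(src for src, proto, dport in parse(log_text)
                   if proto == "TCP" and dport == port)
    near = [s for s in hits if s in local_net]
    return {
        "probes": sum(hits.values()),
        "sources": len(hits),
        "same_net_sources": len(near),
        "same_net_share": len(near) / len(hits) if hits else 0.0,
        "top": hits.most_common(3),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "10.20.5.9"))
```

A high `same_net_share` across many distinct sources points to neighbouring infected hosts rather than a single scanner, which is the pattern the posters are seeing from other NTL addresses.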

12-08-2003, 19:13
#15
cf.mega poster
And of course NTL has no antiviral running on its servers to protect its users?

All times are GMT +1.