Posted by Steven L Umbach on July 26, 2006, 1:21 pm
Blocked or stealth does not make any difference in my opinion and they both
mean that the attempt to connect to your computer was either dropped or
rejected. My guess is that most likely the traffic you saw was initiated by
your computer regardless of what McAfee firewall said. If your router is
port forwarding any of the ports you listed the firewall scans would have
warned about those ports being available right away if you had any of those
services enabled on your computer. If in doubt reset your firewall to
default state but make sure it can not be managed remotely.
If your router/firewall is configured correctly then it should simply reject
any TCP packet that has the syn flag set or does not have a matching
sequence number. Syn means that another host is trying to establish a
connection to your computer on a server service. To really find out if
traffic is getting past your firewall you would have to run a packet sniffer
like Ethereal on it without any software firewall enabled. To make it easier
to find such traffic you could create an Ethereal capture filter to capture
only TCP packets with the syn flag enabled. Ethereal is free and if you are
interested the link below shows how to configure some popular Ethereal
capture filters or you could simply fire up Ethereal when you are done using
your computer to see what traffic is coming and going which should be
minimal when you are not using the computer but still logged on.
Steve
http://home.insight.rr.com/procana/ --- Ethereal capture filters
> Hi. I appreciate any advice you can give me. I just reinitialized the router again and cleared the McAfee firewall's log, and I'll wait a bit and see if more shows up.
>
> About port forwarding: I have not explicitly instructed the router or adapter to do that. In my router menu it says under Port Fw. : Well known ports : 7(Echo) 21(FTP) 23(Telnet) 25(SMTP) 79(Finger) 80(HTTP) 110(POP3). I believe that the router stealths at least the SMTP, the HTTP, Netbios and a few others, according to several tests. But these ports did not show up in my logs. From the look of the menu it seems that (any other) ports and IP addresses won't be forwarded if you do not explicitly configure the router that way.
>
> All the incoming "probes" were TCP, one UDP. Maybe something called eventlog, but I'm unsure about that.
>
> Also, aside from some probes that were clearly hacking or scanning for hackable systems attempts, last night before I went to bed I received a large volume of incoming traffic, as recorded in the McAfee firewall's log, that seemed to originate from my ISP, or something that seemed to be associated with my ISP (cable company).
>
> Well, I contacted McAfee again, and after much conversation and waiting their message was that it must be a router issue, and they instructed me to contact the manufacturer of the router.
>
> I contacted the manufacturer of the router, Sitecom, and what they said basically seemed nonsense. Please correct me if I'm wrong. But they have made statements in the past that turned out to be false. They said that I could receive data because that was necessary to be able to connect to the internet. I'm not quite sure if that statement even means that the router has a firewall or not. I did receive "probes" in the event log of my McAfee firewall that I had not asked for. One even had the name TROJAN in it. Nothing showed up in that log when performing some of the port tests mentioned below.
>
> The router SEEMS to have a firewall, although this is not explicitly mentioned in the manual. I vaguely remember them saying in the past that the router has a firewall, although the word "firewall" is not shown in the software.
>
> I then decided to turn off the McAfee firewall, and voila: the test shieldsup at www.grc.com showed that most ports were closed, a few were stealth. So, that must mean there is a firewall in the router! Then how the hell did those probes get to my McAfee firewall???
>
> The advanced port scanner at PCFLANK.COM showed some ports as stealth, others as closed. A simple probe scan at hackerwatch.org showed some ports such as SMTP and HTTP as secure, "this port is completely invisible to the outside world". Other ports were described as: closed but unsecure, "This port is not being blocked, but there is no program currently accepting connections on this port".
>
> I'm basically writing this approximately chronologically, while trying to find an answer. Sorry for not writing a nice article.
>
> I also tried a chat session with McAfee, but what could have been done in 2 minutes took more than 20 minutes! They can be so dense! I asked a simple question: does the McAfee firewall have the ability to be "stealth"? (almost certainly not), the other person often started making all kinds of assumptions about what my "real" question was, he contradicted himself, and at the end he gave totally incorrect information, then I was out of patience and ended the session.
>
> I'm trying to make sense of all this. I'm fairly certain that the stealthed ports are safe. Or am I wrong???
>
> But what about the other ports? Simple probe scan at hackerwatch said: not being blocked, but currently no program is accepting connections at this port. Would that mean (in what way??) that data can penetrate my router's (existing or non-existing) firewall? Some things certainly showed up in McAfee firewall's log.
>
> I turned my McAfee firewall on again, and tried the firewall test at auditmypc.com. Nothing reached the log of McAfee's firewall. What does it take to bypass my router's existing or not existing firewall?? Maybe my concept of blocked, stealth, closed, and ??? is too limited. My router seems to have something called NAT; of the NAT services I turned off the VoIP pass through, thinking that might make a difference.
>
> Do I have the worst router in the world? It certainly wasn't cheap.
>
> Please help!
>
> "Steven L Umbach" wrote:
>
>> If your internet router is not configured to port forward any traffic to your computer's IP I really doubt that traffic not initiated by your computer is going through it, particularly if it is supposed to do stateful inspection. Were the "alerts" for TCP, UDP or both??
>>
>> Steve
>>
>>
>> > Hi. I apologize for the length of this, but I want this to be complete.
>> >
>> > I am very annoyed. I recently bought McAfee's firewall 7.x and antivirus 10.x. Home version, not corporate. Dutch (The Netherlands) version.
>> >
>> > My configuration: ISP is cable company, from cable (wall) socket connection by cable/wire to my cable modem, from there a connection by a cable/wire to my router, from there a wireless connection to the adapter on my computer, which is in a different room. No other computers in network. Encryption WPA-PSK, long random key.
>> >
>> > I have a Sitecom router with the adapter that goes along with it. For security reasons I will not mention the precise model (am I too paranoid? better too paranoid than not enough). I bought this one early this year or late last year. All tests that I have used, including the advanced port scanner at pcflank.com, the port scan at hackerwatch.org, shieldsup at www.grc.com, the sygate test, the test at auditmypc.com, indicate that the router has a perfectly working firewall. It stealths some ports, while as far as I know McAfee does NOT do that. After using these tests, the probes of these tests did not show up in the events log of the McAfee firewall 7.x. That means they did not get past the firewall of my router (Please keep my configuration in mind!).
>> >
>> > Shortly after installing the firewall 7.x (I had 6.x) for the first time I examined the events log, and noticed at least one event. I wondered how that was possible. McAfee said it was a router issue. I decided to disconnect the router from power/electricity for a short moment, reconnect it and when it was ready I reinitialized the router by pressing a "button" on the router. I reestablished the wireless connection, gave everything the proper settings, for security reasons I disabled the VOIP option, UPNP etc. I have disabled the option to control the router from over the internet.
>> >
>> > I also configured the firewall for a home network, and configured it not to trust the home network. But that was not something new.
>> >
>> > Yet, mysteriously in my events log (maybe it's called a bit different in English) it shows over the past three days that at least 8 times the McAfee firewall met a probe, an attempt to establish a connection. Hackerwatch.org says that most of these are probably hacking attempts. One "event" even had the name trojan in it. And using a WHOIS on one other probe clearly indicated that it was a hacking attempt.
>> >
>> > How is that possible? I HAVE NO CLUE.
>> >
>> > My networking gear notices one other wireless network sometimes, but there is very little wireless traffic around here. And seeing the IP numbers, the names that go with the IP numbers, I find it hard to believe that this was done wirelessly. But maybe I'm wrong? As far as I know, they'd still have to deal with a long (random) WPA-PSK key.
>> >
>> > SO, BASICS: WERE THE ATTACKS DONE WIRELESSLY? (UNLIKELY, SINCE I HAVE TRACKED/TRACED SOME OF THEM INTO THE USA) IF NOT, THEN, SINCE THE ONLY OTHER WAY TO CONNECT TO MY COMPUTER AND THE MCAFEE FIREWALL IS TO GO THROUGH THE FIREWALL OF MY ROUTER FIRST, AND ACCORDING TO TESTS THE HARDWARE FIREWALL WORKS FINE, AND WHEN TESTING MY COMPUTER THE TEST-PROBES NEVER REACH MY MCAFEE FIREWALL.
>> >
>> > I contacted McAfee, they said it was a router issue, but that contradicts what I have stated before. They started blabbering that I was safe because the McAfee firewall blocked these attempts, probes, that I was safe because I reported to hackerwatch.org. They just seem to have no clue.
>> >
>> > About contacting the manufacturer of my router: by email it takes ages, and on at least two occasions when I had sent an email they made statements that were nonsense. Calling on the telephone is very expensive. What can they do? Especially because the tests indicated that the firewall in the router was all right, nothing. They won't give me my money back. And I don't think it's a router issue.
>> >
>> > A not properly working router firewall (cannot be turned off!, at least not by the instructions I once received) with just a McAfee firewall is just not good enough. I want both. What's going on with the firewall and the router?
>> >
>> > Just switching to a different firewall would usually not work, I'd probably have to remove all McAfee software, and deinstalling and reinstalling that would be problematic. You need (sometimes?) all sorts of tools to completely remove all traces from the previous installation. A Zonealarm/Zonealert firewall with McAfee antivirus is impossible, at least McAfee antivirus or the security center would object.
>> >
>> > Also, I have the Spy Sweeper from Webroot, and the Spyware Doctor from Pctools, updated, windows xp service pack 2 fully updated. As far as I know, these programs did not detect the probes.
>> >
>> > If you have any idea about what's going on, please inform me. I'd also appreciate it if someone could offer me a fix. Your help would be greatly appreciated.
>>
>>
>>
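Steve's advice above is to capture only SYN-flagged TCP packets and then work out which of them were really inbound connection attempts versus replies to connections the computer opened itself. The following is an added example, not code from the thread or from Ethereal/McAfee: it parses raw Ethernet/IPv4/TCP frames (constructed sample frames, built by `build_frame`) and labels each SYN-bearing segment by direction; `LOCAL_IP` is an assumed LAN address. The equivalent Ethereal/tcpdump capture filter for unsolicited SYNs is `tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) == 0`.

```python
import struct

LOCAL_IP = "192.168.0.10"  # assumption: LAN address of the protected PC
TCP_SYN, TCP_ACK = 0x02, 0x10

def parse_ipv4_tcp(frame: bytes):
    """Parse Ethernet II + IPv4 + TCP headers; return None if not IPv4/TCP."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                        # IP protocol number 6 = TCP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": tcp[13]}            # byte 13 of the TCP header = flags

def classify(seg, local_ip=LOCAL_IP):
    """Tell a SYN aimed at us apart from a SYN-ACK answering our own SYN."""
    syn = bool(seg["flags"] & TCP_SYN)
    ack = bool(seg["flags"] & TCP_ACK)
    if syn and not ack and seg["dst"] == local_ip:
        return "inbound-connection-attempt"   # what the router should drop
    if syn and ack and seg["dst"] == local_ip:
        return "reply-to-our-own-connection"  # initiated by this computer
    if syn and not ack and seg["src"] == local_ip:
        return "outbound-connection-attempt"
    return "established-or-other"

def build_frame(src, dst, sport, dport, flags):
    """Constructed sample frame: Ethernet II + minimal IPv4 + 20-byte TCP."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      8192, 0, 0)
    return eth + ip + tcp

def syn_filter(frames, local_ip=LOCAL_IP):
    """Keep only SYN-bearing segments (Steve's filter), with a direction label."""
    out = []
    for f in frames:
        seg = parse_ipv4_tcp(f)
        if seg and seg["flags"] & TCP_SYN:
            out.append((seg["src"], seg["dport"], classify(seg, local_ip)))
    return out
```

Run `syn_filter` over frames read from a capture file and only the first label should ever appear for traffic that truly got past a stateful router; SYN-ACKs are the replies Steve suspects the McAfee log is reporting.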