port 1032

Discussion in 'ESET Smart Security' started by hamid_virtual, Mar 1, 2009.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Don't worry.

    Leave the Nod32 firewall fully active. Wireshark is not a firewall; it is just a sniffer to capture packets. So you will use both.
    After you install Wireshark and have run it to capture packets, you can save the Wireshark log file. (In Wireshark, after you stop the capture, you can go to the Wireshark menu and select "File - Save As".)
    Download the "windows installer"


    - Stem
     
  2. hamid_virtual

    hamid_virtual Registered Member

    Joined:
    Feb 27, 2009
    Posts:
    23
    I have not yet downloaded Wireshark.

    I have already checked my laptop logs,
    I found something:

    3/2/2009 5:24:12 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1327 UDP
    3/2/2009 5:24:08 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1327 UDP
    3/2/2009 5:24:06 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1327 UDP
    3/2/2009 5:24:05 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1327 UDP
    3/2/2009 5:23:57 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1322 UDP
    3/2/2009 5:23:57 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1322 UDP
    3/2/2009 5:23:57 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1322 UDP
    3/2/2009 5:23:53 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1322 UDP
    3/2/2009 5:23:53 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1322 UDP
    3/2/2009 5:23:53 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1322 UDP
    3/2/2009 5:23:51 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1322 UDP
    3/2/2009 5:23:51 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1322 UDP
    3/2/2009 5:23:51 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1322 UDP
    3/2/2009 5:23:50 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1322 UDP
    3/2/2009 5:23:50 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1322 UDP
    3/2/2009 5:23:50 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1322 UDP
    3/2/2009 5:23:42 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1316 UDP
    3/2/2009 5:23:38 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1316 UDP
    3/2/2009 5:23:36 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1316 UDP
    3/2/2009 5:23:35 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1316 UDP
    3/2/2009 3:31:31 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1351 UDP
    3/2/2009 3:31:27 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1351 UDP
    3/2/2009 3:31:25 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1351 UDP
    3/2/2009 3:31:24 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1351 UDP
    3/2/2009 3:31:16 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1348 UDP
    3/2/2009 3:31:16 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1348 UDP
    3/2/2009 3:31:16 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1348 UDP
    3/2/2009 3:31:12 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1348 UDP
    3/2/2009 3:31:12 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1348 UDP
    3/2/2009 3:31:12 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1348 UDP
    3/2/2009 3:31:10 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1348 UDP
    3/2/2009 3:31:10 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1348 UDP



     
  3. Stem

    Stem Firewall Expert

    Those may just be late DNS replies, although there are a lot.

    When you connect out, there is a DNS lookup; this is to get the IP of the site you are trying to connect to. If a reply is late, then it may go to a closed port and be seen as a possible attack.

    If you use wireshark, then we can check to see if that is what is happening.


    - Stem
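
A way to check the alert log posted above against the late-reply explanation, as an added example that is not part of the original thread: it groups the alerts by source and local port and reports how many hit each port and over how many seconds. The sample is a subset of the posted lines; the function names are illustrative and the timestamps are assumed to be month/day/year.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Subset of the alert lines posted above, copied in the firewall's log format.
SAMPLE_LOG = """\
3/2/2009 5:24:12 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1327 UDP
3/2/2009 5:24:08 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1327 UDP
3/2/2009 5:24:06 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1327 UDP
3/2/2009 5:24:05 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1327 UDP
3/2/2009 5:23:57 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1322 UDP
3/2/2009 5:23:53 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1322 UDP
3/2/2009 5:23:50 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1322 UDP
3/2/2009 3:31:16 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1348 UDP
3/2/2009 3:31:10 AM Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.5:1348 UDP
"""

# timestamp (assumed month/day/year), event text, source ip:port, destination ip:port, protocol
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+(?P<event>.+?)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s*$"
)

def parse(log_text):
    """Yield (time, source ip, source port, local port) per alert line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines in any other format are skipped, not guessed at
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
            yield ts, m["src"], int(m["sport"]), int(m["dport"])

def summarize(log_text):
    """One row per (source, local port): alert count and burst length."""
    groups = defaultdict(list)
    for ts, src, sport, dport in parse(log_text):
        groups[(src, sport, dport)].append(ts)
    rows = []
    for (src, sport, dport), times in sorted(groups.items(), key=lambda kv: min(kv[1])):
        rows.append({
            "source": src, "source_port": sport, "local_port": dport,
            "alerts": len(times),
            "span_s": int((max(times) - min(times)).total_seconds()),
            # True for RFC 1918 space, e.g. a home router acting as resolver
            "private_source": ipaddress.ip_address(src).is_private,
        })
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

Short bursts from one private address on port 53 to a few local ports are consistent with repeated or late replies from the LAN resolver, but only a packet capture that pairs each reply with its query can confirm it.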
     
  4. hamid_virtual

    hamid_virtual Registered Member

    I have installed Wireshark
    but I don't know how to work it.

    I went to the options and selected the LAN card,
    then Capture > Start,

    but the page is empty and I couldn't find anything yet.



     
  5. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    DNS cache poisoning o_O Is the old 'Birthday Attack' coming again? Can't believe it. Sorry, but that's now beyond my knowledge. But I think you have some kind of exploits :mad:
     
  6. Stem

    Stem Firewall Expert


    Start Wireshark, then go to "Capture- interfaces"

    In the popup window, select the interface with the IP of your PC.

    - Stem
     
  7. Stem

    Stem Firewall Expert

    Any update to the DNS cache could be seen as a possible attack.

    I suppose I will have to install this firewall to see what it is up to.
    I have seen before where a firewall will close ports too early and block replies, then give alerts to "attacks" or "floods".



    - Stem
     
  8. Tommy

    Tommy Registered Member

    Was Googling a while regarding this, and there are many reports regarding this attack from users who use NOD32 Security Suite.
     
  9. hamid_virtual

    hamid_virtual Registered Member

    Hi, the file has been attached.

     
  10. hamid_virtual

    hamid_virtual Registered Member

    I think I can't attach the file here. Would you please send me your email address?
    I'll email the file.
     
  11. Stem

    Stem Firewall Expert

    The cache poisoning attack alert will be a possible problem with the firewall. I just went to download the trial version, but it states "You need to have credentials to download ESET Smart Security." so it then asked for my e-mail address (not more spam I hope), so now waiting for an e-mail with a password to be able to download the trial.


    - Stem
     
  12. Stem

    Stem Firewall Expert

    The file name will have an extension .pcap; just change that to .txt, or compress the file to zip.

    - Stem
     
  13. hamid_virtual

    hamid_virtual Registered Member

    OK, I am going to change it.

     
  14. hamid_virtual

    hamid_virtual Registered Member

    I changed it to txt.

     

    Attached Files:

    • 1.txt
      File size:
      996 bytes
      Views:
      6
  15. Stem

    Stem Firewall Expert

    The capture you posted is just showing outbound NetBIOS broadcasts.
    Did you see inbound blocked packets in the NOD firewall while Wireshark was running and capturing those packets?


    - Stem
     
  16. hamid_virtual

    hamid_virtual Registered Member

    :)) I don't know why the computer does not ask for inbound now :))
    I think that it's afraid of the capture program :)

    I have already asked a question but nobody answered me.

    I said: I bought the motherboard 2 days ago; unfortunately I found a trojan virus on the driver CD (of this motherboard - Gigabyte).

    However, I didn't install any driver yet, but I want to know: can this motherboard have any trojan in ROM?



     
  17. Stem

    Stem Firewall Expert

    Where did you buy the motherboard? If you got it from a reputable supplier, then probably the trojan in the drivers was a false positive from your AV.


    - Stem
     
  18. hamid_virtual

    hamid_virtual Registered Member

    Doesn't matter,
    I am not using the CD and I'll download all of the drivers.

    I want to know something about the ROM of this motherboard:
    can any trojan be there?

    If yes, let me know how to scan my ROM.


     
  19. Stem

    Stem Firewall Expert

    Having a trojan in ROM has been talked about, but I have not come across any.

    If you are worried, then you could flash the motherboard ROM, that is, overwrite the ROM with new info. The motherboard manufacturer's website will have the utilities and instructions to do that.


    - Stem
     
  20. hamid_virtual

    hamid_virtual Registered Member

    I want to know: can antivirus check the ROM?
    I am using NOD32.

     
  21. Stem

    Stem Firewall Expert

    I do not know an AV with such an option.


    - Stem
     
  22. hamid_virtual

    hamid_virtual Registered Member

  23. Stem

    Stem Firewall Expert

  24. hamid_virtual

    hamid_virtual Registered Member

  25. Stem

    Stem Firewall Expert

    I would think it a false positive.


    - Stem
     