Firewall getting hammered by Chinese

Discussion in 'other firewalls' started by Ailric, Sep 7, 2005.

Thread Status:
Not open for further replies.
  1. Ailric

    Ailric Guest

    Hi folks, I wonder if anyone can tell me what's up with this? I used to use just Windows Firewall but I have been trying out more lately. After installing McAfee Plus 7.5 on my brothers' computer I noticed that a certain IP was being blocked over and over. It was traced back to China.
    I recently tried Outpost Pro on my computer and I kept getting requests from the same IP. I now installed the new ZoneAlarm Free (probably for good... but who knows?) Still getting hammered but at least I know it is blocked and I don't get bothered by constant popups.
    My question - who is doing this and why? Just wondering.
    Thanks. :)
     
  2. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I'd be willing to bet it's a worm-infected machine somewhere... worms are far more prevalent than live attacks these days.
     
  3. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    There are numerous possibilities:
    • a spammer using a Chinese ISP trying to bombard you with Windows Messenger adverts;
    • someone is using a Chinese ISP to scan for open ports;
    • the connection attempts are due to a P2P client having been run from your IP address (though you would normally see lots of connections from different addresses).
    If you provided more details about the traffic blocked (port numbers specifically), it would be possible, in many cases, to identify the reason (e.g. Windows Messenger popups tend to be port 135/TCP or 1025-1026/UDP). However, what is important is that the traffic is blocked.

    You did mention trialling Outpost with an implication that this traffic was causing unwanted prompts. This can, as with other firewalls, be stopped by simply having proper rules set up to block unwanted traffic - the exact details will again depend on the traffic in question but there are quite comprehensive guidelines on producing a secure configuration at the Outpost forum.
     
  4. Ailric

    Ailric Guest

    Thanks for the info!
     
  5. AvianFlux

    AvianFlux Registered Member

    Joined:
    Dec 7, 2004
    Posts:
    237
    What do you mean by hammered? I receive messenger spam traffic constantly, once every few minutes. I have messenger service disabled and Windows ICF drops the packet.

    My question is, if the messenger service were enabled would Windows ICF - configured to disallow all services - still drop the packets? I think it would.
     
  6. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    As long as you do not put in an exception exposing it to the Internet it would.

    Regards,

    CrazyM
     
  7. Ailric

    Ailric Guest

    I have had 120+ blocked intrusions since installing ZoneAlarm. I have only used dial-up and been connected for about 2 hours since installing ZA. I have tried various firewalls before and am used to getting the odd port scan but I am getting repeated hits from the same IP range. I too have Windows Messenger service disabled.

    What happened?



    --------------------------------------------------------------------------------
    ZoneAlarm blocked traffic to port 1026 on your machine from port 43683 on a remote computer whose IP address is 222.136.251.118. This communication attempt may have been a port scan, or simply one of the millions of unsolicited commercial or network control messages that are routinely sent out over the Internet. Such unsolicited messages are often called Internet background noise.

     
  8. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    I've set up my IPCop to block most of China/Korea IPs. But still, some get through. Here are some.

     
  9. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    This is quite normal. My logs will vary from 800+ to 1000+ unsolicited inbound packets per day. In addition to infected systems being a potential source of these unsolicited packets, there is also quite a bit of messenger spam going around these days.

    One site you can check for trends, port info, etc. is Internet Storm Center.

    Regards,

    CrazyM
     
  10. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Just messenger spam, as CrazyM mentioned.. Harmless..
     
  11. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    I know, but it's annoying =P
     
  12. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
  13. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Don't look at it... :D
     
  14. **Quote**
    Just messenger spam, as CrazyM mentioned.. Harmless..

    -----------------------------------------------------

    Well, it's not just messenger spam, I recognised some of the IPs, they are email spammers... Maybe you have an SMTP server enabled if you're using XP or Win Server 2003. You better check, if it's enabled, you better disable it.. They might be trying to use it to relay unsolicited emails.....
     
  15. Since I got a new IP I have been getting large numbers of port scans from these Chinese addresses.
    Port UDP 1027 and UDP 1026
    How do I get rid of them?
    I have scanned the pc with Antivir and A2- no virus.
     
  16. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    As noted above it is quite normal to see a lot of these types of scans in your firewall logs and nothing to worry about.

    You can't stop the scans, but depending on your firewall you may be able to do something about the log entries if you do not want them. If you are using a rule-based firewall, create a rule to block unsolicited inbound UDP to those ports with no logging. You could block entire subnets with no logging, just be sure they do not contain IPs you may use.

    Regards,

    CrazyM
     
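Putting Paranoid2000's port heuristic and CrazyM's subnet-scoped block rule together, as an added example that is not part of this thread: a small Python script that parses constructed sample lines in the two log formats quoted here (a ZoneAlarm alert and IPCop per-source summaries), classifies them, and lists the subnets noisy enough for a no-logging rule. The sample addresses, the 1025-1029 UDP range (a widening of the 1025-1026 cited above), the /24 grouping and the threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the two log formats quoted in this thread (a ZoneAlarm
# alert and IPCop per-source summaries); addresses are documentation ranges, not real.
SAMPLE_LOG = """\
ZoneAlarm blocked traffic to port 1026 on your machine from port 43683 on a remote computer whose IP address is 203.0.113.118.
From 203.0.113.9 - 30 packets to udp(1026,1027)
From 203.0.113.157 - 84 packets to udp(1026,1027,1028,1029)
From 198.51.100.26 - 1 packet to tcp(1024)
From 198.51.100.5 - 3 packets to tcp(135)
"""
# Port heuristic from the thread: Messenger popups arrive on 135/TCP or on the high
# UDP ports the Messenger service listens on (1025-1029 here; an assumed widening).
MESSENGER_UDP = set(range(1025, 1030))
MESSENGER_TCP = {135}
ZA_RE = re.compile(r"blocked traffic to port (\d+) .* IP address is (\d+(?:\.\d+){3})")
IPCOP_RE = re.compile(r"From (\d+(?:\.\d+){3}) - (\d+) packets? to (udp|tcp)\(([\d,]+)\)")

def parse_events(text):
    """Yield (src_ip, proto, ports, packets); proto is None for ZoneAlarm text, which omits it."""
    for line in text.splitlines():
        if m := ZA_RE.search(line):
            yield m.group(2), None, [int(m.group(1))], 1
        elif m := IPCOP_RE.search(line):
            src, count, proto, ports = m.groups()
            yield src, proto, [int(p) for p in ports.split(",")], int(count)

def classify(proto, ports):
    """'messenger-spam' when every port fits the heuristic, else 'other'."""
    if proto in ("udp", None) and all(p in MESSENGER_UDP for p in ports):
        return "messenger-spam"
    if proto in ("tcp", None) and all(p in MESSENGER_TCP for p in ports):
        return "messenger-spam"
    return "other"

def summarize(text):
    """Totals per class plus per-/24 counts, so a no-logging rule can be scoped to subnets."""
    by_kind, by_subnet = Counter(), defaultdict(Counter)
    for src, proto, ports, count in parse_events(text):
        kind = classify(proto, ports)
        by_kind[kind] += count
        by_subnet[".".join(src.split(".")[:3]) + ".0/24"][kind] += count
    return by_kind, dict(by_subnet)

def block_candidates(by_subnet, threshold=10, keep=()):
    """Subnets noisy enough for a quiet block rule, minus any listed in `keep`
    (CrazyM's caveat: never block a range that holds addresses you yourself use)."""
    return sorted(s for s, kinds in by_subnet.items()
                  if kinds["messenger-spam"] >= threshold and s not in keep)
```

Run it over a real firewall export with the same two line shapes and `block_candidates` gives the subnets to put in a block-without-logging rule, after you have checked none of them holds an address you need to reach you.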
  17. Thank you for your quick reply CrazyM.
    Can I make such a rule with Outpost (free)?
    Would it be sufficient to change the rule for the browser?
    Thanks for your help.
     
  18. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    You should be able to create such a block rule manually, but I have not looked at/used that version. You would only do so if you did not want these blocked packets showing up in your logs. You may see a lot of them, but your firewall is just doing what it is supposed to.

    If these are blocked unsolicited inbound UDP packets it would have nothing to do with your browser rule(s).

    Regards,

    CrazyM
     
  19. q1aqza

    q1aqza Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    312
    All this just shows how critical firewalls are !!!

    If you don't want to see lots of intrusion attempts then get yourself a router (hardware firewall) and don't bother looking at the logs !! If you then run your software firewall behind it you won't (or shouldn't) see any alerts and you will feel comfortable that nothing is hitting your PC.
     
  20. Itsme

    Itsme Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    148
    Exactly what I wanted to mention too. My sisters and brothers wanted an ADSL connection and me to manage their systems. I simply stated... there cannot be an always-on connection without a NAT router and me managing the whole thing. I also need my peace of mind.

    Ciao
    Itsme
     
  21. Hi Itsme and q1aqza,

    Can you recommend one?
     
  22. Itsme

    Itsme Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    148
    Let's have some more fun, why not start a new thread titled.... Best NAT (wifi?) / Adsl router.... and let's see what comes up as most popular.

    Ciao
    Itsme
     
  23. q1aqza

    q1aqza Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    312
    Since having Broadband I have only ever used one type of Wireless ADSL modem/router and it is made by Netgear. I found it dead easy to set up and it has been totally reliable. So I can recommend Netgear based on my experience of it but I can't compare it to other brands.
     
  24. oldBear

    oldBear Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    37
    Is this the case if you've turned off unnecessary services and aren't running anything that would handle the requests?

    What is the attempted access going to do? How will it gain access to your system?

    Just curious. As you can guess, I'm not a security expert.

    cheers

    Whoops - no firewall, but I am behind a wireless router - nevermind :)
     
    Last edited: Feb 1, 2006
  25. Thanks for your help!
    I will check this out to see if it would be something for me.
    My firewall warned me that someone wanted to connect to Outlook.
    That sounds nasty.

     