For all you firewall gearheads, out there...

Discussion in 'other firewalls' started by SG1, Sep 10, 2007.

Thread Status:
Not open for further replies.
  1. SG1

    SG1 Registered Member

    Joined:
    Jan 16, 2003
    Posts:
    430
    ... and I say that with great respect/affection for you guys as I've learned a lot in these forums, & I want to ask more about this topic.

    a) Wallwatcher reporting tool for our Linksys router shows a fair amount of traffic, from (a blacklisted China site), per whois info. There's mention of x11/CoSession that is or isn't in legit. use depending on who's using it, of course.

    Um... someone looking real hard at this, or any PC, that they come across? {This assumes I'm reading WW's many columns-wide format correctly, & I think that I am}.

    b) Am also thinking about a new firewall; have older ver. of Sygate, but you all know the fate of that one. Seems to work ok, as far as I can tell, but if I forget after allowing some app access through it, the firewall (on auto-pilot) lets all/any allowed app have "act as server" status, which I don't think is a wise choice - IF I understand that correctly? Advice here, too, please?

    While I'm not a techie with diplomas or initials behind my name, by any means, I don't mind learning about a possibly better/newer firewall, or more about security in general.

    Things seem to be getting scarier by the day "out there" and the bad guys would rather steal than work for a living and seem to be always ahead, somehow.
     


    Last edited by a moderator: Sep 10, 2007
  2. Gen

    Gen Registered Member

    Joined:
    Jan 9, 2007
    Posts:
    73
    As far as I know, x11/CoSession active on port 6000 is for the "X Windows system".

    I've never come across that system before so I cannot tell you exactly what's going on, but according to how the system works, there's a connection on port 6000 that goes from the server to the client (you) so my guess is that it's normal.

    However, the server being located in China? I don't know about that really.

    What's your OS?
     
  3. SG1

    SG1 Registered Member

    Joined:
    Jan 16, 2003
    Posts:
    430
    Gen;

    Running XP PRO SP2 on this PC.

    Here's two more screen shots, which may help you or someone, decipher this so I better understand.
     

    Attached Files: WW1.gif (43.5 KB), WW2.gif (46.5 KB)
  4. Nubiatech

    Nubiatech Registered Member

    Joined:
    Aug 19, 2007
    Posts:
    50
    Location:
    IL, USA
    Hi SG1,
    While I am not a firewall gearhead, I think there are 2 possibilities for this connection: either normal P2P traffic, or backdoor/trojan traffic. Looking at the different port numbers in the screenshot tells me that you either have a server of some kind (web, ftp, etc.) or a P2P software running.
    To find out, please check your connections by using this command line:

    netstat -b | findstr 6000

    and post the results here.

    Please note the following: the output of the command is something like this:
    TCP myComputerName:555 something.domain.com:6000 ESTABLISHED 5444

    when you post, please remove/or edit the equivalent of myComputerName for privacy purposes.
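    Added example, not code from any poster in this thread: a small Python script that parses `netstat -b` output in the format Nubiatech describes, picks out entries on a given port the way `findstr 6000` would (but matching the port field only, so a PID or hostname containing those digits is not a false hit), and formats them with the local hostname replaced before posting. The sample output below is constructed for the example.

```python
import re

# Constructed sample of `netstat -b` output in the shape the post describes;
# it is made up for this example, not captured from the poster's machine.
# `netstat -b` prints the owning executable in brackets after each entry.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address            State        PID
  TCP    myComputerName:555     something.domain.com:6000  ESTABLISHED  5444
 [xwinclient.exe]
  TCP    myComputerName:1050    update.example.net:80      ESTABLISHED  1188
 [browser.exe]
  TCP    myComputerName:6000    203.0.113.7:3321           ESTABLISHED  5444
 [xwinclient.exe]
  TCP    myComputerName:139     0.0.0.0:0                  LISTENING    4
  Can not obtain ownership information
"""

CONN_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
EXE_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def parse_netstat(text):
    """One dict per connection; the bracketed exe line that follows is attached to it."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, lhost, lport, rhost, rport, state, pid = m.groups()
            conns.append({"proto": proto, "local_host": lhost, "local_port": int(lport),
                          "remote_host": rhost, "remote_port": int(rport),
                          "state": state or "", "pid": int(pid), "exe": None})
            continue
        m = EXE_RE.match(line)
        if m and conns and conns[-1]["exe"] is None:
            conns[-1]["exe"] = m.group(1)  # owner of the entry just parsed
    return conns


def connections_on_port(conns, port):
    """Entries whose local or remote port equals `port` (stricter than findstr)."""
    return [c for c in conns if port in (c["local_port"], c["remote_port"])]


def redacted_line(conn, placeholder="<local>"):
    """Format an entry for posting with the local hostname replaced."""
    return "%s %s:%d %s:%d %s %d %s" % (
        conn["proto"], placeholder, conn["local_port"], conn["remote_host"],
        conn["remote_port"], conn["state"], conn["pid"], conn["exe"] or "?")


if __name__ == "__main__":
    for c in connections_on_port(parse_netstat(SAMPLE_NETSTAT), 6000):
        print(redacted_line(c))
```

    Run it with real output by piping `netstat -b -n` (or the named form) into a file and passing the file contents to `parse_netstat` instead of the sample.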
     
  5. Gen

    Gen Registered Member

    Joined:
    Jan 9, 2007
    Posts:
    73
    Thx for the second images.

    As I said I'm not an X Windows System user and I don't know anything about it, but I still believe that it is normal traffic although going to China and Korea. Maybe you are using it? Or it is installed on your pc?

    Do as Nubiatech said, maybe we'll know more about it.
     
  6. SG1

    SG1 Registered Member

    Joined:
    Jan 16, 2003
    Posts:
    430
    Nubiatech (& Gen);

    Thanks for the reply and info, but I must be doing something wrong here.

    If I open Cmd Prompt box, paste in your info, nothing seems to happen; also, tried it at Start/Run box and I do see a DOS box open/close quickly with info, but too fast to see. Ergh!

    * Was a time I knew/used a lot of DOS stuff; sadly, got away from it using WIN's pretty face, over the years. (Still have a copy of Norton Commander on this PC, too)! :)

    So, if there's further "idiot proof" info that I should know, please fire away.

    P.S. Only server anything that I know of, is I had to allow that status to Wallwatcher, (in the firewall), else it seems not to function. Don't know what/if any bearing this may have on the matter. (?)
     
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    SG1,

    Router logs will routinely show intrusion attempts, regardless of your PC's setup so they should not be taken as any indication of a system compromise unless the traffic is outbound (coming from your machine) - in this case, you seem to have remarkably little incoming traffic so your ISP may be doing some filtering as well.

    While port numbers can give an indication of what legitimate traffic is being used for, all bets are off with malware which can (and often does) use ports allocated for other software. In other words, that port 6000 may be a misconfigured X-Windows server out there - or someone who's decided to use that port number for their new botnet. If you are seeing nothing from Nubiatech's suggestion, that simply means you have nothing using port 6000 on your system. Any decent software firewall should be able to provide a full list of what applications on your PC have ports allocated to them for network access and this is likely to be a better choice than netstat (which does not show application->port binding).

    Sygate was not an especially effective firewall even when supported due to its inability to filter localhost traffic (e.g. between your browser and a webfiltering local proxy - or an antivirus webscanner). I would suggest you check out the top 3 or 4 performers from a site like FirewallLeaktester and choose whichever performs best on your system, and whose UI you feel most comfortable with.
     
  8. SG1

    SG1 Registered Member

    Joined:
    Jan 16, 2003
    Posts:
    430
    Paranoid2000;

    Thanks, to you also, for a most helpful reply; could be I got "my knickers in a bunch" from improper understanding of what I see/or think I see (which I want to correct), and learn more about this in general.

    I forgot that I have Trojan Hunter's Netstat Viewer, and Port Explorer (from DCS) which seems quite informative about what all goes on.

    And, for instance, what do the hidden sockets refer to in Port Explorer? Sounds scary, just from the name. :-(

    Will also look at the site, re better firewalls too, of course.

    * Did also recently give things a shot, looking much closer at apps in firewall and PG (from DCS), about permissions given to what and for what.
     
  9. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    These both should do the trick.
    This refers to ports allocated but hidden from netstat and similar utilities - only malware is likely to do this so any entries shown as hidden should be regarded with great suspicion.
     
  10. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,442
    Location:
    Sky over the Wilders Forest
    Interesting information...

    o_O but do I need to google "gearhead" :D
     