For all you firewall gearheads, out there...

... and I say that with great respect/affection for you guys as I've learned a lot in these forums, & I want to ask more about this topic.

a) Wallwatcher reporting tool for our Linksys router shows fair amount of traffic, from (a blacklisted China site), per whois info. There's mention of x11/CoSession that is or isn't in legit. use depending on who's using it, of course.

Um... someone looking real hard at this, or any PC, that they come across? {This assumes I'm reading WW's many columns-wide format correctly, & I think that I am}.

b) Am also thinking about a new firewall; have older ver. of Sygate, but you all know the fate of that one. Seems to work ok, as far as I can tell, but if I forget after allowing some app access through it, the firewall (on auto-pilot) lets all/any allowed app to have "act as server" status, which I don't think is a wise choice - IF I understand that correctly? Advice here, too, please?

While I'm not a techie with diplomas or initials behind my name, by any means, I don't mind learning about a possibly better/newer firewall, or more about security in general.

Things seem to be getting scarier by the day "out there" and the bad guys would rather steal than work for a living and seem to be always ahead, somehow.

 

As far as I know, x11/CoSession active on port 6000 is for the " X Windows system ".

I've never came across that system before so I cannot tell you exactly what's going on exactly but according to how the system works, there's a connection on port 6000 that goes from the server to the client (you) so my guess is that it's normal.

However, the server being located in china? i don't know about that really.

Whats you OS ?

 

Gen;

Running XP PRO SP2 on this PC.

Here's two more screen shots, which may help you or someone, decipher this so I better understand.

 

Hi SG1,
While I am not a firewall gearhead, I think there are 2 possibilities for this connection: either a normal P2P traffic, or backdoor/trojan traffic. Looking at the different port numbers in the screenshot tells me that you either have a server of some kind (web, ftp, etc..) or a P2P software running.
To find out, please check your connections by using this command line:

netstat -b | findstr 6000

and post the results here.

Please note the following: the output of the command is something like this:
TCP myComputerName:555 something.domain.com:6000 ESTABLISHED 5444

when you post, please remove/or edit the equivalent of myComputerName for privacy purposes.

 

Thx for the second images.

As i said im not an X Windows System user and I dont know anything about it but i still believe that it is a normal traffic although going to China and korea, maybe you are using it? or it is installed on your pc?

Do as Nubiatech said, maybe we'll know more about it.

 

Nubiatech (& Gen);

Thanks, for reply, and info but I must be doing something wrong here.

If I open Cmd Prompt box, paste in your info, nothing seems to happen; also, tried it at Start/Run box and I do see a DOS box open/close quickly with info, but too fast to see. Ergh!

* Was a time I knew/used a lot of DOS stuff; sadly, got away from it using WIN's pretty face, over the years. (Still have a copy of Norton Commander on this PC, too)!

So, if there's further "idiot proof" info that I should know, please fire away.

P.S. Only server anything that I know of, is I had to allow that status to Wallwatcher, (in the firewall), else it seems not to function. Don't know what/if any bearing this may have the matter. (?)

 

SG1,

Router logs will routinely show intrusion attempts, regardless of your PC's setup so they should not be taken as any indication of a system compromise unless the traffic is outbound (coming from your machine) - in this case, you seem to have remarkably little incoming traffic so your ISP may be doing some filtering as well.

While port numbers can give an indication of what legitimate traffic is being used for, all bets are off with malware which can (and often does) use ports allocated for other software. In other words, that port 6000 may be a misconfigured X-Windows server out there - or someone who's decided to use that port number for their new botnet. If you are seeing nothing from Nubiatech's suggestion, that simply means you have nothing using port 6000 on your system. Any decent software firewall should be able to provide a full list of what applications on your PC have ports allocated to them for network access and this is likely to be a better choice that netstat (which does not show application->port binding).

Sygate was not an especially effective firewall even when supported due to its inability to filter localhost traffic (e.g. between your browser and a webfiltering local proxy - or an antivirus webscanner). I would suggest you check out the top 3 or 4 performers from a site like FirewallLeaktester and choose whichever performs best on your system, and whose UI you feel most comfortable with.

 

Paranoid2000;

Thanks, to you also, for a most helpful reply; could be I got "my knickers in a bunch" from improper understanding of what I see/or think I see (which I want to correct), and learn more about this in general.

I forgot that I have Trojan Hunter's Netstat Viewer, and Port Explorer (from DCS) which seems quite informative about what all goes on.

And, for instance, what do the hidden sockets refer to in Port Explorer? Sounds scary, just from the name. :-(

Will also look at the site, re better firewalls too, of course.

* Did also recently give things a shot, looking much closer at apps in firewall and PG (from DCS), about permissions given to what and for what.

 

These both should do the trick.

This refers to ports allocated but hidden from netstat and similar utilities - only malware is likely to do this so any entries shown as hidden should be regarded with great suspicion.

 

Interesting information...

but do I need to google "gearhead"