Interpretation?

Discussion in 'Port Explorer' started by Bdiamond, Jul 12, 2003.

Thread Status:
Not open for further replies.
  1. Bdiamond

    Bdiamond Registered Member

    Joined:
    Apr 26, 2002
    Posts:
    74
    Location:
    N Carolina, USA
    I would appreciate some help/advice regarding the interpretation of some Port Explorer results. I hope it is appropriate here since it is not about PE itself.

    I was "experimenting" and decided to take a "closer look" at a couple of IP addresses which seemed to be connecting fairly often.

    One address was 207.46.134.62, connecting to my local port 1066 via TCP from a remote port of 443. There was no GUI indication of any connection suggesting an update or anything of that nature was taking place.

    It was hard to interpret the packet data, which appeared mostly to be miscellaneous gibberish. I did notice a few lines which appeared to be from a weather forecast I had looked at earlier in the browser.
    Later on, however, I noticed one of my passwords being transmitted (a password used for forums, etc.).

    The WHOIS shows the IP address to belong to MS Corporation. I do have WinXP, which is legal and up to date. Is this to be expected? I have given MS permission to do "automatic updates", but this wasn't associated with any update. It is also possible I have somehow misinterpreted what I was seeing, but the PID recorded was clearly linked to the MS IP address in Redmond according to the WHOIS.

    I have a Sygate firewall which appears to be functioning, and I am also behind an ADSL modem with a "private IP" address. There is never an indication of intrusion or an "attack". All AV (NOD32) and anti-trojan (TH3.5 and TDS3) scans have been negative forever. So what is happening here?

    Any help, advice or suggestions would be appreciated.

    Bdiamond
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Bdiamond, I suspect that it is Windows Update just checking for updates; maybe you could run Windows Update manually and see if the result is similar to your PE record. Another possibility is that you have done a search, which can also stimulate a call to Redmond, as do Media Player, Help & Support, etc.
    I am sure that XP has many other ways of calling home, none of which have been proved to be spyware or anti-privacy.

    HTH Pilli
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Looks like MS is taking care of its customers. The password thing surprises me; I suppose you were not logging in to any site where you had to log in at that moment?
    XP is famous for the connections when online, part of the "agreement" of using it.
    But I'm sure XP users can help you with interpreting and some settings to make it as comfortable (read: secure) as possible.
    Good that you have PE to look at the connections, quite a lot, eh?
    Is all that MS traffic always about the same frequency, or are there noticeable peaks in it?
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Here is a nice little programme for controlling XP's extra-curricular activities: http://www.xp-antispy.org/ It is a German site; if you require English, click the Union Jack near the top of the page.
     
  5. Bdiamond

    Bdiamond Registered Member

    Joined:
    Apr 26, 2002
    Posts:
    74
    Location:
    N Carolina, USA
    Thanks to both of you for the response!
    Pilli, I especially appreciate the XP-AntiSpy app! I was not attempting any activity at all. In addition, whenever I receive updates there is a small icon in the notification tray while it is being received, and it stays there until I accept or reject it. I am sure this is probably just as you say and represents some form of "housekeeping" by MS. I am not at all trying to be argumentative, but wonder what your analysis of this situation would have been if we didn't "know" the source? Is your analysis based primarily on the fact that MS is a "trusted" site or, perhaps, on other features of the information? Would there be reason for greater concern if we had the same information but didn't know the source?

    Jooske, thanks for your response! Nice to meet you! It is the password aspect of this that is most surprising to me. It is stored as a cookie and called by the weather channel I use, so I don't know of any other way it could have been obtained. I have turned on the PE log function; will that allow me to look at frequencies and lengths of time? It looks like it will "catch" all the PIDs?

    Temporarily I have blocked all TCP to that IP address just to see what happens. Should there be any problem with this?

    I realize I just lease the software and don't personally own it. Having said that, I also lease my car here but they don't come and drive it around without asking.

    Finally, I don't know how often they are connected, but it lasts for well over an hour and, I believe, is at least daily. I am not certain about the frequency.

    I am certainly no expert in this area, but Port Explorer is a magnificent tool for looking into what's going on. I do have reasons to be especially concerned about integrity of information, though.

    Thank you both for the response and help!

    Regards,

    Bdiamond
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Bdiamond, Glad you like XPantispy.

    I think we would need to look much deeper into what was happening
     
  7. Bdiamond

    Bdiamond Registered Member

    Joined:
    Apr 26, 2002
    Posts:
    74
    Location:
    N Carolina, USA
    Pilli, thanks again for your interesting note. This morning, as soon as I logged on, my visitors were right back.

    I noticed from the WHOIS that they have the range 207.46.0.0-207.46.255.255 reserved so I blocked the entire range.

    In addition, I also noticed they have an OrgAbuseEmail address listed, so I think I will drop them a line and see if they have any ideas on how I can better protect my passwords.

    It will be interesting to see what they have to say.
    Again I would appreciate any suggestions or ideas.

    Thanks again to both you and Jooske.

    Regards,

    Bdiamond
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Looking forward to the reactions! The password part worried me the most, but maybe it was "normal". It should have gone over the line encrypted if it had to go at all, but not every site does so.
     
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Looks like that whole IP range belongs to MS.
    I am thinking about Messenger, both the normal IM Messenger and the Windows Messenger service. Do you use any of the MS Messenger services? Media Player also phones home if allowed.

    OrgName: Microsoft Corp
    OrgID: MSFT
    Address: One Microsoft Way
    City: Redmond
    StateProv: WA
    PostalCode: 98052
    Country: US

    NetRange: 207.46.0.0 - 207.46.255.255
    CIDR: 207.46.0.0/16
    NetName: MICROSOFT-GLOBAL-NET
    NetHandle: NET-207-46-0-0-1
    Parent: NET-207-0-0-0-0
    NetType: Direct Assignment
    NameServer: DNS1.CP.MSFT.NET
    NameServer: DNS2.CP.MSFT.NET
    NameServer: DNS1.TK.MSFT.NET
    NameServer: DNS1.DC.MSFT.NET
    NameServer: DNS1.SJ.MSFT.NET
    Comment:
    RegDate: 1997-03-31
    Updated: 2002-12-05

    TechHandle: ZM39-ARIN
    TechName: Microsoft
    TechPhone: +1-425-936-4200
    TechEmail: noc@microsoft.com
     
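WHOIS reports the allocation as an inclusive start-end NetRange, while a firewall rule normally wants CIDR blocks; the two coincide here (207.46.0.0 - 207.46.255.255 is exactly 207.46.0.0/16) but they often do not. The following is an added example, not code from any of the posters or from DiamondCS: it converts WHOIS-style ranges into the minimal set of CIDR blocks, checks which range a captured remote address falls into, and emits one deny rule per block in a generic rule syntax (the rule format is an assumption, not Sygate's). The two ranges are the ones named in this thread; the range names used as dictionary keys are labels chosen for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Inclusive start-end ranges as WHOIS reports them.  The first is the NetRange
# quoted above; the second is the range reported later in the thread.  The key
# strings are labels for this example only.
WHOIS_RANGES: Dict[str, Tuple[str, str]] = {
    "MICROSOFT-GLOBAL-NET": ("207.46.0.0", "207.46.255.255"),
    "second MS range (from the thread)": ("65.52.0.0", "65.55.255.255"),
}


def range_to_cidrs(start: str, end: str) -> List[ipaddress.IPv4Network]:
    """Minimal list of CIDR blocks that exactly covers an inclusive range.

    WHOIS ranges need not be CIDR-aligned, so the result may be several blocks;
    blocking only the first would leave part of the allocation open.
    """
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)))


def owner_of(ip: str, ranges: Dict[str, Tuple[str, str]] = WHOIS_RANGES) -> Optional[str]:
    """Label of the first range containing ip, or None if it matches nothing."""
    addr = ipaddress.IPv4Address(ip)
    for name, (start, end) in ranges.items():
        if ipaddress.IPv4Address(start) <= addr <= ipaddress.IPv4Address(end):
            return name
    return None


def block_rules(ranges: Dict[str, Tuple[str, str]] = WHOIS_RANGES) -> List[str]:
    """One deny rule per CIDR block, in a generic 'deny <proto> -> <dst>' syntax.

    This is illustrative rule text, not Sygate's (or any product's) rule format.
    """
    rules = []
    for name, (start, end) in ranges.items():
        for net in range_to_cidrs(start, end):
            rules.append(f"deny tcp -> {net}  # {name}")
    return rules


def classify(ips: List[str]) -> Dict[str, Optional[str]]:
    """Map each captured remote address to the range label that owns it."""
    return {ip: owner_of(ip) for ip in ips}


if __name__ == "__main__":
    # The first address is the one from the original post; the others are made up.
    print(classify(["207.46.134.62", "65.54.1.1", "8.8.8.8"]))
    for rule in block_rules():
        print(rule)
```

The check worth keeping from this is `range_to_cidrs`: a range such as 207.46.134.60 - 207.46.134.70 needs four separate blocks, and a firewall that only accepts CIDR will silently cover less than the WHOIS range if you hand-convert it to a single prefix.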
  10. Bdiamond

    Bdiamond Registered Member

    Joined:
    Apr 26, 2002
    Posts:
    74
    Location:
    N Carolina, USA
    Thanks again for the notes. I don't use the IM application, but I don't know about the other Messenger service. Is that something I can either delete or turn off?

    They are really persistent. Since my last note they are back using the IP range 65.52.0.0-65.55.255.255. It's now blocked also.

    When I originally purchased PE it was mostly just a matter of wanting to learn more about ports and connections, etc., because I am so ignorant about them. In fact, it has been an incredibly useful tool in picking this up and in making it really easy to follow what's happening. The Log function is especially handy because all I have to do is review it looking for "visitors". It is then very easy to "follow up" when I have time.

    There was a thread here earlier involving a discussion about using a "debugging tool" to monitor connections in more detail. I didn't understand what that was all about, but would it be of any potential help to me in trying to look at this in more detail?

    Regards,

    Bdiamond
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Answer #9 here tells about disabling the Windows Messenger service
    http://www.wilderssecurity.com/showthread.php?t=10921;start=msg72374#msg72374
    but that Messenger gets spam via the NetBIOS ports, most of the time 135, 137-139, which you had disabled anyway with your firewall.
    443 etc. are for remote login.
    I thought that normally, when MS does its online checking for illegal software, it used 135, but.......
    dunno, honestly said.
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Windows Update usually tries to phone home on startup for cable and ADSL, or on each connection when using dial-up. I believe it only checks once a day providing the PC is not switched off, but I have had XP-AntiSpy cleanse my system, and all connections to the net are blocked or set to ask except for a couple of trusted programmes.
    I'm no techie, so have no in-depth knowledge of ports, but the port list in TDS3 is quite useful sometimes.
     
  13. Bdiamond

    Bdiamond Registered Member

    Joined:
    Apr 26, 2002
    Posts:
    74
    Location:
    N Carolina, USA
    Thank you both for all the information! I am really surprised to have received a very courteous reply from a human in Redmond promising this will receive prompt attention. I was really surprised to hear anything at all (other than an auto-response) on a Sunday afternoon.

    Additionally, with blocking of both the IP address ranges there have been no more connections. So, if nothing else, maybe we will learn something from this.

    Thanks again. I will keep you posted.

    Bdiamond.
     
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Wow! That is certainly worth a gold medal in the Security Book of Records! If now the firewall logs show no more tries from them too, you are certainly heard!
    It's really interesting, keep us updated!

    See the news? Port Explorer unveils Redmond activity!
    Seeing it, sniffing the packets and blocking their traces!
     
  15. Bdiamond

    Bdiamond Registered Member

    Joined:
    Apr 26, 2002
    Posts:
    74
    Location:
    N Carolina, USA
    Jooske,

    It's great to hear from you again! I really do appreciate your help with all this. I am actually "crushed" because I have heard nothing so far today, but it is only around noon on the west coast, so who knows? There is still a possibility they may respond. In any case, I will wait till the end of the week before I follow up.

    Meanwhile, things have really been quiet today. This Sygate really is effective (as well as easy to use). TDS may need to get a special license for Port Explorer. It's really an "addicting" program; it's hard to put it down once you get involved with it.

    In addition, it may really hit the "big times" when the news breaks! Meanwhile, I am thinking about maybe a degree in port exploring?

    You will be one of the first to know what I hear!

    Bdiamond
     
  16. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Bdiamond, I really hope that you get a useful response :)
    I use Sygate Pro 5 and, for me, it is the best firewall around at the moment, works well with TDS, PE & KAV.
    DCS certainly gives us good tools to play with & with great added security!
    It is always a pleasure to help users; we also learn from each and every new post.

    Keep in touch - Pilli
     
  17. Bdiamond

    Bdiamond Registered Member

    Joined:
    Apr 26, 2002
    Posts:
    74
    Location:
    N Carolina, USA
    Well, I received an answer? The email I sent to MS was returned, but not from MS: from Netsec (www.netsec.net).

    In fact, I almost deleted the message because I thought it was probably just some advertising. However, my note to MS had apparently been forwarded to Netsec for the response, which was:

    "Most of these issues are false positives relating to web surfing, and can be quickly determined with the above information. If you have trouble determining this, please contact the manufacturer of the firewall/intrusion detection software you are using."

    I realize this thread may be inappropriate here and, perhaps, even for the forum, so just let me know if that's the case. It's certainly security related but not exactly a "pure" software issue.

    Their response would make sense to me if the password had not been one of the items transmitted. However, they are obviously unaware of the logging capability of Port Explorer, which I intend to show them in my response.

    I also would like for them to clarify their sense of "false positive". How likely would it be that no one was intruding into my machine given the information I have shown? I suppose a valid question might be what is the likelihood that MS was not involved? Could someone be "masquerading" using the IP of MS? They would have had to have successfully done it on at least two separate occasions, using first an IP address from a "range" of IP addresses belonging to MS and then doing it a second time using a different IP address from a different range of IP addresses assigned to MS. I suppose this could happen, but wouldn't it be very, very, very unlikely?

    All of this may well have been quite "benign" in intent with no intended malice, but that's something quite different from a "false positive" finding on my part.

    Finally, they wished to know what software I am using. I intend to refer them to Port Explorer; what term would best characterize it? Also, I would appreciate hearing any way that you think these findings, as they have been presented, could be false. Netsec does raise a valid point, and if there is a reasonable chance they may be correct then I need to acknowledge that. If the chance is very high then I probably owe them an apology. Right now, a "false positive" seems sufficiently unlikely as to be almost negligible.

    In any case, I don't think talking with Sygate will be of any use at all.

    As always I would appreciate additional thoughts and opinions here.

    Regards,

    Bdiamond
     
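Two things decide whether a record like "local port 1066, remote port 443" is an intrusion or the machine's own outbound traffic: which side opened the connection, and whether the bytes on the wire were protected. A local port in the dynamic range talking to a remote well-known port means the local host connected out; a payload that starts with a TLS record header is opaque to a sniffer, while readable HTTP with a cookie is not. The block below is an added example written for this thread, not code from any poster or from DiamondCS; its log layout ("PROTO local remote payload-hex") and its three records are constructed and are not Port Explorer's real log format. The Windows 2000/XP default dynamic port range of 1025-5000 is the one fact it relies on. It parses the records, infers direction from the port numbers, recognises a TLS record header, and reports any known secret that appears verbatim in the captured payload.

```python
import re
from dataclasses import dataclass
from typing import List

# Default dynamic (client-side) port range on Windows 2000/XP.
EPHEMERAL = range(1025, 5001)


@dataclass
class Conn:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    payload: bytes


# Constructed sample records in a made-up "PROTO local remote payload-hex" layout
# (not Port Explorer's format).  Record 1: cleartext HTTP request carrying a
# cookie to remote port 443.  Record 2: a TLS 1.0 ClientHello record header to
# the same port.  Record 3: a NetBIOS-style broadcast datagram on the LAN.
SAMPLE_LOG = "\n".join([
    "TCP 192.168.1.10:1066 207.46.134.62:443 "
    + b"GET /weather HTTP/1.1\r\nCookie: passwd=s3cr3t\r\n\r\n".hex(),
    "TCP 192.168.1.10:1067 207.46.134.62:443 160301004a010000460301",
    "UDP 192.168.1.10:137 192.168.1.255:137 8a2b01100001000000000000",
])

LINE_RE = re.compile(
    r"^(\w+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+([0-9a-fA-F]*)\s*$")


def parse_log(text: str) -> List[Conn]:
    """Parse the constructed log layout into Conn records; unparseable lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, hexdata = m.groups()
        conns.append(Conn(proto, lip, int(lport), rip, int(rport), bytes.fromhex(hexdata)))
    return conns


def direction(c: Conn) -> str:
    """Who opened the connection?  Local ephemeral port to remote fixed port:
    this machine connected out.  The reverse: something here accepted a connection.
    Both ends fixed (or both ephemeral): the port numbers alone cannot tell."""
    local_eph = c.local_port in EPHEMERAL
    remote_eph = c.remote_port in EPHEMERAL
    if local_eph and not remote_eph:
        return "outbound"
    if remote_eph and not local_eph:
        return "inbound"
    return "ambiguous"


def looks_like_tls(payload: bytes) -> bool:
    """TLS/SSL3 record header: content type 0x16 (handshake), version 0x0300..0x0303."""
    return (len(payload) >= 5 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] <= 0x03)


def cleartext_credentials(payload: bytes, secrets: List[bytes]) -> List[bytes]:
    """Known secrets that appear verbatim, i.e. unencrypted, in the captured bytes."""
    return [s for s in secrets if s in payload]


def triage(text: str, secrets: List[bytes]) -> List[dict]:
    """One row per connection: direction, whether it is TLS, and any leaked secret."""
    report = []
    for c in parse_log(text):
        report.append({
            "conn": f"{c.proto} {c.local_ip}:{c.local_port} -> {c.remote_ip}:{c.remote_port}",
            "direction": direction(c),
            "tls": looks_like_tls(c.payload),
            "leaked": cleartext_credentials(c.payload, secrets),
        })
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, [b"s3cr3t"]):
        print(row)
```

In the constructed data the first record is flagged as outbound, non-TLS, and leaking the cookie value, which is the combination that matters: the remote side did not reach in, but whatever the local process sent went out readable. A real capture would have the secret searched for from a list you supply, never hard-coded.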
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Interesting, and what's more, they are interested in discussion!
    Tell them it is Port Explorer, www.diamonds.com.au/portexplorer , send the link to this thread, and I think it's a good idea to send a CC to support@diamondcs.com.au as there might come some contact between the developers.
     
  19. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Well Bdiamond, IMO it may be better to wait for a response from DCS (Jason?). This would be useful as DCS hold the real technical PE knowledge.
    If you want, you could email jason@diamondcs.co.au with all the relevant information from this thread etc. that may help with an analysis. Jason could then respond directly to you via email.

    HTH. Pilli
     
  20. Bdiamond

    Bdiamond Registered Member

    Joined:
    Apr 26, 2002
    Posts:
    74
    Location:
    N Carolina, USA
    Thanks very much for the advice. I did get a chance to meet Jason by mail and, additionally, respond to netsec.

    In any case, since the last intrusion, I haven't seen any further connection attempts since blocking both of the address ranges belonging to MS.

    It will be interesting to hear from netsec now that they have the information.

    An unrelated question: What sort of information is transmitted by ICMP protocols? I thought it was mostly instructions regarding connections and of interest to the ISP and providers? That must not be true?

    Thanks again

    Bdiamond
     
  21. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Here is some information on ICMP..

    Overview - http://www.freesoft.org/CIE/Topics/81.htm
    RFC - http://www.faqs.org/rfcs/rfc792.html

    It will be interesting to see NetSec's reply to your email. :)
    -Jason-
     
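To put some substance behind the RFC 792 link: an ICMP message is an 8-byte header (type, code, checksum, and a type-specific word) followed by a body, and for the error types the body quotes the IP header plus the first 8 bytes of the packet that provoked it, which is enough to recover the addresses and port numbers. That is why an ICMP entry in a firewall log often points back at the machine's own outbound traffic. The following is an added example, not from the thread or from DiamondCS: a builder and decoder for Echo Request and Destination Unreachable messages, with the RFC 792 checksum verified over the whole message. The packets are constructed; the addresses reuse the ones from the original post, and the quoted UDP header to port 53 is invented for the example.

```python
import socket
import struct
from typing import Dict

# RFC 792 message types most often seen in a home firewall log.
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 4: "source quench",
              5: "redirect", 8: "echo request", 11: "time exceeded",
              12: "parameter problem", 13: "timestamp", 14: "timestamp reply"}
UNREACHABLE_CODES = {0: "net", 1: "host", 2: "protocol", 3: "port",
                     4: "fragmentation needed", 5: "source route failed"}


def icmp_checksum(data: bytes) -> int:
    """RFC 792 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Type 8, code 0; the checksum is computed with its own field zeroed."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def build_ipv4_header(proto: int, src: str, dst: str, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header, used here only as the quoted datagram (IP checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def build_unreachable(code: int, orig_ip_header: bytes, orig_first8: bytes) -> bytes:
    """Type 3: 4 unused bytes, then the original IP header and the first 8 bytes
    of the offending datagram (which is where the port numbers live)."""
    body = struct.pack("!BBHI", 3, code, 0, 0) + orig_ip_header + orig_first8
    csum = icmp_checksum(body)
    return struct.pack("!BBHI", 3, code, csum, 0) + orig_ip_header + orig_first8


def parse_icmp(msg: bytes) -> Dict:
    """Decode the header, verify the checksum, and pull out what the body carries."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    icmp_type, code, csum = struct.unpack("!BBH", msg[:4])
    info = {"type": icmp_type, "type_name": ICMP_TYPES.get(icmp_type, "other"),
            "code": code,
            # Summing the whole message, checksum field included, must come out as zero.
            "checksum_ok": icmp_checksum(msg) == 0}
    if icmp_type in (0, 8):
        info["id"], info["seq"] = struct.unpack("!HH", msg[4:8])
        info["payload"] = msg[8:]
    elif icmp_type in (3, 11):
        if icmp_type == 3:
            info["code_name"] = UNREACHABLE_CODES.get(code, "other")
        ip = msg[8:]                       # quoted original IP header + first 8 bytes
        ihl = (ip[0] & 0x0F) * 4
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        info["quoted"] = {"proto": ip[9],
                          "src": socket.inet_ntoa(ip[12:16]),
                          "dst": socket.inet_ntoa(ip[16:20]),
                          "src_port": sport, "dst_port": dport}
    return info


if __name__ == "__main__":
    print(parse_icmp(build_echo_request(0x1234, 1, b"abcdefgh")))
    ip_hdr = build_ipv4_header(17, "192.168.1.10", "207.46.134.62", 44)
    udp_hdr = struct.pack("!HHHH", 1066, 53, 24, 0)   # constructed UDP header
    print(parse_icmp(build_unreachable(3, ip_hdr, udp_hdr)))
```

The decoded Destination Unreachable shows the point: the "quoted" fields name this host as the source and 207.46.134.62 as the destination, so the ICMP packet arriving from outside is a reply to something this machine sent, not a probe. A checksum failure on a captured message usually means truncation or a sniffer that dropped bytes, not an attack.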