Look 'n' stop tells me my PC's a zombie :/

Discussion in 'LnS English Forum' started by ivanovan88, Mar 14, 2007.

Thread Status:
Not open for further replies.
  1. ivanovan88

    ivanovan88 Registered Member

    Joined:
    Mar 14, 2007
    Posts:
    8
    ***loads of optional junk you don't need to read to understand my problem***

    So. Not so long ago I had no firewall, and had disabled my router's firewall as it was too complicated to forward specific ports with the junk. I knew the risks but was willing to take them because 1) I'm a stupid gamer who wants to play without having to bother about which ports to know for each game, 2) I have a strong anti-virus (or so I think) that gives me a feeling of being secure.

    Now, when I got my first trojan attack and saw that Avast Pro was not capable of stopping it in time before it did *plenty* of damage, I bought Look 'n' Stop, after reading plenty of tests from various sources, and I decided Look 'n' Stop was the best as it is one of those that leak the least while having a simple rule table and low memory usage.

    Got my computer cleaned and then I continued on with my routine and downloaded plenty of rules from this site to make my firewall perfect. Unfortunately, I'm not good enough to make my rules myself and I didn't get some of my most used games (such as Dawn of War) working online. So I sometimes exit the firewall for short periods of time. I know that's stupid and you guys will probably tell me it's my fault and that I need to go drown somewhere, but well, I'll ask anyway because maybe it will interest you to help me out.

    ***end of the optional junk***

    When I look at the LnS log (and I'm sure it didn't do that before), I have loads and loads of connection attempts appearing, nearly 5 per second, to plenty of different addresses. This is a screenshot of what I can see globally (the list always scrolls, and scrolls very fast):

    http://img291.imageshack.us/img291/2044/loglnsbz5.th.jpg

    When I look specifically at some, it says I'm the source most times, and that I'm the destination sometimes. As I have heard, this kind of behaviour could come from P2P software; the problem is, I don't use any, and I tried killing all the programs I use to access the internet in different ways, like Skype, Firefox, MSN, Hamachi, but it's of no use, I can still see all those addresses scrolling.

    So, the question is: is my PC really a zombie? Or do you have another explanation?
     
  2. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi ivanovan88,

    This log is indeed a bit complex.
    I think some entries are created because of IP name resolution for some other alerts (NetBIOS and ICMP, for instance).

    Could you uncheck, in the options tab, the checkbox to resolve IP names?
    I think it will clarify things, and we will then see the real entries to be investigated.

    Thanks,

    Frederic
     
  3. ivanovan88

    ivanovan88 Registered Member

    Joined:
    Mar 14, 2007
    Posts:
    8
    Last edited: Mar 15, 2007
  4. danieleb

    danieleb Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    111
    This is not what you specifically asked about (LnS), but I'm just trying to help :)
    If you suspect that you're still infected, have you run a scan with programs other than Avast? Like SUPERAntiSpyware, AVG AS, or some of the online antivirus scanners?
     
  5. ivanovan88

    ivanovan88 Registered Member

    Joined:
    Mar 14, 2007
    Posts:
    8
    Yes, I ran everything I had yesterday, and that includes an Avast Pro normal scan and boot-scan and Ad-Aware (those are my regular protections), Spybot, Ewido, and Kaspersky (stuff that I sometimes download just for the occasion).
    And HijackThis.

    (the antiviruses didn't find anything, HijackThis showed a neat, clean list of programs, and the antispywares both found a bunch of those highly destructive, very dangerous baby-killers: tracking cookies)

    Fact is: I don't have any nasty effects yet, no virus symptoms.

    But this log is concerning me. If I had some kind of bot or trojan, Avast or at least one of those anti-spyware programs would tell me, wouldn't it? I have had my share of viruses, malware and co. since I have had this laptop, the most destructive being a virus that was infecting all my .exe files at an alarming rate, but each time Avast told me and sometimes destroyed them, or didn't, and then I had to seek more specific instructions.

    So: what does this log mean?
     
  6. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi ivanovan88 :)

    There is nothing abnormal in this log. The only question I have is about the blocked ICMP type 3 code 3. This ICMP message is sent when a destination port is unreachable. In your log there are many of these entries for different IP addresses...

    Do these entries come from a P2P program? Maybe.

    1- To have a complete picture of the situation, all rules must be logged.
    2- The best is to upload the log here instead of giving us a picture.
    (in the additional options of this forum, manage attachments)

    :)
     
  7. ivanovan88

    ivanovan88 Registered Member

    Joined:
    Mar 14, 2007
    Posts:
    8
    Errh, while I was looking for the log to send I noticed I didn't produce any
    (must be the default setting), so I checked the option and applied it (shouldn't take long before I have a 200-line log... with the rate at which LnS blocks connections...)

    As I said before, I don't use a P2P client, except when the only download I can find is in .torrent format. In those cases I use uTorrent. I just tried launching it, and the log didn't seem to change from the usual junk I receive 5 times per second.

    But anyway, each time I made those screenshots it was not loaded, and the PC had booted without it.

    I just set all the "block" rules to be logged (I don't suppose I have to log the "accept" rules, unless you tell me otherwise).

    Here, by the time I made this post I got my 200-line log :/ yay.

    (If I might ask, why do you consider this log normal? I had to disable the sound LnS makes when it blocks a connection, it was nearly becoming a constant bibibibibibibibbibibibibibibibibibiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiip!!)
     

    Attached Files:

  8. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi ivanovan88 :)

    In the options, uncheck the "sound option"...
    (same in the internet filtering: this option drives everyone crazy)

    Yes, all rules must be logged because this is the best way to see what's happening.

    I'll check your log.
    See you later (and stop all these stOOpid sounds!) ;)

    :)
     
  9. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi ivanovan88 :)

    A)

    1- Incoming UDP packets blocked by LnS.
    No problem here: your firewall does its job.


    03-15-07,11:33:15 D-3659 'UDP : Any other UDP pack' 59.189.210.34 UDP Ports Dest:22969 Src:18335
    03-15-07,11:33:27 D-3660 'UDP : Any other UDP pack' 81.220.101.18 UDP Ports Dest:13300 Src:59372
    03-15-07,11:33:29 D-3661 'UDP : Any other UDP pack' 81.220.101.18 UDP Ports Dest:13300 Src:59372
    03-15-07,11:33:33 D-3662 'UDP : Any other UDP pack' 81.220.101.18 UDP Ports Dest:13300 Src:59372
    03-15-07,11:33:49 D-3663 'UDP : Any other UDP pack' 83.13.187.18 UDP Ports Dest:47958 Src:47958
    03-15-07,11:33:51 D-3664 'UDP : Any other UDP pack' 71.184.34.105 UDP Ports Dest:50001 Src:50001
    03-15-07,11:33:52 D-3665 'UDP : Any other UDP pack' 71.184.34.105 UDP Ports Dest:50001 Src:50001
    03-15-07,11:33:52 D-3666 'UDP : Any other UDP pack' 71.184.34.105 UDP Ports Dest:50001 Src:50001
    03-15-07,11:33:53 D-3667 'UDP : Any other UDP pack' 71.184.34.105 UDP Ports Dest:50001 Src:50001

    2- Incoming connections to ports 80 (HTTP), 443 (HTTPS), 13300 (?)
    in TCP with the SYN flag: blocked by LnS.
    No problem here: your firewall does its job.

    03-15-07,11:34:02 D-3669 'TCP : Block incoming con' 69.153.227.152 TCP Ports Dest:https Src:1704
    03-15-07,11:34:03 D-3670 'TCP : Block incoming con' 69.153.227.152 TCP Ports Dest:13300 Src:1703
    03-15-07,11:34:04 D-3671 'TCP : Block incoming con' 69.153.227.152 TCP Ports Dest:www-http Src:1706
    03-15-07,11:34:05 D-3672 'TCP : Block incoming con' 69.153.227.152 TCP Ports Dest:https Src:1704
    03-15-07,11:34:06 D-3673 'TCP : Block incoming con' 69.153.227.152 TCP Ports Dest:www-http Src:1706
    03-15-07,11:34:09 D-3674 'TCP : Block incoming con' 69.153.227.152 TCP Ports Dest:13300 Src:1703
    03-15-07,11:34:11 D-3675 'TCP : Block incoming con' 69.153.227.152 TCP Ports Dest:https Src:1704
    03-15-07,11:34:13 D-3676 'TCP : Block incoming con' 69.153.227.152 TCP Ports Dest:www-http Src:1706

    3- Incoming connections to ports 135 (RPC-DCOM), 445 (MS-DS),
    in TCP with the SYN flag: blocked by LnS.
    No problem here: your firewall does its job.

    03-15-07,11:34:46 D-3680 'TCP : Block incoming con' 82.235.21.47 TCP Ports Dest:microsoft-d Src:4096
    03-15-07,11:34:54 D-3681 'TCP : Block incoming con' 82.235.21.47 TCP Ports Dest:microsoft-d Src:1400
    03-15-07,11:34:54 D-3682 'TCP : Block incoming con' 82.235.21.47 TCP Ports Dest:loc-srv Src:1600
    03-15-07,11:35:27 D-3683 'TCP : Block incoming con' 82.235.88.24 TCP Ports Dest:loc-srv Src:1738
    03-15-07,11:35:31 D-3684 'TCP : Block incoming con' 82.235.127.130 TCP Ports Dest:loc-srv Src:3977
    03-15-07,11:35:38 D-3685 'TCP : Block incoming con' 82.235.48.247 TCP Ports Dest:microsoft-d Src:3828
    03-15-07,11:35:44 D-3686 'TCP : Block incoming con' 82.235.85.178 TCP Ports Dest:loc-srv Src:2623
    03-15-07,11:35:46 D-3687 'TCP : Block incoming con' 82.235.31.105 TCP Ports Dest:loc-srv Src:4277
    03-15-07,11:35:46 D-3688 'TCP : Block incoming con' 82.235.31.105 TCP Ports Dest:loc-srv Src:4287



    4- These are some NetBIOS packets in UDP uploaded from your PC...

    Is LnS correctly configured?
    Do you have a local network using Microsoft NetBIOS?
    Check this:
    http://www.looknstop.com/En/faq_configuration.htm
    etc.

    03-15-07,11:40:17 U-3835 'UDP : Stop NetBIOS. ' 221.197.142.92 UDP Ports Dest:netbios-ns Src:netbios-ns
    03-15-07,11:40:18 U-3836 'UDP : Stop NetBIOS. ' 221.197.142.92 UDP Ports Dest:netbios-ns Src:netbios-ns
    03-15-07,11:40:20 U-3837 'UDP : Stop NetBIOS. ' 221.197.142.92 UDP Ports Dest:netbios-ns Src:netbios-ns
    03-15-07,11:40:22 U-3838 'UDP : Stop NetBIOS. ' 59.34.138.182 UDP Ports Dest:netbios-ns Src:netbios-ns
    03-15-07,11:40:24 U-3839 'UDP : Stop NetBIOS. ' 59.34.138.182 UDP Ports Dest:netbios-ns Src:netbios-ns
    03-15-07,11:40:25 U-3840 'UDP : Stop NetBIOS. ' 59.34.138.182 UDP Ports Dest:netbios-ns Src:netbios-ns
    03-15-07,11:40:29 U-3841 'UDP : Stop NetBIOS. ' 58.40.44.3 UDP Ports Dest:netbios-ns Src:netbios-ns
    03-15-07,11:40:30 U-3842 'UDP : Stop NetBIOS. ' 58.40.44.3 UDP Ports Dest:netbios-ns Src:netbios-ns
    03-15-07,11:40:32 U-3843 'UDP : Stop NetBIOS. ' 58.40.44.3 UDP Ports Dest:netbios-ns Src:netbios-ns
    03-15-07,11:40:34 U-3844 'UDP : Stop NetBIOS. ' 218.2.220.197 UDP Ports Dest:netbios-ns Src:netbios-ns
    03-15-07,11:40:35 U-3845 'UDP : Stop NetBIOS. ' 218.2.220.197 UDP Ports Dest:netbios-ns Src:netbios-ns
    03-15-07,11:40:37 U-3846 'UDP : Stop NetBIOS. ' 218.2.220.197 UDP Ports Dest:netbios-ns Src:netbios-ns
    03-15-07,11:40:39 U-3850 'UDP : Stop NetBIOS. ' 222.179.55.2 UDP Ports Dest:netbios-ns Src:netbios-ns
    03-15-07,11:40:41 U-3852 'UDP : Stop NetBIOS. ' 222.179.55.2 UDP Ports Dest:netbios-ns Src:netbios-ns
    03-15-07,11:40:42 U-3853 'UDP : Stop NetBIOS. ' 222.179.55.2 UDP Ports Dest:netbios-ns Src:netbios-ns
    03-15-07,11:40:44 U-3854 'UDP : Stop NetBIOS. ' 219.138.134.4 UDP Ports Dest:netbios-ns Src:netbios-ns
    03-15-07,11:40:46 U-3855 'UDP : Stop NetBIOS. ' 219.138.134.4 UDP Ports Dest:netbios-ns Src:netbios-ns
    03-15-07,11:40:47 U-3856 'UDP : Stop NetBIOS. ' 219.138.134.4 UDP Ports Dest:netbios-ns Src:netbios-ns

    B)

    You say: "I don't use p2p client, except when I really only find a dl that is on .torrent format"

    :rolleyes:

    uTorrent IS a P2P program...

    Remember that a P2P program is a "client" and a "server".

    When you launch a P2P client and then stop it, the incoming packets from the other P2P clients still try to reach your PC... This is normal, and all these incoming packets are blocked by your firewall.

    :)
     
    Last edited: Mar 15, 2007
  10. ivanovan88

    ivanovan88 Registered Member

    Joined:
    Mar 14, 2007
    Posts:
    8
    Then the other clients don't seem to forget me very easily!!! So if I understood correctly, when uTorrent is off, which it is most of the time, Look 'n' Stop stops the old clients from connecting because nothing on my computer is requesting those packets, is that it?

    I do have, connected to a wireless modem/router, a network of 5 computers (one that is not working very well, thanks to my poor admin skills, or to Windows taking the position of Saturn and Pluto as important data when determining if I should be able to connect to MSHOME).

    I downloaded all the rules that were on the Look 'n' Stop site about having a network with shared folders, wireless, etc. Shouldn't that be enough?

    So if Look 'n' Stop blocks some NetBIOS packets, what does it mean: that my network is sending me junk, or that LnS blocks the network due to a poor configuration on my end? Why would there be those strange IP addresses then?
     
  11. V_8

    V_8 Registered Member

    Joined:
    Mar 15, 2007
    Posts:
    7
    I believe that's normal when you use P2P programs.
    You can close the program, and it will not stop, because other computers want to connect to your computer. That's why firewalls exist, to block this normal activity.

    Disable auto-start of the P2P program, and reboot. Make sure that no P2P is running, check the logs; if the flood continues it can be a virus.

    Oh, by the way, Avast isn't that powerful.
     
    Last edited: Mar 15, 2007
  12. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi ivanovan88 :)

    Yes. The other uTorrent clients will try to connect for a certain amount of time, or until your IP address changes...
    (The public IP address, like "167.69.184.247", not the local IP address, like "192.168.x.x"...)


    Ok.

    I guess so. For the local network you have to check the FAQ to be sure that LnS is correctly configured.

    In your log the NetBIOS packets were coming from your computer.

    In the log, U means Upload (from your PC) and D means Download (to your PC);
    the + sign means authorised, the minus sign blocked.

    :)
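    The reading Climenole and Frederic do by hand above (post 9 sorting the blocked entries into buckets, post 12 spelling out the U/D and +/- codes, post 2 attributing the outbound NetBIOS entries to the firewall's own IP name resolution) can be turned into a small triage script. The following is an added example, not code from the thread or from Look 'n' Stop. It assumes the line format visible in the entries posted above (date, time, direction letter, verdict sign, sequence number, quoted rule name, remote address, protocol, Dest/Src ports), maps LnS's printed service names back to numbers, and applies one heuristic that is an assumption: an outbound netbios-ns query to an address that already appeared earlier in the log as a peer is consistent with name resolution, one to an address never seen before is marked for investigation. The sample log is constructed, modeled on the posted lines; the allowed 'U+' entry to 198.51.100.7 and its rule name are invented.

```python
"""Triage Look 'n' Stop log lines the way the posts above do by hand.
Added example, not code from the thread or from Look 'n' Stop. Assumed format:
  <date>,<time> <U|D><+|-><seq> '<rule>' <remote ip> <proto> Ports Dest:<p> Src:<p>
U = upload (from this PC), D = download (to this PC), '+' = allowed, '-' = blocked.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Service names as LnS prints them ('microsoft-d' is its truncated microsoft-ds).
SERVICE_PORTS = {
    "www-http": 80, "https": 443, "loc-srv": 135, "microsoft-d": 445,
    "microsoft-ds": 445, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139,
}

LINE_RE = re.compile(
    r"^(?P<date>\S+),(?P<time>\S+)\s+(?P<dir>[UD])(?P<verdict>[+-])(?P<seq>\d+)\s+"
    r"'(?P<rule>[^']*)'\s+(?P<remote>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<proto>\S+)"
    r"(?:\s+Ports\s+Dest:(?P<dst>\S+)\s+Src:(?P<src>\S+))?\s*$"
)


@dataclass
class Entry:
    seq: int
    inbound: bool            # D: packet arriving at this PC
    blocked: bool            # '-': the rule dropped it
    rule: str
    remote: str
    proto: str
    dst_port: Optional[int]  # for an inbound entry this is the LOCAL port
    src_port: Optional[int]


def port_number(token: Optional[str]) -> Optional[int]:
    """LnS prints well-known ports by name; map them back to numbers."""
    if token is None:
        return None
    return int(token) if token.isdigit() else SERVICE_PORTS.get(token)


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(seq=int(m["seq"]), inbound=m["dir"] == "D", blocked=m["verdict"] == "-",
                 rule=m["rule"].strip(), remote=m["remote"], proto=m["proto"],
                 dst_port=port_number(m["dst"]), src_port=port_number(m["src"]))


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def triage(entries: List[Entry]) -> Dict[str, object]:
    """Bucket the blocked noise, then single out outbound NetBIOS name queries."""
    probes: Dict[int, Set[str]] = defaultdict(set)   # local port -> remote IPs hitting it
    first_seen: Dict[str, int] = {}                  # remote IP -> seq of first non-NetBIOS entry
    netbios_out: List[Tuple[str, str]] = []
    for e in sorted(entries, key=lambda x: x.seq):
        if not e.inbound and e.proto == "UDP" and e.dst_port == 137:
            # Frederic's explanation: with "resolve IP names" on, Windows falls back to a
            # NetBIOS node-status query when reverse DNS for a logged peer fails.
            # Heuristic (assumption): a query to an address already logged as a peer fits
            # that explanation; a query to an address never seen before needs a look.
            verdict = "name-resolution artifact" if e.remote in first_seen else "unexplained"
            netbios_out.append((e.remote, verdict))
            continue
        first_seen.setdefault(e.remote, e.seq)
        if e.inbound and e.blocked and e.dst_port is not None:
            probes[e.dst_port].add(e.remote)
    # Several distinct remotes knocking on one high local port while nothing listens is
    # what a torrent swarm looks like after the client has been closed.
    stale_peer_ports = {p: len(ips) for p, ips in probes.items() if p >= 1024 and len(ips) >= 2}
    return {
        "blocked": sum(1 for e in entries if e.blocked),
        "allowed": sum(1 for e in entries if not e.blocked),
        "rpc_smb_probe_sources": len(probes.get(135, set()) | probes.get(445, set())),
        "stale_peer_ports": stale_peer_ports,
        "netbios_out": netbios_out,
    }


# Constructed sample, modeled on the lines posted in this thread; the 'U+' line
# (an allowed outbound HTTP connection to a documentation address) is invented.
SAMPLE_LOG = """\
03-15-07,11:33:15 D-3659 'UDP : Any other UDP pack' 59.189.210.34 UDP Ports Dest:22969 Src:18335
03-15-07,11:33:27 D-3660 'UDP : Any other UDP pack' 81.220.101.18 UDP Ports Dest:13300 Src:59372
03-15-07,11:33:51 D-3664 'UDP : Any other UDP pack' 71.184.34.105 UDP Ports Dest:50001 Src:50001
03-15-07,11:34:03 D-3670 'TCP : Block incoming con' 69.153.227.152 TCP Ports Dest:13300 Src:1703
03-15-07,11:34:46 D-3680 'TCP : Block incoming con' 82.235.21.47 TCP Ports Dest:microsoft-d Src:4096
03-15-07,11:35:27 D-3683 'TCP : Block incoming con' 82.235.88.24 TCP Ports Dest:loc-srv Src:1738
03-15-07,11:35:40 U+3689 'TCP : Authorize HTTP' 198.51.100.7 TCP Ports Dest:www-http Src:1050
03-15-07,11:40:17 U-3835 'UDP : Stop NetBIOS. ' 221.197.142.92 UDP Ports Dest:netbios-ns Src:netbios-ns
03-15-07,11:40:22 U-3836 'UDP : Stop NetBIOS. ' 71.184.34.105 UDP Ports Dest:netbios-ns Src:netbios-ns
"""

if __name__ == "__main__":
    for key, value in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

    Run against a real LnS log, the "allowed" count is what Frederic's post 14 tells the poster to get rid of by unticking the log attribute on allowing rules; "stale_peer_ports" and "rpc_smb_probe_sources" are the two buckets of blocked inbound noise Climenole calls normal; and only the "unexplained" entries in "netbios_out" remain worth chasing once the IP-resolution option has been turned off, since a query to a peer the log has never mentioned cannot be the resolver's doing.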
     
  13. ivanovan88

    ivanovan88 Registered Member

    Joined:
    Mar 14, 2007
    Posts:
    8
    Ok, again, thank you for everything, guys. But still something is strange.


    Again, as I said before, the auto-start of uTorrent is OFF, it's not loading with the computer, and I do reboot my computer sometimes, although my IP address never changes, because of my particular ISP.

    I just set all the rules to be logged. Everything, even my own rules about authorizing stuff.


    I already had a rule that was authorizing everything going through the uTorrent port. So now in my log I can see (I open uTorrent and I begin a torrent) a really big bunch of connections accepted because of that rule (ok, forget about the 5 log entries per second, now it's 50 log entries per second).

    I uploaded my new log. OMG, it's already 6 MB! I've only had all rules set to be logged for 5 min!! I'm cutting it to one MB.


    I looked at the FAQ about local networks, I already have all the necessary rules for that, including the share rules and the WiFi rule.

    Is there a means to show you my rules somehow? Anyway, I use the advanced set and some accepting rules of my own.

    My 2 questions are: if all uTorrent traffic is accepted, then why is there plenty of junk still being blocked that is not on the uTorrent port? (plenty is nothing compared to the accepted uTorrent traffic, but well, it's still 5 log entries per second!)

    And why do I have strange NetBIOS packets being sent to some weird IP addresses?
     

    Attached Files:

  14. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    The log is showing mainly "D+" or "U+" entries, which are allowed packets.
    There are not so many "D-" or "U-".
    You should remove the log attribute on allowing rules, to see what is remaining exactly.

    Frederic
     
  15. ivanovan88

    ivanovan88 Registered Member

    Joined:
    Mar 14, 2007
    Posts:
    8
    Oh, sorry for the delay ;)

    Well, I already attached a log to this topic with all the accept rules not logged!

    As I have understood, Climenole explained that most of these blocked entries are normal, maybe due to uTorrent (even though I have a rule that accepts everything on the uTorrent port o_O)

    but there are still some NetBIOS packets from me, sent to random IP addresses, that concern me.
     
  16. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi,

    For me these NetBIOS entries are linked to IP resolution.
    Did you remove the IP Resolution in the options?
    If you did, is there any other tool on the PC that would try to resolve IP addresses?

    Frederic
     
  17. ivanovan88

    ivanovan88 Registered Member

    Joined:
    Mar 14, 2007
    Posts:
    8
    I'll try removing the IP resolution and see what happens; I shouldn't have anything else using that on my computer but LnS.
     