Odd situation: Port 80 open

Discussion in 'other firewalls' started by m00nbl00d, Dec 23, 2010.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    That only shows a connection attempt. There would be a need to see more of the sniffer log to know if it was a successful connection.

    Which firewall, or should I ask, which version of Windows?
    Check you have Windows firewall logging fully enabled.


    - Stem
     
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I think I saved a capture log, after noticing those connections. I'll check it out.

    Windows 7 firewall. I enabled audit events for both success and failure attempts. So, unless I'm wrong, there should be a log regarding such IPs, whether or not the connection(s) were successful?
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    You stated that you did not see the connection in the Windows logs, so I presume that means you did not see a connection failure or connection success (for that IP). That would make me think there is a problem with the auditing.

    I would enable the actual logging on the profile(s), in the firewall's advanced settings, to have a comparison.


    - Stem
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I thought that I had it done, but apparently not. I'll report back what I find.

    By the way, which part of the sniffer log would you like me to provide?
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    -edit-

    Windows firewall logs also do not report any of the IPs that I'm seeing connecting to local port 445.

    -edit2-

    Windows firewall has no issues logging dropped/blocked traffic to local port 445, when running GRC test. But, it fails to log the other comms.
     
    Last edited: May 18, 2011
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    You do not need to provide the log. You can check yourself to see if the connection was successful.

    For a connection to be successful, there first needs to be a 3-way handshake to set up the (standard) connection. So if we say that the inbound IP is "A" and your IP is "B", you would see 3 packets in the log showing the connection.

    (source)A: -> (destination)B: (info) [SYN]
    (source)B: -> (destination)A: (info) [SYN, ACK]
    (source)A: -> (destination)B: (info) [ACK]

    That would establish a connection.

    If you only see an inbound SYN, then the packet (connection attempt) has been dropped; it was unsuccessful.


    Does that help, or would you prefer to see an example from WS?



    - Stem
     
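    The handshake check Stem describes, applied to a few constructed sniffer lines in the "A -> B [flags]" shape he sketched. This is an added example, not code from the thread; the log format, the local address and the remote addresses are all assumed/constructed.

```python
import re

# Constructed log lines (addresses are made up for this example):
# one remote sends only SYNs, the other completes the 3-way handshake.
SAMPLE_LOG = """\
203.0.113.7 -> 192.168.1.20 [SYN]
203.0.113.7 -> 192.168.1.20 [SYN]
198.51.100.4 -> 192.168.1.20 [SYN]
192.168.1.20 -> 198.51.100.4 [SYN, ACK]
198.51.100.4 -> 192.168.1.20 [ACK]
"""

# "src -> dst [FLAG, FLAG]" -- the assumed line shape for this example.
LINE_RE = re.compile(r"^(\S+)\s*->\s*(\S+)\s*\[([A-Z, ]+)\]$")


def parse_line(line):
    """Return (src, dst, set_of_flags) for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst, flags = m.groups()
    return src, dst, {f.strip() for f in flags.split(",")}


def classify_inbound(log_text, local_ip):
    """Map each remote IP that sent us a SYN to 'established' or 'syn_only'.

    established: remote SYN, then local SYN/ACK, then remote ACK (in that order).
    syn_only:    only inbound SYN(s) seen, i.e. the attempt was dropped or unanswered.
    """
    state = {}  # remote -> 0 (SYN seen), 1 (SYN/ACK sent), 2 (ACK seen)
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue  # skip lines that are not in the expected shape
        src, dst, flags = parsed
        if dst == local_ip and flags == {"SYN"}:
            state.setdefault(src, 0)
        elif src == local_ip and flags == {"SYN", "ACK"} and state.get(dst) == 0:
            state[dst] = 1
        elif dst == local_ip and flags == {"ACK"} and state.get(src) == 1:
            state[src] = 2
    return {ip: ("established" if s == 2 else "syn_only") for ip, s in state.items()}
```

    Real captures also carry retransmissions, RST replies and data packets; this only tracks the three flag combinations described above, which is enough to separate "connection established" from "only a SYN arrived".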
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, I only found an inbound SYN.

    You provided all the info I needed. Thanks! :thumb:

    I must say it was freaking me out, the fact that I couldn't see anything in Windows audit events regarding those comms.

    Still, I do not like how slow the Internet connection is. Just after my relative brought the laptop from the computer shop, Internet speed was OK. Previously, it also was slow, due to infections (that antimalware apps could find).

    I just find it too much of a coincidence for everything else to be OK. There's no explanation for the speed loss. I can't find any explanation, that is. I'll have to check what the true speed is like. I just find this situation much of a coincidence, having under consideration recent events.

    Anyway, I appreciate your help with analyzing Wireshark.

    I'm going to delve a lot more into it. Really great tool!
    I've always been wanting to use it, but I could never use it with my own device. But, CloneRanger managed to get it to work, after your guidance, so I'll try it as well.

    Again, thanks! :)
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Do you have, or have you had, any 3rd party security applications installed (on that setup)?

    There can be low level driver conflicts that can cause problems, such as incorrect logs/slow Internet speeds.


    - Stem
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    From what I could see, the apps are about the same as before. And, only recently such problems started to happen. Considering that none of the apps got upgrades as of yet, if that was the problem, then it would have happened right after my relative took the laptop from the computer shop.

    Other relatives also use the same apps, and no problems with the Internet connection. I know that each system reacts differently, but considering what I mentioned above, I don't think this would be what's causing it.

    I'll have to monitor this situation and see what I come up with.

    But, I fear it could be related to the rootkit previously found, and whatever malware it was concealing. The guys at the computer shop didn't securely erase the hard drive, they just formatted it/installed on top. This doesn't suffice against rootkits. A secure erase is required to be sure it's really gone.

    It can all be a coincidence... But, as said, I'll have to dig further.
     