Server tracking my PC Through England!

Discussion in 'other firewalls' started by Mudd, Oct 18, 2003.

Thread Status:
Not open for further replies.
  1. Mudd

    Mudd Registered Member

    Joined:
    Aug 20, 2003
    Posts:
    38
    Location:
    Howard Co, TX
    Being an amateur I'm questioning what my Server is doing when I open my OE and IE. I have it blocked by ZA but have traced it on NeoTrace. If I may, I'd like to explain what it's doing and hopefully someone can tell me if this is proper.

    The Trace shows this order: My PC to Dallas/FtWorth area, bouncing around from Plano to Richardson to FtWorth again, then to England, that's the Country of England, back to the Dallas/Ft Worth area and finally to the Server itself.

    Each time I open OE or IE it logs a trace in the order above. Why would My Server want to do this and especially, why through England? I've not mentioned DNS numbers as I'm not sure this would be proper on the Forum.

    Does this sound right? Am I being overly protective by blocking this action?
     
  2. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    I am assuming you are describing what happens to you when you come to or at this forum....the servers for this forum if I am not mistaken are now in Texas...I am sure that there are some graphics that could be loading from other members that may be on servers in the UK...this forum at one time was on freesever network in the UK..and it is possible that the portal or some other items that must load could be there..so could you be more specific..I see you are using NeoTrace to map the route..what version is it? Is it up to date...Is it a new version or an older one from Neoworx...does it also have a map...and then how is it resolved for the DNS. Most of them are only as good as the data base they access..

    Do you have logs you can post that will show all of this o_O then I could help you more.
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Well, you can never know what route your ISP is going to use to get you where you need to get, but, Texas to England and back doesn't seem quite right.

    How about opening a CMD window (or DOS, depending upon what version of Windows you are running) and doing a "tracert" to www.google.com and telling us what it does. (As for not posting IP addresses or whatever, the only one you need to worry about is your own personal IP address. See my image below. I blocked out only my IP address.)

    From Start menu > select "Run..." > enter "command" and press okay. This should bring up either a CMD or DOS window. From there use a command like this:

    tracert www.google.com

    Output should look something like image below. I'm in CT, USA. Notice my route to Google passes through CT, NY and into VA.

    This at least is a place to start looking at this.
     


  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Ah, I see Primrose's response there and between that and re-reading the original post again... I see this may not be a network route issue but simply just what DNS server is being used by either Neotrace or your system in general.

    You could traceroute to those specific DNS servers that you didn't post above and see if they really are in UK.
     
  5. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    But I will also tell you this..when I load the main page portal...I am also still finding that my system goes to this server...I can not tell you why...but that was the old server if I am not mistaken..Host name: server0026.www.freedom2surf.net


    TraceRoute to [server0026.www.freedom2surf.net]

    Hop (ms) (ms) (ms) IP Address Host name

    Trace complete

    Domain registry query for freedom2surf.net:

    Whois Server Version 1.3

    Domain names in the .com and .net domains can now be registered
    with many different competing registrars. Go to http://www.internic.net
    for detailed information.

    Domain Name: FREEDOM2SURF.NET
    Registrar: TUCOWS, INC.
    Whois Server: whois.opensrs.net
    Referral URL: http://www.opensrs.org
    Name Server: SERVER0004.FREEDOM2SURF.NET
    Name Server: SERVER0001.FREEDOM2SURF.NET
    Status: REGISTRAR-LOCK
    Updated Date: 04-may-2003
    Creation Date: 04-jun-1997
    Expiration Date: 03-jun-2004


    >>> Last update of whois database: Sat, 18 Oct 2003 06:25:21 EDT <<<

    NOTICE: The expiration date displayed in this record is the date the
    registrar's sponsorship of the domain name registration in the registry is
    currently set to expire. This date does not necessarily reflect the expiration
    date of the domain name registrant's agreement with the sponsoring
    registrar. Users may consult the sponsoring registrar's Whois database to
    view the registrar's reported date of expiration for this registration.

    TERMS OF USE: You are not authorized to access or query our Whois
    database through the use of electronic processes that are high-volume and
    automated except as reasonably necessary to register domain names or
    modify existing registrations; the Data in VeriSign Global Registry
    Services' ("VeriSign") Whois database is provided by VeriSign for
    information purposes only, and to assist persons in obtaining information
    about or related to a domain name registration record. VeriSign does not
    guarantee its accuracy. By submitting a Whois query, you agree to abide
    by the following terms of use: You agree that you may use this Data only
    for lawful purposes and that under no circumstances will you use this Data
    to: (1) allow, enable, or otherwise support the transmission of mass
    unsolicited, commercial advertising or solicitations via e-mail, telephone,
    or facsimile; or (2) enable high volume, automated, electronic processes
    that apply to VeriSign (or its computer systems). The compilation,
    repackaging, dissemination or other use of this Data is expressly
    prohibited without the prior written consent of VeriSign. You agree not to
    use electronic processes that are automated and high-volume to access or
    query the Whois database except as reasonably necessary to register
    domain names or modify existing registrations. VeriSign reserves the right
    to restrict your access to the Whois database in its sole discretion to ensure
    operational stability. VeriSign may restrict or terminate your access to the
    Whois database for failure to abide by these terms of use. VeriSign
    reserves the right to modify these terms at any time.

    The Registry database contains ONLY .COM, .NET, .EDU domains and
    Registrars.


    --------------------------------------------------------------------------------

    WHOIS whois.opensrs.net freedom2surf.net:

    Registrant:
    Freedom To Surf plc
    PO Box 483
    St Albans
    St Albans, AL1 1ZL
    UK

    Domain name: FREEDOM2SURF.NET

    Administrative Contact:
    Tidey, Dionne nick@freedom2surf.net
    1 Pudding Lane
    off Market Place
    ST. ALBANS
    Herts, AL3 5SQ
    UK
    +44 (0)1727 811530 Fax: +44 (0)1727 867301

    Technical Contact:
    Panayis, Nicholas nick@freedom2surf.net
    1 Pudding Lane
    off Market Place
    ST ALBANS
    Herts, AL3 5SQ
    UK
    +44 (0)1727 811530 Fax: +44 (0)1727 867301



    Registration Service Provider:
    Freedom To Surf, nick@freedom2surf.net
    +44.1727811530
    http://www.freedom2surf.net/
    This company may be contacted for general domain support questions.


    Registrar of Record: TUCOWS, INC.
    Record last updated on 04-May-2003.
    Record expires on 03-Jun-2004.
    Record Created on 04-Jun-1997.

    Domain servers in listed order:
    SERVER0004.FREEDOM2SURF.NET 194.106.56.34
    SERVER0001.FREEDOM2SURF.NET 194.106.56.46
     
  6. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    BTW...it is this main portal page that I am speaking of LWM...when I get that link to the server in the UK...

    http://www.wilders.org/

    if it helps it appears to be called...
    server0026.www.freedom2surf.net.http and possibly 194.106.56.38.

    is that all part of the old server address doing this??
     
  7. Mudd

    Mudd Registered Member

    Joined:
    Aug 20, 2003
    Posts:
    38
    Location:
    Howard Co, TX
    I must apologize as I don't really understand some of the questions and answers given. I'm not at all familiar with computers or computer talk.
    I have posted below the Trace suggested. I am using XP Home. The Neo Trace Pro is an outdated program. Don't think it is supported anymore as McAfee bought it out. It does trace to a map or to place it is relayed. The "Location Print" is no longer supported.

    I'll try again to explain. On the ZA program control, there is an Access and Server column. On my IE and OE I have all entries "X" or blocked on the Server Column while all the Access Columns are checked with a yes.

    Each time I open a page in IE, whether it be Google, ABC, NBC, or anything else the Alert and Log Sections show that an entry was shown as blocked from my Server, that routed through the route in my original post. The page opens just fine. The same thing happens each time I click send or receive in my Email, a trace is blocked from 65.208.29.10. So if I check my mail and go to the Internet with IE 20 times each day, I have 20 blocks shown for the 65...........

    Will try to copy the trace below.

    Well that didn't work. So maybe I'm just not qualified to even be using this Forum knowing as little as I do.

    So I'll just keep doing as I have been and forget it. Thanks anyway for the help.
     
  8. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    No problem... We can work through all of this, it's just a matter of us all getting on the same page and knowing what's going on. Let's keep at it. :)

    Ah, this is good to know. I also use ZA, so perhaps we can figure this out by focusing on exactly what is shown in the Log Viewer panel, or in the log file itself. (You know the log files in ZA can be opened in Notepad (or Wordpad if too big) since they are just text files. They are located in a folder just under your windows folder called "Internet Logs". The current log is usually here: "c:\Windows\Internet Logs\ZALog.txt")

    It'd be really great to see either the log entries from these blocks or an image of the sections of the Log Viewer window. (Just FYI, if you want to attach images here, there are a couple FAQs that explain how. It is often a problem, so don't feel bad. See this: screen shots & image posting and image posting errors.)

    Hmm, so there is only 1 block alert per session of IE or OE, not literally for every page you view or message you (which would be hundreds of blocks) correct? It's one error just when you first open IE or OE, but if you go to page after page, such as here reading posts and index pages and so on, it's still just that first block until you open a new IE session?

    If this is the case, it may be a problem between how ZA is set and how your browser first accesses the network. Perhaps a Hosts issue. Maybe a proxy setting issue. Maybe a DNS access issue. Hard to say...

    There's a lot of different approaches to take here to try to find the problem. If you'd like to try, please let us know and we can work through it. It may take several posts and some return visits over the next day or two, but, it can be fun tracking down these types of things and figuring them out, especially if they turn out to be potential problems.

    Either way let us know. (In the meantime, I'm about to step out for a few hours, dinner out, but I'll be back later.)

    If you want to continue, can you give us some extra info. What version of Windows, IE, ZA (Free, Plus, Pro? version number?). Anything you can tell us about your ISP connection. If you can post some of the logged block entries, too, that would be great (either in text form in a reply here, or an image).

    No, don't think that way. First, this forum software is very tricky, just look in the FAQ section and the General Topics and notice how many of them are about posting problems. This forum software is not very user friendly at times.

    And as for leaving it as is and forgetting about it, certainly you can do that, but it might be good to find out what it is. Perhaps it'll make your web usage smoother or even faster? Or maybe fixing this will improve your overall security, or at the least we might all learn a thing or two.

    But either way let me wish you the best. :)
     
  9. Mudd

    Mudd Registered Member

    Joined:
    Aug 20, 2003
    Posts:
    38
    Location:
    Howard Co, TX
    LowWaterMark. If you can stand it, I can also!!!!
    OS Win XP Home
    ZA Version 3.7.211 (Free)
    Connection: I connect to a place called RayTech.net. They are not the POP3 people but I think a Proxy to MidTech in Denver City, Texas, near the NM Line.

    I don't keep a log as it just gets bigger and bigger. Should I?
    Hopefully you can see what I mean from the (hopefully) attachments below. I'll send another post with the second picture.
     
  10. Mudd

    Mudd Registered Member

    Joined:
    Aug 20, 2003
    Posts:
    38
    Location:
    Howard Co, TX
    LowWaterMark

    The ZA Log in Alerts. Hope this helps. Do you need for me to also put a copy of the NeoTrace Map on the Forum?

    Edit image to remove Mudd's IP
     
  11. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Mudd

    Your traceroute to google looks normal...no hops out of the country.

    From your next screenshot of the ZA logs and the highlighted blocked entry from 65.208.29.10:53. Could you advise what the destination port was. This would be the number after your IP and the " : ". 65.67.xxx.xxx:xxxx

    Could you also go to the command prompt and do a "ipconfig /all", without the quotes, to determine the IPs of your ISP assigned DNS servers. No need to post them, just let us know if they match ones being blocked. You may need to add them to your trusted group in ZA.

    Regards,

    CrazyM
     
  12. Mudd

    Mudd Registered Member

    Joined:
    Aug 20, 2003
    Posts:
    38
    Location:
    Howard Co, TX
    I think you will see, if I understand you, that the destination DNS and Port are not listed on the entries I'm questioning. These are the ones that NeoTrace went to the UK or came from there, not sure. I suppose with the server being blocked it never got here to be logged!!!!
     
  13. Mudd

    Mudd Registered Member

    Joined:
    Aug 20, 2003
    Posts:
    38
    Location:
    Howard Co, TX
    Continued to above post.
     
  14. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    OK, those entries were blank to begin with and not edited by you, correct?
    Just a suggestion, you might want to edit out your public IP in posts/images. I have edited your screenshots.

    While what you are displaying indicates there are inbound packets being blocked with a source port of 53, I suspect it may just be late (slow) responses from your DNS servers, as opposed to actual inbound connection attempts. From your ipconfig those are your valid DNS servers. It would help to see the entire log entry. Have you tried looking in the actual log file? The destination port would help clarify what you are seeing.

    Regards,

    CrazyM
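    The two checks CrazyM describes above, matching blocked inbound entries against the resolver addresses from "ipconfig /all" and separating late DNS replies (source port 53 from a known resolver) from genuinely unsolicited inbound packets, can be scripted against the log file. The block below is an added illustration, not code from the thread or from ZoneAlarm: the comma-separated line layout is a simplified format assumed for this example and is not ZoneAlarm's actual ZALog.txt layout, the sample lines are constructed, and all addresses except 65.208.29.10 (quoted in the thread) come from the RFC 5737 documentation ranges.

    ```python
    """Classify blocked inbound firewall-log entries as late DNS replies or not.

    Assumed, simplified line format (NOT ZoneAlarm's real log layout):
        direction,date,time,source_ip:port,destination_ip:port,protocol
    The destination field may be empty, as in the screenshots discussed in the thread.
    """

    # Resolver addresses as they would be read from "ipconfig /all".
    # 65.208.29.10 is the address quoted in the thread; the set is otherwise constructed.
    ISP_DNS_SERVERS = {"65.208.29.10"}

    # Constructed sample log; 192.0.2.20 stands in for the PC's own public address.
    SAMPLE_LOG = """\
    FWIN,2003/10/18,14:02:11,65.208.29.10:53,,UDP
    FWIN,2003/10/18,14:02:13,65.208.29.10:53,192.0.2.20:1062,UDP
    FWIN,2003/10/18,14:05:40,198.51.100.9:53,192.0.2.20:1039,UDP
    FWIN,2003/10/18,14:07:02,203.0.113.7:4661,192.0.2.20:135,TCP
    FWOUT,2003/10/18,14:08:55,192.0.2.20:1065,203.0.113.50:80,TCP
    """

    # Plain-language meaning of each category, matching the advice given in the thread.
    ADVICE = {
        "late-dns-reply": "Reply from your own resolver arriving after the firewall "
                          "closed the query; add the resolver to the Trusted Zone.",
        "port-53-unknown-source": "Source port 53 but not one of your resolvers; "
                                  "check ipconfig /all before trusting it.",
        "unsolicited-inbound": "Ordinary unsolicited inbound packet; leaving it blocked is correct.",
        "not-inbound": "Outbound or unrecognised direction; not relevant to this question.",
    }


    def split_endpoint(endpoint):
        """Turn 'ip:port' into (ip, port); an empty field gives (None, None)."""
        if not endpoint:
            return None, None
        ip, _, port = endpoint.rpartition(":")
        return ip, (int(port) if port.isdigit() else None)


    def parse_entry(line):
        """Parse one log line in the assumed format; return None for malformed lines."""
        fields = line.strip().split(",")
        if len(fields) != 6:
            return None
        direction, date, time, src, dst, proto = fields
        src_ip, src_port = split_endpoint(src)
        dst_ip, dst_port = split_endpoint(dst)
        return {"direction": direction, "date": date, "time": time,
                "src_ip": src_ip, "src_port": src_port,
                "dst_ip": dst_ip, "dst_port": dst_port, "proto": proto}


    def classify(entry, dns_servers):
        """Apply the reasoning from the thread to a single parsed entry."""
        if entry["direction"] != "FWIN":
            return "not-inbound"
        # A UDP packet from port 53 of a resolver we actually use is almost always a
        # DNS answer that arrived after the firewall's state entry for the query expired.
        if entry["src_port"] == 53 and entry["proto"] == "UDP" \
                and entry["src_ip"] in dns_servers:
            return "late-dns-reply"
        if entry["src_port"] == 53:
            return "port-53-unknown-source"
        return "unsolicited-inbound"


    def summarize(log_text, dns_servers):
        """Count entries per category so a day's worth of blocks can be read at a glance."""
        counts = {}
        for line in log_text.splitlines():
            entry = parse_entry(line)
            if entry is None:
                continue
            category = classify(entry, dns_servers)
            counts[category] = counts.get(category, 0) + 1
        return counts


    if __name__ == "__main__":
        for category, count in summarize(SAMPLE_LOG, ISP_DNS_SERVERS).items():
            print(f"{count:3d}  {category:24s}  {ADVICE[category]}")
    ```

    Note that the blank destination field on the first sample line, which is what Mudd saw in the Log Viewer, does not prevent classification: the decision rests on the source address and source port, which are the fields ZA did record. When the destination port is present, an ephemeral port above 1023 is the expected value for a DNS answer, whereas a well-known port such as 135 marks the packet as something the firewall should keep blocking.
    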
     
  15. Mudd

    Mudd Registered Member

    Joined:
    Aug 20, 2003
    Posts:
    38
    Location:
    Howard Co, TX
    I have long disabled the "Log Entries" because in just one day there might be up to a hundred. It seemed to me that all the space used by the Log was wasted.

    Since my last post I have changed the DNS numbers in question to "accept" for both Trusted and Internet. I can't see a thing any different. I'm on a very slow dialup connection because that is all that is available in my rural area.

    So if the DNS belong to my Server I suppose there is nothing to worry about. I'll just "accept" the connection and forget it.

    I had no idea those were my Server DNS numbers until you told me. Show what happens when people that...............!

    I thank everyone for helping me with this. But, I still don't understand why the NeoTrace Program showed it went from MidTech to Dallas to Plano to Ft Worth to England back to MidTech! Don't know why I should worry about it. There are many more things than that I don't understand.

    You are appreciated.
     
  16. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Only a hundred...I wish ;)

    Having the log entries is handy when troubleshooting something like this. You could always limit the size.

    There should be no problem with adding your ISP's DNS servers to your trusted addresses.

    From the information you have posted, I do not think you have anything to worry about.

    One of the reasons we are all here, to learn how all this works :)

    As for the NeoTrace thing, who knows. Perhaps just a quirk in the way that program works.

    Regards,

    CrazyM
     
  17. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    I have Neotrace from Neoworx..I have every version from the time they started to when they went with McAfee. I was explaining to you how this could appear to go to England..especially on the MAP you have.

    What version do you have?
     
  18. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
  19. Mudd

    Mudd Registered Member

    Joined:
    Aug 20, 2003
    Posts:
    38
    Location:
    Howard Co, TX
    Primrose - I have NeoTrace Pro, Version 3.25, and yes I have that map. It's the one with options for Map View, List View, and Node View.

    I remember when it reached the final Node, one could go to the options and select "Show Location" and the origin of the trace would be a Red Square on a map of the area from which it came. That part doesn't work for me now.

    I can, or used to, enter email addresses and it will go to a map of the city and sometime the street showed. Not any more. That part left with McAfee coming in.
     
  20. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Hi Mudd,

    I see you've got some good answers here...

    I agree about adding your DNS servers' IP addresses into the Trusted Zone Site List in ZA, I have my ISP's DNS servers in mine. I also have the Trusted Zone security set at Medium and the Internet Zone at High.

    I do get occasional pop-up alerts from ZA (usually when DNS resolves slowly for a new site I'm hitting in IE) asking if I want Internet Explorer to receive those connections in from DNS. I get a few a day, so not nearly as many as you get.

    Funny thing... I got one right here. The first route map that Primrose linked? Slow DNS response caused that alert to occur the first time I hit that link. ;)

    My log viewer looks like yours for these entries... Only the DNS server's address and the port number are there under source. The destination (my PC) is blank in that column when these occur.
     
  21. Mudd

    Mudd Registered Member

    Joined:
    Aug 20, 2003
    Posts:
    38
    Location:
    Howard Co, TX
    LowWaterMark. Sure thank you for the help earlier. :-*
     