Unsolicited inbound traffic through a Windows service ?

Discussion in 'privacy problems' started by Fly, Jun 19, 2016.

  1. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    On Windows XP, to be precise.

    It was a Microsoft thing, I don't recall the exact phrase being used. 'general host ...' ?? I'm not sure. I was just doing some regular browsing !
    Eset Smart Security (firewall at interactive) caught it. The IP was 185.35.62.135.
    WHOIS 'This IP network is used for Internet security research. Internet-scale port scanning activities are launched from this network.' 'Kudelski Security RnDOI'

    I don't see the point ... It's just a home machine ... Any thoughts ? It's not in the log.

    I think I should add that I had to remove the router and connect directly to the router because of ISP issues.

    Edit: second event, after I had rebooted the computer. I was just reading Wilders'.
    Unsolicited inbound connection from 185.128.40.122 (general host process for win32 services) 'Foster Banks', 'Panama'. Weird.
     
    Last edited: Jun 19, 2016
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,088
    Probably just someone portscanning your ISP's IP range. Add router between your computer and ISP's modem and it should go away.
     
  3. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    Quite possibly. I just hadn't seen anything like that before I took out my router.

    The first event seemed somewhat sensible, though weird. Why would a foreign security company scan the ports of my ISP ?

    The other one, just weird.

    But shouldn't the firewall (set at interactive) just block all incoming unsolicited traffic ?
     
    Last edited: Jun 20, 2016
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    The Eset firewall will do so in "automatic" mode. However, that mode will also allow all outbound activity. When you set the firewall to interactive mode, you will receive alerts for any inbound or outbound traffic for which no user rule exists to handle the traffic.
     
  5. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    @itman, thanks for the clarification.
    It seems that the router issues may not persist and I can go back to the old configuration.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    This IP, 185.128.40.122, shows up multiple times in this IPS honeypot database: http://global-threat.rmjconsulting.net/?op=prv_idstableLimit&limit=5000. Appears to be UDP connection attempts to ports 111, 123 and possibly DNS related.

    Going back to using your router would be a smart move as long as it has SPI i.e. stateful packet inspection. That feature will drop any unsolicited inbound connections at the router.

    -EDIT- Relating to the above port 123 reference:

    Security Concerns:

    It provides both information and possible avenue of attack for intruders. Info gathered can include system uptime, time since reset, time server pkt, I/O & memory statistics and ntp peer list. If a host is susceptible to time altering via ntp an attacker can possibly:

    1) Run replay attacks using captured OTP and Kerberos tickets before they expire.
    2) Stop security-related cron jobs from running or cause them to run at incorrect times.
    3) Make system and audit logs unreliable since time is alterable.


    Ref.: http://www.speedguide.net/port.php?port=123
     
    Last edited: Jun 21, 2016
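As an added illustration (not from this thread, from Eset, or from any router firmware), a minimal model of the SPI behaviour itman describes: an inbound packet is allowed only when it answers a flow the inside host opened first, so the unsolicited UDP probes to ports 123 and 111 are dropped. The LAN address, the NTP server address (documentation range) and the timestamps are constructed; only the scanner address comes from the thread.

```python
from collections import namedtuple

# One packet as seen on the router's WAN side. direction is "out" (LAN -> Internet)
# or "in" (Internet -> LAN). All values in SAMPLE below are constructed for the demo.
Packet = namedtuple("Packet", "ts direction proto src_ip src_port dst_ip dst_port")


class StatefulFilter:
    """Minimal stateful packet inspection: inbound traffic is allowed only if it
    matches a flow the inside host opened first and that flow has not idled out."""

    def __init__(self, idle_timeout=30.0):
        self.idle_timeout = idle_timeout
        self.flows = {}  # flow key -> timestamp of the last packet seen on it

    @staticmethod
    def _key(pkt):
        # Normalise both directions to (proto, local_ip, local_port, remote_ip, remote_port)
        if pkt.direction == "out":
            return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def _expire(self, now):
        stale = [k for k, t in self.flows.items() if now - t > self.idle_timeout]
        for k in stale:
            del self.flows[k]

    def decide(self, pkt):
        """Return 'ALLOW' or 'DROP' for one packet and update the flow table."""
        self._expire(pkt.ts)
        key = self._key(pkt)
        if pkt.direction == "out" or key in self.flows:
            self.flows[key] = pkt.ts  # create the flow, or refresh its idle timer
            return "ALLOW"
        return "DROP"  # no inside host asked for this: unsolicited inbound


def filter_packets(packets, idle_timeout=30.0):
    f = StatefulFilter(idle_timeout)
    return [(p.direction, p.src_ip, p.dst_port, f.decide(p)) for p in packets]


# Constructed trace: 192.168.1.10 is the LAN host, 203.0.113.5 a legitimate NTP
# server, 185.128.40.122 the address reported in the thread.
SAMPLE = [
    Packet(0.0, "out", "udp", "192.168.1.10", 52000, "203.0.113.5", 123),
    Packet(0.1, "in", "udp", "203.0.113.5", 123, "192.168.1.10", 52000),    # NTP reply: ALLOW
    Packet(1.0, "in", "udp", "185.128.40.122", 40123, "192.168.1.10", 123),  # unsolicited: DROP
    Packet(2.0, "in", "udp", "185.128.40.122", 40124, "192.168.1.10", 111),  # unsolicited: DROP
    Packet(40.0, "in", "udp", "203.0.113.5", 123, "192.168.1.10", 52000),   # flow idled out: DROP
]
```

Run `filter_packets(SAMPLE)` to see the verdict per packet; raising `idle_timeout` above 40 seconds lets the late NTP reply through, which is the trade-off a real router makes with its UDP timeout.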
  7. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,181
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    I have used it in the past but in recent times, the site seems to be in a perpetual down state.

    Here is a good test but you have to register: https://secure1.securityspace.com/smysecure/basic_index.html

    Here are also some sites that will detect and give status on any installed proxy servers:

    http://www.lagado.com/proxy-test
    http://www.whatismyproxy.com/
    http://whatismyipaddress.com/proxy-check

    I was never a big fan of AdGuard. They advertise that they filter traffic at the network level but still install a local host proxy server. If they used WFP properly and installed a NDIS mini-port filter driver for the network adapter, they can examine all HTTP/S traffic w/o using a proxy server.
     