Weird connection? (Again)

Discussion in 'other firewalls' started by Comp01, Sep 28, 2003.

Thread Status:
Not open for further replies.
  1. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Another weird connection request (I blocked it, but saved the request details to a text file).
    Here are the details (From Sygate):
    Connection origin :   local initiated
    File Version :      4.10.2222
    File Description :   Windows 32-bit VxD Message Server
    File Path :      C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    Process ID :      FFFF314F (Heximal) 4294914383 (Decimal)
    Protocol :      ICMP
    Local Address :    ***.***.**.**
    ICMP Type :      10 (Router Solicitation)
    ICMP Code :       0
    Remote Name :         
    Remote Address :   224.0.0.2

    Ethernet packet details:
    Ethernet II (Packet Length: 44)
       Destination:    01-00-5e-00-00-02
       Source:    00-00-f8-77-39-d7
    Type: IP (0x0800)
    Internet Protocol
       Version: 4
       Header Length: 20 bytes
       Flags:
          .0.. = Don't fragment: Not set
          ..0. = More fragments: Not set
       Fragment offset:0
       Time to live: 128
       Protocol: 0x1 (ICMP - Internet Control Message Protocol)
       Header checksum: 0xc66 (Correct)
       Source: 209.165.23.45
       Destination: 224.0.0.2
    Internet Control Message Protocol
       Type: 10 (Router Solicitation)
       Code: 0
       Data (4 bytes)

    Binary dump of the packet:
    0000: 01 00 5E 00 00 02 00 00 : F8 77 39 D7 08 00 45 00 | ..^......w9...E.
    0010: 00 1C 0C 00 00 00 80 01 : 66 0C D1 A5 17 2D E0 00 | ........f....-..
    0020: 00 02 0A 00 F5 FF 00 00 : 00 00 42 00 | ..........B.

    Edit: removed Comp01's IP address
     
  2. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    ICMP 10 is normal to be sent outbound during dhcp, but you don't need to allow it outbound.
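    The binary dump in the first post can be decoded and its checksums verified with the following added Python script (my own example, not Sygate output or either poster's code): it parses Sygate's hex-dump layout, decodes the Ethernet II, IPv4 and ICMP headers, and shows that the frame is an ICMP type 10 router solicitation (RFC 1256) sent to the all-routers multicast group 224.0.0.2, which is what the firewall flagged.

```python
import struct

# Sygate's "Binary dump of the packet" from the first post, copied verbatim.
SYGATE_DUMP = """\
0000: 01 00 5E 00 00 02 00 00 : F8 77 39 D7 08 00 45 00 | ..^......w9...E.
0010: 00 1C 0C 00 00 00 80 01 : 66 0C D1 A5 17 2D E0 00 | ........f....-..
0020: 00 02 0A 00 F5 FF 00 00 : 00 00 42 00 | ..........B.
"""
ICMP_NAMES = {9: "Router Advertisement", 10: "Router Solicitation"}

def dump_to_bytes(dump):
    """Turn Sygate's 'offset: hex : hex | ascii' lines back into raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        hexpart = line.split("|", 1)[0].split(":", 1)[1]  # drop offset and ASCII
        out += bytes.fromhex(hexpart.replace(":", " "))
    return bytes(out)

def inet_checksum(data):
    """RFC 1071 one's-complement sum; 0 means the stored checksum verifies."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_frame(raw):
    """Decode Ethernet II + IPv4 (+ ICMP) headers and verify both checksums."""
    dst = raw[:6]
    info = {"dst_mac": dst.hex("-"), "src_mac": raw[6:12].hex("-"),
            "ethertype": struct.unpack("!H", raw[12:14])[0],
            "multicast_mac": bool(dst[0] & 1)}        # group bit of first octet
    if info["ethertype"] != 0x0800:                   # not IPv4: stop here
        return info
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    info.update(ttl=ip[8], proto=ip[9],
                src_ip=".".join(map(str, ip[12:16])),
                dst_ip=".".join(map(str, ip[16:20])),
                multicast_ip=224 <= ip[16] <= 239,    # 224.0.0.2 = all-routers group
                ip_checksum=struct.unpack("!H", ip[10:12])[0],  # wire order 0x660C
                ip_checksum_ok=inet_checksum(ip[:ihl]) == 0,
                trailer_bytes=len(ip) - total_len)    # bytes past IP Total Length
    if ip[9] == 1:                                    # protocol 1 = ICMP
        icmp = ip[ihl:total_len]
        info.update(icmp_type=icmp[0], icmp_code=icmp[1],
                    icmp_name=ICMP_NAMES.get(icmp[0], "Other"),
                    icmp_checksum_ok=inet_checksum(icmp) == 0)
    return info
```

    Sygate prints the IP header checksum as 0xc66, but the dump bytes `66 0C` read 0x660C in network byte order, and that is the value the one's-complement check above confirms; the two bytes `42 00` after the 28-byte IP datagram are a trailer, not packet data.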
     
  3. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
  4. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Okay, I got another weird request when I open an email in my email client (It's a certain one, it's official, from Nintendo; yes, I am a gamer, also, lol). Here are the details:
    Connection origin :   local initiated
    Protocol :      TCP
    Local Address :    ***.***.**.**
    Local Port :      1052
    Remote Name :      www.4at2.com
    Remote Address :   207.189.106.243
    Remote Port :      80 (HTTP - World Wide Web)

    Ethernet packet details:
    Ethernet II (Packet Length: 64)
       Destination:    20-53-52-43-00-00
       Source:    44-45-53-54-00-00
    Type: IP (0x0800)
    Internet Protocol
       Version: 4
       Header Length: 20 bytes
       Flags:
          .1.. = Don't fragment: Set
          ..0. = More fragments: Not set
       Fragment offset:0
       Time to live: 128
       Protocol: 0x6 (TCP - Transmission Control Protocol)
       Header checksum: 0xc3e3 (Correct)
       Source: 165.247.64.87
       Destination: 207.189.106.243
    Transmission Control Protocol (TCP)
       Source port: 1052
       Destination port: 80
       Sequence number: 323990
       Acknowledgment number: 0
       Header length: 28
     
  5. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    It's trying to contact a web server, and if you have an HTML-enabled client this will happen. Many mail clients are just like browsers now, and carry many of their security exploits.

    Either read all your e-mail as plain text, or block your mail program from any outbound HTTP connection. If you want to go farther, restrict it to the communications it requires, like localhost and your mail servers only.

    You won't see images that must be downloaded in e-mail, but it also prevents the downloading of web bugs which confirm your e-mail address.
     
  6. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    What is your email client? I'm using Pegasus, which uses its own HTML viewer that is immune to web bugs, but I was surprised the other day when I saw a note saying that IE was trying to access port 80.

    Very strange, I'm trying to see why it works.
     