Need to figure out what is trying to get past my firewall…


This topic contains 17 replies, has 6 voices, and was last updated by allround 8 months ago.


    ES&P
    Member
    #142563

    Hi All,

    I’ve got a client running a single server (SBS2003) sitting behind a SonicWall TZ 180 Enhanced. The server got infected a while ago, and we removed the infections (I thought), but found that it was pushing data up to someplace on the internet. Disabling NetBIOS resolved that issue, but when I re-enable it, it starts back up.

    Now, the server has started the same type of thing, uploading mainly to two specific addresses:

    229.111.112.12 source port 1125, destination port 3071
    122.224.115.102 source port 3375 (but changes), destination port 8000

    I’ve got the SonicWall blocking everything except allowed traffic, but need help resolving this once and for all…I’ve included a HijackThis log in the next post. Hopefully it is useful.

    Thanks in advance for your help, Tony


    ES&P
    Member
    #361145

    Re: Need to figure out what is trying to get past my firewall…

    Here’s the HijackThis Log.

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Dfssvc.exe
    C:\WINDOWS\System32\dns.exe
    C:\Program Files\Intel\CLI\dpcproxy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\IntelIPMIService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$WSUS\Binn\sqlservr.exe
    D:\MySql\bin\mysqld-nt.exe
    C:\WINDOWS\system32\ntfrs.exe
    D:\Program Files\NOVA\viaWARP\WARP_SERVICE.exe
    C:\WINDOWS\System32\wins.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    D:\Program Files\Exchsrvr\bin\exmgmt.exe
    D:\Program Files\Exchsrvr\bin\mad.exe
    C:\Program Files\RAID Web Console 2\Framework\VivaldiFramework.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\RAID Web Console 2\JRE\bin\javaw.exe
    C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\RAID Web Console 2\MegaMonitor\mrmonitor.exe
    D:\Program Files\Exchsrvr\bin\store.exe
    C:\WINDOWS\system32\CAPM3RSK.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\rdpclip.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\RAID Web Console 2\MegaPopup\Popup.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBServerUtilityMgr.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    D:\Program Files\ProcessExplorer\procexp.exe
    C:\WINDOWS\system32\mmc.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mayisf.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Popup] "C:\Program Files\RAID Web Console 2\MegaPopup\Popup.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-53483358-1335387254-2927318537-1161\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'QBDataServiceUser17')
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    O4 - Startup: RAID Web Console 2.lnk = C:\WINDOWS\system32\cmd.exe
    O4 - Startup: Server Management.lnk = ?
    O4 - Startup: Shortcut to procexp.exe.lnk = D:\Program Files\ProcessExplorer\procexp.exe
    O4 - Global Startup: QuickBooks Database Server Manager.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBServerUtilityMgr.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O14 - IERESET.INF: START_PAGE_URL=http://companyweb
    O15 - ESC Trusted Zone: http://download.bitdefender.com
    O15 - ESC Trusted Zone: http://www.bitdefender.com
    O15 - ESC Trusted Zone: http://reviews.usa.canon.com
    O15 - ESC Trusted Zone: http://www.canon.com
    O15 - ESC Trusted Zone: http://www.usa.canon.com
    O15 - ESC Trusted Zone: http://mozilla.isc.org
    O15 - ESC Trusted Zone: http://download.mozilla.org
    O15 - ESC Trusted Zone: http://blstc.msn.com
    O15 - ESC Trusted Zone: http://blstj.msn.com
    O15 - ESC Trusted Zone: http://help.mysonicwall.com
    O15 - ESC Trusted Zone: http://mozmirror01.true.nl
    O15 - ESC Trusted Zone: http://wwwwz.websearch.verizon.net
    O15 - ESC Trusted Zone: http://wwz.websearch.verizon.net
    O15 - ESC Trusted Zone: http://m.webtrends.com
    O15 - ESC Trusted Zone: http://*.windowsupdate.com
    O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
    O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
    O15 - ESC Trusted IP range: http://192.168.39.1
    O15 - ESC Trusted IP range: 192.168.1.1
    O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://192.168.1.1:4343/officescan/console/html/ClientInstall/WinNTChk.cab
    O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://192.168.1.1:4343/officescan/console/html/ClientInstall/setup.cab
    O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://192.168.1.1:4343/officescan/console/html/root/AtxEnc.cab
    O16 - DPF: {4F3DCE50-E8E7-40AC-AB8D-99F87F1F89BD} (Trend Micro OfficeScan Management Console) - https://192.168.1.1:4343/officescan/console/html/root/AtxConsole.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://192.168.1.1:4343/officescan/console/html/ClientInstall/RemoveCtrl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232402302894
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232402292769
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.esandp.com/Remote/msrdp.cab
    O16 - DPF: {A050E865-64E3-431B-8079-F0DFCEA90A2D} (PieChart Class) - https://192.168.1.1:4343/officescan/console/html/root/AtxPie.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CNHKiwanis.local
    O17 - HKLM\Software\..\Telephony: DomainName = CNHKiwanis.local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{16A1B37A-AFFA-425B-A845-0B31B2450DA9}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CNHKiwanis.local
    O17 - HKLM\System\CS1\Services\Tcpip\..\{16A1B37A-AFFA-425B-A845-0B31B2450DA9}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CNHKiwanis.local
    O17 - HKLM\System\CS2\Services\Tcpip\..\{16A1B37A-AFFA-425B-A845-0B31B2450DA9}: NameServer = 192.168.1.1
    O23 - Service: DPCProxy - Unknown owner - C:\Program Files\Intel\CLI\dpcproxy.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Intel IPMI Service - Unknown owner - C:\WINDOWS\system32\IntelIPMIService.exe
    O23 - Service: Intel(R) RAID Monitoring Agent - Unknown owner - C:Program FilesIntelNGSMSRAIDSNMPTrapReceiverSNMPTrapReceiver.exe
    O23 - Service: MRMonitor (MegaMonitorSrv) - Unknown owner - C:\Program Files\RAID Web Console 2\MegaMonitor\mrmonitor.exe
    O23 - Service: RWCFramework (MSMFramework) - Unknown owner - C:\Program Files\RAID Web Console 2\Framework\VivaldiFramework.exe
    O23 - Service: MySQL - Unknown owner - D:\MySql\bin\mysqld-nt (file missing)
    O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - D:\PROGRA~1\QUICKB~1\QBDBMgrN.exe
    O23 - Service: WarpService - NOVA Information Systems, Inc. - D:\Program Files\NOVA\viaWARP\WARP_SERVICE.exe


    Nonapeptide
    Member
    #316867

    Re: Need to figure out what is trying to get past my firewall…

    There is one and only one way to take care of a stubborn malware infection: “format c: /FS:NTFS /V:nosoupforyou /X”

    Seriously. It’s ugly, but it can get even uglier if you start ripping things out with HijackThis. Chances are, things are unalterably damaged and you’ll continue to have problems until you reformat and reinstall. :(


    ES&P
    Member
    #361146

    Re: Need to figure out what is trying to get past my firewall…

    Yea, was just hoping to avoid that… :-?


    joeqwerty
    Moderator
    #302212

    Re: Need to figure out what is trying to get past my firewall…

    I’m not sure that you have an infection. The 229.111.112.12 ip address is a multicast address which is not external to your network and is not routable. This particular address appears to be tied to some MegaRaid controller software which coincides with your HiJackThis results.

    As for the second ip address, do you have a proxy server or ISA server in your network?

    Can you post the results of netstat -a -n?

    Also, if you run netstat -a -b -n -o you’ll see the processes and PID’s associated with each connection which might give you a clue as to what’s going on.
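    Editor's added example (not part of any post in this thread): the advice above amounts to joining what the firewall reports (source IP, source port, destination) against `netstat -a -n -o`, whose last column is the PID that owns each socket. The script below does that join offline on a constructed `netstat` snapshot in the Windows Server 2003 column layout; every address, port and PID in the sample is made up, and `classify()` uses Python's `ipaddress` module to separate multicast (224.0.0.0/4, class D), RFC 1918 and public destinations. On the server itself you would feed it the output of `netstat -a -n -o` and then name the PID with `tasklist /svc` or Process Explorer.

```python
import ipaddress

# Constructed sample of `netstat -a -n -o` output in the Windows Server 2003
# column layout. Every address, port and PID here is made up for the example.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1744
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1216
  TCP    192.168.1.1:3389       192.168.1.50:1072      ESTABLISHED     1216
  TCP    192.168.1.1:3375       122.224.115.102:8000   SYN_SENT        1968
  UDP    0.0.0.0:53             *:*                                    1404
  UDP    192.168.1.1:1125       *:*                                    2840
"""


def classify(ip):
    """Bucket a destination by what kind of host could be behind it."""
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast:
        return "multicast"    # 224.0.0.0/4 (class D): a group, not a single external host
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:
        return "unspecified"  # 0.0.0.0, as shown for listening sockets
    if addr.is_private:
        return "private"      # RFC 1918, i.e. a LAN host
    return "public"


def split_endpoint(endpoint):
    """'192.168.1.1:3375' -> ('192.168.1.1', 3375); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")   # tolerate the '[::]:135' form on newer Windows
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse `netstat -a -n -o` output into one record per socket."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue          # banner, header and blank lines
        if fields[0] == "TCP":
            state, pid = fields[3], fields[4]
        else:
            state, pid = "", fields[3]   # UDP rows have no State column
        local_ip, local_port = split_endpoint(fields[1])
        remote_ip, remote_port = split_endpoint(fields[2])
        records.append({
            "proto": fields[0], "local_ip": local_ip, "local_port": local_port,
            "remote_ip": remote_ip, "remote_port": remote_port,
            "state": state, "pid": int(pid),
        })
    return records


def owners_of_local_port(records, proto, port):
    """PIDs owning a socket bound to this protocol and local port.

    The firewall reports the *source* port of the dropped packet; on the
    sending server that is the local port of the socket, so this lookup is
    the join that turns a firewall log line into a process ID.
    """
    return {r["pid"] for r in records
            if r["proto"] == proto and r["local_port"] == port}


def external_peers(records):
    """Sockets whose foreign address is a public (off-LAN) host."""
    return [r for r in records
            if r["remote_ip"] != "*" and classify(r["remote_ip"]) == "public"]


def triage(records, firewall_hits):
    """For each (proto, src_port, dst_ip) taken from the firewall log, return
    the destination's scope and the PIDs that currently own the source port."""
    return [(dst, classify(dst), proto, sport,
             sorted(owners_of_local_port(records, proto, sport)))
            for proto, sport, dst in firewall_hits]


if __name__ == "__main__":
    recs = parse_netstat(SAMPLE_NETSTAT)
    hits = [("UDP", 1125, "229.111.112.12"),     # fixed source port seen at the firewall
            ("UDP", 14445, "122.224.115.102")]   # source port that keeps changing
    for row in triage(recs, hits):
        print(row)
    for r in external_peers(recs):
        print("public peer:", r["remote_ip"], r["remote_port"], "pid", r["pid"])
```

    The second lookup in the demo deliberately returns no PID: a socket that is opened, used and closed within seconds (a source port that changes every few seconds) will usually not be present in a single snapshot, so capture in a loop (`for /l` in cmd or a scheduled task) or run `netstat -b` while the firewall is showing the traffic. For the multicast group no whois lookup is meaningful, since 229.111.112.12 names a group rather than a host; the classification is the relevant check.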


    ES&P
    Member
    #361147

    Re: Need to figure out what is trying to get past my firewall…

    What is the purpose/function of a multicast address (sorry, either I don’t remember or haven’t gotten that far yet)? Why would the RAID management software need to be accessing it? If it’s not external to my network, and I don’t have anything of that IP scheme on my network, where is it? Hopefully this doesn’t come across as rude; I’m just trying to learn right now and this site has definitely helped a lot. I’ve attached the outputs of the ‘netstat’ commands, each command in its own .txt file.

    Thanks for your help.

    Tony


    ES&P
    Member
    #361148

    Re: Need to figure out what is trying to get past my firewall…

    Sorry, forgot to add that there is neither a proxy nor ISA server on the network.


    joeqwerty
    Moderator
    #302213

    Re: Need to figure out what is trying to get past my firewall…

    A multicast address is a class D address that is primarily used to communicate with members of multicast groups or to broadcast a service such as a router advertisement or query. All hosts listen for traffic sent to certain multicast addresses. The MegaRaid software may be sending these packets to communicate with a management console, management software, or to broadcast its existence to other servers. It seems pretty normal to me, as you’ll normally see some multicast traffic in most modern networks.

    The two netstat files look fairly OK to me. I’m guessing that this server is:

    1. Domain controller
    2. DNS server
    3. RRAS server using PPTP
    4. Terminal Server

    Is that correct?


    ES&P
    Member
    #361149

    Re: Need to figure out what is trying to get past my firewall…

    Yup, you nailed it…so the multicast address may be ok. I’ll temporarily unblock it and see what happens. I’m still not sure of that other address though.

    Thanks for your help.

    Tony


    joeqwerty
    Moderator
    #302218

    Re: Need to figure out what is trying to get past my firewall…

    Keep us posted.


    ES&P
    Member
    #361150

    Re: Need to figure out what is trying to get past my firewall…

    Well I was doing the packet capture in the SonicWall, and according to it, the traffic to either address is ‘Interface’ traffic…I have no clue what they mean by that.

    The ‘(i)’ signifies ‘interface’ according to what I’ve seen, and if it was multicast it should be ‘(m)’

    06/23/2009 08:52:23.640 LAN*(i) -- '{SourceIP}' 192.168.1.1 '{DestIP}' 229.111.112.12 '{protocol}'IPUDP '{SRC Port, Dest Port}' 1125,3071 '{action}' DROPPED60[60]

    The traffic to the other address is pretty much the same, except source port is now up to 14445 and destination is still 8000

    Just looking for thoughts.
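    Editor's added example (not from the original post): the SonicWall packet-capture line quoted above has a fixed layout, so a batch of them can be parsed and grouped per destination to show how the two flows differ. The sample below is constructed in that layout; only its first line mirrors the one in the post, and the timestamps and the source ports of the 122.224.115.102 flow are invented to illustrate the "source port keeps changing" observation. `normalise()` undoes the curly quotes and em-dash that copying into a forum introduces, and `scope()` tags each destination as multicast, private or public with Python's `ipaddress` module.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the SonicWall packet-capture layout quoted in the post.
# The first line mirrors the one in the post; the timestamps and the source
# ports of the 122.224.115.102 flow are invented for the example.
SAMPLE_CAPTURE = """\
06/23/2009 08:52:23.640 LAN*(i) -- '{SourceIP}' 192.168.1.1 '{DestIP}' 229.111.112.12 '{protocol}'IPUDP '{SRC Port, Dest Port}' 1125,3071 '{action}' DROPPED60[60]
06/23/2009 08:52:28.641 LAN*(i) -- '{SourceIP}' 192.168.1.1 '{DestIP}' 229.111.112.12 '{protocol}'IPUDP '{SRC Port, Dest Port}' 1125,3071 '{action}' DROPPED60[60]
06/23/2009 08:52:33.642 LAN*(i) -- '{SourceIP}' 192.168.1.1 '{DestIP}' 229.111.112.12 '{protocol}'IPUDP '{SRC Port, Dest Port}' 1125,3071 '{action}' DROPPED60[60]
06/23/2009 08:52:24.010 LAN*(i) -- '{SourceIP}' 192.168.1.1 '{DestIP}' 122.224.115.102 '{protocol}'IPUDP '{SRC Port, Dest Port}' 3375,8000 '{action}' DROPPED60[60]
06/23/2009 08:52:27.010 LAN*(i) -- '{SourceIP}' 192.168.1.1 '{DestIP}' 122.224.115.102 '{protocol}'IPUDP '{SRC Port, Dest Port}' 3380,8000 '{action}' DROPPED60[60]
06/23/2009 08:53:02.010 LAN*(i) -- '{SourceIP}' 192.168.1.1 '{DestIP}' 122.224.115.102 '{protocol}'IPUDP '{SRC Port, Dest Port}' 14440,8000 '{action}' DROPPED60[60]
06/23/2009 08:53:05.010 LAN*(i) -- '{SourceIP}' 192.168.1.1 '{DestIP}' 122.224.115.102 '{protocol}'IPUDP '{SRC Port, Dest Port}' 14445,8000 '{action}' DROPPED60[60]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<iface>\S+)\s+--\s+"
    r"'\{SourceIP\}'\s+(?P<src>[\d.]+)\s+"
    r"'\{DestIP\}'\s+(?P<dst>[\d.]+)\s+"
    r"'\{protocol\}'\s*(?P<proto>\S+)\s+"
    r"'\{SRC Port, Dest Port\}'\s+(?P<sport>\d+),(?P<dport>\d+)\s+"
    r"'\{action\}'\s+(?P<action>[A-Z]+)(?P<size>\d+)\[(?P<wire>\d+)\]"
)


def normalise(line):
    """Undo the curly quotes and em/en dashes that pasting into a forum adds."""
    return (line.replace("\u2018", "'").replace("\u2019", "'")
                .replace("\u2014", "--").replace("\u2013", "--"))


def parse_capture(text):
    """One dict per recognised capture line; anything else is skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(normalise(line.strip()))
        if not m:
            continue
        row = m.groupdict()
        for key in ("sport", "dport", "size", "wire"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def scope(ip):
    """multicast (224.0.0.0/4), private (RFC 1918) or public."""
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast:
        return "multicast"
    if addr.is_private:
        return "private"
    return "public"


def summarise(rows):
    """Group packets per (dst, dport, proto) and describe the source ports.

    One fixed source port means a single long-lived socket (a service that
    announces itself looks like this). A set of source ports that keeps
    climbing means a new socket per attempt, which is also why a one-off
    `netstat` snapshot can miss the sender.
    """
    flows = defaultdict(lambda: {"packets": 0, "src_ports": set()})
    for r in rows:
        flow = flows[(r["dst"], r["dport"], r["proto"])]
        flow["packets"] += 1
        flow["src_ports"].add(r["sport"])
    summary = {}
    for (dst, dport, proto), flow in flows.items():
        ports = flow["src_ports"]
        summary[(dst, dport, proto)] = {
            "scope": scope(dst),
            "packets": flow["packets"],
            "distinct_src_ports": len(ports),
            "src_port_range": (min(ports), max(ports)),
            "pattern": "fixed source port" if len(ports) == 1
                       else "rotating ephemeral source ports",
        }
    return summary


if __name__ == "__main__":
    for key, info in summarise(parse_capture(SAMPLE_CAPTURE)).items():
        print(key, info)
```

    The two patterns the summary separates are the useful part: in the sample, a single fixed source port (1125) is one long-lived UDP socket, which is what a service announcing itself to a multicast group looks like, while a source-port set that climbs from 3375 to 14445 means the sender opens a fresh socket for every attempt, which is also why a single `netstat` run may show nothing for it. Nothing in the capture names the process, so the summary is a lead for the netstat/PID join on the server, not a verdict.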


    ES&P
    Member
    #361151

    Re: Need to figure out what is trying to get past my firewall…

    I enabled multicast on the SonicWall with access only to the address 229.111.112.12 and for right now it seems OK; when I put the address in, it forced me to select multicast for the zone…more comfort on my part. Now my only issue is the second address.

    Tony


    joeqwerty
    Moderator
    #302220

    Re: Need to figure out what is trying to get past my firewall…

    AFAIK, you don’t need to allow access to the multicast address in your firewall as the multicast address is for internal communication and not intended for external hosts. As such the traffic will “stay” on your LAN. The firewall will see the traffic because all hosts have to listen to multicast traffic to determine if it pertains to them or not. If it doesn’t pertain to them they drop the multicast traffic. Your firewall should simply drop or ignore the multicast traffic.

    Have you run a recent netstat to see if the other ip address is in the output?


    ES&P
    Member
    #361152

    Re: Need to figure out what is trying to get past my firewall…

    The weird thing is that the IP doesn’t show in netstat, and when I try to search for the port that it was using, it’s already been changed (changes every few seconds at most)…

    Tony


    joeqwerty
    Moderator
    #302221

    Re: Need to figure out what is trying to get past my firewall…

    If the ip address doesn’t show in netstat then there’s no connection to or from that ip address. I would keep an eye out by periodically running netstat and checking your firewall logs to see if you see anything funny.


    wullieb1
    Moderator
    #241796

    Re: Need to figure out what is trying to get past my firewall…

    Homesecurity;170215 wrote:
    It’s very simple! First of all, check whether your ISP is using dynamic or static IP. Secondly, figure out that the encryption method for XP, Vista and the router should all be the same. That means WPA or WPA-2 personal etc.
    Don’t forget to connect the LAN cable for the first use with XP, otherwise your network will not work.

    Ehh!!!!!! What are you on about????


    fergie
    Member
    #364047

    Re: Need to figure out what is trying to get past my firewall…

    Homesecurity;170215 wrote:
    It’s very simple! First of all, check whether your ISP is using dynamic or static IP. Secondly, figure out that the encryption method for XP, Vista and the router should all be the same. That means WPA or WPA-2 personal etc.
    Don’t forget to connect the LAN cable for the first use with XP, otherwise your network will not work.

    Have to agree. Is this for the same post?


    allround
    Member
    #392064

    My reply is a bit dated, but since I just saw this same IP & port on my network in Wireshark, I have that address associated with LSI_MEM_mcast_discovery, i.e. when you bring up the LSI MegaRAID manager it looks out over the local net for cards that are broadcasting so they can be detected by other systems running the manager. It has a TTL == 1, so it shouldn’t ever be passed beyond any system directly connected to your system — so likely safe to unblock or block.

    Usage might be if you had another system with the same card+software; then either system might be able to manage the other.

    The above presumes no malfunctioning gateways that ignore network requirements….:-)
