What is broken: McAfee firewall or my router? Urgent, please

Discussion in 'Security Software' started by unstablemicrosoft, Jul 26, 2006.

  1. Hi. I apologize for the length of this, but I want this to be complete.

    I am very annoyed. I recently bought McAfee's firewall 7.x and antivirus
    10.x. Home version, not corporate. Dutch (The Netherlands) version.

    My configuration: ISP is cable company, from cable (wall) socket connection
    by cable/wire to my cable modem, from there a connection by a cable/wire to
    my router, from there a wireless connection to the adapter on my computer,
    which is in a different room. No other computers in network. Encryption
    WPA-PSK, long random key.

    I have a Sitecom router with the adapter that goes along with it. For
    security reasons I will not mention the precise model (am I too paranoid?
    Better too paranoid than not enough.) I bought this one early this year or
    late last year. All tests that I have used, including the advanced port
    scanner at pcflank.com, the port scan at hackerwatch.org, shieldsup at
    www.grc.com, the sygate test, the test at auditmypc.com, indicate that the
    router has a perfectly working firewall. It stealths some ports, while for as
    far as I know McAfee does NOT do that. After using these tests, the probes
    of these tests did not show up in the events log of the McAfee firewall 7.x
    That means they did not get past the firewall of my router (Please keep my
    configuration in mind !).

    Shortly after installing the firewall 7.x (I had 6.x) for the first time I
    examined the events log, and noticed at least one event. I wondered how that
    was possible. McAfee said it was a router issue. I decided to disconnect the
    router from power/electricity from a short moment, reconnect it and when it
    was ready I reinitialized the router by pressing a "button" on the router. I
    reestablished the wireless connection, gave everything the proper settings,
    for security reasons I disabled the VOIP option, UPNP etc. I have disabled
    the option to control the router from over the internet.

    I also configured the firewall for a home network, and configured it to not
    to trust the home network. But that was not something new.

    Yet, mysteriously in my events log (maybe it's called a bit different in
    English) it shows over the past three days that at least 8 times the McAfee
    firewall met a probe, an attempt to establish a connection. Hackerwatch.org
    says that most of these are probably hacking attempts. One "event" even had the
    name trojan in it. And using a WHOIS on one other probe clearly indicated
    that it was a hacking attempt.

    How is that possible ? I HAVE NO CLUE.

    My networking gear notices one other wireless network sometimes, but there
    is very little wireless traffic around here. And seeing the IP numbers, the
    names that go with the IP numbers, I find it hard to believe that this was
    done wirelessly. But Maybe I'm wrong ? For as far as I know, they'd still
    have to deal with a long (random) WPA-PSK key.

    SO, BASICS: WERE THE ATTACKS DONE WIRELESSLY ? (UNLIKELY, SINCE I HAVE
    TRACKED/TRACED SOME OF THEM INTO THE USA) IF NOT, THEN, SINCE THE ONLY OTHER
    WAY TO CONNECT TO MY COMPUTER AND THE MCAFEE FIREWALL IS TO GO THROUGH THE
    FIREWALL OF MY ROUTER FIRST, AND ACCORDING TO TESTS THE HARDWARE FIREWALL
    WORKS FINE, AND WHEN TESTING MY COMPUTER THE TEST-PROBES NEVER REACH MY
    MCAFEE FIREWALL.

    I contacted McAfee, they said it was a router issue, but that contradicts
    what I have stated before. They started blabbering about that I was safe
    because the McAfee firewall blocked these attempts, probes, that I was safe
    because I reported to hackerwatch.org. They just seem to have no clue.

    About contacting the manufacturer of my router: by email it takes ages, and
    on at least two occasions when I had sent an email they made statements that
    were nonsense. Calling on the telephone is very expensive. What can they do ?
    Especially because the tests indicated that the firewall in the router was
    all right, nothing. They won't give me my money back. And I don't think it's
    a router issue.

    A not properly working router firewall (cannot be turned off!, at least not
    by the instructions I once received) with just a McAfee firewall is just not
    good enough. I want both. What's going on with the firewall and the router ?

    Just switching to a different firewall would usually not work, I'd probably
    have to remove all McAfee software, and deinstalling and reinstalling that
    would be problematic. You need (sometimes?) all sorts of tools to completely
    remove all traces from the previous installation. A Zonealarm/Zonealert
    firewall with McAfee antivirus is impossible, at least McAfee antivirus or
    the security center would object.

    Also, I have the Spy Sweeper from Webroot, and the Spyware Doctor from
    Pctools, updated, windows xp service pack 2 fully updated. For as far as I
    know, these programs did not detect the probes.

    If you have any idea about what's going on, please inform me. I'd also
    appreciate it if someone could offer me a fix. Your help would be greatly
    appreciated.
     
    unstablemicrosoft, Jul 26, 2006
    #1

  2. If your internet router is not configured to port forward any traffic to
    your computer's IP I really doubt that traffic not initiated by your
    computer is going through it particularly if it is supposed to do stateful
    inspection. Were the "alerts" for TCP, UDP or both??

    Steve
     
    Steven L Umbach, Jul 26, 2006
    #2

  3. We'd need more information on these log entries. Source and destination
    port numbers, protocol, remote IP address would be helpful.
     
    karl levinson, mvp, Jul 26, 2006
    #3
  4. Hi. I appreciate any advice you can give me. I just reinitialized the router
    again and cleared the McAfee firewall's log, and I'll wait a bit and see if
    more shows up.

    About port forwarding: I have not explicitly instructed the router or
    adapter to do that. In my router menu it says under Port Fw. : Well known ports
    : 7(Echo) 21(FTP) 23(Telnet) 25(SMTP) 79(Finger) 80(HTTP) 110(POP3). I
    believe that the router stealths at least the SMTP, the HTTP, Netbios and a
    few others, according to several tests.
    But these ports did not show up in my logs.
    From the look of the menu it seems that (any other) ports and IP addresses
    won't be forwarded if you do not explicitly configure the router that way.

    All the incoming "probes" were TCP, one UDP. Maybe something called
    eventlog, but I'm unsure about that.

    Also, aside from some probes that were clearly hacking or scanning for
    hackable systems attempts, last night before I went to bed I received a large
    volume of incoming traffic, as recorded in the McAfee firewall's log, that
    seemed to originate from my ISP, or something that seemed to be associated
    with my ISP. (cable company)

    Well, I contacted McAfee again, and after much conversation and waiting
    their message was that it must be a router issue, and they instructed me to
    contact the manufacturer of the router.

    I contacted the manufacturer of the router, Sitecom, and what they said
    basically seemed nonsense. Please correct me if I'm wrong. But they have made
    statements in the past that turned out to be false. They said that I could
    receive data because that was necessary to be able to connect to the
    internet. I'm not quite sure if that statement even means that the router has
    a firewall or not. I did receive "probes" in the event log of my McAfee
    firewall that I had not asked for. One had even the name TROJAN in it.
    Nothing showed up in that log when performing some of the port tests
    mentioned below.

    The router SEEMS to have a firewall, although this is not explicitly
    mentioned in the manual. I vaguely remember them saying in the past that the
    router has a firewall, although the word "firewall" is not shown in the
    software.

    I then decided to turn off the McAfee firewall, and voila: the test
    shieldsup at www.grc.com showed that most ports were closed, a few were
    stealth. So, that must mean there is a firewall in the router ! Then how the
    hell did those probes get to my McAfee firewall ???

    The advanced port scanner at PCFLANK.COM showed some ports as stealth,
    others as closed. A simple probe scan at hackerwatch.org showed some ports
    such as SMTP and HTTP as secure, "this port is completely invisible to the
    outside world". Other ports were described as: closed but unsecure, "This
    port is not being blocked, but there is no program currently accepting
    connections on this port"

    I'm basically writing this approximately chronologically, while trying to
    find an answer. Sorry for not writing a nice article.

    I also tried a chat session with McAfee, but what could have been done in 2
    minutes, took more than 20 minutes ! They can be so dense ! I asked a simple
    question: does the McAfee firewall have the ability to be "stealth" ? (almost
    certainly not), the other person often started making all kinds of
    assumptions about what my "real" question was, he contradicted himself, and
    at the end he gave totally incorrect information, then I was out of patience
    and ended the session.

    I'm trying to make sense of all this. I'm fairly certain that the stealthed
    ports are safe. Or am I wrong ???

    But what about the other ports ? Simple probe scan at hackerwatch said: not
    being blocked, but currently no program is accepting connections at this
    port. Would that mean (in what way??) that data can penetrate my router's
    (existing or non-existing) firewall ? Some things certainly showed up in
    McAfee firewall's log.

    I turned my McAfee firewall on again, and tried the firewall test at
    auditmypc.com. Nothing reached the log of McAfee's firewall. What does it
    take to bypass my router's existing or not existing firewall ?? Maybe my
    concept of blocked, stealth, closed, and ??? is too limited. My router seems
    to have something called NAT; of the NAT services I turned off the VoIP pass
    through, thinking that might make a difference.

    Do I have the worst router in the world ? it certainly wasn't cheap.

    Please help !

    "Steven L Umbach" wrote:
     
    unstablemicrosoft, Jul 26, 2006
    #4
  5. One more thing to add: I used the option of testing my firewall in the
    security center of McAfee.

    I got: "Unable to Probe
    The IP address requesting this page is different from the IP address of your
    computer. This indicates that your computer is behind a proxy or NAT. These
    devices allow you to access the Internet by relaying traffic, typically from
    multiple computers, through a single IP address.

    We are unable to directly probe your computer, you should take comfort from
    this. You have that much more protection between your computer and the
    Internet."

    "Steven L Umbach" wrote:
     
    unstablemicrosoft, Jul 26, 2006
    #5
  6. Blocked or stealth does not make any difference in my opinion and they both
    mean that the attempts to connect to your computer were either dropped or
    rejected. My guess is that most likely the traffic you saw was initiated by
    your computer regardless of what McAfee firewall said. If your router is
    port forwarding any of the ports you listed the firewall scans would have
    warned about those ports being available right away if you had any of those
    services enabled on your computer. If in doubt reset your firewall to
    default state but make sure it can not be managed remotely.

    If your router/firewall is configured correctly then it should simply reject
    any TCP packet that has the syn flag set or does not have a matching
    sequence number. Syn means that another host is trying to establish a
    connection to your computer on a server service. To really find out if
    traffic is getting past your firewall you would have to run a packet sniffer
    like Ethereal on it without any software firewall enabled. To make it easier
    to find such traffic you could create an Ethereal capture filter to capture
    only TCP packets with the syn flag enabled. Ethereal is free and if you are
    interested the link below shows how to configure some popular Ethereal
    capture filters or you could simply fire up Ethereal when you are done using
    your computer to see what traffic is coming and going which should be
    minimal when you are not using the computer but still logged on.

    Steve

    http://home.insight.rr.com/procana/ --- Ethereal capture filters
     
    Steven L Umbach, Jul 26, 2006
    #6
  7. Ok, I just got something in.

    Three entries on Thursday, first one at 21:50:09 hours, probably CET time.
    Second one at 22:35:31 hours, third at 22:35:32 hours.

    I will describe these entries in the order mentioned above.
    First one: source-Ip (as it's called): 80.67.86.138 No hostname. A computer
    at this IP address has attempted to establish an unwanted connection at TCP
    Port 1799 on your computer. TCP Port 1799 is usually used by NETRISK (service
    of program). Eventinformation (literal translation from Dutch, I have Dutch
    Windows XP and McAfee programs): Netrisk

    When trying to get information from the McAfee firewall, by connection to
    hackerwatch.org, it said "TCP connection Attempted on Protected Port" and
    "This event may be linked to attempted Hacker activity. Reporting this event
    is recommended. Use the 'Report This Event' link in the firewall Log to
    report the event" I did report it.
    Whois information, using two different sources, is contradictory. A trace
    seems to indicate that the origin was in Boston, one WHOIS of the IP address
    gave Amsterdam (The Netherlands, where I live), the other WHOIS gave an
    American address/point of origin.

    The second intrusion: Source IP 69.59.175.210 Hostname
    customer-reverse-entry.69.59.175.210 Event Information Precise-VIP. I'll
    abbreviate some things here: attempt to make undesirable connection with port
    2924 on your computer.
    Seeking more information and I was advised to report this to
    hackerwatch.org. A trace was inconclusive, it leads to either the USA or a
    city in The Netherlands. Two different WHOIS services indicate that the IP is
    in the USA.

    Third intrusion: Source-IP: 69.59.175.208 Port 2925 attempted connection.
    Hostname: fusionquest.com Eventinformation: Firewall Redundancy Protocol.
    Hackerwatch.org didn't recognize it, and advised me to report it. A trace led
    me to this:
    For this one, I just performed one WHOIS, and it said:

    All these three (attempted?) connections were TCP. As I had stated earlier,
    recently I had one UDP attempt.

    And some of the previous attempts clearly seemed to come from people with
    bad intentions, one had the name "trojan", and of one other either the trace
    or the WHOIS information clearly indicated an attempt to hack or a probe from
    hackable systems.

    I don't like hackers banging on my door. But even if it's "benign", I'd
    rather not have this stuff penetrate the firewall of the router.

    As I have said earlier, I don't understand how these got past the firewall
    of my router. My router seems to have at least something that LOOKS like a
    firewall.

    I could archive this stuff, but it's partly in Dutch, and I don't know if I
    could post such an archive/log here, and I doubt if you could read it.

    Undoubtedly, more examples will follow.

    "karl levinson, mvp" wrote:
     
    unstablemicrosoft, Jul 28, 2006
    #7
  8. Please see my "log" a bit further down.

    "Steven L Umbach" wrote:
     
    unstablemicrosoft, Jul 28, 2006
    #8
  9. Ok, please keep in mind my configuration (as described in my original post):
    (issue being how this got through my router, which SEEMS (at least
    sometimes) to have a firewall, and in my McAfee firewall log):

    Keep in mind that this is in the INCOMING events log. (not outbound)
    I had deleted my McAfee firewall log, but before I had done that I had
    apparently written some stuff down, which I uncovered today, data in my old
    McAfee firewall log: dedicated66.thehideout.net port 1026 UDP protocol
    wwwtktest3.microsoft.com 207.46.199.30 port 1929 TCP

    And today I got, all on 31 July:

    18:53:11 (CET?) thumbs.ebay.com Source IP 66.211.160.21 port 1872 Event
    information: Cano central 1
    18:53:11 thumbs.ebay.com Source IP 66.211.160.21 Port 1871 Event
    information: Cano Central 0
    one normal whois lookup seems to indicate that it's Ebay, according to a
    trace by my firewall, for the two events mentioned above, some data about the
    source:

    18:53:11 Source IP 66.135.202.13 port 1873 host name i3.ebayimg.com Event
    information: fjmpjps
    data about source, as gathered by the firewall:
    For as far as I know, I have no software of Ebay on my computer, certainly
    not the Ebay toolbar. Also, these events are in the log of INCOMING events,
    and are considered by my firewall as attempts to make an
    "undesirable/unwanted" (attempted translation from Dutch) connection to the
    ports on my PC that I mentioned. These three events were TCP.
    Yes, I DID use Ebay ... (but I remember doing that at an earlier time.)

    Insight/help appreciated.

    "karl levinson, mvp" wrote:
     
    unstablemicrosoft, Jul 31, 2006
    #9
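Steve's reasoning in post #6 (a router doing stateful inspection drops a lone SYN, so inbound hits on high client ports are most likely the tail end of connections the PC itself opened) can be applied to the log entries listed in posts #7 and #9. The triage script below is an added example, not code from the thread, from McAfee or from Sitecom; it assumes a simplified one-line-per-event log format, builds its sample entries from the hosts and ports quoted in those posts plus two invented lines on TEST-NET addresses, and relies on the Windows XP default ephemeral port range (1025 to 5000), which is a fact about XP rather than something the thread states.

```python
import re
from collections import defaultdict

# Windows XP hands outbound (client) sockets a port from this range by default,
# so an inbound packet aimed here is usually a reply to something the PC itself
# started. The names McAfee attaches (NETRISK, Cano central 1, ...) are only the
# IANA service names registered for those port numbers, not the sender's identity.
XP_EPHEMERAL = range(1025, 5001)
# Service ports the router menu and the port tests in the thread mention.
SERVICE_PORTS = {7, 21, 23, 25, 79, 80, 110, 135, 139, 445}

# Line shape assumed for this example: "time hostname ip proto port",
# with "-" as the hostname when the firewall resolved none.
LOG_RE = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<ip>\d+(?:\.\d+){3}) "
    r"(?P<proto>TCP|UDP) (?P<port>\d+)$")

# Constructed sample: lines modelled on the entries quoted in posts #7 and #9,
# plus two invented lines (TEST-NET addresses) to exercise the other branches.
SAMPLE_LOG = """\
21:50:09 - 80.67.86.138 TCP 1799
22:35:31 customer-reverse-entry.69.59.175.210 69.59.175.210 TCP 2924
22:35:32 fusionquest.com 69.59.175.208 TCP 2925
18:53:11 thumbs.ebay.com 66.211.160.21 TCP 1872
18:53:11 thumbs.ebay.com 66.211.160.21 TCP 1871
18:53:11 i3.ebayimg.com 66.135.202.13 TCP 1873
09:10:00 dedicated66.thehideout.net 192.0.2.9 UDP 1026
09:10:05 - 198.51.100.7 TCP 445
"""

def parse_log(text):
    """Return (time, host, ip, proto, port) tuples; lines that do not fit are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            rows.append((m["time"], m["host"], m["ip"], m["proto"], int(m["port"])))
    return rows

def classify(proto, port, time, burst_seconds):
    """One triage verdict per inbound entry, following Steve's reasoning in post #6."""
    if proto == "TCP" and port in SERVICE_PORTS:
        return "unsolicited-service-probe"  # a lone SYN here is what the router should drop
    if proto == "TCP" and port in XP_EPHEMERAL:
        if time in burst_seconds:
            return "late-reply-burst"       # several client ports in one second: a page load
        return "likely-late-reply"          # stray tail of a connection the PC opened
    if proto == "UDP":
        return "unsolicited-udp"            # no handshake, so only a packet capture can settle it
    return "unclassified"

def triage(text):
    """Triage every entry; returns [(host, port, verdict), ...] in log order."""
    rows = parse_log(text)
    per_second = defaultdict(set)
    for time, _host, _ip, proto, port in rows:
        if proto == "TCP" and port in XP_EPHEMERAL:
            per_second[time].add(port)
    # Two or more ephemeral ports hit in the same second means the PC was opening
    # connections in quick succession, e.g. fetching thumbnails from several hosts.
    burst_seconds = {t for t, ports in per_second.items() if len(ports) >= 2}
    return [(host, port, classify(proto, port, time, burst_seconds))
            for time, host, _ip, proto, port in rows]
```

Calling `triage(SAMPLE_LOG)` labels the three eBay hits at 18:53:11 as one burst and the single high-port hits as likely late replies; each verdict is a hypothesis to confirm with the SYN-only capture Steve describes, not proof on its own.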
  10. I'll just add something: it SEEMS that the router and the McAfee firewall
    interpret probes/attempts to make a connection differently.

    How ? I don't have the technical expertise to answer that. I hope someone
    else can shed some light on this.
     
    unstablemicrosoft, Jul 31, 2006
    #10
  11. unstablemicrosoft

    Tom Willett Guest

    www.google.com

    Or, check support for McAfee and your router vendor.
     
    Tom Willett, Aug 1, 2006
    #11
  12. unstablemicrosoft

    joey0101 Guest

    Troll? Isn't that what your mother raised?

     
    joey0101, Nov 14, 2006
    #12
