security help badly needed - I'm stumped!!

dbarton

Senior member
Apr 11, 2002
767
0
76
We have two laptops both using wireless on our home network behind a router. XP home.

Both have Zonealarm installed.

I can see one machine is working all the time and writing files almost constantly so I looked at ZoneAlarm and I can see that about once a second there is an invasion being blocked, always for port 17004. In an hour, there are 18,000 attempts!!

The other machine has had just 200 in a year's time, so this one machine is somehow vulnerable.

First, I don't understand how *any* attacks get thru the router, which is a firewall as well.
Second, what could make this ONE machine so vulnerable and the other not getting any. I've run AVG and Norton, and search and destroy to look for trojans or virus but none are reported.

I tried everything I can think of and wonder if it's time to reformat and install Windows.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Maybe something is trying to connect directly to the computer in question. Not via the router, but directly. Or perhaps the other computer is the culprit; the router's firewall will not stop your own systems from talking to each other.
 

dbarton

Senior member
Apr 11, 2002
767
0
76
If the internet only comes thru the router which is the wireless source, how can something be trying to connect to it?

I shut all the other PCs, and it still seems to be getting attacked.

Every machine that's on the network is behind this same router, so I don't understand how any machines get attacked. Can the router be leaking? If so, why to just one laptop?

Shouldn't router be blocking all of this traffic so software firewall hardly sees anything?
I just checked the Zonealarm logs on all machines, and they are seeing virtually no traffic. Just this one is.

UPDATE:
Is it possible that it's getting thru via DNS? I just noticed I'm using a different DNS server on that one machine? I am also using an automatically assigned IP address. If I change to OpenDNS and fix an IP address, it seems to stop!?!?
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: dbarton
If the internet only comes thru the router which is the wireless source, how can something be trying to connect to it?

I shut all the other PCs, and it still seems to be getting attacked.

Every machine that's on the network is behind this same router, so I don't understand how any machines get attacked. Can the router be leaking? If so, why to just one laptop?

Shouldn't router be blocking all of this traffic so software firewall hardly sees anything?
I just checked the Zonealarm logs on all machines, and they are seeing virtually no traffic. Just this one is.

Imagine that the laptop in question were "visible" to a wireless-equipped computer in your neighbor's house. The router could not jam that direct ad hoc connection attempt. That's what I was driving at: your computer's wireless can talk to more than just your wireless equipment.

UPDATE:
Is it possible that it's getting thru via DNS? I just noticed I'm using a different DNS server on that one machine? I am also using an automatically assigned IP address. If I change to OpenDNS and fix an IP address, it seems to stop!?!?

What DNS server was the afflicted machine using?
 

dbarton

Senior member
Apr 11, 2002
767
0
76

If that laptop was using the neighbor's wireless I'd agree, but since it's only connected to our network, I'm not sure I see the connection.

The affected machine was using the default DNS that yahoo DSL provides.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: dbarton

If that laptop was using the neighbor's wireless I'd agree, but since it's only connected to our network, I'm not sure I see the connection.

Ok, imagine you have two wireless computers. The computers can network directly via wireless, without the router's help. Now imagine you have never seen the other wireless computer, because it's in someone else's house, not yours. Make sense? I'm not saying that was the issue in your case, but remember that wireless doesn't stop at the walls of your house.

Also, is your router's wireless secured so that neighbors cannot connect to it? You want to use encryption at a minimum (WPA2 being preferable), and the MAC-address filter couldn't hurt either.
 

dbarton

Senior member
Apr 11, 2002
767
0
76

How can another machine connect to this one without me setting that up? I can't see any machine that isn't in my domain.

We are running WAP.
Have not set a mac address. Not quite sure how to..
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: dbarton

How can another machine connect to this one without me setting that up?

Google for "ad hoc networking." I'm not saying that was the cause of the issue you were seeing, but this sort of thing is a primary reason you run a firewall.

 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
BTW if you post some of the logs from ZoneAlarm, that would probably help shed light on what's going on.
 

dbarton

Senior member
Apr 11, 2002
767
0
76

Googled.

Doesn't ad hoc networking require Internet Connection Sharing on a host computer AND the laptop to be on the same domain?

The laptop is not on a domain name anyone might have guessed.

Let's say I want to break into a laptop at my neighbor's house. What possible way could I even see that laptop, since it's not on my domain?

I can see their routers, but not individual machines.

 

dbarton

Senior member
Apr 11, 2002
767
0
76
Here's an excerpt from the log. There were thousands of lines per day. As you can see, it was every few seconds.

Destination was always 192.168.2.3 port 17004.

ZoneAlarm Logging Client v7.0.483.000
Windows XP-5.1.2600-Service Pack 3-SP
type,date,time,source,destination,transport (Security)
type,date,time,virus name,file name,mode,e-mail id (Anti-Virus)
type,date,time,source,destination,action,service (IM Security)
type,date,time,source,destination,program,action (Malicious Code Protection)
type,date,time,action,product,file,event,subevent,class,data,data,... (OSFirewall)
type,date,time,name,type,mode (Anti-Spyware)
FWIN,2008/11/19,08:05:14 -8:00 GMT,220.245.6.162:1213,192.168.2.3:17004,TCP (flags:S)
FWIN,2008/11/19,20:42:44 -8:00 GMT,71.167.124.24:60819,192.168.2.3:17004,TCP (flags:S)
FWIN,2008/11/19,20:43:16 -8:00 GMT,86.154.146.161:64182,192.168.2.3:17004,TCP (flags:S)
FWIN,2008/11/19,20:43:16 -8:00 GMT,202.75.39.112:64155,192.168.2.3:17004,TCP (flags:S)
FWIN,2008/11/19,20:43:16 -8:00 GMT,173.19.226.33:52903,192.168.2.3:17004,TCP (flags:S)
FWIN,2008/11/19,20:43:16 -8:00 GMT,67.197.49.73:2812,192.168.2.3:17004,TCP (flags:S)
FWIN,2008/11/19,20:43:16 -8:00 GMT,69.228.214.71:3992,192.168.2.3:17004,TCP (flags:S)
FWIN,2008/11/19,20:43:16 -8:00 GMT,124.168.62.228:3651,192.168.2.3:17004,TCP (flags:S)
FWIN,2008/11/19,20:43:16 -8:00 GMT,71.29.8.53:60046,192.168.2.3:17004,TCP (flags:S)
FWIN,2008/11/19,20:43:16 -8:00 GMT,70.67.157.243:4446,192.168.2.3:17004,TCP (flags:S)
FWIN,2008/11/19,20:43:16 -8:00 GMT,86.158.114.25:58047,192.168.2.3:17004,TCP (flags:S)



Now it's pretty much stopped, and this is today's log from the *whole* day so far:
FWIN,2008/11/23,20:42:04 -8:00 GMT,192.168.64.1:3168,192.168.2.4:139,TCP (flags:S)
FWIN,2008/11/23,20:42:08 -8:00 GMT,192.168.115.1:3167,192.168.2.4:139,TCP (flags:S)
FWIN,2008/11/23,21:14:06 -8:00 GMT,192.168.64.1:3180,192.168.2.4:139,TCP (flags:S)
FWIN,2008/11/23,21:14:10 -8:00 GMT,192.168.115.1:3179,192.168.2.4:139,TCP (flags:S)
FWIN,2008/11/23,21:46:08 -8:00 GMT,192.168.64.1:3192,192.168.2.4:139,TCP (flags:S)
FWIN,2008/11/23,21:46:10 -8:00 GMT,192.168.115.1:3191,192.168.2.4:139,TCP (flags:S)
FWIN,2008/11/23,22:18:10 -8:00 GMT,192.168.64.1:3282,192.168.2.4:139,TCP (flags:S)
FWIN,2008/11/23,22:18:12 -8:00 GMT,192.168.115.1:3281,192.168.2.4:139,TCP (flags:S)

Now these are all port 139, but are all listed as coming from 192.168.64.xx or 192.168.115.xx.
All machines we have are 192.168.2.xx. Is that still just safe traffic from this network??
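The two log excerpts above raise exactly the question a defender wants a script to answer: for each destination port, how many blocked SYNs arrived, from how many distinct sources, and whether those sources are on the home LAN, in some other private range, or on the public Internet. The following is an added example, not code from the thread or from ZoneAlarm; it parses the FWIN record format shown in the log header (type,date,time,source,destination,transport), using a constructed sample made from the lines posted above, and assumes the home LAN is 192.168.2.0/24. The verdict text is a reading aid for the log, not a diagnosis of this particular router.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample built from the FWIN lines quoted in the thread; the two
# header lines are included to show that non-FWIN lines are skipped.
SAMPLE_LOG = """ZoneAlarm Logging Client v7.0.483.000
type,date,time,source,destination,transport (Security)
FWIN,2008/11/19,08:05:14 -8:00 GMT,220.245.6.162:1213,192.168.2.3:17004,TCP (flags:S)
FWIN,2008/11/19,20:42:44 -8:00 GMT,71.167.124.24:60819,192.168.2.3:17004,TCP (flags:S)
FWIN,2008/11/19,20:43:16 -8:00 GMT,86.154.146.161:64182,192.168.2.3:17004,TCP (flags:S)
FWIN,2008/11/19,20:43:16 -8:00 GMT,202.75.39.112:64155,192.168.2.3:17004,TCP (flags:S)
FWIN,2008/11/19,20:43:16 -8:00 GMT,173.19.226.33:52903,192.168.2.3:17004,TCP (flags:S)
FWIN,2008/11/19,20:43:16 -8:00 GMT,67.197.49.73:2812,192.168.2.3:17004,TCP (flags:S)
FWIN,2008/11/19,20:43:16 -8:00 GMT,69.228.214.71:3992,192.168.2.3:17004,TCP (flags:S)
FWIN,2008/11/19,20:43:16 -8:00 GMT,124.168.62.228:3651,192.168.2.3:17004,TCP (flags:S)
FWIN,2008/11/19,20:43:16 -8:00 GMT,71.29.8.53:60046,192.168.2.3:17004,TCP (flags:S)
FWIN,2008/11/19,20:43:16 -8:00 GMT,70.67.157.243:4446,192.168.2.3:17004,TCP (flags:S)
FWIN,2008/11/19,20:43:16 -8:00 GMT,86.158.114.25:58047,192.168.2.3:17004,TCP (flags:S)
FWIN,2008/11/23,20:42:04 -8:00 GMT,192.168.64.1:3168,192.168.2.4:139,TCP (flags:S)
FWIN,2008/11/23,20:42:08 -8:00 GMT,192.168.115.1:3167,192.168.2.4:139,TCP (flags:S)
FWIN,2008/11/23,21:14:06 -8:00 GMT,192.168.64.1:3180,192.168.2.4:139,TCP (flags:S)
FWIN,2008/11/23,21:14:10 -8:00 GMT,192.168.115.1:3179,192.168.2.4:139,TCP (flags:S)
FWIN,2008/11/23,21:46:08 -8:00 GMT,192.168.64.1:3192,192.168.2.4:139,TCP (flags:S)
FWIN,2008/11/23,21:46:10 -8:00 GMT,192.168.115.1:3191,192.168.2.4:139,TCP (flags:S)
FWIN,2008/11/23,22:18:10 -8:00 GMT,192.168.64.1:3282,192.168.2.4:139,TCP (flags:S)
FWIN,2008/11/23,22:18:12 -8:00 GMT,192.168.115.1:3281,192.168.2.4:139,TCP (flags:S)
"""

# Assumption: the home LAN is 192.168.2.0/24, as the addresses in the thread suggest.
LOCAL_LAN = ipaddress.ip_network("192.168.2.0/24")


def parse_fwin(line):
    """Parse one ZoneAlarm FWIN (blocked inbound) record; return None for any other line."""
    parts = line.strip().split(",")
    if len(parts) < 6 or parts[0] != "FWIN":
        return None
    _, date, time_field, src, dst, transport = parts[:6]
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "second": f"{date} {time_field.split()[0]}",  # date + hh:mm:ss; the zone suffix is dropped
        "src_ip": src_ip, "src_port": int(src_port),
        "dst_ip": dst_ip, "dst_port": int(dst_port),
        "transport": transport,
    }


def classify_source(ip_str, local_lan=LOCAL_LAN):
    """Did the packet claim to come from this LAN, another private range, or the Internet?"""
    ip = ipaddress.ip_address(ip_str)
    if ip in local_lan:
        return "local-lan"
    if ip.is_private:
        return "private-other"  # RFC 1918 space that is not our subnet: another NAT, a virtual adapter, or spoofed
    return "internet"


def verdict(classes, distinct_sources):
    """Plain-language reading of the source population for one destination port."""
    if classes.get("internet") and distinct_sources > 1:
        return ("unsolicited SYNs from many unrelated Internet hosts are reaching a private address: "
                "the router is passing this port through, so check its forwarding/DMZ/UPnP entries")
    if classes.get("private-other"):
        return "sources are private addresses outside the LAN: look for a local device, virtual adapter or second NAT, not Internet hosts"
    return "sources are on the local LAN: normal neighbour traffic unless the port is unexpected"


def summarize(log_text, local_lan=LOCAL_LAN):
    """Group blocked inbound records by destination port and describe who sent them."""
    events = [e for e in map(parse_fwin, log_text.splitlines()) if e]
    per_port = defaultdict(lambda: {"events": 0, "sources": set(),
                                    "classes": Counter(), "per_second": Counter()})
    for e in events:
        p = per_port[e["dst_port"]]
        p["events"] += 1
        p["sources"].add(e["src_ip"])
        p["classes"][classify_source(e["src_ip"], local_lan)] += 1
        p["per_second"][e["second"]] += 1  # burst size: records sharing one clock second
    return {
        port: {
            "events": p["events"],
            "distinct_sources": len(p["sources"]),
            "classes": dict(p["classes"]),
            "max_per_second": max(p["per_second"].values()),
            "verdict": verdict(p["classes"], len(p["sources"])),
        }
        for port, p in per_port.items()
    }


if __name__ == "__main__":
    for port, info in summarize(SAMPLE_LOG).items():
        print(port, info)
```

Run against the sample, port 17004 shows eleven distinct public sources with nine records landing in a single second, which is the signature of the "about once a second" pattern described earlier; port 139 shows only two private sources outside 192.168.2.0/24, which is what the second excerpt asks about. Point `summarize()` at a real ZoneAlarm log file (read it and pass the text) and adjust `LOCAL_LAN` to your own subnet.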
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
What kind of router do you have, specifically?

Let's say I want to break into a laptop at my neighbor's house. What possible way could I even see that laptop, since it's not on my domain?

Using a packet sniffer. And why would you need to "see" the laptop in order to try sending a network packet to its address, anyway?
 

dbarton

Senior member
Apr 11, 2002
767
0
76

It's a Belkin 45, I think.

Are you guys saying that the laptop is "listening" to anyone who sends anything to it, even if it's only using my wireless, as far as I can tell?
The wired machines on the network should never be seeing any outside traffic because they are 100% blocked by router, but the wireless machines might?

Are these other (safe) machines on our network looking at port 139?: FWIN,2008/11/20,20:26:50 -8:00 GMT,192.168.153.1:1081,192.168.2.2:139,TCP (flags:S)
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
I wouldn't assume your router blocks 100% of unsolicited traffic to wired computers, especially a Belkin :p I can't find any specific info about a "Belkin 45" router, so I'm in the dark on its basic capabilities. Can you find a link to it?