Infection via port 3389?

Norton Antivirus 2008, all updated, on Vista Home Premium with Vista Service Pack 1.

DSL connection on 24/7. Runs on a user account rather than an admin account.

At about 1:43 am there was an unsolicited inbound connection to my machine via port 3389 (ms-wbt-server).

I do not use Remote Desktop, and I do not have the Remote Assistance box checked. I get Microsoft updates about that time, but they would not come in unsolicited; I have a check-for-updates request scheduled for that, and that is an outbound, not an inbound, request.

643 bytes sent, 1135 bytes received.

From IP address {removed}, which is some server out of the Chicago area.

In the past I have had inbound connections via this port, but with no bytes sent or received, so I was getting comfortable that there was not a security issue. HOWEVER, this is WAY different from before, as bytes have been sent and received.

Internet Worm Protection history shows no intrusion blocking on or around that time.

So now I'm VERY WORRIED that we have a different situation. Whereas before we had the connection and then the move-on, it looks like now we have a connection, a greeting, and a data exchange.

This happened at 1:43 am, and I had a full system scan set to run at 4 am, which it did. Only tracking cookies were noted.

Also, I turned off my computer this morning after discovering this. When I turned it back on about 30 minutes later, the activity log showed MANY (like 30+) attempts to connect from many different addresses that were blocked by unused port blocking.

Example: {removed}

{removed}

Almost all attempted contact was via port 10163.

Could this be related to the connection and data exchange via ms-wbt-server?

The fact that data has been exchanged, whereas it wasn't before, has me very worried.

1. Does it appear that something may have gotten into my machine?

2. Does the fact that no intrusion prevention was noted also mean that something has gotten past?

I know I have been annoying and appear to have been "crying wolf", but this is really scary now. Please help.

[edit: Removed IP addresses for privacy and security.]

 

Message Edited by Allen_K on 10-03-2008 04:05 PM
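Before deciding whether the 3389 entry means something got in, the first thing to verify is whether anything on the machine is actually listening on that port: a TCP connection can only exchange application data if a local service accepts it, and with Remote Desktop and Remote Assistance switched off nothing should be. The script below is an added example, not code from this thread or from Norton. It checks a list of ports against the local host (127.0.0.1 is assumed as the address to test) and includes a throwaway listener on an ephemeral port so the difference between an open and a closed port can be seen on any machine.

```python
import socket
from contextlib import closing

# Ports discussed in the thread: 3389 (ms-wbt-server, Remote Desktop) and
# 10163, the port most of the blocked attempts were aimed at.
PORTS_OF_INTEREST = (3389, 10163)


def is_listening(port, host="127.0.0.1", timeout=1.0):
    """True if a TCP service on `host` completes a connection on `port`.

    An inbound firewall entry showing bytes in both directions only makes
    sense if something local accepted the connection: with no listener the
    handshake is refused and no application data can be exchanged."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:          # refused, timed out, or unreachable
            return False
        return True


def listening_report(ports=PORTS_OF_INTEREST, host="127.0.0.1"):
    """Map each port to whether it currently accepts connections."""
    return {port: is_listening(port, host) for port in ports}


def demo_with_temporary_listener():
    """Stand up a throwaway listener on an ephemeral loopback port so the
    open-versus-closed result can be seen on any machine. Returns
    (port, result while listening, result after the listener is closed)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        while_open = is_listening(port)
    after_close = is_listening(port)
    return port, while_open, after_close


if __name__ == "__main__":
    for port, open_ in listening_report().items():
        print(f"port {port}: {'LISTENING' if open_ else 'closed'}")
    port, while_open, after_close = demo_with_temporary_listener()
    print(f"temporary listener on {port}: open={while_open}, after close={after_close}")
```

A loopback check tells you whether a service is listening, not whether the network can reach it: a port that answers on 127.0.0.1 may still be blocked from outside by the firewall, and a port that is closed here cannot have completed a data exchange with anyone.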

Thanks, Red.

I know I will definitely block port 3389. The other ports may be too many. I have had some IP addresses that just run a list of many, many ports that all get blocked by unused port blocking. If they are being blocked, why would I need to block those ports?

What do you mean when you say restrict IP addresses?

 

Red asks:

Questions:

- Were these connection attempts inbound or outbound via these ports, especially port 10163?

All the issues I'm reporting are inbound attempts at connection.

I didn't note down all the addresses trying to attack via port 10163, but the two I did both seem to be from Verizon.

pool-71-XXX-222-XXX.sctnpa.east.verizon.net

static-66-XX-219-XXX.bdsl.verizon.net

Usually, in the unused port blocking entries in the activity log, it is 1 or 2 different addresses that just hammer away. But this seems to be 1 or 2 attempts each by many different addresses. I wonder if it's part of a bot attack?

Restricting an I.P. Address(es) prevents those computers from having access to yours.

Isn't that in effect by the unused port blocking?
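Whether the port 10163 attempts are "one or two addresses hammering away" or "many addresses, one or two attempts each", and whether any allowed inbound connection actually moved data, can be answered mechanically from the activity log. The script below is an added example, not code from this thread or from Norton, and it does not parse Norton's real log format: it works on constructed sample lines in a simple space-separated layout (date, time, direction, source IP, destination port, bytes sent, bytes received, action) using documentation-range addresses, which a reader would replace with an export of their own log. It flags allowed inbound connections that exchanged data on a port the owner does not expect to be open, and separates blocked probes into many-sources-one-port sweeps and one-source-many-ports scans.

```python
from collections import defaultdict

# Constructed sample entries (not taken from the original post). Addresses are
# from the RFC 5737 documentation ranges. Fields, space separated:
#   date time direction src_ip dst_port bytes_sent bytes_received action
SAMPLE_LOG = """\
2008-10-03 01:40:02 inbound 198.51.100.23 3389 0 0 allowed
2008-10-03 01:43:10 inbound 198.51.100.23 3389 643 1135 allowed
2008-10-03 09:12:01 inbound 203.0.113.7 10163 0 0 blocked
2008-10-03 09:12:05 inbound 203.0.113.9 10163 0 0 blocked
2008-10-03 09:12:08 inbound 203.0.113.44 10163 0 0 blocked
2008-10-03 09:12:09 inbound 203.0.113.58 10163 0 0 blocked
2008-10-03 09:20:00 inbound 192.0.2.77 135 0 0 blocked
2008-10-03 09:20:00 inbound 192.0.2.77 139 0 0 blocked
2008-10-03 09:20:01 inbound 192.0.2.77 445 0 0 blocked
2008-10-03 09:20:01 inbound 192.0.2.77 1433 0 0 blocked
2008-10-03 09:20:02 inbound 192.0.2.77 3306 0 0 blocked
"""


def parse_log(text):
    """Turn the sample format into a list of event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, direction, src, port, sent, recv, action = line.split()
        events.append({
            "time": f"{date} {clock}",
            "direction": direction,
            "src": src,
            "port": int(port),
            "sent": int(sent),
            "recv": int(recv),
            "action": action,
        })
    return events


def completed_inbound_exchanges(events, expected_open=frozenset()):
    """Allowed inbound connections that moved bytes in both directions on a
    port the owner does not expect to be open. A 0/0 entry is a probe that
    found nothing to talk to; bytes both ways mean something answered."""
    return [
        e for e in events
        if e["direction"] == "inbound"
        and e["action"] == "allowed"
        and e["port"] not in expected_open
        and e["sent"] > 0
        and e["recv"] > 0
    ]


def scan_patterns(events, min_sources=3, min_ports=3):
    """Split blocked inbound probes into two shapes:
    sweeps: one port hit by many distinct sources (a worm or botnet looking
            for a single service across address space);
    probes: one source trying many ports (a single host scanning you)."""
    sources_by_port = defaultdict(set)
    ports_by_source = defaultdict(set)
    for e in events:
        if e["direction"] != "inbound" or e["action"] != "blocked":
            continue
        sources_by_port[e["port"]].add(e["src"])
        ports_by_source[e["src"]].add(e["port"])
    sweeps = {p: sorted(s) for p, s in sources_by_port.items() if len(s) >= min_sources}
    probes = {s: sorted(p) for s, p in ports_by_source.items() if len(p) >= min_ports}
    return {"sweeps": sweeps, "probes": probes}


def triage(text, expected_open=frozenset()):
    """Full report for one log export."""
    events = parse_log(text)
    report = scan_patterns(events)
    report["exchanges"] = completed_inbound_exchanges(events, expected_open)
    return report


if __name__ == "__main__":
    # Remote Desktop is off on this host, so no port is expected to be open.
    report = triage(SAMPLE_LOG, expected_open=frozenset())
    for e in report["exchanges"]:
        print(f"DATA EXCHANGED: port {e['port']} from {e['src']} at {e['time']} "
              f"({e['sent']} B out, {e['recv']} B in)")
    for port, srcs in report["sweeps"].items():
        print(f"sweep: port {port} probed by {len(srcs)} distinct sources")
    for src, ports in report["probes"].items():
        print(f"probe: {src} tried {len(ports)} ports: {ports}")
```

On the sample data this reports one real exchange (port 3389, 643 bytes out and 1135 in), a sweep of port 10163 by four distinct sources, and one source walking five common service ports. The sweep shape is what a worm or botnet scanning for a single service looks like; blocked probes of either shape do not by themselves mean anything got in, but an allowed exchange on a port that should be closed is the entry worth investigating.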


NY1986 wrote:

Isn't that in effect by the unused port blocking?

No. A hacker could attempt to use a port which one of your programs uses on your computer. If the hacker has managed to do this and you have not restricted this computer, for example, then the hacker will be able to access your computer. For example, one of these misleading applications; these are most likely being let in by the user. However, if you had restricted the computer, then that nasty hacker will not have access to your computer.

Please let me know if I have mis-understood your question.

Message Edited by Floating_Red on 10-04-2008 12:21 AM

Wow. That would be rather difficult, since you'd have to look in the activity logs to see all the attempts to connect that were blocked by unused port blocking.

My understanding is that if a nasty gets by, the other layers of Norton protection could stop it, i.e., Intrusion Prevention.

This is why you need a good hardware firewall. I love mine, which is built into my 2Wire Gateway DSL modem.

Norton AntiBot can be downloaded here:

http://www.symantec.com/norton/theme.jsp?themeid=botnet

08 is also outdated. Maybe upgrading to 09 can help you identify and shut down this connection if needed.


Tech0utsider wrote:

08 is also outdated. Maybe upgrading to 09 can help you identify and shut down this connection if needed.

Have to disagree; 2008 can still be used, as can 2007, although I would suggest upgrading if you do have 2007.

NY1986 wrote:

Wow. That would be rather difficult, since you'd have to look in the activity logs to see all the attempts to connect that were blocked by unused port blocking.

My understanding is that if a nasty gets by, the other layers of Norton protection could stop it, i.e., Intrusion Prevention.

Intrusion Prevention is your next line of defense, should it get past the firewall; if that fails, then you have got the Restricted Access for that computer; if not, then you will get infected.

I'm still getting connections via port 3389, but no bytes sent or received now.

Does Symantec still issue updates for 07?

Block the port and see if you lose any functionality.

Also see if you get any error messages.

Best bet.

Suggestions:

- Run LiveUpdate and do a Full System Scan in Safe Mode.

- Block Port 3389, and any other Ports which have been Blocked by Un-used Port-Blocking.

- Restrict the I.P. Addresses; please break these up.

Questions:

- Were these connection attempts inbound or outbound via these ports, especially Port 10163?