View full version : WL-500g hijacked?



Petrs
07-10-2004, 09:53
Hi everybody,

I just got a warning message from Norton Internet Security installed on my PC saying

Trojan attempt detected from address 192.168.1.1 by rule "Default Block Bla Trojan horse".

This IP is my WL-500g :confused: and it is the first time I have seen this message in the many weeks I am running WL-500g.

I can also see repeated attempts to connect to unused port 2869 on my PC, apparently also coming from WL-500g.

How can I tell if someone has hacked my AP? Or does this behavior have something to do with normal functioning of WL-500g?

Thanks in advance for any useful info,

Petrs

Antiloop
07-10-2004, 10:05
Which version of NIS are you running?

Petrs
07-10-2004, 11:44
Sorry, forgot to post - I am running firmware v. 1.8.1.9 - downloaded from Asus, unmodified. My PC is Windows XP SP2.

Jeroen Vonk
07-10-2004, 12:24
> Trojan attempt detected from address 192.168.1.1 by rule "Default Block Bla Trojan horse".
>
> I can also see repeated attempts to connect to unused port 2869 on my PC, apparently also coming from WL-500g.
I assume you are using WinXP SP2? With SP1, port 5000 is used by SSDP (Simple Service Discovery Protocol); WinXP SP2 and future releases should use port 2869 for SSDP.

I think there is no need to worry: port 2869 is used by UPnP, so I think your computer is being scanned for UPnP services. If you don't want to use UPnP, try disabling UPnP on your AP; I think you won't see those messages anymore.

Petrs
07-10-2004, 13:00
> I assume you are using WinXP SP2? Because with SP1 port 5000 is used by SSDP (Simple Service Discovery Protocol). WinXP SP2 and future releases should use port 2869 for SSDP.
>
> I think there is no need to worry, port 2869 is used by UPnP. So I think your computer is scanned for UPnP services. If you don't want to use UPnP try to disable UPnP on your AP, I think you won't see those messages anymore.

Thanks Jeroen, that makes sense for the "unused port" part.

But the Trojan alert doesn't seem to be related: while the attempts to connect to port 2869 have a certain pattern and appear in clusters, the Trojan warning appeared once (Norton Internet Security blocked all communication for the next 30 minutes, so I can't tell if there were more attempts right after that) and once more at another time, several hours apart.

This is an excerpt from the firewall log. I don't know if the first message is related but it appeared right before the event. Note that FERDA2 is my PC.


6.10.2004 23:22:16 Rule "Block Windows File Sharing" blocked communication.
Local address: FERDA2(192.168.1.4)(netbios-ssn(139)).
Process name is "System"

6.10.2004 23:22:17 Rule "Default Block Bla Trojan horse" blocked (192.168.1.1,1042).
Inbound UDP packet
Local address,service is (FERDA2(192.168.1.4),1042)
Remote address,service is (192.168.1.1,ssdp(1900))
Process name is "N/A"

Jeroen Vonk
07-10-2004, 13:32
> 6.10.2004 23:22:16 Rule "Block Windows File Sharing" blocked communication.
> Local address: FERDA2(192.168.1.4)(netbios-ssn(139)).
> Process name is "System"
>
> 6.10.2004 23:22:17 Rule "Default Block Bla Trojan horse" blocked (192.168.1.1,1042).
> Inbound UDP packet
> Local address,service is (FERDA2(192.168.1.4),1042)
> Remote address,service is (192.168.1.1,ssdp(1900))
> Process name is "N/A"

The first log entry is caused by "File and Printer Sharing." Port 139 is used by the Computer Browser service running on your computer; it probably just wants to scan your network for other computers. As far as I know it's not related to the second log entry.

It is possible that your PC is infected by the "Bla Trojan", but I wouldn't bet on it. Unfortunately some Windows services use ports 1024 to 5000 for dynamic port allocation (according to the RFC only very high port numbers should be used, but we all know Microsoft :) ), so if something is using port 1042 you don't have to be alarmed.

I think, based on your information, that Windows is using port 1042 for UPnP/SSDP (you can see that the UDP packet is coming from port 1900, which is used by SSDP).

I still think there is nothing to worry about, but scanning your PC for viruses/trojans is always a good idea. If you use a scanner with recent virus definitions I wouldn't give it a second thought.

Apart from this, I don't really like third-party firewalls like Norton Internet Security because those firewalls give just too many false alarms. Personally I prefer the built-in XP SP2 firewall.
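The reasoning in this reply, and in the earlier one about ports 5000/2869, turned into a small triage script for NIS log entries. This is an added example, not code from the thread, from Asus or from Norton: it parses the two entries Petrs posted (copied below as constructed sample input), treats an inbound UDP packet from a LAN host's port 1900 to a Windows ephemeral port as the unicast reply to the PC's own SSDP M-SEARCH (which is the shape of the "Bla Trojan" entry, whose rule evidently keys on the local port 1042), and flags the same packet shape when it comes from a non-RFC1918 address, since discovery replies should never arrive from the WAN. The port sets, the gateway address 192.168.1.1, the ephemeral range and the verdict strings are assumptions made for the example.

```python
"""Triage Norton Internet Security firewall log entries: is a blocked packet
UPnP/SSDP discovery traffic or something that deserves a closer look?
Added example; the sample log below is constructed from the excerpt in the thread."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

SSDP_PORT = 1900                   # UDP, fixed by the UPnP spec
UPNP_HTTP_PORTS = {2869, 5000}     # Windows UPnP listener: 2869 on XP SP2, 5000 on SP1
NETBIOS_PORTS = {137, 138, 139, 445}
WIN_EPHEMERAL = range(1025, 5001)  # assumed client-port range of pre-Vista Windows
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample input, copied from the log excerpt posted in the thread.
SAMPLE_LOG = """\
6.10.2004 23:22:16 Rule "Block Windows File Sharing" blocked communication.
Local address: FERDA2(192.168.1.4)(netbios-ssn(139)).
Process name is "System"

6.10.2004 23:22:17 Rule "Default Block Bla Trojan horse" blocked (192.168.1.1,1042).
Inbound UDP packet
Local address,service is (FERDA2(192.168.1.4),1042)
Remote address,service is (192.168.1.1,ssdp(1900))
Process name is "N/A"
"""

HEADER_RE = re.compile(r'^(\d+\.\d+\.\d+ \d+:\d+:\d+) Rule "([^"]+)" blocked')
PROTO_RE = re.compile(r'^(?:Inbound|Outbound) (UDP|TCP) packet')
IPV4_RE = re.compile(r'\d+\.\d+\.\d+\.\d+')


@dataclass
class Event:
    when: str
    rule: str
    proto: Optional[str]        # "UDP"/"TCP", or None when the entry does not say
    local_port: int
    remote_ip: Optional[str]
    remote_port: Optional[int]


def _last_port(line: str) -> int:
    # Both NIS address styles end in "...(139))." or "...,1042)": the port is the
    # last number that sits directly before a closing parenthesis.
    return int(re.findall(r'(\d+)\)', line)[-1])


def parse_log(text: str) -> list:
    """Split the log into blank-line separated entries and pull out the 5-tuple bits."""
    events = []
    for block in re.split(r'\n\s*\n', text.strip()):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0])
        if not head:
            continue
        proto = local_port = remote_ip = remote_port = None
        for line in lines[1:]:
            pm = PROTO_RE.match(line)
            if pm:
                proto = pm.group(1)
            elif line.startswith("Local address"):
                local_port = _last_port(line)
            elif line.startswith("Remote address"):
                remote_port = _last_port(line)
                remote_ip = IPV4_RE.search(line).group(0)
        events.append(Event(head.group(1), head.group(2), proto, local_port, remote_ip, remote_port))
    return events


def _on_lan(ip: Optional[str]) -> bool:
    return ip is not None and any(ipaddress.ip_address(ip) in net for net in RFC1918)


def classify(ev: Event, gateway: str) -> str:
    if ev.local_port in NETBIOS_PORTS:
        return "netbios: Windows file/printer sharing traffic, unrelated to UPnP"
    if ev.proto == "UDP" and ev.remote_port == SSDP_PORT and ev.local_port in WIN_EPHEMERAL:
        # Unicast reply from a device's SSDP port back to the ephemeral port the
        # Windows SSDP service used for its M-SEARCH: the shape of the 1042 entry.
        if ev.remote_ip == gateway:
            return "ssdp-reply: gateway answering the PC's own UPnP discovery, benign"
        if _on_lan(ev.remote_ip):
            return "ssdp-reply: another LAN host answering discovery, benign if it is a UPnP device"
        return "suspicious: SSDP reply from outside the LAN, discovery must not cross the WAN"
    if ev.local_port in UPNP_HTTP_PORTS and _on_lan(ev.remote_ip):
        return "upnp-http: LAN host contacting the Windows UPnP listener on port %d" % ev.local_port
    return "unexplained: confirm with netstat and an up-to-date virus scan"


def triage(text: str, gateway: str) -> list:
    return [(ev.when, ev.rule, classify(ev, gateway)) for ev in parse_log(text)]


if __name__ == "__main__":
    for when, rule, verdict in triage(SAMPLE_LOG, gateway="192.168.1.1"):
        print(f"{when}  {rule!r}: {verdict}")
```

Run against the sample, the 139 entry comes out as NetBIOS noise and the 1042/1900 entry as the gateway's SSDP reply; the verdict only turns into "suspicious" when the same 1900-to-ephemeral shape arrives from an address outside the RFC1918 ranges, and a TCP connection to a random ephemeral port from a LAN host that is not port 1900 stays "unexplained", which is the case where a virus scan is actually warranted.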

Petrs
07-10-2004, 14:13
Thanks, you guys are great :)