Hi David,
Thanks for the kind reply. According to the logs, the attempted
outbound violations have stopped, at least for now.
I have scanned this computer with just about everything that I can find
and nothing shows up. For a long time, someone in San Marcus, TX pinged
my computer a hundred times a day. I finally reported it to the "abuse"
address for the ISP, but, as usual, never heard anything and I still,
occasionally, get pinged by the San Marcus address.
This is a dialup machine and a slow one at that; most of the time less
than 28.8.
Loy
David Gillett wrote:
> ICMP is a protocol used for network diagnostics and error messages. The
> "ping" program (usually) sends ICMP "echo request" messages, and receives
> ICMP "echo response" messages back, for instance. There are arguments for
> blocking ICMP as a confidentiality issue, and for leaving it unblocked as an
> availability issue. [Security folks refer to the CIA triad --
> Confidentiality, Integrity, and Availability -- as encompassing "security",
> so both arguments are in favour of different aspects of security.]
> It would be quite normal for your machine to respond to an unexpected TCP
> or UDP (these are the protocols most commonly used for actual user traffic)
> message with an ICMP "port unreachable" message. But in the normal case,
> that message would have the IP address of your machine as its source.
>
> So my suspicion is that the "policy violation" isn't that the message type
> is "ICMP port unreachable", but that the source address is a lie, claiming
> that the message is coming from somewhere else.
> That's not a useful thing for a "phone home" function to do, so I don't
> think that's what this is. [It would be possible, though a bit odd, for an
> ICMP message to include a "payload" of information.]
>
> ICMP messages are usually quite small. But there have occasionally been
> Internet attacks that used large ICMP messages to try to flood a destination
> computer or network as a "Denial of Service" attack, and these are harder to
> defend against if the recipient can't tell where they're coming from.
> So it's *possible* that some bit of malware on your machine is one of
> hundreds or even thousands all sending junk messages to USLEC at once. [A
> dialup machine would not be the attacker's first choice for this purpose,
> but checking for this is hard to do and rather pointless.]
>
> So yes, this could be a symptom of a virus. There have been several
> viruses over the years that have spread infectiously, with a "detonation"
> date at which they would unleash some sort of attack. There is other
> malware that makes an infected PC a "zombie", awaiting commands from the
> Internet -- these are more commonly used to forward spam, but certainly
> *can* be used to launch attacks as well.
>
> So bottom line is that if the source address had been yours, I wouldn't
> worry, but since it doesn't appear to be then yes, you may be infected with
> something.
>
> David Gillett
>
>
>
> On 19 Feb 2007 at 12:22, Loy Pressley wrote:
>
>
>> My Comodo Firewall security log says
>>
>> "Outbond policy violation (Access Denied, IP =..."
>>
>> When I look under details, the log says:
>>
>> "DESCRIPTION: Outbound Policy Violation (Access Denied, ICMP = PORT
>> UNREACHABLE)
>> PROTOCOL: ICMP Outgoing
>> SOURCE: 66.19.112.129
>> DESTINATION: 216.126.128.40
>> MESSAGE: PORT UNREACHABLE"
>>
>> WhoIs says that 66.19.112.129 as above is the USLEC Corp., 6801 Morrison
>> Blvd., Charlotte, NC 28211 and that 216.127.128.40 is the same place.
>>
>> Does the above indicate that I've got a virus or something on this thing
>> and it is trying to "phone home?" I've scanned this computer with
>> everything I can find and nothing has shown up. Could it be a "rootkit"
>> or something like that?
>>
>> WinXP Pro SP2 using a dialup modem.
>>
>> Thanks...
>>
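The test David applies above (an outgoing ICMP "port unreachable" is normal only when its source address is the machine's own) can be automated against firewall log entries of the kind Loy pasted. The following Python is an added example for this thread, not code from either poster or from Comodo; the entry text is constructed to match the quoted log format, and the local dialup address used in the usage call (192.0.2.10, a documentation address) is an assumed placeholder.

```python
import ipaddress
import re

# Constructed sample entries in the field layout of the Comodo log quoted
# in the thread. The first mirrors Loy's entry; the rest are made up to
# exercise the other branches.
SAMPLE_LOG = """DESCRIPTION: Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
PROTOCOL: ICMP Outgoing
SOURCE: 66.19.112.129
DESTINATION: 216.126.128.40
MESSAGE: PORT UNREACHABLE

DESCRIPTION: Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
PROTOCOL: ICMP Outgoing
SOURCE: 192.0.2.10
DESTINATION: 203.0.113.7
MESSAGE: PORT UNREACHABLE

DESCRIPTION: Inbound Policy Violation (Access Denied, ICMP = ECHO REQUEST)
PROTOCOL: ICMP Incoming
SOURCE: 203.0.113.7
DESTINATION: 192.0.2.10
MESSAGE: ECHO REQUEST"""

# One "KEY: value" pair per line; keys in this log are upper-case words.
FIELD_RE = re.compile(r"^(?P<key>[A-Z]+):\s*(?P<value>.+?)\s*$", re.MULTILINE)


def parse_entry(text):
    """Turn one multi-line log entry into a dict keyed by field name."""
    return {m.group("key"): m.group("value") for m in FIELD_RE.finditer(text)}


def classify_outgoing_icmp(entry, local_addrs):
    """Return (verdict, reason) for a parsed entry.

    Only outbound ICMP is judged. It is 'benign' when the packet's source
    address is one of this host's own addresses (a normal error reply) and
    'suspicious' when it is not, i.e. the source address is forged.
    """
    protocol = entry.get("PROTOCOL", "")
    if not protocol.startswith("ICMP"):
        return ("ignore", "not an ICMP entry")
    if "Outgoing" not in protocol:
        return ("ignore", "not an outbound packet")
    if "SOURCE" not in entry:
        return ("ignore", "entry has no SOURCE field")
    src = ipaddress.ip_address(entry["SOURCE"])
    local = {ipaddress.ip_address(a) for a in local_addrs}
    if src in local:
        return ("benign", "source is our own address; ordinary ICMP error reply")
    return ("suspicious", f"source {src} is not a local address; forged source")


def scan_log(text, local_addrs):
    """Split a log into blank-line separated entries and classify each.

    Returns a list of (source, verdict, reason) tuples in log order.
    """
    results = []
    for block in re.split(r"\n\s*\n", text.strip()):
        if not block.strip():
            continue
        entry = parse_entry(block)
        verdict, reason = classify_outgoing_icmp(entry, local_addrs)
        results.append((entry.get("SOURCE"), verdict, reason))
    return results


if __name__ == "__main__":
    # Assumed local address of the dialup host; replace with the address
    # the ISP actually assigned (visible in ipconfig on Windows XP).
    for source, verdict, reason in scan_log(SAMPLE_LOG, ["192.0.2.10"]):
        print(f"{source:>15}  {verdict:<10}  {reason}")
```

On a dialup connection the assigned address changes with every call, so the `local_addrs` list has to be taken from the session in which the log entry was written; an entry flagged "suspicious" only because an old address was supplied is a false positive, not a forged packet.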