
Author Topic: DIR-655 bypass  (Read 9788 times)

mrtek

  • Level 1 Member
  • *
  • Posts: 8
DIR-655 bypass
« on: February 10, 2010, 12:30:05 PM »

DIR-655 Bypass

Hi

I just upgraded my router from a D-Link WBR-1310 to a DIR-655 hoping to have better firewall capabilities, and I hope I still do. What I am seeing on my PC is something somewhat disturbing. I have purchased a full license of MalwareBytes with IP protection, and off and on I see a pop-up on the bottom right side of my screen that tells me that an IP address has been blocked. I have searched the internet about this issue and found this:
secunia.com/advisories/38092/
After reading the article I have upgraded the firmware, which fixes the problem, but it actually has not solved mine.
Now my question is how this IP is bypassing the router firewall? These pop-ups are also showing even when I am not browsing the internet. Most of the offending IPs are from Moldova and China. I could block every single one of them, but that kind of defeats the purpose of having this kind of firewall.
Any comments / help about this matter is appreciated.

Mrtek
« Last Edit: February 10, 2010, 02:38:44 PM by mrtek »
Logged

duffman

  • Level 1 Member
  • *
  • Posts: 14
Re: DIR-655 bypass
« Reply #1 on: February 10, 2010, 12:40:19 PM »

Do you have any ports forwarded? Also is UPnP enabled?
Logged

mrtek

  • Level 1 Member
  • *
  • Posts: 8
Re: DIR-655 bypass
« Reply #2 on: February 10, 2010, 01:02:34 PM »

I do not have any ports forwarded but I have UPnP enabled.
Logged

duffman

  • Level 1 Member
  • *
  • Posts: 14
Re: DIR-655 bypass
« Reply #3 on: February 10, 2010, 09:31:48 PM »

Having UPnP enabled would allow ports to be opened on the firewall by a program on your PC. Thus those open ports would be scanned.
Logged

Cobra

  • Level 4 Member
  • ****
  • Posts: 477
Re: DIR-655 bypass
« Reply #4 on: February 10, 2010, 10:12:26 PM »

What does the router log show?

Incoming or outgoing?
Logged

mrtek

  • Level 1 Member
  • *
  • Posts: 8
Re: DIR-655 bypass
« Reply #5 on: February 11, 2010, 06:44:38 AM »

My understanding is that if you enable UPnP, it is only for devices inside your firewall (internal network), and those ports are not on the WAN side.
As far as the log, there are a lot of blocked incoming TCP and some UDP connections. I would have to edit the log to remove my IP address and some security settings.
I will post them later.
Logged

duffman

  • Level 1 Member
  • *
  • Posts: 14
Re: DIR-655 bypass
« Reply #6 on: February 11, 2010, 02:38:52 PM »

UPnP has the ability to open ports to the internet facing side of the router. It's one of the main features of the protocol.
Logged

mrtek

  • Level 1 Member
  • *
  • Posts: 8
Re: DIR-655 bypass
« Reply #7 on: February 12, 2010, 08:30:15 PM »

If that is the case, for security reasons, why is it on by default?
Logged

Cobra

  • Level 4 Member
  • ****
  • Posts: 477
Re: DIR-655 bypass
« Reply #8 on: February 12, 2010, 09:22:45 PM »

UPnP opens only those ports that a UPnP device/application asks to open, and when the application/device shuts down the ports close again.

Better than port forwarding as with UPnP the ports open and close but with port forwarding the ports on the list are always open.
Logged

war59312

  • Level 3 Member
  • ***
  • Posts: 123
    • Will's Blog
Re: DIR-655 bypass
« Reply #9 on: February 14, 2010, 08:00:42 PM »

Sounds like you may have spyware on your system. What IP is MalwareBytes blocking?

And no, MalwareBytes is not the end of the world when it comes to Malware, that is, it does not detect everything. No product does!!

A quick test you can do is boot in safe mode with networking (hit the F8 key when booting up and select the option).

Then only run MalwareBytes and see if it still blocks the same IP. Somehow I doubt it!!

Which means it's an application on your system that is trying to connect to the IP.

Anyways, also run http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx and it will show you which applications on your system are trying to connect to IP addresses.

Just look for the address that is being blocked by MalwareBytes in the remote address column.

If you're seeing the block message in MalwareBytes and the connection never appears in TCPView then you might have Malware making use of a rootkit on your system to hide its networking activity.

Anyways, I can help you with all of this when you reply.
Logged
God Bless America

mrtek

  • Level 1 Member
  • *
  • Posts: 8
Re: DIR-655 bypass
« Reply #10 on: February 25, 2010, 07:18:25 PM »

Well, thank you for your help...

I have done exactly what you said. I restarted in safe mode and I tried to start Malwarebytes protection but it failed. So I ran AVG antivirus, then I ran SpyBot, Malwarebytes and Superspyware (Free Version), which I have read good things about, and did not find anything. I did download TCPView; I ran it but it crashes all the time. I was able to look at the screen and compared it with all the IP addresses that were stored in the blocked IP logs from Malwarebytes and none matched....
I disabled UPnP in the router and I am not getting as many warnings as before, but I do get them sometimes.
These are some of the IP addresses that were blocked today.
09:13:09   xxxxx       IP-BLOCK   213.163.86.112
09:13:12   xxxxx       IP-BLOCK   213.163.86.112
09:13:18   xxxxx       IP-BLOCK   213.163.86.112
09:15:47   xxxxx       IP-BLOCK   213.163.86.112
09:15:50   xxxxx       IP-BLOCK   213.163.86.112
09:15:56   xxxxx       IP-BLOCK   213.163.86.112

I just wanted to be sure that these connections are outgoing and not incoming, and if they are, where are these malware/viruses hiding and how can I really clean them out?

 ???
Logged

Cobra

  • Level 4 Member
  • ****
  • Posts: 477
Re: DIR-655 bypass
« Reply #11 on: February 25, 2010, 07:39:53 PM »

If you are going to be so paranoid you should just unplug your Internet.

But, companies bank on people like you to sell their software to.

Malwarebytes IP protection is.....pretty useless.
Logged

mrtek

  • Level 1 Member
  • *
  • Posts: 8
Re: DIR-655 bypass
« Reply #12 on: February 26, 2010, 08:57:02 AM »

Dear Cobra

With all due respect to your knowledge, Malwarebytes removed a lot of spyware and viruses from my PC that other software could not, so there is a positive note from the use of it... but of course that is my opinion... and I just asked for some insight into the IP protection that this software is offering.

Thank you
Logged

war59312

  • Level 3 Member
  • ***
  • Posts: 123
    • Will's Blog
Re: DIR-655 bypass
« Reply #13 on: February 28, 2010, 07:13:37 PM »

Hi,

That IP appears to be http://multiplayer.it/, visited that site lately?

OK, since none of the addresses match the IP found in Malwarebytes, that tells me some sort of software on your PC is connecting to that address.

Since it's not happening in safe mode, let's now try the same thing in regular mode. Only let the software you run on start and then run TCPView and see if you see the odd behavior. Yeah, it does crash a lot on Vista and 7. You can try running in XP compatibility mode: just right click on the exe and properties, then compatibility tab and set to XP.

You don't have to use TCPView, that was just really an example; feel free to use any tool that shows you all your connections. You can use a command line tool if you're comfortable enough:

tcpvcon (http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx)

If the IP is not listed then you know it's not an application listed in msconfig nor a Windows service.

If you do see the odd behavior then run msconfig and disable all startup items and reboot and check for odd behavior once more. If still getting odd behavior then check in services.msc for anything suspicious:

http://www.blackviper.com/ lists default services for Windows, see left side bar.

Take Care,

Will
Logged
God Bless America
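
The check described in replies #9 and #13 (look for the blocked address in the remote-address column of a connection listing) can also answer the incoming-or-outgoing question raised in the thread. The following is an added example, not part of any post: it correlates block-log lines in the format quoted above with `netstat -ano` output, where both samples are constructed and the ports, PIDs and the 203.0.113.9 entry are assumptions.

```python
import re
from collections import Counter

# Constructed block log in the format quoted in the thread; the 203.0.113.9
# line is an added documentation-range address.
BLOCK_LOG = """\
09:13:09   xxxxx       IP-BLOCK   213.163.86.112
09:13:12   xxxxx       IP-BLOCK   213.163.86.112
09:20:01   xxxxx       IP-BLOCK   203.0.113.9
"""

# Constructed `netstat -ano` output; ports and PIDs are made up.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1500
  TCP    192.168.0.100:49712    213.163.86.112:80      SYN_SENT        2304
  TCP    192.168.0.100:49650    198.51.100.7:443       ESTABLISHED     1780
  TCP    192.168.0.100:8080     203.0.113.9:51544      ESTABLISHED     1500
"""

BLOCK_RE = re.compile(r"^\d\d:\d\d:\d\d\s+\S+\s+IP-BLOCK\s+(\d+(?:\.\d+){3})\s*$")

def blocked_ips(log_text):
    """Count IP-BLOCK events per remote address."""
    return Counter(m.group(1) for m in map(BLOCK_RE.match, log_text.splitlines()) if m)

def parse_netstat(text):
    """Return (local_port, remote_ip, state, pid) for each TCP row."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP":
            local_port = int(f[1].rsplit(":", 1)[1])
            remote_ip = f[2].rsplit(":", 1)[0]
            rows.append((local_port, remote_ip, f[3], int(f[4])))
    return rows

def correlate(log_text, netstat_text):
    """Match blocked addresses to local connections and label the direction."""
    blocked = blocked_ips(log_text)
    rows = parse_netstat(netstat_text)
    listening = {port for port, _, state, _ in rows if state == "LISTENING"}
    findings = []
    for port, remote_ip, state, pid in rows:
        if remote_ip in blocked:
            # SYN_SENT is always locally initiated; a connection on a port this
            # host listens on was accepted from outside.
            inbound = state != "SYN_SENT" and port in listening
            findings.append((remote_ip, "inbound" if inbound else "outbound", pid, blocked[remote_ip]))
    return findings

if __name__ == "__main__":
    for ip, direction, pid, hits in correlate(BLOCK_LOG, NETSTAT):
        print(f"{ip}: {direction}, PID {pid}, {hits} block events")
```

The PID on an outbound row is the process to look up in Task Manager or `tasklist`; a blocked address that never appears in any row is the hidden-activity case described in reply #9.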