Advice pls on what is happening on my system
comp.security.firewalls archive

From: Alix <alix@alix.com>
Date: Fri Dec 09 2005 - 11:14:50 CET

BACKGROUND

I am on a cable connection in the UK with no other PCs or printers
attached. I use FILSECLAB's personal firewall.

I downloaded and installed "TreeWalk DNS" a week ago on my XP Pro
system. As I am in the UK I also installed the "ORSC Slave-Root"
package. I have to say I am not particularly familiar with the
technical details of DNS lookups.

OBSERVATIONS

Today I booted up. Before I manually launched anything I saw the
following entries shown below in my firewall monitor.

These entries have worried me because for the last week my PC has
been hesitating for several seconds before connecting to servers such
as http://www.google.com or an NNTP news server for the first
time. Subsequent connections seem as fast as usual.

Spybot (latest version with latest updates) reports nothing.

QUESTIONS FOR ANYONE

1: Which entries below are expected and which are unusual?

2: Have I got some subtle malware on my system?

3: How can I track back from these entries to find what programs
invoked NAMED.EXE to make these network connections?

4: Should I remove Treewalk or does it make no difference?

For the time being I have put these into my hosts file in order to
restrain them from connecting.

Thank you for any help.

-------- LIST OF SELECTED FIREWALL MONITOR ENTRIES --------

NOTES:

(1) There were often several entries for each IP address but I have
listed only one.
(2) My IP address with port 1025 was always shown for each of these
entries.
(3) The program associated with each entry was always Treewalk's
NAMED.EXE.
(4) In most cases, 70 bytes were sent and none received but for
192.5.6.30 (for which the IP lookup keeps failing) there was as much
as 10 KB of traffic in each direction!
(5) Sadly I can't find out anything for 194.54.112.30/FLUETANO.

=====

38.113.2.100 :53
    Jerky Network Services, Mass

199.166.26.100 :53
    VRx Network Services Inc. server=JFWHOME.FUNHOUSE.COM
199.166.29.100 :53
    VRx Network Services Inc. server=JFWHOME.FUNHOUSE.COM
199.166.31.100 :53
    VRx Network Services Inc. server=JFWHOME.FUNHOUSE.COM

194.54.112.30 :53
    FLUENTANO, Hostmaster Bergen Nett og Media, Norway

193.0.14.129 :53
    Subnet for k.root-servers.net

192.5.6.30 :53
    a.gtld-servers.net [sent 10595 bytes & received 11369 bytes]

192.26.92.30 :53
    VeriSign Global Registry
192.26.92.32 :53
    VeriSign Global Registry
192.33.14.30 :53
    Verisign
198.41.0.4 :53
    Verisign

202.12.29.59 :53
    Asia Pacific Network Information Center, Australia

216.239.34.10 :53
    Google [I have Google Desktop Search]

------- END LIST OF SELECTED FIREWALL MONITOR ENTRIES --------
Received on Sun Dec 11 14:24:54 2005