99 Posts
0
161818
February 23rd, 2004 23:00
Network problem???
Have a network of six computers, Dell Dimensions, Windows XP; one computer does the dialing to connect to the Internet, 56k modem. After I disconnect from the Internet, the modem immediately dials out again. When I disconnect it stays that way until I redial. I disconnected the network and the problem stopped. I cannot find out what program or computer is constantly dialing out to the Internet after shut down of # 1 computer. All automatic updates are off. Have Norton SystemWorks, SpyBot, and routinely run virus checks etc. Also I changed the modem twice. Same problem.
Any ideas what may be the problem?


jwatt
4.4K Posts
0
March 7th, 2004 16:00
source IP :192.168.0.11 Port 68
Application : SVchost.exe
Version : 5.1 2600.0 (xpclient, 010817-148.
HAD TO ACCEPT AS I COULDN'T GET AN ACTIVE WEB PAGE ON THE INTERNET.
192.168.0.11 is a machine on your LAN. It's requesting an IP address from a DHCP server. There's a DHCP server running on ONE as part of Internet Connection Sharing. Traffic from 192.168.0.11 would have arrived at ONE via its Ethernet adapter, and the request should have been answered by the DHCP server on ONE. So why did ZoneAlarm think that 192.168.0.11 needed to connect to the Internet?
Is the "Network Bridge" still present on ONE? After removing IPv6, you should have only two interfaces left - the PPP adapter for the dialup, and the Ethernet adapter. The Ethernet adapter should no longer be part of a bridge.
You should remove the bridge as follows:
Click on Start, then choose All Programs, then Accessories, then Communications, and then Network Connections.
You will see your various network connections. One of the connections will be called Network Bridge. Right-click on the Network Bridge and choose Delete from the menu that appears. You may be asked to confirm this decision: do so.
SHORTLY AFTER GOT THIS FROM ZONE ALARM
Blocked access to computer ( net BIOS Name) from 68.219.41.21 CDP port 27)
Zone alarm has just now blocked (TCP Port 135) from 12.150.142.14 (TCP Port 4249) [TCP flags: S].
That's ZoneAlarm doing its job! Even with a dialup, once a machine is connected to the Internet, there will be hostile traffic attempting to probe for vulnerabilities. What you reported are two examples of why it's vital to have a firewall installed on any machine that connects to the Internet.
I'm betting it's the presence of the bridge that's causing the dialouts.
Likely the traffic from 102.168.0.11 port 68 was headed for 255.255.255.255 port 67. That's a broadcast request to a DHCP server. A bridge is designed to propagate LAN traffic between two different types of interfaces. Wireless access points are "bridges" between the wireless portion of a LAN and the wired portion of the same LAN. Microsoft's "wizards" have a bad habit of bridging things that shouldn't be bridged!
Jim
frazser
99 Posts
0
March 7th, 2004 22:00
Jim,
Deleted the Bridge connection but now I can't connect to the internet with my other computers.
I should have just disabled it. Will try and find the program to reload it unless you think I need to re-configure my network.
jwatt
4.4K Posts
0
March 7th, 2004 22:00
What happens if you disable the bridge on our favorite test victim, SETI6?
Deleting the bridge is OK, because it's easy to create one.
But the network setup you have doesn't need any bridging. Everything's on an Ethernet LAN, and the default gateway is set to 192.168.0.1, the IP address of ONE, which is a "gateway" because it's the one that has the Internet connection. And the PPP dialup Internet connection is on a different IP network (12.251.204) than the LAN (192.168.0), so what's needed is routing, not bridging.
Jim
frazser
99 Posts
0
March 8th, 2004 01:00
Jim,
Finally got back on. Lost connection to the Internet and had to set up my network again on Computer ONE. The Bridge adapter connection was enabled by using the Wizard that XP has installed. Still unable to get SETI 6 back on line. I may be misusing Zone Alarm. I think the best thing to do is delete Zone Alarm at this time.
The network was started over a year ago by using the Built-in Network Wizard. I really don't know that much about the network system except what was set up for me by these computers.
Re-boot SETI 6 with the re-installed bridge and will see if that computer is able to connect to Computer One. Unable at this time to get any of my computers back on line with the internet.
I know you are working very hard on this and I do really appreciate the assistance.
Any ideas?
SETI 6 Network connection page shows...
1394 connection enabled, bridged,1294 net adapter
local area connection, enabled, bridge,broadcom netxreme gigabit E...
Network Bridge (Network Bridge) 14, enabled
Computer ONE Network Connection page shows
Pokynet com, Connected, shared, firewall, HSP56 modem
1394 Connection enabled, bridges, 1294 adapter
local area connection,enabled,bridged, broadband netXreme gigabit E..
Networkbridge (Network Bridge) 14, enabled
I still think deleting Zone Alarm now may be a good idea.
frazser
99 Posts
0
March 8th, 2004 02:00
Jim,
I found a log on Zone Alarm and it seems that Hotmail is dialing out or in. I use Hotmail and wonder if this address has something to do with my problem.
ZoneAlarm Logging Client v4.5.538.001
Windows XP-5.1.2600-Service Pack 1-SP
type,date,time,source,destination,transport
FWIN,2004/03/06,18:45:04 -6:00 GMT,192.168.0.56:68,192.168.0.1:67,UDP
FWIN,2004/03/06,18:45:06 -6:00 GMT,192.168.0.225:68,192.168.0.1:67,UDP
FWIN,2004/03/06,18:45:14 -6:00 GMT,192.168.0.176:68,192.168.0.1:67,UDP
FWIN,2004/03/06,18:45:20 -6:00 GMT,192.168.0.15:68,192.168.0.1:67,UDP
PE,2004/03/06,18:45:22 -6:00 GMT,siHotmailFilterProxy,12.151.203.10:53,N/A
PE,2004/03/06,18:45:54 -6:00 GMT,Generic Host Process for Win32 Services,12.151.203.10:53,N/A
PE,2004/03/06,18:47:22 -6:00 GMT,siHotmailFilterProxy,12.151.203.10:53,N/A
PE,2004/03/06,18:49:16 -6:00 GMT,IP Configuration Utility,12.151.203.10:53,N/A
PE,2004/03/06,18:49:22 -6:00 GMT,siHotmailFilterProxy,12.151.203.10:53,N/A
PE,2004/03/06,18:51:22 -6:00 GMT,siHotmailFilterProxy,12.151.203.10:53,N/A
FWIN,2004/03/06,18:51:50 -6:00 GMT,68.93.134.27:1893,12.151.204.180:80,TCP (flags:S)
PE,2004/03/06,18:53:08 -6:00 GMT,SETI@home,12.151.203.10:53,N/A
PE,2004/03/06,18:53:22 -6:00 GMT,siHotmailFilterProxy,12.151.203.10:53,N/A
FWIN,2004/03/06,18:54:28 -6:00 GMT,192.168.0.76:1053,192.168.0.1:53,UDP
PE,2004/03/06,18:55:22 -6:00 GMT,siHotmailFilterProxy,12.151.203.10:53,N/A
PE,2004/03/06,18:57:22 -6:00 GMT,siHotmailFilterProxy,12.151.203.10:53,N/A
FWIN,2004/03/06,18:58:40 -6:00 GMT,192.168.0.76:1053,192.168.0.1:53,UDP
PE,2004/03/06,18:59:22 -6:00 GMT,siHotmailFilterProxy,12.151.203.10:53,N/A
FWROUTE,2004/03/06,19:00:04 -6:00 GMT,192.168.0.76:2663,81.52.248.152:80,TCP (flags:R)
FWIN,2004/03/06,19:00:48 -6:00 GMT,192.168.0.76:1030,192.168.0.1:53,UDP
PE,2004/03/06,19:01:14 -6:00 GMT,siHotmailFilterProxy,12.151.203.10:53,N/A
PE,2004/03/06,19:01:18 -6:00 GMT,Zone Labs Client,12.151.203.10:53,N/A
PE,2004/03/06,19:01:22 -6:00 GMT,siHotmailFilterProxy,12.151.203.10:53,N/A
PE,2004/03/06,19:01:28 -6:00 GMT,siHotmailFilterProxy,12.151.203.10:53,N/A
PE,2004/03/06,19:03:22 -6:00 GMT,siHotmailFilterProxy,12.151.203.10:53,N/A
PE,2004/03/06,19:05:22 -6:00 GMT,siHotmailFilterProxy,12.151.203.10:53,N/A
FWIN,2004/03/06,19:06:22 -6:00 GMT,12.150.151.86:1853,12.151.204.180:135,TCP (flags:S)
PE,2004/03/06,19:07:22 -6:00 GMT,siHotmailFilterProxy,12.151.203.10:53,N/A
ACCESS,2004/03/06,19:07:26 -6:00 GMT,siHotmailFilterProxy was temporarily blocked from connecting to the Internet (12.151.203.10:DNS).,N/A,N/A
PE,2004/03/06,19:09:22 -6:00 GMT,siHotmailFilterProxy,12.151.203.10:53,N/A
PE,2004/03/06,19:11:22 -6:00 GMT,siHotmailFilterProxy,12.151.203.10:53,N/A
FWIN,2004/03/06,19:12:50 -6:00 GMT,192.168.0.76:1030,192.168.0.1:53,UDP
PE,2004/03/06,19:13:22 -6:00 GMT,siHotmailFilterProxy,12.151.203.10:53,N/A
ACCESS,2004/03/06,19:13:24 -6:00 GMT,siHotmailFilterProxy was temporarily blocked from connecting to the Internet (12.151.203.10:DNS).,N/A,N/A
FWIN,2004/03/06,19:14:34 -6:00 GMT,192.168.0.225:1033,192.168.0.1:53,UDP
PE,2004/03/06,19:15:22 -6:00 GMT,siHotmailFilterProxy,12.151.203.11:53,N/A
ACCESS,2004/03/06,19:15:24 -6:00 GMT,siHotmailFilterProxy was temporarily blocked from connecting to the Internet (12.151.203.11:DNS).,N/A,N/A
PE,2004/03/06,19:17:22 -6:00 GMT,siHotmailFilterProxy,12.151.203.11:53,N/A
PE,2004/03/06,19:19:22 -6:00 GMT,siHotmailFilterProxy,12.151.203.10:53,N/A
PE,2004/03/06,19:19:32 -6:00 GMT,Generic Host Process for Win32 Services,192.168.0.76:1030,N/A
ACCESS,2004/03/06,19:20:56 -6:00 GMT,siHotmailFilterProxy was temporarily blocked from connecting to the Internet (12.151.203.10:DNS).,N/A,N/A
PE,2004/03/06,19:21:22 -6:00 GMT,siHotmailFilterProxy,12.151.203.11:53,N/A
PE,2004/03/06,19:22:14 -6:00 GMT,Messenger,207.46.104.20:1863,N/A
PE,2004/03/06,19:23:22 -6:00 GMT,siHotmailFilterProxy,12.151.203.10:53,N/A
FWIN,2004/03/06,19:24:18 -6:00 GMT,200.217.24.24:1030,12.151.204.180:137,UDP
PE,2004/03/06,19:25:22 -6:00 GMT,siHotmailFilterProxy,12.151.203.10:53,N/A
PE,2004/03/06,19:26:52 -6:00 GMT,Spam Inspector by GIANT Company inc,12.151.203.10:53,N/A
PE,2004/03/06,19:27:08 -6:00 GMT,Microsoft Outlook,12.151.203.10:53,N/A
PE,2004/03/06,19:27:12 -6:00 GMT,Norton AntiVirus Agent,12.151.203.15:110,N/A
PE,2004/03/06,19:27:22 -6:00 GMT,siHotmailFilterProxy,12.151.203.10:53,N/A
PE,2004/03/06,19:29:22 -6:00 GMT,siHotmailFilterProxy,12.151.203.10:53,N/A
PE,2004/03/06,19:31:22 -6:00 GMT,siHotmailFilterProxy,12.151.203.10:53,N/A
FWIN,2004/03/06,19:33:06 -6:00 GMT,68.123.214.191:3736,12.151.204.180:135,TCP (flags:S)
PE,2004/03/06,19:33:22 -6:00 GMT,siHotmailFilterProxy,12.151.203.10:53,N/A
FWIN,2004/03/06,19:33:24 -6:00 GMT,68.123.214.191:1920,12.151.204.180:445,TCP (flags:S)
FWIN,2004/03/06,19:35:48 -6:00 GMT,80.146.113.238:4320,12.151.204.180:135,TCP (flags:S)
PE,2004/03/06,19:45:46 -6:00 GMT,Microsoft Outlook,12.151.203.10:53,N/A
FWIN,2004/03/06,20:01:40 -6:00 GMT,133.217.115.89:2791,12.151.204.180:445,TCP (flags:S)
FWIN,2004/03/06,20:13:22 -6:00 GMT,213.137.108.231:3336,12.151.204.180:135,TCP (flags:S)
FWIN,2004/03/06,20:16:56 -6:00 GMT,12.152.192.64:4358,12.151.204.180:445,TCP (flags:S)
FWIN,2004/03/06,20:41:58 -6:00 GMT,211.28.113.169:4544,12.151.204.180:135,TCP (flags:S)
FWIN,2004/03/06,20:45:26 -6:00 GMT,66.222.138.122:1091,12.151.204.180:445,TCP (flags:S)
FWIN,2004/03/06,20:55:20 -6:00 GMT,69.105.11.53:2634,12.151.204.180:135,TCP (flags:S)
FWIN,2004/03/06,21:00:28 -6:00 GMT,202.64.85.30:8963,12.151.204.180:137,UDP
FWIN,2004/03/06,21:18:34 -6:00 GMT,12.150.139.237:3386,12.151.204.180:135,TCP (flags:S)
FWIN,2004/03/06,21:18:46 -6:00 GMT,220.164.30.186:1036,12.151.204.180:137,UDP
FWIN,2004/03/06,21:28:32 -6:00 GMT,12.150.150.106:1728,12.151.204.180:135,TCP (flags:S)
FWIN,2004/03/06,21:30:58 -6:00 GMT,218.161.57.92:3521,12.151.204.180:135,TCP (flags:S)
FWIN,2004/03/06,21:31:18 -6:00 GMT,218.161.57.92:1390,12.151.204.180:445,TCP (flags:S)
FWIN,2004/03/06,21:41:26 -6:00 GMT,12.151.203.82:4078,12.151.204.180:135,TCP (flags:S)
FWIN,2004/03/06,21:54:56 -6:00 GMT,12.151.204.67:3326,12.151.204.180:135,TCP (flags:S)
FWIN,2004/03/06,22:03:04 -6:00 GMT,64.231.207.105:1025,12.151.204.180:137,UDP
FWIN,2004/03/06,22:14:28 -6:00 GMT,12.150.153.52:2567,12.151.204.180:135,TCP (flags:S)
FWIN,2004/03/06,22:43:56 -6:00 GMT,12.150.225.157:1242,12.151.204.180:135,TCP (flags:S)
FWIN,2004/03/06,23:10:34 -6:00 GMT,61.149.27.67:9467,12.151.204.180:137,UDP
FWIN,2004/03/06,23:21:26 -6:00 GMT,12.150.225.175:4085,12.151.204.180:135,TCP (flags:S)
FWIN,2004/03/06,23:36:26 -6:00 GMT,218.64.47.184:1035,12.151.204.180:137,UDP
FWIN,2004/03/06,23:42:40 -6:00 GMT,12.134.52.86:1497,12.151.204.180:135,TCP (flags:S)
FWIN,2004/03/06,23:59:22 -6:00 GMT,12.13.135.150:4687,12.151.204.180:135,TCP (flags:S)
FWIN,2004/03/07,00:15:58 -6:00 GMT,220.107.185.88:3765,12.151.204.180:445,TCP (flags:S)
FWIN,2004/03/07,00:16:38 -6:00 GMT,200.100.174.181:3844,12.151.204.180:135,TCP (flags:S)
FWIN,2004/03/07,00:28:52 -6:00 GMT,217.208.23.21:1470,12.151.204.180:135,TCP (flags:S)
FWIN,2004/03/07,00:32:02 -6:00 GMT,220.219.85.68:3692,12.151.204.180:445,TCP (flags:S)
FWIN,2004/03/07,00:42:08 -6:00 GMT,217.85.94.33:4441,12.151.204.180:135,TCP (flags:S)
FWIN,2004/03/07,00:48:24 -6:00 GMT,12.150.224.161:3820,12.151.204.180:445,TCP (flags:S)
FWIN,2004/03/07,01:11:12 -6:00 GMT,219.105.137.8:3380,12.151.204.170:445,TCP (flags:S)
FWIN,2004/03/07,01:19:42 -6:00 GMT,218.63.164.229:1032,12.151.204.170:137,UDP
FWIN,2004/03/07,01:43:14 -6:00 GMT,4.4.82.32:1693,12.151.204.173:135,TCP (flags:S)
FWIN,2004/03/07,01:43:36 -6:00 GMT,4.4.82.32:3100,12.151.204.173:445,TCP (flags:S)
FWIN,2004/03/07,01:44:06 -6:00 GMT,68.249.7.215:2486,12.151.204.173:135,TCP (flags:S)
FWIN,2004/03/07,01:44:26 -6:00 GMT,68.249.7.215:4627,12.151.204.173:445,TCP (flags:S)
FWIN,2004/03/07,01:57:06 -6:00 GMT,12.151.203.193:3832,12.151.204.173:135,TCP (flags:S)
FWIN,2004/03/07,02:28:08 -6:00 GMT,218.2.49.9:1026,12.151.204.177:137,UDP
FWIN,2004/03/07,02:35:08 -6:00 GMT,172.188.152.209:1239,12.151.204.177:135,TCP (flags:S)
FWIN,2004/03/07,02:36:04 -6:00 GMT,172.188.152.209:2794,12.151.204.177:135,TCP (flags:S)
FWIN,2004/03/07,03:00:24 -6:00 GMT,218.234.162.102:1032,12.151.204.182:137,UDP
FWIN,2004/03/07,03:24:58 -6:00 GMT,24.108.229.128:1339,12.151.204.137:445,TCP (flags:S)
FWIN,2004/03/07,03:33:38 -6:00 GMT,216.211.5.93:3228,12.151.204.137:135,TCP (flags:S)
FWIN,2004/03/07,03:50:22 -6:00 GMT,64.114.231.69:1965,12.151.204.140:135,TCP (flags:S)
FWIN,2004/03/07,03:50:42 -6:00 GMT,64.114.231.69:3412,12.151.204.140:445,TCP (flags:S)
FWIN,2004/03/07,03:55:14 -6:00 GMT,81.91.226.108:1033,12.151.204.140:137,UDP
FWIN,2004/03/07,04:20:12 -6:00 GMT,217.76.53.218:4698,12.151.204.146:135,TCP (flags:S)
FWIN,2004/03/07,04:47:58 -6:00 GMT,62.241.150.33:3282,12.151.204.149:135,TCP (flags:S)
FWIN,2004/03/07,05:36:36 -6:00 GMT,12.101.62.202:3399,12.151.204.151:135,TCP (flags:S)
FWIN,2004/03/07,06:42:28 -6:00 GMT,210.42.228.62:2767,12.151.204.157:139,TCP (flags:S)
FWIN,2004/03/07,07:01:44 -6:00 GMT,12.150.244.46:3227,12.151.204.160:445,TCP (flags:S)
FWIN,2004/03/07,07:21:04 -6:00 GMT,64.108.70.182:1032,12.151.204.162:137,UDP
FWIN,2004/03/07,07:32:00 -6:00 GMT,219.117.13.33:2461,12.151.204.165:445,TCP (flags:S)
FWIN,2004/03/07,07:46:54 -6:00 GMT,81.98.81.131:3787,12.151.204.171:135,TCP (flags:S)
FWIN,2004/03/07,07:53:04 -6:00 GMT,209.88.110.37:35342,12.151.204.171:139,TCP (flags:S)
FWIN,2004/03/07,08:42:10 -6:00 GMT,12.151.197.24:1644,12.151.204.142:135,TCP (flags:S)
FWIN,2004/03/07,08:58:00 -6:00 GMT,62.0.81.138:1033,12.151.204.148:137,UDP
FWIN,2004/03/07,08:59:06 -6:00 GMT,12.77.141.115:3958,12.151.204.148:135,TCP (flags:S)
FWIN,2004/03/07,09:03:22 -6:00 GMT,12.73.161.123:4656,12.151.204.148:135,TCP (flags:S)
FWIN,2004/03/07,09:08:58 -6:00 GMT,12.73.161.123:2828,12.151.204.148:135,TCP (flags:S)
FWIN,2004/03/07,09:21:38 -6:00 GMT,61.127.42.109:1051,12.151.204.160:445,TCP (flags:S)
FWIN,2004/03/07,09:33:22 -6:00 GMT,12.150.225.152:3946,12.151.204.160:135,TCP (flags:S)
FWIN,2004/03/07,09:40:38 -6:00 GMT,218.5.186.70:4334,12.151.204.160:139,TCP (flags:S)
FWIN,2004/03/07,09:40:42 -6:00 GMT,203.205.149.230:2184,12.151.204.160:445,TCP (flags:S)
FWIN,2004/03/07,09:49:36 -6:00 GMT,217.44.179.231:4209,12.151.204.160:135,TCP (flags:S)
FWIN,2004/03/07,09:53:04 -6:00 GMT,12.151.197.49:2754,12.151.204.160:445,TCP (flags:S)
FWIN,2004/03/07,10:07:44 -6:00 GMT,212.142.190.174:1026,12.151.204.173:137,UDP
FWIN,2004/03/07,10:16:44 -6:00 GMT,12.151.203.180:3785,12.151.204.173:135,TCP (flags:S)
FWIN,2004/03/07,10:17:42 -6:00 GMT,63.196.56.253:1025,12.151.204.173:137,UDP
FWIN,2004/03/07,10:18:28 -6:00 GMT,217.95.169.39:2297,12.151.204.173:135,TCP (flags:S)
FWIN,2004/03/07,10:37:22 -6:00 GMT,24.185.221.55:4251,12.151.204.140:135,TCP (flags:S)
FWIN,2004/03/07,10:38:20 -6:00 GMT,203.70.227.31:2981,12.151.204.140:135,TCP (flags:S)
FWIN,2004/03/07,11:01:00 -6:00 GMT,12.150.148.27:2995,12.151.204.157:135,TCP (flags:S)
FWIN,2004/03/07,11:01:16 -6:00 GMT,80.164.95.125:1028,12.151.204.157:137,UDP
FWIN,2004/03/07,11:01:34 -6:00 GMT,213.23.223.162:62437,12.151.204.157:137,UDP
FWIN,2004/03/07,11:05:06 -6:00 GMT,218.214.37.116:1030,12.151.204.157:137,UDP
PE,2004/03/07,11:12:36 -6:00 GMT,Spam Inspector by GIANT Company inc,12.151.203.11:53,N/A
PE,2004/03/07,11:20:00 -6:00 GMT,Generic Host Process for Win32 Services,192.168.0.1:67,N/A
PE,2004/03/07,11:20:00 -6:00 GMT,Generic Host Process for Win32 Services,192.168.0.1:68,N/A
ACCESS,2004/03/07,11:20:00 -6:00 GMT,Generic Host Process for Win32 Services was unable to obtain permission for accepting a connection from the Internet (192.168.0.1:Port 68); access was denied.,N/A,N/A
PE,2004/03/07,11:20:00 -6:00 GMT,Generic Host Process for Win32 Services,192.168.0.1:53,N/A
PE,2004/03/07,11:20:18 -6:00 GMT,siMailProxyServer,0.0.0.0:110,N/A
PE,2004/03/07,11:20:46 -6:00 GMT,XAUpdate Application,12.151.203.10:53,N/A
ACCESS,2004/03/07,11:21:00 -6:00 GMT,XAUpdate Application was temporarily blocked from connecting to the Internet (12.151.203.10:DNS).,N/A,N/A
PE,2004/03/07,11:21:16 -6:00 GMT,Spam Inspector by GIANT Company inc,12.151.203.10:53,N/A
PE,2004/03/07,11:21:20 -6:00 GMT,Generic Host Process for Win32 Services,192.168.0.11:68,N/A
PE,2004/03/07,11:21:24 -6:00 GMT,Generic Host Process for Win32 Services,12.151.203.10:53,N/A
FWIN,2004/03/07,11:30:42 -6:00 GMT,68.219.41.21:1027,12.151.204.169:137,UDP
FWIN,2004/03/07,11:39:22 -6:00 GMT,12.150.142.14:4269,12.151.204.169:135,TCP (flags:S)
PE,2004/03/07,11:42:02 -6:00 GMT,Zone Labs Client,12.151.203.10:53,N/A
PE,2004/03/07,11:46:26 -6:00 GMT,Norton AntiVirus Agent,12.151.203.15:110,N/A
FWIN,2004/03/07,11:51:46 -6:00 GMT,12.150.244.46:1041,12.151.204.169:135,TCP (flags:S)
FWIN,2004/03/07,12:22:42 -6:00 GMT,12.150.142.254:2823,12.151.204.178:445,TCP (flags:S)
FWIN,2004/03/07,12:38:08 -6:00 GMT,12.134.10.183:4847,12.151.204.178:135,TCP (flags:S)
FWIN,2004/03/07,12:43:54 -6:00 GMT,12.151.203.194:2206,12.151.204.178:135,TCP (flags:S)
FWIN,2004/03/07,12:46:22 -6:00 GMT,24.89.18.148:4337,12.151.204.178:445,TCP (flags:S)
FWIN,2004/03/07,13:05:30 -6:00 GMT,196.12.38.104:2429,12.151.204.178:445,TCP (flags:S)
FWIN,2004/03/07,13:26:30 -6:00 GMT,217.97.84.206:35790,12.151.204.178:135,TCP (flags:S)
FWIN,2004/03/07,13:27:18 -6:00 GMT,12.150.148.95:4205,12.151.204.178:135,TCP (flags:S)
FWIN,2004/03/07,13:37:34 -6:00 GMT,164.77.129.174:2255,12.151.204.178:445,TCP (flags:S)
FWIN,2004/03/07,13:49:06 -6:00 GMT,220.211.227.142:4611,12.151.204.178:445,TCP (flags:S)
FWIN,2004/03/07,14:22:02 -6:00 GMT,138.89.79.174:3356,12.151.204.178:135,TCP (flags:S)
FWIN,2004/03/07,14:24:48 -6:00 GMT,206.228.214.146:1455,12.151.204.178:445,TCP (flags:S)
FWIN,2004/03/07,14:55:18 -6:00 GMT,199.183.220.17:2105,12.151.204.178:445,TCP (flags:S)
FWIN,2004/03/07,15:05:50 -6:00 GMT,200.149.43.163:60344,12.151.204.178:137,UDP
PE,2004/03/07,15:14:58 -6:00 GMT,SETI@home,12.151.203.11:53,N/A
FWIN,2004/03/07,15:17:58 -6:00 GMT,218.102.71.185:3706,12.151.204.178:445,TCP (flags:S)
FWIN,2004/03/07,15:39:46 -6:00 GMT,12.150.225.175:3580,12.151.204.178:135,TCP (flags:S)
FWIN,2004/03/07,15:41:12 -6:00 GMT,12.151.197.49:2924,12.151.204.178:135,TCP (flags:S)
FWIN,2004/03/07,15:49:30 -6:00 GMT,216.209.153.105:3265,12.151.204.178:135,TCP (flags:S)
FWIN,2004/03/07,15:56:06 -6:00 GMT,24.164.110.148:60273,12.151.204.178:137,UDP
FWIN,2004/03/07,16:08:04 -6:00 GMT,65.43.152.144:2698,12.151.204.178:445,TCP (flags:S)
FWIN,2004/03/07,16:08:36 -6:00 GMT,142.161.91.222:1025,12.151.204.178:137,UDP
FWIN,2004/03/07,16:13:14 -6:00 GMT,195.29.104.202:1030,12.151.204.178:137,UDP
FWIN,2004/03/07,16:41:22 -6:00 GMT,12.151.204.172:3626,12.151.204.178:135,TCP (flags:S)
FWIN,2004/03/07,16:42:26 -6:00 GMT,12.147.245.201:4980,12.151.204.178:135,TCP (flags:S)
FWIN,2004/03/07,16:42:44 -6:00 GMT,12.152.192.173:2558,12.151.204.178:135,TCP (flags:S)
FWIN,2004/03/07,16:43:30 -6:00 GMT,82.255.13.246:4549,12.151.204.178:135,TCP (flags:S)
FWIN,2004/03/07,16:54:24 -6:00 GMT,12.150.128.85:4515,12.151.204.178:135,TCP (flags:S)
FWIN,2004/03/07,17:05:48 -6:00 GMT,80.228.87.86:1663,12.151.204.178:135,TCP (flags:S)
FWIN,2004/03/07,17:09:14 -6:00 GMT,146.175.220.55:1681,12.151.204.178:135,TCP (flags:S)
FWIN,2004/03/07,17:34:02 -6:00 GMT,12.151.115.222:3383,12.151.204.178:135,TCP (flags:S)
FWIN,2004/03/07,17:38:36 -6:00 GMT,12.152.8.144:3445,12.151.204.178:445,TCP (flags:S)
PE,2004/03/07,17:52:34 -6:00 GMT,Windows Explorer,12.151.203.10:53,N/A
ACCESS,2004/03/07,17:53:02 -6:00 GMT,Windows Explorer was temporarily blocked from connecting to the Internet (12.151.203.10:DNS).,N/A,N/A
FWIN,2004/03/07,17:57:02 -6:00 GMT,12.65.144.33:4053,12.151.204.178:135,TCP (flags:S)
ACCESS,2004/03/07,17:57:46 -6:00 GMT,Windows Explorer was temporarily blocked from connecting to the Internet (12.151.203.10:DNS).,N/A,N/A
FWIN,2004/03/07,18:00:42 -6:00 GMT,12.65.144.33:3472,12.151.204.178:135,TCP (flags:S)
ACCESS,2004/03/07,18:02:12 -6:00 GMT,Windows Explorer was temporarily blocked from connecting to the Internet (12.151.203.10:DNS).,N/A,N/A
FWIN,2004/03/07,18:16:06 -6:00 GMT,4.12.28.178:4354,12.151.204.178:135,TCP (flags:S)
PE,2004/03/07,18:29:50 -6:00 GMT,siMailProxyServer,0.0.0.0:110,N/A
PE,2004/03/07,18:31:16 -6:00 GMT,Spam Inspector by GIANT Company inc,12.151.203.10:53,N/A
FWIN,2004/03/07,18:41:16 -6:00 GMT,218.236.217.8:1433,12.151.204.180:137,UDP
PE,2004/03/07,18:47:48 -6:00 GMT,Zone Labs Client,12.151.203.10:53,N/A
FWIN,2004/03/07,18:50:16 -6:00 GMT,64.109.231.172:1027,12.151.204.180:137,UDP
PE,2004/03/07,18:54:04 -6:00 GMT,Run a DLL as an App,12.151.203.10:53,N/A
PE,2004/03/07,19:14:56 -6:00 GMT,Run a DLL as an App,12.151.203.10:53,N/A
FWIN,2004/03/07,19:16:56 -6:00 GMT,68.144.64.163:64707,12.151.204.163:445,TCP (flags:S)
FWIN,2004/03/07,19:17:40 -6:00 GMT,141.156.227.167:4592,12.151.204.163:445,TCP (flags:S)
FWIN,2004/03/07,19:19:10 -6:00 GMT,68.222.160.116:1701,12.151.204.163:445,TCP (flags:S)
PE,2004/03/07,19:21:02 -6:00 GMT,XAUpdate Application,12.151.203.10:53,N/A
ACCESS,2004/03/07,19:21:12 -6:00 GMT,XAUpdate Application was temporarily blocked from connecting to the Internet (12.151.203.10:DNS).,N/A,N/A
FWIN,2004/03/07,19:26:44 -6:00 GMT,12.150.151.85:1359,12.151.204.163:135,TCP (flags:S)
FWIN,2004/03/07,19:36:06 -6:00 GMT,12.152.70.201:1581,12.151.204.163:445,TCP (flags:S)
FWIN,2004/03/07,19:55:08 -6:00 GMT,210.196.41.161:4658,12.151.204.163:445,TCP (flags:S)
FWIN,2004/03/07,19:56:06 -6:00 GMT,151.197.31.234:4335,12.151.204.163:445,TCP (flags:S)
FWIN,2004/03/07,19:56:56 -6:00 GMT,12.78.12.71:4193,12.151.204.163:135,TCP (flags:S)
FWIN,2004/03/07,20:01:24 -6:00 GMT,67.117.148.53:3938,12.151.204.163:445,TCP (flags:S)
FWIN,2004/03/07,20:10:40 -6:00 GMT,12.151.197.24:3066,12.151.204.163:135,TCP (flags:S)
jwatt
4.4K Posts
0
March 8th, 2004 04:00
All the requests made by the Hotmail proxy were attempts to look up IP addresses based on their names (DNS). You can confirm that by looking at the destination addresses and the port. All the destination ports were 53. That's "domain name service". The destination IP addresses all were one or the other of the two DNS servers listed in ONE's ipconfig /all output for the PPP adapter.
So they're legitimate. No connections were attempted, other than to look up IP addresses based on names.
It might be a good idea to undo the change to the "DNS Client" service on ONE. That was done via Start/Run services.msc. Right click on "DNS Client", select Properties, and click on "Start". Set the "Startup type" back to "Automatic". That may cut down on some of the outbound DNS queries. The majority of the outbound requests logged were DNS. If the information were being cached on ONE, that might cut down on the outbound DNS requests.
Is the Hotmail filter proxy set to run at some regular interval? It's odd that the filter proxy is doing a DNS lookup that's not followed by a connection to a Hotmail server. I'm not familiar with that product.
One of the good things about a dialup connection is that nothing will be able to dial in. Until you dial out, there's nothing but a telephone number!
I'm not sure ZoneAlarm's set up correctly on ONE. For example, DHCP traffic from 192.168.0.56, 192.168.0.225, 192.168.0.176, and 192.168.0.15 (machines on your LAN) to 192.168.0.1 (ONE) are marked as "FWIN", meaning that the firewall blocked an incoming request to connect to your computer. But ZoneAlarm is correctly permitting outbound http requests, like this one:
FWROUTE,2004/03/06,19:00:04 -6:00 GMT,192.168.0.76:2663,81.52.248.152:80,TCP
You should confirm that ZoneAlarm is configured to recognize 192.168.0.0/255.255.255.0 as a trusted network on ONE. But ZoneAlarm is blocking a lot of unwanted traffic from machines on the Internet! I wouldn't run ONE without a firewall, because while its connection to the Internet may not be fast, there's plenty of evidence of potential intruders being blocked by ZoneAlarm.
Jim
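Added example (not part of the original thread, and not ZoneAlarm's own tooling): a short Python script that tallies a ZoneAlarm text log the way the post above reads it, separating LAN hosts blocked as FWIN, inbound probes from Internet addresses by destination port, and per-program DNS lookups. The sample rows are copied from the log posted earlier in the thread; the function names are assumptions of this example, and the LAN range is the 192.168.0.0/255.255.255.0 network named above.

```python
import csv
import ipaddress
from collections import Counter

# LAN range named in the thread (192.168.0.0 / 255.255.255.0).
LAN = ipaddress.ip_network("192.168.0.0/24")

# Sample rows copied from the ZoneAlarm log posted earlier in this thread.
SAMPLE_LOG = """\
ZoneAlarm Logging Client v4.5.538.001
type,date,time,source,destination,transport
FWIN,2004/03/06,18:45:04 -6:00 GMT,192.168.0.56:68,192.168.0.1:67,UDP
PE,2004/03/06,18:45:22 -6:00 GMT,siHotmailFilterProxy,12.151.203.10:53,N/A
PE,2004/03/06,18:47:22 -6:00 GMT,siHotmailFilterProxy,12.151.203.10:53,N/A
FWIN,2004/03/06,18:51:50 -6:00 GMT,68.93.134.27:1893,12.151.204.180:80,TCP (flags:S)
FWIN,2004/03/06,18:54:28 -6:00 GMT,192.168.0.76:1053,192.168.0.1:53,UDP
FWROUTE,2004/03/06,19:00:04 -6:00 GMT,192.168.0.76:2663,81.52.248.152:80,TCP (flags:R)
FWIN,2004/03/06,19:06:22 -6:00 GMT,12.150.151.86:1853,12.151.204.180:135,TCP (flags:S)
ACCESS,2004/03/06,19:07:26 -6:00 GMT,siHotmailFilterProxy was temporarily blocked from connecting to the Internet (12.151.203.10:DNS).,N/A,N/A
PE,2004/03/06,19:22:14 -6:00 GMT,Messenger,207.46.104.20:1863,N/A
FWIN,2004/03/06,19:24:18 -6:00 GMT,200.217.24.24:1030,12.151.204.180:137,UDP
PE,2004/03/06,19:27:12 -6:00 GMT,Norton AntiVirus Agent,12.151.203.15:110,N/A
FWIN,2004/03/06,19:33:24 -6:00 GMT,68.123.214.191:1920,12.151.204.180:445,TCP (flags:S)
"""


def split_endpoint(text):
    """Return (ip, port) for 'a.b.c.d:port', or None if text is not an endpoint."""
    host, sep, port = text.rpartition(":")
    if not sep or not port.isdigit():
        return None
    try:
        return ipaddress.ip_address(host), int(port)
    except ValueError:
        return None


def summarize(log_text, lan=LAN):
    """Tally a ZoneAlarm CSV log into the categories discussed in the thread."""
    summary = {
        "lan_blocked": Counter(),     # FWIN rows whose source is a LAN host
        "inbound_probes": Counter(),  # FWIN rows from Internet hosts, by dst port
        "program_dns": Counter(),     # PE rows to port 53, by program name
        "program_other": [],          # PE rows to any other port
        "other_types": Counter(),     # ACCESS, FWROUTE, ... counted but not parsed
    }
    for row in csv.reader(log_text.splitlines()):
        # Skip the banner lines and the column header.
        if len(row) != 6 or row[0] == "type":
            continue
        kind, _date, _time, source, destination, _transport = row
        dst = split_endpoint(destination)
        if kind == "FWIN":
            src = split_endpoint(source)
            if src is None or dst is None:
                continue
            if src[0] in lan:
                # A LAN host blocked as inbound: the LAN is probably not
                # configured as a trusted network on the gateway.
                summary["lan_blocked"][(str(src[0]), dst[1])] += 1
            else:
                summary["inbound_probes"][dst[1]] += 1
        elif kind == "PE":
            if dst is None:
                continue
            if dst[1] == 53:
                summary["program_dns"][source] += 1
            else:
                summary["program_other"].append((source, str(dst[0]), dst[1]))
        else:
            summary["other_types"][kind] += 1
    return summary


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("LAN hosts blocked as inbound:", dict(result["lan_blocked"]))
    print("Internet probes by port:     ", dict(result["inbound_probes"]))
    print("DNS lookups by program:      ", dict(result["program_dns"]))
    print("Other program destinations:  ", result["program_other"])
    print("Rows of other types:         ", dict(result["other_types"]))
```

Any entry under "LAN hosts blocked as inbound" is the symptom described above: DHCP or DNS traffic from 192.168.0.x to the gateway being treated as untrusted.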
jwatt
4.4K Posts
0
March 8th, 2004 04:00
On the machines other than ONE, I'd agree. See my other recent post for comments about ZoneAlarm, or some firewall, on ONE.
Bridges...
SETI 6 Network connection page shows...
1394 connection enabled, bridged,1294 net adapter
local area connection, enabled, bridge,broadcom netxreme gigabit E...
Network Bridge (Network Bridge) 14, enabled
Computer ONE Network Connection page shows
Pokynet com, Connected, shared, firewall, HSP56 modem
1394 Connection enabled, bridges, 1294 adapter
local area connection,enabled,bridged, broadband netXreme gigabit E..
Networkbridge (Network Bridge) 14, enabled
Is there a better description of the "1394" connections? Are those perhaps IEEE 1394 adapters, also known as "Firewire"? It sounds like there's still one more interface present in both ONE and SETI6 than we know about. With only one interface (Ethernet), there's no need for a bridge.
On SETI6, what output do you get if you enter tracert dslreports.com in a cmd.exe window? That should cause a dialout. On SETI6, you should see a series of lines of output showing the path between your LAN and dslreports.com.
If the output doesn't end with " Trace complete.", post the output.
Jim
frazser
99 Posts
0
March 8th, 2004 17:00
Jim,
Back on line.
Unable to connect to Computer ONE from any other computer in my network. Deleted Zone Alarm in SETI 6 and that didn't work. Deleted Zone Alarm in Computer ONE and that didn't work. Tried tracert dslreports.com in SETI 6 and it stated, Unable to resolve target system name dslreports.com. Will paste the reading from Computer ONE.
tracert dslreports.com Computer ONE
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\vincent f. splain>tracert dslreports.com
Tracing route to dslreports.com [209.123.109.175]
over a maximum of 30 hops:
1 * * * Request timed out.
2 281 ms 262 ms 275 ms 12.151.204.129
3 275 ms 275 ms 301 ms 12.151.203.1
4 293 ms 301 ms 301 ms 12.119.149.29
5 311 ms 301 ms 288 ms gbr6-p51.sl9mo.ip.att.net [12.123.198.166]
6 290 ms 301 ms 301 ms tbr1-p013601.sl9mo.ip.att.net [12.122.11.109]
7 310 ms 327 ms 327 ms tbr1-cl4.wswdc.ip.att.net [12.122.10.29]
8 310 ms 327 ms 327 ms tbr2-p013601.wswdc.ip.att.net [12.122.9.150]
9 337 ms 340 ms 340 ms tbr2-cl1.n54ny.ip.att.net [12.122.10.53]
10 343 ms 354 ms 314 ms gar1-p340.nwrnj.ip.att.net [12.123.214.185]
11 309 ms 340 ms 340 ms att-gige.esd1.nwr.nac.net [12.119.140.26]
12 319 ms 327 ms 314 ms 3.ge-3-0-0.gbr2.nwr.nac.net [209.123.11.189]
13 332 ms 354 ms 340 ms 0.so-0-3-0.gbr1.oct.nac.net [209.123.11.233]
14 311 ms 340 ms 327 ms www.dslreports.com [209.123.109.175]
Trace complete.
C:\Documents and Settings\vincent f. splain>
Jim are we still fun? I am really getting a workout. This stuff is overwhelming compared to just putting a computer together.
Vince
jwatt
4.4K Posts
0
March 8th, 2004 18:00
Hmmmm...we somehow have broken DNS on the internal machines! From SETI6, does tracert -d 209.123.109.175 work? That will tell us whether SETI6 can reach the Internet at all. "-d" means "Do not resolve addresses to hostnames".
Jim are we still fun? I am really getting a workout. This stuff is overwhelming compared to just putting a computer together.
One of the problems with working out step by step what's going on is that it's a lot more tedious than the "shotgun" approach, which would be to reinstall XP. One problem with ONE that could explain the DNS failures on SETI6 is that somehow it's no longer providing DNS service to the internal machines. I wonder what would happen if you uninstalled Internet Connection Sharing on ONE, rebooted it, and then reinstalled ICS? According to HomeNetHelp.com's tutorial on Internet Connection Sharing, the uninstall is done this way:
In your control panel, double-click the "Add/Remove Programs" icon. Select the "Windows Setup" tab. Double click "Internet Options", and unselect the Internet Connection Sharing box. Click OK and OK again.
You might want to look at HomeNetHelp's "ICS-related frequently asked questions", which is where I found the quote about uninstalling ICS, and see if you spot anything useful there. PracticallyNetworked.com has a lot of material about troubleshooting ICS that also might help.
(edit #1) I just found this in a Microsoft TechNet article about ICS on Windows 2000. It very likely applies to XP as well:
You cannot modify the default configuration of Internet connection sharing. This includes items such as disabling the DHCP allocator or modifying the range of private IP addresses that are distributed, disabling the DNS proxy, configuring a range of public IP addresses, or configuring inbound mappings. If you want to modify any of these items, you must use network address translation.
So turn the "DNS Client" back on for all machines, and see what that does with "tracert" from SETI6. That one's in "Start/Run services.msc".
Good grief! The more I find out about ICS, the more I dislike it! Even for a dialup connection, an external router is less quirky!
(edit #2) I found this tidbit in the ZoneLabs support forum:
[To set up ZoneAlarm on ICS machines,] Go to the firewall tab, click the main tab, click the advanced button and setup for ICS.
(edit #4 - corrected info about ICS gateway setup for ZoneAlarm)
The IP address needed for the ICS gateway machine (ONE), is the machine's local WAN IP address, 12.151.204.180. That information is from one of the ZoneAlarm gurus' sites. For a dialup connection, that seems problematical to me. What if you get a different IP address when you dial up?
(edit #3) Also from the ZoneLabs support forums:
The reason the client computer can not access the internet is because the basic free version of Zone Alarm does not support ICS. To resolve this problem, you can either upgrade the 'gateway's' Zone Alarm to the Pro version or use a router. You can keep ZA Free on the client computer.
Speaking of dialouts, have they been affected by any of the things we've tried?
Jim
Message Edited by jimw on 03-08-2004 02:45 PM
frazser
99 Posts
0
March 9th, 2004 16:00
Jim,
Just got back on line. Had lost my network. Finally used system restore on all the computers and then ran the Network setup. Finally got it up and running. First thing I noticed was that one of the connections numbers had been corrected. It was 255.255.255, when I couldn't get the network running it was 255.255.0.0. I know one of the group of 255 was missing.
Will check out all those websites you passed on to me. More than likely will get Zone Alarm Pro especially after seeing all the activity coming my way.
Nothing we did affected the dial out up to the time I lost my network. I messed up using Zone Alarm or something. Going to see what happens when I shut this computer down and will let you know.
jwatt
4.4K Posts
0
March 9th, 2004 16:00
That sounds like the netmask for a "locally assigned" IP address. Those mean that the DHCP client was unable to obtain an IP address from the DHCP server. Installing a DHCP server on the ICS host machine (ONE) is part of what's done when setting up ICS.
Nothing we did affected the dial out up to the time I lost my network. I messed up using Zone Alarm or something. Going to see what happens when I shut this computer down and will let you know.
One thing I've learned, and it's been at your expense, is that ICS is a very quirky product. Applying the troubleshooting techniques that work on a routed network can create problems on an ICS setup.
Hopefully you'll get the whole thing stabilized soon. The fact that the free version of ZoneAlarm doesn't work on an ICS host machine was a surprise to me. But that's only one of the surprises that ICS contains!
One of the advantages ZoneAlarm has (assuming a version that works on an ICS host!) over the XP firewall is that it requires outbound connections to be authorized. Since we've still not been able to determine the underlying cause of the unexpected outbound connections, a firewall that works that way is very useful...to say nothing of the inbound stuff you discovered!
Jim
frazser
99 Posts
0
March 11th, 2004 16:00
JimW,
At last. After messing around with this network system, losing it and reconfiguring a few times in the past few days and messed up TCP/IP addresses or something, I just reloaded Windows XP. Lo and behold, everything is working correctly. At present, for the past four hours, there have been no dial outs.
Problem had to be generated from the host computer, in the network system, all the time because the problem had moved from one computer to another. Had another computer as my master computer when the problem started and changed the master computer. Same problem. So perhaps reloading Windows XP like you were thinking, in the beginning, was the correct solution.
Thanks for your help.
Vince
jwatt
4.4K Posts
0
March 11th, 2004 17:00
That's approximately four hours longer than it's been in a long time! Hurray!
So perhaps reloading Windows XP like you were thinking, in the beginning, was the correct solution.
We certainly struggled to avoid that fix! It would have been nice to have been able to pinpoint the source of the problem...but it's very nice to have things working again!
Are you planning on installing ZoneAlarm (Plus should suffice) on the machine with the dialup connection? Even though we didn't find any signs of malware, it's prudent to have a firewall running on any machine that's directly connected to the Internet...even dialup!
The XP firewall would be a good step if you're worried about ZoneAlarm in an ICS environment, because it blocks inbound connections. And it hopefully works OK with ICS!
Thanks for your help.
You're welcome! TGIO!!!!
Jim
frazser
99 Posts
0
March 11th, 2004 18:00
Jim,
I always had the XP firewall in place, however since (I may have had problems with the Zone Alarm and my system) I just ordered the Norton Internet Security program. That I believe will aid my XP firewall and it will also advise what programs are going out and coming in.
Thanks again,
Vince
jwatt
4.4K Posts
0
March 11th, 2004 20:00
Another good place to ask for advice is DSL Reports' Security forum.
Be sure to mention XP ICS! As we found out, there can be problems if a firewall product can't handle the environment presented by an ICS host.
Jim