Windows Update triggers strange connections

Discussion in 'Computer Security' started by LukeP, May 18, 2010.

  1. LukeP (Gigabyte Poster)

    I've noticed that every time I check for Updates I get connections from China and Indonesia bouncing off my Smoothwall box.

    Any ideas why Windows Update triggers such connections?
    OS is Windows Server 2008 R2 from Technet.

    For whois on the IP addresses in the attachment click here:
    http://www.ip-adress.com/whois/222.124.7.164
    http://www.ip-adress.com/whois/221.192.199.49
    http://www.ip-adress.com/whois/125.65.165.184
    Last edited: May 18, 2010
    WIP: Uhmm... not sure
  2. zebulebu (Terabyte Poster)

    That is odd - but I can't see how it would be related to Windoze Updates. It's not unheard of for M$' update servers to get compromised - and Chinese hackers are becoming well-renowned for using zero-day exploits of late (witness the highly-targeted attacks on Google recently) - but not likely.

    Far more likely is that this is coincidence - you're noticing it whilst you're running Windows updates but it's actually happening quite regularly. What happens when you run netstat -ano from the local machine? Make a connection to Windows Update (with all other apps that may be accessing the internet shut down) and see whether you have any established TCP sessions to the outside world. If you do - then you may have a problem. If not, then just make sure your firewall is tight (i.e. not allowing unsolicited connections from ANYWHERE on the Internet unless you're running FTP/SMTP/Web etc - and if you are, put rules in place to limit which internal hosts can be communicated with and look at an application layer firewall to chuck in front of them).

    If you're really curious, chuck a box on the outside of your FW connected via stealth (e.g. no IP config) to the dirty side and hub out to it - then run snort on it and see what that throws up. Can give you detailed instructions on that if you need it - but it'll have to wait until tomorrow as I'm tired.

    EDIT - just grepped through my own logs, I see repeated attempts from Chinese and Indonesian IPs to TCP ports 8000, 8080 and (less frequently) 1080 from a source port of 12000. Botnet - bet you a million quid. Unless it's a zero day exploit probing for a specific weakness on a publicly exposed service you've got nothing to worry about - and on my network at least it's definitely not related in any way to Windows Updates.

    Last edited: May 19, 2010
    Certifications: A few
    WIP: None - f*** 'em
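The check zebulebu describes (look at what the firewall is actually dropping and decide whether it is unsolicited inbound probing, rather than anything tied to the update run) as an added example, not code from the thread: a small Python script over constructed netfilter-style drop lines. Smoothwall writes kernel log lines in the iptables LOG layout, but the "Denied-by-filter" prefix and all addresses here are constructed assumptions.

```python
import re
from collections import defaultdict

# Netfilter LOG-target layout (SRC=, PROTO=, SPT=, DPT=, TCP flags last); Smoothwall
# kernel log lines use it, but the "Denied-by-filter" prefix is an assumption here.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) "
                     r"DPT=(?P<dpt>\d+)(?P<flags>.*)$")

# Constructed sample log using documentation-range addresses, not real captured data.
SAMPLE_LOG = """\
May 18 10:01:02 smoothwall kernel: Denied-by-filter:INPUT IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=12000 DPT=8080 SYN
May 18 10:01:05 smoothwall kernel: Denied-by-filter:INPUT IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=12000 DPT=8000 SYN
May 18 10:01:09 smoothwall kernel: Denied-by-filter:INPUT IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=12000 DPT=1080 SYN
May 18 10:02:00 smoothwall kernel: Denied-by-filter:INPUT IN=ppp0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=UDP SPT=53 DPT=1026
May 18 10:03:11 smoothwall kernel: Denied-by-filter:INPUT IN=ppp0 OUT= SRC=192.0.2.5 DST=198.51.100.2 PROTO=TCP SPT=443 DPT=49152 ACK
"""

PROBE_PORTS = {8000, 8080, 1080}  # the destination ports swept in zebulebu's logs

def parse(log):
    """Yield (src, spt, dpt, unsolicited); a TCP SYN without ACK is a new inbound attempt."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        flags = m.group("flags").split()
        unsolicited = m.group("proto") == "TCP" and "SYN" in flags and "ACK" not in flags
        yield m.group("src"), int(m.group("spt")), int(m.group("dpt")), unsolicited

def classify(log):
    """Map each source to 'port-sweep' (unsolicited SYNs to 2+ PROBE_PORTS from one fixed
    source port, the thread's pattern), 'unsolicited-syn' (other new inbound TCP), or
    'stray' (non-SYN/UDP, e.g. late packets of an expired outbound session)."""
    per_src = defaultdict(lambda: {"spts": set(), "dpts": set(), "syn": 0})
    for src, spt, dpt, unsolicited in parse(log):
        rec = per_src[src]
        rec["spts"].add(spt)
        if unsolicited:
            rec["dpts"].add(dpt)
            rec["syn"] += 1
    verdicts = {}
    for src, rec in per_src.items():
        if rec["syn"] >= 2 and len(rec["spts"]) == 1 and len(rec["dpts"] & PROBE_PORTS) >= 2:
            verdicts[src] = "port-sweep"
        elif rec["syn"]:
            verdicts[src] = "unsolicited-syn"
        else:
            verdicts[src] = "stray"
    return verdicts
```

Sources tagged "port-sweep" are background scanning that hits any new address range; only an established outbound session showing up in netstat -ano during the update would point at the update itself.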
  3. LukeP (Gigabyte Poster)

    I think you're right actually. This probably is a coincidence as I've been seeing the same traffic bouncing off all day long.

    I guess I have nothing to worry about as this is for testing only and there are no services running. Good to know that kind of stuff keeps hitting a brand new IP range, as it shows that you have to keep this in mind right from the start. Especially port 8080 as I've seen it being used occasionally.

    Thanks for the info.

    WIP: Uhmm... not sure