Solved

Why would ipconfig.exe try to access the internet - without me running the command? Is the PC/Router being attacked?

Posted on 2006-11-08
243 Views
Last Modified: 2013-11-16
Today when I started my PC Norton Internet Security 2005 was not running. I switched off the router immediately. Norton said NIS needed activating - I was suspicious because I had renewed the subscription a couple of weeks ago with no problems and everything has been running fine.

The PC (Standalone - Windows XP Professional) is kept up to date with all the virus and spyware tools (Norton, Spybot, Ad-Aware, AOL).

I switched the router back on and activated (again!) and everything now seems OK. I did a Symantec and Shields Up scan and it came out perfect (I am paranoid!). I then checked the Norton firewall log and I had the following from earlier on in the day: -

"An instance of "C:\windows\system32\ipconfig.exe " is preparing to access the internet"

Why would ipconfig run itself? - it wasn't me! Does this indicate someone was trying to access the router config?

PS Just lately I have had a lot of "file sharing blocked" messages - are these related?

Please put my mind at rest or otherwise!

Lou



Question by:Louverril
7 Comments
 
LVL 24

Expert Comment

by:SunBow
ID: 17900661
It generally should not, but it is more informative with more options these days. I just checked mine, and all data is what should be local. If you did not do it, do you have anyone else? For minimum packet attempts, my best guess is it is attempting to renew a dhcp lease. How old is yours?
 
LVL 24

Expert Comment

by:SunBow
ID: 17900670
C:\>ipconfig /?

USAGE:
    ipconfig [/? | /all | /renew [adapter] | /release [adapter] |
              /flushdns | /displaydns | /registerdns |
              /showclassid adapter |
              /setclassid adapter [classid] ]

where
    adapter         Connection name
                   (wildcard characters * and ? allowed, see examples)

    Options:
       /?           Display this help message
       /all         Display full configuration information.
       /release     Release the IP address for the specified adapter.
       /renew       Renew the IP address for the specified adapter.
       /flushdns    Purges the DNS Resolver cache.
       /registerdns Refreshes all DHCP leases and re-registers DNS names
       /displaydns  Display the contents of the DNS Resolver Cache.
       /showclassid Displays all the dhcp class IDs allowed for adapter.
       /setclassid  Modifies the dhcp class id.

The default is to display only the IP address, subnet mask and
default gateway for each adapter bound to TCP/IP.

For Release and Renew, if no adapter name is specified, then the IP address
leases for all adapters bound to TCP/IP will be released or renewed.

For Setclassid, if no ClassId is specified, then the ClassId is removed.

Examples:
    > ipconfig                   ... Show information.
    > ipconfig /all              ... Show detailed information
    > ipconfig /renew            ... renew all adapters
    > ipconfig /renew EL*        ... renew any connection that has its
                                     name starting with EL
    > ipconfig /release *Con*    ... release all matching connections,
                                     eg. "Local Area Connection 1" or
                                         "Local Area Connection 2"

C:\>
 
LVL 24

Accepted Solution

by:SunBow (earned 500 total points)
ID: 17900765
DHCP Ports
http://www.iana.org/assignments/port-numbers
bootps           67/tcp    Bootstrap Protocol Server
bootps           67/udp    Bootstrap Protocol Server
bootpc           68/tcp    Bootstrap Protocol Client
bootpc           68/udp    Bootstrap Protocol Client
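The accepted answer's point is that a DHCP lease request from ipconfig.exe is only ordinary if it goes to UDP port 67 from client port 68, towards the broadcast address or the local DHCP server (the IANA bootps/bootpc assignments quoted above); anything else from that process is what a firewall log reviewer should actually look at. The following added example (not from the thread, not Norton's own format or code) triages constructed firewall records with exactly that rule. The record layout, file paths and addresses are all made up for the demonstration; the regular expression would need adapting to a real Norton log.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample records in a generic "timestamp process proto src -> dst" form.
# This is NOT Norton's real log format (the thread only quotes one message text);
# adapt RECORD below to whatever your firewall actually writes.
SAMPLE_LOG = """\
2006-11-08 08:01:12 C:\\windows\\system32\\ipconfig.exe UDP 0.0.0.0:68 -> 255.255.255.255:67
2006-11-08 08:01:13 C:\\windows\\system32\\ipconfig.exe UDP 192.168.1.10:68 -> 192.168.1.1:67
2006-11-08 09:15:40 C:\\windows\\system32\\ipconfig.exe TCP 192.168.1.10:1045 -> 203.0.113.5:80
2006-11-08 09:20:02 C:\\Program Files\\Mail\\mail.exe UDP 192.168.1.10:1046 -> 192.168.1.1:53
"""

RECORD = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proc>.+?) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# IANA assignments quoted in the accepted solution: bootps 67, bootpc 68.
DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def is_local_destination(dst):
    """Limited broadcast or a private (RFC 1918 style) address: the only places a DHCP request should go."""
    addr = ipaddress.ip_address(dst)
    return addr == LIMITED_BROADCAST or addr.is_private


def classify(rec):
    """Label one parsed record: 'dhcp' (expected lease traffic), 'dns', or 'review'."""
    sport, dport = int(rec["sport"]), int(rec["dport"])
    if (rec["proto"] == "UDP" and sport == DHCP_CLIENT_PORT
            and dport == DHCP_SERVER_PORT and is_local_destination(rec["dst"])):
        return "dhcp"
    if dport == 53:
        return "dns"
    return "review"


def triage(log_text):
    """Parse every record and attach a verdict; lines that do not match RECORD are skipped."""
    results = []
    for line in log_text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["verdict"] = classify(rec)
            results.append(rec)
    return results


def needs_review(log_text, process_suffix="ipconfig.exe"):
    """Records from the named process that are NOT ordinary DHCP: these are the ones worth investigating."""
    return [r for r in triage(log_text)
            if r["proc"].lower().endswith(process_suffix) and r["verdict"] != "dhcp"]


def summary(log_text):
    """Count of verdicts over the whole log, for a quick glance."""
    return Counter(r["verdict"] for r in triage(log_text))


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f'{r["ts"]}  {r["verdict"]:6}  {r["proc"]} -> {r["dst"]}:{r["dport"]}/{r["proto"]}')
    print(dict(summary(SAMPLE_LOG)))
```

On the constructed sample, the two port 68 to port 67 broadcasts are accepted as lease traffic, while the third ipconfig.exe record (TCP to a non-local address on port 80) is the one `needs_review` returns, which is the kind of entry that would justify the original question rather than a lease renewal.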

Author Comment

by:Louverril
ID: 17908205
Thank you Sunbow,

Yes, I think it was probably trying to renew a lease - I can't be certain (the PC and router get turned off often twice a day) but I have been switching off the router and the PC and turning them on at the same time; this behaviour could have caused it to ask for a new lease - if the PC got there first??

Best regards, Lou
 
LVL 24

Expert Comment

by:SunBow
ID: 17940280
IpConfig/All

From a DOS prompt should give the start time of the lease, near the bottom of the list. Leases are often requested by any MS Windows at reboot. DHCP packets, OTOH, are very few and far between no matter what anyone else says about it - it is negligible traffic. So when you get a lot of 'hits' it should be something else being the cause.
 

Author Comment

by:Louverril
ID: 17945846
Thanks Sunbow,

Tried this and the lease was obtained today when I switched on and it says it expires 24 hours from then. So it looks like it was Windows requesting a new lease.

Best regards
Lou
 
LVL 24

Expert Comment

by:SunBow
ID: 17948224
:-))
While you are at it, you might take a last look at IpConfig and jot down the other packets needing to get through, in particular to the DNS servers (3), so that you can ensure all have a pathway through the routing filters and any firewalls. If you haven't yet, you might want to ping one just to see how that might get logged.

Ping -a <IpAddress>

- 'should' return the name of the server <IpName>
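Two of SunBow's suggestions above (reading the lease start time out of `ipconfig /all`, and jotting down the DNS servers that must be allowed through the firewall) can be turned into a small check. The added example below is not from the thread: it parses a constructed `ipconfig /all` fragment, works out when the DHCP client would normally renew (RFC 2131 defaults: T1 at 50% and T2 at 87.5% of the lease, so a 24-hour lease renews about 12 hours in), and lists the DHCP and DNS flows a firewall rule set has to permit. The adapter name, addresses and the date wording (`DATE_FORMAT`, which on Windows XP depends on the machine's locale) are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed "ipconfig /all" fragment (NOT the asker's real output). Windows XP
# prints lease dates in the locale's format, so DATE_FORMAT is an assumption.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : LOU-PC
        Node Type . . . . . . . . . . . . : Unknown

Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.53
                                            203.0.113.54
        Lease Obtained. . . . . . . . . . : 08 November 2006 08:01:12
        Lease Expires . . . . . . . . . . : 09 November 2006 08:01:12
"""

DATE_FORMAT = "%d %B %Y %H:%M:%S"   # assumed locale format for the sample above
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z ]*?)[ .]*: ?(.*)$")   # "Key . . . : value"
ADAPTER = re.compile(r"^\S.*adapter (.+):$")                     # "Ethernet adapter X:"


def parse_ipconfig_all(text):
    """Return {adapter_name: {field: value or [values]}} for each adapter section."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        a = ADAPTER.match(line)
        if a:
            current = adapters.setdefault(a.group(1), {})
            last_key = None
            continue
        if current is None:          # host-level lines before the first adapter
            continue
        f = FIELD.match(line)
        if f:
            last_key = f.group(1).strip()
            current[last_key] = f.group(2).strip()
        elif last_key and line.strip():
            # Continuation line: extra DNS/WINS servers are printed without a key.
            prev = current[last_key]
            current[last_key] = (prev if isinstance(prev, list) else [prev]) + [line.strip()]
    return adapters


def lease_schedule(adapter):
    """Lease timings using RFC 2131 defaults: renew (T1) at 50%, rebind (T2) at 87.5%."""
    obtained = datetime.strptime(adapter["Lease Obtained"], DATE_FORMAT)
    expires = datetime.strptime(adapter["Lease Expires"], DATE_FORMAT)
    length = expires - obtained
    return {
        "obtained": obtained,
        "expires": expires,
        "hours": length.total_seconds() / 3600,
        "renew_at": obtained + length * 0.5,
        "rebind_at": obtained + length * 0.875,
    }


def required_flows(adapter):
    """(host, port, proto) tuples the firewall must allow for DHCP renewal and name resolution."""
    flows = {(adapter["DHCP Server"], 67, "udp")}
    dns = adapter.get("DNS Servers", [])
    for server in (dns if isinstance(dns, list) else [dns]):
        flows.add((server, 53, "udp"))
    return flows


if __name__ == "__main__":
    for name, fields in parse_ipconfig_all(SAMPLE_IPCONFIG).items():
        sched = lease_schedule(fields)
        print(f"{name}: {sched['hours']:.0f}h lease, renew at {sched['renew_at']}, "
              f"rebind at {sched['rebind_at']}, expires {sched['expires']}")
        for host, port, proto in sorted(required_flows(fields)):
            print(f"  allow {proto}/{port} to {host}")
```

If the lease start time printed by `ipconfig /all` coincides with the last boot, a logged DHCP request at that moment is the client reclaiming or renewing its address, which matches the explanation the thread arrived at; a request well away from both the boot time and the computed T1/T2 points is the case worth a second look.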