Solved

Why would ipconfig.exe try to access the internet - without me running the command? Is the PC/Router being attacked?

Posted on 2006-11-08
Last Modified: 2013-11-16
Today when I started my PC Norton Internet Security 2005 was not running. I switched off the router immediately. Norton said NIS needed activating - I was suspicious because I had renewed the subscription a couple of weeks ago with no problems and everything has been running fine.

The PC (Standalone - Windows XP Professional) is kept up to date with all the virus and spyware (Norton, Spybot, Adaware, AOL).

I switched the router back on and activated (again!); everything now seems OK. I did a Symantec and Shields Up scan and came out perfect (I am paranoid!). I then checked the Norton firewall log and I had the following from earlier on in the day: -

"An instance of "C:\windows\system32\ipconfig.exe " is preparing to access the internet"

Why would ipconfig run itself? - it wasn't me! Does this indicate someone was trying to access the router config?

PS Just lately I have had a lot of file sharing blocked messages - are these related?

Please put my mind at rest or otherwise!

Lou



0
Question by:Louverril

Expert Comment

by:SunBow
It generally should not, but it is more informative with more options these days. I just checked mine, and all data is what should be local. If you did not do it, do you have anyone else? For minimum packet attempts, my best guess is it is attempting to renew a dhcp lease. How old is yours?
0
 

Expert Comment

by:SunBow
C:\>ipconfig /?

USAGE:
    ipconfig [/? | /all | /renew [adapter] | /release [adapter] |
              /flushdns | /displaydns | /registerdns |
              /showclassid adapter |
              /setclassid adapter [classid] ]

where
    adapter         Connection name
                   (wildcard characters * and ? allowed, see examples)

    Options:
       /?           Display this help message
       /all         Display full configuration information.
       /release     Release the IP address for the specified adapter.
       /renew       Renew the IP address for the specified adapter.
       /flushdns    Purges the DNS Resolver cache.
       /registerdns Refreshes all DHCP leases and re-registers DNS names
       /displaydns  Display the contents of the DNS Resolver Cache.
       /showclassid Displays all the dhcp class IDs allowed for adapter.
       /setclassid  Modifies the dhcp class id.

The default is to display only the IP address, subnet mask and
default gateway for each adapter bound to TCP/IP.

For Release and Renew, if no adapter name is specified, then the IP address
leases for all adapters bound to TCP/IP will be released or renewed.

For Setclassid, if no ClassId is specified, then the ClassId is removed.

Examples:
    > ipconfig                   ... Show information.
    > ipconfig /all              ... Show detailed information
    > ipconfig /renew            ... renew all adapters
    > ipconfig /renew EL*        ... renew any connection that has its
                                     name starting with EL
    > ipconfig /release *Con*    ... release all matching connections,
                                     eg. "Local Area Connection 1" or
                                         "Local Area Connection 2"

C:\>
0
 

Accepted Solution

by:SunBow earned 500 total points
DHCP Ports
http://www.iana.org/assignments/port-numbers
bootps           67/tcp    Bootstrap Protocol Server
bootps           67/udp    Bootstrap Protocol Server
bootpc           68/tcp    Bootstrap Protocol Client
bootpc           68/udp    Bootstrap Protocol Client
0
 

Author Comment

by:Louverril
Thank you Sunbow,

Yes I think it was probably trying to renew a lease - I can't be certain (the PC and router get turned off often twice a day) but I have been switching off the router and the PC and turning them on at the same time. This behaviour could have caused it to ask for a new lease - if the PC got there first??

Best regards, Lou
0
 

Expert Comment

by:SunBow
IpConfig/All

From DOS prompt should give the start time of lease, near the bottom of the list. Leases are often requested by any MS Windows at reboot. DHCP packets, OTOH, are ever few and far between no matter what anyone else says about it - it is negligible traffic. So when you get a lot of 'hits' it should be something else being the cause.
0
 

Author Comment

by:Louverril
Thanks Sunbow,

Tried this and the lease was obtained today when I switched on, and it says it expires 24 hours from then. So it looks like it was Windows requesting a new lease.

Best regards
Lou
0
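The check worked through in the two comments above, written out as an added example (not part of the original thread): it parses `ipconfig /all` output and tests whether a firewall alert time sits next to the "Lease Obtained" time, how long the lease runs, and whether the DHCP server is a local address. The sample output, the alert time passed in, the date layout and the function names are constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample of Windows XP `ipconfig /all` output (not from the thread).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.2
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        Lease Obtained. . . . . . . . . . : 08 November 2006 09:02:11
        Lease Expires . . . . . . . . . . : 09 November 2006 09:02:11
"""

# Assumption: timestamps use this layout; adjust for other regional settings.
TIME_FORMAT = "%d %B %Y %H:%M:%S"
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$")
NEEDED = {"Lease Obtained", "Lease Expires", "DHCP Server"}


def parse_adapters(text):
    """Return {adapter name: {field: value}} from `ipconfig /all` text."""
    adapters, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = adapters.setdefault(line.rstrip()[:-1], {})
        elif current is not None:
            m = FIELD.match(line)
            if m:
                current[m.group(1).strip()] = m.group(2).strip()
    return adapters


def lease_explains_alert(text, alert_time, tolerance=timedelta(minutes=5)):
    """For each DHCP adapter, report whether the alert lines up with a lease request."""
    report = {}
    for name, f in parse_adapters(text).items():
        if f.get("Dhcp Enabled") != "Yes" or not NEEDED <= f.keys():
            continue  # static or incomplete adapter: no lease to compare against
        obtained = datetime.strptime(f["Lease Obtained"], TIME_FORMAT)
        expires = datetime.strptime(f["Lease Expires"], TIME_FORMAT)
        report[name] = {
            "near_alert": abs(obtained - alert_time) <= tolerance,
            "lease_length": expires - obtained,
            "server_is_local": ipaddress.ip_address(f["DHCP Server"]).is_private,
        }
    return report
```

An alert that is not near any lease time, or a DHCP server that is not a local address, means the lease explanation does not cover that log entry.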
 

Expert Comment

by:SunBow
:-))
While you are at it, you might take last look at IpConfig and jot down the other packets needing to get through, in particular to the DNS servers (3), so that you can ensure all have a pathway through the routing filters and any firewalls. If you haven't yet, you might want to ping one just to see how that might get logged.

Ping -a <IpAddress>

- 'should' return the name of the server <IpName>
0
