Solved

Why would ipconfig.exe try to access the internet - without me running the command? Is the PC/Router being attacked?

Posted on 2006-11-08
Last Modified: 2013-11-16
Today when I started my PC Norton Internet Security 2005 was not running. I switched off the router immediately. Norton said NIS needed activating - I was suspicious because I had renewed the subscription a couple of weeks ago with no problems and everything has been running fine.

The PC (Standalone - Windows XP Professional) is kept up to date with all the virus and spyware (Norton, Spybot, Adaware, AOL).

I switched the router back on and activated (again!), everything now seems OK. I did a Symantec and Shields Up scan and came out perfect (I am paranoid!). I then checked the Norton firewall log and I had the following from earlier on in the day: -

"An instance of "C:\windows\system32\ipconfig.exe " is preparing to access the internet"

Why would ipconfig run itself? - it wasn't me! Does this indicate someone was trying to access the router config?

PS Just lately I have had a lot of file sharing blocked messages - are these related?

Please put my mind at rest or otherwise!

Lou



Question by:Louverril

Expert Comment

by:SunBow
ID: 17900661
It generally should not, but it is more informative with more options these days. I just checked mine, and all data is what should be local. If you did not do it, do you have anyone else? For minimum packet attempts, my best guess is it is attempting to renew a dhcp lease. How old is yours?

Expert Comment

by:SunBow
ID: 17900670
C:\>ipconfig /?

USAGE:
    ipconfig [/? | /all | /renew [adapter] | /release [adapter] |
              /flushdns | /displaydns | /registerdns |
              /showclassid adapter |
              /setclassid adapter [classid] ]

where
    adapter         Connection name
                   (wildcard characters * and ? allowed, see examples)

    Options:
       /?           Display this help message
       /all         Display full configuration information.
       /release     Release the IP address for the specified adapter.
       /renew       Renew the IP address for the specified adapter.
       /flushdns    Purges the DNS Resolver cache.
       /registerdns Refreshes all DHCP leases and re-registers DNS names
       /displaydns  Display the contents of the DNS Resolver Cache.
       /showclassid Displays all the dhcp class IDs allowed for adapter.
       /setclassid  Modifies the dhcp class id.

The default is to display only the IP address, subnet mask and
default gateway for each adapter bound to TCP/IP.

For Release and Renew, if no adapter name is specified, then the IP address
leases for all adapters bound to TCP/IP will be released or renewed.

For Setclassid, if no ClassId is specified, then the ClassId is removed.

Examples:
    > ipconfig                   ... Show information.
    > ipconfig /all              ... Show detailed information
    > ipconfig /renew            ... renew all adapters
    > ipconfig /renew EL*        ... renew any connection that has its
                                     name starting with EL
    > ipconfig /release *Con*    ... release all matching connections,
                                     eg. "Local Area Connection 1" or
                                         "Local Area Connection 2"

C:\>

Accepted Solution

by:
SunBow earned 500 total points
ID: 17900765
DHCP Ports
http://www.iana.org/assignments/port-numbers
bootps           67/tcp    Bootstrap Protocol Server
bootps           67/udp    Bootstrap Protocol Server
bootpc           68/tcp    Bootstrap Protocol Client
bootpc           68/udp    Bootstrap Protocol Client

Author Comment

by:Louverril
ID: 17908205
Thank you Sunbow,

Yes, I think it was probably trying to renew a lease - I can't be certain (the PC and router get turned off, often twice a day), but I have been switching off the router and the PC and turning them on at the same time. This behaviour could have caused it to ask for a new lease - if the PC got there first??

Best regards, Lou

Expert Comment

by:SunBow
ID: 17940280
IpConfig/All

From Dos prompt should give the start time of lease, near the bottom of the list. Leases often requested by any MS Windows at reboot. DHCP packets, OTOH are ever few and far between no matter what anyone else says about it - it is negligible traffic. So when you get a lot of 'hits' it should be something else being the cause.
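
The lease check described in the comment above, combined with the DHCP ports from the accepted answer, as an added example that is not part of the original thread: it parses `ipconfig /all` text for lease times and tests whether a firewall event is consistent with a lease request. The sample output, its US-English date format, and the event's time, protocol and port are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `ipconfig /all` output (US-English date format assumed).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.2
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        Lease Obtained. . . . . . . . . . : Wednesday, November 08, 2006 8:02:11 AM
        Lease Expires . . . . . . . . . . : Thursday, November 09, 2006 8:02:11 AM
"""

DHCP_UDP_PORTS = {67, 68}  # bootps / bootpc, as listed in the accepted answer
DATE_FMT = "%A, %B %d, %Y %I:%M:%S %p"
FIELD = re.compile(r"^\s+(Lease Obtained|Lease Expires)[ .]*: (.+?)\s*$")
ADAPTER = re.compile(r"^(\S.*adapter .+):\s*$")


def parse_leases(text):
    """Return {adapter name: {"Lease Obtained": datetime, "Lease Expires": datetime}}."""
    leases, current = {}, None
    for line in text.splitlines():
        m = ADAPTER.match(line)
        if m:
            current = m.group(1)  # unindented "... adapter <name>:" starts a section
            continue
        m = FIELD.match(line)
        if m and current:
            when = datetime.strptime(m.group(2), DATE_FMT)
            leases.setdefault(current, {})[m.group(1)] = when
    return leases


def dhcp_explains(event_time, proto, remote_port, leases, window=timedelta(minutes=2)):
    """Adapters whose lease began within `window` of a firewall event on a DHCP port."""
    if proto.lower() != "udp" or remote_port not in DHCP_UDP_PORTS:
        return []  # not DHCP traffic, so a lease request does not account for it
    return [name for name, info in leases.items()
            if "Lease Obtained" in info
            and abs(info["Lease Obtained"] - event_time) <= window]


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_IPCONFIG)
    # Constructed firewall event: time, protocol and remote port are illustrative.
    event = datetime(2006, 11, 8, 8, 2, 9)
    print(dhcp_explains(event, "udp", 67, leases))
```

An empty result means the logged event does not line up with a lease request and the cause should be looked for elsewhere.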

Author Comment

by:Louverril
ID: 17945846
Thanks Sunbow,

Tried this and the lease was obtained today when I switched on, and it says it expires 24 hours from then. So it looks like it was Windows requesting a new lease.

Best regards
Lou

Expert Comment

by:SunBow
ID: 17948224
:-))
While you are at it, you might take last look at IpConfig and jot down the other packets needing to get through, in particular to the DNS servers (3), so that you can ensure all have a pathway through the routing filters and any firewalls. If you haven't yet, you might want to ping one just to see how that might get logged.

Ping -a <IpAddress>

- 'should' return the name of the server <IpName>
Question has a verified solution.
