Solved

How to block a machine from communicating with my machine

Posted on 2014-03-14
307 Views
Last Modified: 2014-04-10
Hi,

Recently I found that some machine has established a connection with my PC.

I know it from netstat...

My machine is Win 7.

Can anyone suggest how to strengthen my security and block the connection with that machine?
Question by:tankergoblin
43 Comments
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39929408
Use Windows Firewall, if you have not already turned it on.

Configure the advanced settings, and block every port that you don't need.

Additionally, use an antivirus firewall to achieve this task.
 
LVL 7

Author Comment

by:tankergoblin
ID: 39929449
OK, but the thing now is it uses ports 80 and 443; if I block them I cannot surf the internet.. any other idea??
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39929508
Hi, there are inbound and outbound options. You use it to block inbound traffic.
 
LVL 7

Author Comment

by:tankergoblin
ID: 39929621
Erm, if I block inbound I still connect to port 80, right...

Port 80 is not hosted by me..
 
LVL 7

Author Comment

by:tankergoblin
ID: 39929655
Sorry, I mean if I block port 80 then how can I communicate with the remote webserver? Please try to block port 80 yourself to see if it is working.
 
LVL 53

Expert Comment

by:McKnife
ID: 39929681
Be precise about the problem. What did netstat tell you, what do you fear the others are doing to your computer?
 
LVL 7

Author Comment

by:tankergoblin
ID: 39929732
I told you already...

Someone established a connection with my PC.. and backdoored my PC... they hacked into my computer and created a blue screen.
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39929853
Hi,

Outbound will block your HTTP (port 80) traffic to others,
while inbound will block others' HTTP traffic to your PC.

So I suggested blocking inbound traffic, not outbound. So you can access any webserver after this configuration.
 
LVL 7

Author Comment

by:tankergoblin
ID: 39929880
OK, will try it and get back to you..
 
LVL 53

Expert Comment

by:McKnife
ID: 39930213
The details, please. If no details are mentioned, I can only assume that your machine is set up with default settings (firewall already on, no open ports). Then, the only way someone could make a connection is by tricking you into opening ports.

Ok, that's surely not what we have here. So let's assume you would like to block access to network shares and block RDP and remote logon. Then, you can use the policy "Deny access to this computer from the network" as shown here: http://technet.microsoft.com/en-us/library/cc758316(v=ws.10).aspx or its counterpart http://technet.microsoft.com/en-us/library/cc740196(v=ws.10).aspx

If that is not enough, you need to configure the firewall according to your needs. But without details, who should tell you how?
 
LVL 7

Author Comment

by:tankergoblin
ID: 39931129
What details do you need?
 
LVL 7

Author Comment

by:tankergoblin
ID: 39931131
Also, I already tried to block inbound port 80 and it doesn't work... I'm not sure why.
 
LVL 7

Author Comment

by:tankergoblin
ID: 39931132
The link you gave me is about user rights, but now the user is remotely accessing my PC ... can your link work in this case?
 
LVL 7

Author Comment

by:tankergoblin
ID: 39931134
Are the steps above useful against a person who backdoors my PC?
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39931138
Hi,

How are you finding that "someone is hacking/using/accessing your PC"?

By default in Windows 7, no one can take more than one session, the one that you are already using.

If someone is still taking RDP, then disable "Remote Desktop Services".
 
LVL 53

Expert Comment

by:McKnife
ID: 39931168
What details? Simply describe in detail what you are seeing.
-please quote the output of netstat and explain what IP the attacker has.
-please explain what ports you have open and why (why is your firewall not blocking everything like it would by default!)?
-please tell us what "backdoor" you are talking about
-please explain who the attacker is

Now for your questions:
-"can your link works in this case?" - yes!
-"is the step above usefull for person who backdoor my pc " - please define "backdooring". Before you clear that up and answer my 4 questions above, I am unable to answer it.
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39931500
Please post the NETSTAT output.
 
LVL 7

Author Comment

by:tankergoblin
ID: 39936661
OK, I already found a way... what I need to do is remove the suspect PID.. now when I run netstat I cannot see the suspect address anymore.. but I'm not sure whether the attacker can still attack me without showing an address in netstat?
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39937815
What is the process you're suspecting?

It's usual to see listening ports and remote addresses in Netstat but it would help if we could see what you're seeing.

Something like this is normal if you have a connection to a website open...

 TCP    192.168.1.1:49475     195.82.3.12:80      ESTABLISHED

This is normal if you have a service on your PC listening for connections...

 TCP    192.168.1.1:139       0.0.0.0:0              LISTENING
 
LVL 7

Author Comment

by:tankergoblin
ID: 39940201
OK, let's say I suspect 195.82.3.12. How can I stop that IP from establishing a connection with my PC?
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39940226
The Windows firewall will let you block anything you want, by IP, direction, port, protocol, etc.

This will explain how to do it better than me... :-)

http://www.ipburger.com/blog/easiest-way-to-block-an-ip-address/
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39940229
What is the port number next to the IP you suspect?
 
LVL 7

Author Comment

by:tankergoblin
ID: 39940242
80
 
LVL 7

Author Comment

by:tankergoblin
ID: 39940247
If I block port 80 with the firewall, how can I access the internet?
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39940272
Hi,

Block port 80, or all ports, for only the 195.82.3.12 IP. Go to the firewall, advanced settings, and create an outbound rule, and block the complete 195.82.3.12 IP. See the screenshot.
 
LVL 7

Author Comment

by:tankergoblin
ID: 39940304
I tried that already; the local IP is blocking LAN network IPs only... the connection is still established.
 
LVL 7

Author Comment

by:tankergoblin
ID: 39940310
Also, if I block port 80 I cannot access the internet at all.
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39940314
If you're seeing that IP address with port 80 next to it you're looking at a connection you have made to a web-server (probably).

What is the real IP you're suspecting?
 
LVL 7

Author Comment

by:tankergoblin
ID: 39940340
Actually, which IP doesn't matter.. what matters is that it is a public IP and uses port 80, and how to make the connection not establish with my PC.
 
LVL 7

Author Comment

by:tankergoblin
ID: 39940342
And actually it is a domain name... a domain name like dummy228, and when I try to ping the IP it does not show anything..
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39940427
It does matter.  If you're seeing something like I posted earlier that isn't something trying to get in - it's your PC connecting to something on the internet.

If you posted the real IP/domain we could tell you what it is and if it's anything to worry about.

This is fine...

TCP    192.168.1.1:49475     195.82.3.12:80      ESTABLISHED

That shows your PC connecting from port 49475 TO a website at 195.82.3.12 on port 80.

If you have this...

TCP    192.168.1.1:80     195.82.3.12:49475      ESTABLISHED

...that shows the connection is most likely the other way round, and that the 195.82.3.12 address is connecting to you on port 80.

You can determine what ports your PC is listening on by checking NETSTAT and looking for any lines that say LISTENING.  If you're looking at a specific ESTABLISHED connection check if the port number has a corresponding LISTENING entry.  If not, you're safe.

So,

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:554            0.0.0.0:0              LISTENING

This shows that I have ports TCP/21,135,445 and 554 open on my PC.

I've also got this...

 TCP    192.168.1.1:52001   192.168.1.150:443     ESTABLISHED

That shows the connection from my PC to a server I have using 192.168.1.150.  I don't have an entry that says something like...

 TCP    192.168.1.1:443   192.168.1.150:52001     ESTABLISHED

...though because my PC isn't a webserver.
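As an added example (not code from the thread or from any of its posters), the direction test described above, whether an ESTABLISHED connection's local port also has a LISTENING entry, applied to constructed `netstat -ano` output, plus the `netsh advfirewall` rules that block one suspect IP in both directions instead of closing port 80 to every host, which is what the earlier firewall suggestions in the thread mean. The addresses, ports and PIDs in the sample are constructed.

```python
import re

# Constructed sample of `netstat -ano` output (not from the original post):
# two LISTENING services plus three ESTABLISHED connections.
SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       804
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.1:49475      195.82.3.12:80         ESTABLISHED     3120
  TCP    192.168.1.1:445        192.168.1.150:52001    ESTABLISHED     4
  TCP    192.168.1.1:52001      192.168.1.150:443      ESTABLISHED     2288
"""

# One row: proto, local addr:port, foreign addr:port, state, optional PID.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)(?:\s+(\d+))?")


def parse_netstat(text):
    """One dict per connection row; the header and UDP '*:*' rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state, pid = m.groups()
        rows.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                     "faddr": faddr, "fport": int(fport), "state": state,
                     "pid": int(pid) if pid else None})
    return rows


def classify(rows):
    """Label each ESTABLISHED row 'inbound' (the peer reached a port this PC is
    LISTENING on) or 'outbound' (this PC opened it from an ephemeral port)."""
    listening = {(r["proto"], r["lport"]) for r in rows if r["state"] == "LISTENING"}
    conns = []
    for r in rows:
        if r["state"] != "ESTABLISHED":
            continue
        direction = "inbound" if (r["proto"], r["lport"]) in listening else "outbound"
        conns.append({"peer": "%s:%d" % (r["faddr"], r["fport"]),
                      "direction": direction, "pid": r["pid"]})
    return conns


def block_rules(ip):
    """netsh commands (run from an elevated prompt) that block one remote IP in
    both directions while leaving port 80 open to every other host."""
    return ['netsh advfirewall firewall add rule name="Block %s %s" dir=%s '
            'action=block remoteip=%s' % (ip, d, d, ip) for d in ("in", "out")]
```

The PID in each classified row is what `tasklist /FI "PID eq <PID>"` takes, so the same parse tells you which process owns the connection.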
 
LVL 7

Author Comment

by:tankergoblin
ID: 39940437
OK, I get:

tcp 10.10.10.2 dummy288:http    ESTABLISHED
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39940729
So that's probably ok.  You have a connection to that server (dummy288) open from your machine.

If you put the hostname/IP address in a browser does it take you to a website?
 
LVL 7

Author Comment

by:tankergoblin
ID: 39942299
No.
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39942471
Ok, so that might still be ok.  Some websites will only respond to a hostname.

It really would be a lot more helpful if you could tell us the IP or hostname of the entry so we could tell you what it might be.
 
LVL 7

Author Comment

by:tankergoblin
ID: 39942509
That is the hostname...

I already told you it is someone hacking me ... and I don't think a firewall can help in this case... because it can create other hostnames; actually it appears as more than one hostname...
 
LVL 7

Author Comment

by:tankergoblin
ID: 39942511
I mean the Win7 firewall cannot help.
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39942687
The firewall can help; it just might be harder than you think.

Use NETSTAT -ao to include the PID in the output.  Note the PID and use the following command to find out which process is creating that connection...

tasklist /FI "PID eq <PID-Number>"

So if the PID is 9834 the command is tasklist /FI "PID eq 9834"

Tell us what the result is please.
 
LVL 7

Author Comment

by:tankergoblin
ID: 39955766
Yes, and I already said that in the thread above...

id= 39936661

OK, I already found a way... what I need to do is remove the suspect PID.. now when I run netstat I cannot see the suspect address anymore.. but I'm not sure whether the attacker can still attack me without showing an address in netstat?

Please provide me a different answer; if not I will close the thread by giving all the points to myself.
 
LVL 7

Author Comment

by:tankergoblin
ID: 39955770
Also, in tasklist you missed a step: you need to enable the PID column under the options menu; if not, you won't see the process ID in the Processes tab..
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39955828
Really, this is not an attack; it's a normal scenario.  The reason I asked you to find the PID again was because it would probably be different to when you originally discovered the suspect app.  One of the things an attacker will try to do is hide his identity and cover his tracks.  Keeping the same process open isn't really the best way to do that, so it's common to launch several processes and often at the same time.

It's easy to kill a task process by using Windows Task Manager - but that's not what you asked.  You asked this...
can anyone suggest me how to strenghten my security and block the connection btw that machine.
We did that by suggesting using the firewall, but you couldn't work it out.  The question should have been closed there and a new one opened which asked how to configure the firewall.

Also, I didn't miss any steps in TASKLIST - I provided the COMMAND LINE syntax, not the GUI instructions.  I suppose that goes towards assuming you didn't even try what I asked you to do.

With all respect, you're not really understanding what's going on here and you're not helping by not posting what I'm asking for.  If I'm going to donate my time to help, please, at least humour me.

If you want to find the actual destination, you'll do what I asked.  When you do that you'll see why I asked you to do it.

I'll explain...

You need to display NETSTAT to find the PID of the process.  When you've done that you can check Task Manager (GUI) or Tasklist (CLI) to see what process is using the PID.  That's not enough though to determine the destination of the traffic (or the source of the attacker if that's what you want to call it).  Now we need to use NETSTAT -no to find the PID again (this time only displaying the IP address).

That will help us determine what the source is.  I think you'll find it's perfectly legitimate, but if you won't provide the info I'm asking for we'll never know.
 
LVL 7

Author Comment

by:tankergoblin
ID: 39980105
Yes, I would like to block the connection, but it doesn't work in this case ...

Let's say if you block port 80, that means you even block my access to the internet.

For me I think it is not a normal scenario, and netstat is a tool for you to see who you are establishing connections with..

Yes, I want to permanently block the suspect person who establishes connections with me...

And I have already provided you the info you need... maybe you have no experience in this, that's why you cannot see the picture... No offence, ok... no one knows everything.. we all learn from mistakes...
 
LVL 45

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 39980170
I am extremely able... I am a senior engineer for one of Cisco's largest Gold Partners in the world.

No offence taken, and none intended towards you but I think you misunderstand what I'm asking and what I'm suggesting.

No one ever said block port 80 completely; just to block port 80 to the specific destination.  We all know that blocking port 80 completely is not an acceptable solution so we've not suggested it.