  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 342
  • Last Modified:

How to block a machine from communicating with my machine

Hi,

Recently I found some machine has established a connection with my PC.

I know it from netstat...

My machine is Win 7.

Can anyone suggest how to strengthen my security and block the connection with that machine?
0
Asked by: tankergoblin
1 Solution
 
Santosh Gupta Commented:
Use Windows Firewall, if you have not already turned it on.

Configure the advanced settings, and block every port that you don't need.

Additionally, use an antivirus firewall to achieve this task.
0
 
tankergoblin (Author) Commented:
OK, but the thing now is it uses ports 80 and 443, which if I block I cannot surf the internet.. any other idea??
0
 
Santosh Gupta Commented:
Hi, there are inbound and outbound options present. Use it to block inbound traffic.
[screenshot: Inbound]
0
 
tankergoblin (Author) Commented:
Erm, if I block inbound I can still connect to port 80, right...

Port 80 is not hosted by me..
0
 
tankergoblin (Author) Commented:
Sorry, I mean if I block port 80 then how can I communicate with a remote webserver? Please try to block port 80 yourself to see if it is working.
0
 
McKnife Commented:
Be precise about the problem. What did netstat tell you, what do you fear the others are doing to your computer?
0
 
tankergoblin (Author) Commented:
I told you already...

Someone established a connection with my PC.. and backdoored my PC... they hacked into my computer and created a blue screen.
0
 
Santosh Gupta Commented:
Hi,

Outbound will block your HTTP (port 80) traffic to others,
while inbound will block others' HTTP traffic to your PC.

So I suggested blocking inbound traffic, not outbound, so you can access any webserver after this configuration.
0
 
tankergoblin (Author) Commented:
OK, will try it and get back to you..
0
 
McKnife Commented:
The details, please. If no details are mentioned, I can only assume that your machine is set up with default settings (firewall already on, no open ports). Then, the only way someone could make a connection is by tricking you into opening ports.

Ok, that's surely not what we have here. So let's assume you would like to block access to network shares and block RDP and remote logon. Then, you can use the policy "Deny access to this computer from the network" as shown here: http://technet.microsoft.com/en-us/library/cc758316(v=ws.10).aspx or its counterpart http://technet.microsoft.com/en-us/library/cc740196(v=ws.10).aspx

If that is not enough, you need to configure the firewall according to your needs. But without details, who should tell you how?
0
 
tankergoblin (Author) Commented:
What details do you need?
0
 
tankergoblin (Author) Commented:
Also, I tried to block inbound port 80 already and it doesn't work... I'm not sure why.
0
 
tankergoblin (Author) Commented:
The link you gave me is about user rights, but now the user is remotely accessing my PC... can your link work in this case?
0
 
tankergoblin (Author) Commented:
Is the step above useful against a person who backdoored my PC?
0
 
Santosh Gupta Commented:
Hi,

How are you finding that "someone is hacking/using/accessing your PC"?

By default in Windows 7, no one can take more than one session, the one that you are already using.

If someone is still taking RDP then disable "Remote Desktop Services".
0
 
McKnife Commented:
What details? Simply describe in detail what you are seeing.
-please quote the output of netstat and explain what IP the attacker has.
-please explain what ports you have open and why (why is your firewall not blocking everything like it would by default!)?
-please tell us what "backdoor" you are talking about
-please explain who the attacker is

Now for your questions:
-"can your link work in this case?" - yes!
-"is the step above useful against a person who backdoored my PC?" - please define "backdooring". Before you clear that up and answer my 4 questions above, I am unable to answer it.
0
 
Craig Beck Commented:
Please post the NETSTAT output.
0
 
tankergoblin (Author) Commented:
OK, I found a way already... what I need to do is remove the suspect PID.. now when I netstat I cannot see the suspect address already.. but not sure whether the attacker can still attack me without showing an address in netstat?
0
 
Craig Beck Commented:
What is the process you're suspecting?

It's usual to see listening ports and remote addresses in Netstat but it would help if we could see what you're seeing.

Something like this is normal if you have a connection to a website open...

 TCP    192.168.1.1:49475     195.82.3.12:80      ESTABLISHED

This is normal if you have a service on your PC listening for connections...

 TCP    192.168.1.1:139       0.0.0.0:0              LISTENING
0
 
tankergoblin (Author) Commented:
OK, let's say I suspect 195.82.3.12. How can I stop that IP establishing a connection with my PC?
0
 
Craig Beck Commented:
The Windows firewall will let you block anything you want, by IP, direction, port, protocol, etc.

This will explain how to do it better than me... :-)

http://www.ipburger.com/blog/easiest-way-to-block-an-ip-address/
0
 
Craig Beck Commented:
What is the port number next to the IP you suspect?
0
 
tankergoblin (Author) Commented:
80
0
 
tankergoblin (Author) Commented:
If I block port 80 with the firewall, how can I access the internet?
0
 
Santosh Gupta Commented:
Hi,

Block port 80 or all ports for only the 195.82.3.12 IP. Go to Firewall, Advanced Settings and create an outbound rule, and block the complete 195.82.3.12 IP. See the screenshot of the block rule.
[screenshot: firewall]
0
 
tankergoblin (Author) Commented:
I tried that already; the local IP is blocking LAN network IPs only... the connection is still established.
0
 
tankergoblin (Author) Commented:
Also, if I block port 80 I cannot access the internet at all.
0
 
Craig Beck Commented:
If you're seeing that IP address with port 80 next to it you're looking at a connection you have made to a web-server (probably).

What is the real IP you're suspecting?
0
 
tankergoblin (Author) Commented:
Actually, which IP doesn't matter.. what matters is that it is a public IP and uses port 80, and how to make the connection not establish with my PC.
0
 
tankergoblin (Author) Commented:
And actually it is a domain name... a domain name like dummy228, and when I try to ping the IP it does not show anything..
0
 
Craig Beck Commented:
It does matter.  If you're seeing something like I posted earlier that isn't something trying to get in - it's your PC connecting to something on the internet.

If you posted the real IP/domain we could tell you what it is and if it's anything to worry about.

This is fine...

TCP    192.168.1.1:49475     195.82.3.12:80      ESTABLISHED

That shows your PC connecting from port 49475 TO a website at 195.82.3.12 on port 80.

If you have this...

TCP    192.168.1.1:80     195.82.3.12:49475      ESTABLISHED

...that shows the connection is most likely the other way round, and that the 195.82.3.12 address is connecting to you on port 80.

You can determine what ports your PC is listening on by checking NETSTAT and looking for any lines that say LISTENING.  If you're looking at a specific ESTABLISHED connection check if the port number has a corresponding LISTENING entry.  If not, you're safe.

So,

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:554            0.0.0.0:0              LISTENING


This shows that I have ports TCP/21,135,445 and 554 open on my PC.

I've also got this...

 TCP    192.168.1.1:52001   192.168.1.150:443     ESTABLISHED


That shows the connection from my PC to a server I have using 192.168.1.150.  I don't have an entry that says something like...

 TCP    192.168.1.1:443   192.168.1.150:52001     ESTABLISHED


...though because my PC isn't a webserver.
0
 
tankergoblin (Author) Commented:
OK, I get

tcp 10.10.10.2 dummy288:http    ESTABLISHED
0
 
Craig Beck Commented:
So that's probably ok.  You have a connection to that server (dummy288) open from your machine.

If you put the hostname/IP address in a browser does it take you to a website?
0
 
tankergoblin (Author) Commented:
No.
0
 
Craig Beck Commented:
Ok, so that might still be ok.  Some websites will only respond to a hostname.

It really would be a lot more helpful if you could tell us the IP or hostname of the entry so we could tell you what it might be.
0
 
tankergoblin (Author) Commented:
That is the hostname...

I told you already it is someone hacking me... and I don't think the firewall can help in this case... because it can create other hostnames; actually it appears as more than one hostname...
0
 
tankergoblin (Author) Commented:
I mean the Win7 firewall cannot help.
0
 
Craig Beck Commented:
The firewall can help; it just might be harder than you think.

Use NETSTAT -ao to include the PID in the output.  Note the PID and use the following command to find out which process is creating that connection...

tasklist /FI "PID eq <PID-Number>"


So if the PID is 9834 the command is tasklist /FI "PID eq 9834"

Tell us what the result is please.
0
 
tankergoblin (Author) Commented:
Yes, and I already said that in the above thread...

id= 39936661

OK, I found a way already... what I need to do is remove the suspect PID.. now when I netstat I cannot see the suspect address already.. but not sure whether the attacker can still attack me without showing an address in netstat?

Please provide me a different answer; if not I will close the thread by giving all the points to myself.
0
 
tankergoblin (Author) Commented:
Also, in tasklist you missed a step: you need to enable the PID column under the options menu; if not you won't see the process ID in the Processes tab..
0
 
Craig Beck Commented:
Really, this is not an attack; it's a normal scenario.  The reason I asked you to find the PID again was because it would probably be different to when you originally discovered the suspect app.  One of the things an attacker will try to do is hide his identity and cover his tracks.  Keeping the same process open isn't really the best way to do that, so it's common to launch several processes and often at the same time.

It's easy to kill a task process by using Windows Task Manager - but that's not what you asked.  You asked this...
"Can anyone suggest how to strengthen my security and block the connection with that machine?"
We did that by suggesting using the firewall, but you couldn't work it out.  The question should have been closed there and a new one opened which asked how to configure the firewall.

Also, I didn't miss any steps in TASKLIST - I provided the COMMAND LINE syntax, not the GUI instructions.  I suppose that goes towards assuming you didn't even try what I asked you to do.

With all respect, you're not really understanding what's going on here and you're not helping by not posting what I'm asking for.  If I'm going to donate my time to help, please, at least humour me.

If you want to find the actual destination, you'll do what I asked.  When you do that you'll see why I asked you to do it.

I'll explain...

You need to display NETSTAT to find the PID of the process.  When you've done that you can check Task Manager (GUI) or Tasklist (CLI) to see what process is using the PID.  That's not enough though to determine the destination of the traffic (or the source of the attacker, if that's what you want to call it).  Now we need to use NETSTAT -no to find the PID again (this time only displaying the IP address).

That will help us determine what the source is.  I think you'll find it's perfectly legitimate, but if you won't provide the info I'm asking for we'll never know.
0
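As an added example (not code from the thread or its participants), here is a small Python parser that applies Craig Beck's two rules from the posts above: an ESTABLISHED connection whose local port also appears as LISTENING was opened by the remote side, and the PID column of `netstat -ano` is what you hand to `tasklist /FI "PID eq <PID>"`. The netstat sample inside it is constructed; the addresses reuse the thread's illustrative values.

```python
# Constructed sample of `netstat -ano` output (not from the thread's author); the
# 192.168.1.x / 195.82.3.12 addresses mirror the illustrative values in the thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.1:49475      195.82.3.12:80         ESTABLISHED     2012
  TCP    192.168.1.1:445        192.168.1.150:52001    ESTABLISHED     4
  TCP    192.168.1.1:52001      192.168.1.150:443      ESTABLISHED     3300
  TCP    [::]:135               [::]:0                 LISTENING       700
  UDP    0.0.0.0:5355           *:*                                    1084
"""

def parse_netstat(text):
    """Parse TCP rows into dicts; the header, blank lines and UDP rows are skipped.
    Works with or without the PID column (netstat -an vs netstat -ano)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue
        lip, lport = parts[1].rsplit(":", 1)   # rsplit keeps IPv6 "[::]" intact
        fip, fport = parts[2].rsplit(":", 1)
        rows.append({"local_ip": lip, "local_port": int(lport),
                     "foreign_ip": fip, "foreign_port": int(fport),
                     "state": parts[3],
                     "pid": int(parts[4]) if len(parts) > 4 else None})
    return rows

def classify(rows):
    """Apply the rule from the thread: an ESTABLISHED connection whose local port
    also has a LISTENING entry was opened by the peer (inbound); otherwise this
    PC opened it (outbound). Returns (direction, peer_ip, peer_port, pid)."""
    listening = {r["local_port"] for r in rows if r["state"] == "LISTENING"}
    return [("inbound" if r["local_port"] in listening else "outbound",
             r["foreign_ip"], r["foreign_port"], r["pid"])
            for r in rows if r["state"] == "ESTABLISHED"]

def pids_talking_to(rows, peer_ip):
    """PIDs with an ESTABLISHED connection to peer_ip; feed each to
    tasklist /FI "PID eq <pid>" to see which process owns it."""
    return sorted({r["pid"] for r in rows
                   if r["state"] == "ESTABLISHED" and r["foreign_ip"] == peer_ip})

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for direction, ip, port, pid in classify(rows):
        print(f"{direction:8s} {ip}:{port}  pid={pid}")
    print("processes talking to 195.82.3.12:", pids_talking_to(rows, "195.82.3.12"))
```

On a real machine, replace SAMPLE_NETSTAT with the saved output of `netstat -ano`; an "inbound" line whose PID is not a service you recognise is the one worth investigating, while an "outbound" line to port 80 or 443 is usually your own browser or updater.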
 
tankergoblin (Author) Commented:
Yes, I would like to block the connection but it doesn't work in this case...

Let's say if you block port 80, that means you even block my access to the internet.

For me I think it is not a normal scenario, and netstat is a tool for you to see who you have established a connection with..

Yes, I want to permanently block the suspect person who established a connection with me...

And I have already provided you the info you need... maybe you have no experience in this, that's why you cannot see the picture... No offence, OK... no one knows everything.. we all learn from mistakes...
0
 
Craig Beck Commented:
I am extremely able... I am a senior engineer for one of Cisco's largest Gold Partners in the world.

No offence taken, and none intended towards you but I think you misunderstand what I'm asking and what I'm suggesting.

No one ever said block port 80 completely; just to block port 80 to the specific destination.  We all know that blocking port 80 completely is not an acceptable solution so we've not suggested it.
0
