wbenton - Firewall alerts

#1 wbenton

wbenton

    Newbie

  • Members
  • 2 posts

Posted 14 January 2012 - 08:37 AM

For over a week now, my firewall has been giving off the following errors:

01/14/2012 11:07:20.848 - Alert - Security Services - Gateway Anti-Virus
Alert: Suspicious#RLPack (Worm) blocked - 68.232.45.119, 80, WAN -
172.16.31.4, 1040, WLAN -
01/14/2012 11:07:57.640 - Alert - Security Services - Gateway Anti-Virus
Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1196, WLAN -
68.232.45.119, 80, WAN -
01/14/2012 11:11:43.112 - Alert - Security Services - Gateway Anti-Virus
Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1088, WLAN -
68.232.45.119, 80, WAN -
01/14/2012 11:11:51.448 - Alert - Security Services - Gateway Anti-Virus
Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1091, WLAN -
68.232.45.119, 80, WAN -
01/14/2012 11:12:01.304 - Alert - Security Services - Gateway Anti-Virus
Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1094, WLAN -
68.232.45.119, 80, WAN -
01/14/2012 11:12:15.240 - Alert - Security Services - Gateway Anti-Virus
Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1096, WLAN -
68.232.45.119, 80, WAN -
01/14/2012 11:12:32.784 - Alert - Security Services - Gateway Anti-Virus
Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1098, WLAN -
68.232.45.119, 80, WAN -
01/14/2012 11:13:24.656 - Alert - Intrusion Prevention - Possible port
scan detected - 68.232.45.119, 80, WAN - xxx.xxx.xxx.xxx, 28799, WAN -
TCP scanned port list, 28804, 28811, 28807, 28681, 28794
01/14/2012 11:15:42.384 - Alert - Security Services - Gateway Anti-Virus
Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1028, WLAN -
68.232.45.119, 80, WAN -
01/14/2012 11:16:00.864 - Alert - Security Services - Gateway Anti-Virus
Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1030, WLAN -
68.232.45.119, 80, WAN -
01/14/2012 11:18:24.384 - Alert - Security Services - Gateway Anti-Virus
Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1095, WLAN -
68.232.45.119, 80, WAN -
01/14/2012 11:19:15.320 - Alert - Security Services - Gateway Anti-Virus
Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1097, WLAN -
68.232.45.119, 80, WAN -
01/14/2012 11:19:34.720 - Alert - Security Services - Gateway Anti-Virus
Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1099, WLAN -
68.232.45.119, 80, WAN -
01/14/2012 11:20:05.064 - Alert - Security Services - Gateway Anti-Virus
Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1101, WLAN -
68.232.45.119, 80, WAN -
01/14/2012 11:21:27.880 - Alert - Security Services - Gateway Anti-Virus
Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1105, WLAN -
68.232.45.119, 80, WAN -
01/14/2012 11:21:33.880 - Alert - Intrusion Prevention - Possible port
scan detected - 68.232.45.119, 80, WAN - xxx.xxx.xxx.xxx, 29064, WAN -
TCP scanned port list, 29083, 29088, 29075, 28839, 28843
01/14/2012 11:24:46.208 - Alert - Security Services - Gateway Anti-Virus
Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1028, WLAN -
68.232.45.119, 80, WAN -
01/14/2012 11:25:01.896 - Alert - Security Services - Gateway Anti-Virus
Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1030, WLAN -
68.232.45.119, 80, WAN -
01/14/2012 11:25:15.576 - Alert - Security Services - Gateway Anti-Virus
Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1033, WLAN -
68.232.45.119, 80, WAN -
01/14/2012 11:25:35.192 - Alert - Security Services - Gateway Anti-Virus
Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1035, WLAN -
68.232.45.119, 80, WAN -
01/14/2012 11:25:52.448 - Alert - Security Services - Gateway Anti-Virus
Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1037, WLAN -
68.232.45.119, 80, WAN -
01/14/2012 11:26:05.864 - Alert - Security Services - Gateway Anti-Virus
Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1039, WLAN -
68.232.45.119, 80, WAN -
01/14/2012 11:26:15.608 - Alert - Security Services - Gateway Anti-Virus
Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1041, WLAN -
68.232.45.119, 80, WAN -
01/14/2012 11:26:35.176 - Alert - Intrusion Prevention - Possible port
scan detected - 68.232.45.119, 80, WAN - xxx.xxx.xxx.xxx, 29139, WAN -
TCP scanned port list, 29148, 29144, 29188, 29135, 29192
01/14/2012 11:27:08.880 - Alert - Security Services - Gateway Anti-Virus
Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1046, WLAN -
68.232.45.119, 80, WAN -
01/14/2012 11:28:24.624 - Alert - Intrusion Prevention - Possible port
scan detected - 68.232.45.119, 80, WAN - xxx.xxx.xxx.xxx, 29144, WAN -
TCP scanned port list, 29192, 29195, 29209, 29135, 29139
01/14/2012 11:32:55.624 - Alert - Security Services - Gateway Anti-Virus
Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1028, WLAN -
68.232.45.119, 80, WAN -
01/14/2012 11:33:08.128 - Alert - Security Services - Gateway Anti-Virus
Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1030, WLAN -
68.232.45.119, 80, WAN -
01/14/2012 11:38:32.384 - Alert - Security Services - Gateway Anti-Virus
Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1189, WLAN -
68.232.45.119, 80, WAN -
01/14/2012 11:55:37.880 - Alert - Security Services - Gateway Anti-Virus
Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1381, WLAN -
68.232.45.119, 80, WAN -

Notice the repetitive "Suspicious#RLPack (Worm) blocked" activity as
well as the numerous port scans discovered in between.

Also note that this happens while trying to download the AdAware latest signature file updates.

Shortly after the firewall gives off this message, the AdAware update abruptly terminates with no error whatsoever.

172.16.31.4 is the address of the PC and the xxx.xxx.xxx.xxx is the edited out global IP address of my firewall!

Something's fishy.

Are you sure your sig files are not corrupt with a worm?

And why does your update go to 68.232.45.119? I cannot currently find anything about this IP.

FWIW

#2 CeciliaB

CeciliaB

    Volunteer

  • Moderator
  • 7238 posts

Posted 15 January 2012 - 01:24 AM

Hi wbenton,

68.232.45.119 belongs to EdgeCast Networks according to http://www.dnsstuff....p=68.232.45.119 and other companies use EdgeCast Networks for delivering files, see http://en.wikipedia....geCast_Networks . I have not confirmed it with Lavasoft but I guess that Lavasoft has started to use them for hosting update servers or something similar.

RLPack is a packing program/method used by both good programs and malicious programs, see http://answers.micro...33-03d18ea5c338 and http://www.woodmann....ndex.php/RLPack . Of course, signature files don't contain any worms. It is a false alarm of your firewall.

When the update program notices that its communication is stopped, it tries with other ports and therefore the firewall believes it is a port scan that takes place.

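An added triage example (not code from the thread, from Lavasoft or from the firewall vendor): it parses entries in the format of wbenton's log and checks whether every blocked connection targets the same server on port 80 and whether each "port scan" is that same server replying to the firewall's ephemeral ports, which is the retry behaviour described above. The sample entries, the 192.0.2.10 host in the test and the verdict labels are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as wbenton's log, one entry per string (the post wraps each entry).
SAMPLE_LOG = [
    "01/14/2012 11:07:20.848 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 68.232.45.119, 80, WAN - 172.16.31.4, 1040, WLAN -",
    "01/14/2012 11:07:57.640 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1196, WLAN - 68.232.45.119, 80, WAN -",
    "01/14/2012 11:11:43.112 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1088, WLAN - 68.232.45.119, 80, WAN -",
    "01/14/2012 11:13:24.656 - Alert - Intrusion Prevention - Possible port scan detected - 68.232.45.119, 80, WAN - xxx.xxx.xxx.xxx, 28799, WAN - TCP scanned port list, 28804, 28811, 28807, 28681, 28794",
]

ENDPOINT = r"(?P<{p}_ip>[\d.x]+), (?P<{p}_port>\d+), (?P<{p}_zone>\w+)"
GAV_RE = re.compile(r"^(?P<ts>\S+ \S+) - Alert - Security Services - Gateway Anti-Virus Alert: "
                    r"(?P<sig>\S+) \(\w+\) blocked - " + ENDPOINT.format(p="a") + " - " + ENDPOINT.format(p="b") + " -$")
SCAN_RE = re.compile(r"^(?P<ts>\S+ \S+) - Alert - Intrusion Prevention - Possible port scan detected - "
                     + ENDPOINT.format(p="a") + " - " + ENDPOINT.format(p="b") + r" - TCP scanned port list, (?P<ports>[\d, ]+)$")

def parse(lines):
    """Split log entries into anti-virus blocks and port-scan alerts, normalising endpoint order."""
    blocks, scans = [], []
    for line in lines:
        m = GAV_RE.match(line)
        if m:
            d = m.groupdict()
            # The log prints the two endpoints in either order; treat the WAN-zone side as the remote server.
            a, b = (d["a_ip"], int(d["a_port"])), (d["b_ip"], int(d["b_port"]))
            remote, local = (a, b) if d["a_zone"] == "WAN" else (b, a)
            blocks.append({"ts": d["ts"], "sig": d["sig"], "remote": remote, "local": local})
            continue
        m = SCAN_RE.match(line)
        if m:
            d = m.groupdict()
            scans.append({"ts": d["ts"], "scanner": (d["a_ip"], int(d["a_port"])), "ports": [int(p) for p in d["ports"].split(",")]})
    return blocks, scans

def triage(lines):
    """Decide whether the alerts look like one blocked download being retried or need a closer look."""
    blocks, scans = parse(lines)
    client_ports = defaultdict(set)          # remote (ip, port) -> ephemeral client ports that tried it
    for b in blocks:
        client_ports[b["remote"]].add(b["local"][1])
    # A "scan" sourced from the very server:80 the client kept connecting to, aimed only at high
    # (NATed ephemeral) ports on the firewall, is the server's replies to retries, not a probe.
    scans_from_same_server = all(s["scanner"] in client_ports for s in scans)
    ephemeral_only = all(p > 1023 for s in scans for p in s["ports"])
    retry_pattern = len(client_ports) == 1 and scans_from_same_server and ephemeral_only
    return {
        "remote_endpoints": {f"{ip}:{port}": sorted(ps) for (ip, port), ps in client_ports.items()},
        "scans_from_same_server": scans_from_same_server,
        "verdict": "blocked download retried to one server" if retry_pattern else "needs investigation",
    }
```

Run `triage(SAMPLE_LOG)` on the quoted entries and the report shows a single remote endpoint, 68.232.45.119:80, with varying client ports; a second remote endpoint or a scan from an unrelated host flips the verdict.
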
#3 wbenton

wbenton

    Newbie

  • Members
  • 2 posts

Posted 15 January 2012 - 05:37 AM

Hi wbenton,

68.232.45.119 belongs to EdgeCast Networks according to http://www.dnsstuff....p=68.232.45.119 and other companies use EdgeCast Networks for delivering files, see http://en.wikipedia....geCast_Networks . I have not confirmed it with Lavasoft but I guess that Lavasoft has started to use them for hosting update servers or something similar.

RLPack is a packing program/method used by both good programs and malicious programs, see http://answers.micro...33-03d18ea5c338 and http://www.woodmann....ndex.php/RLPack . Of course, signature files don't contain any worms. It is a false alarm of your firewall.

When the update program notices that its communication is stopped, it tries with other ports and therefore the firewall believes it is a port scan that takes place.


In other words, the packaged file turns up as a false positive, but it seems to be turning up as a false positive on numerous systems, not only my firewall.

Thus my recommendation is to re-package it again such that its packaged contents turn up as other than a false positive.

It may or may not be a false positive, I don't know for sure, but several systems are turning it up as a false positive.

Thus re-packaging it so that it doesn't turn up as a false positive seems to be the quickest way rather than wait for all the other security systems to modify their sigs!

#4 CeciliaB

CeciliaB

    Volunteer

  • Moderator
  • 7238 posts

Posted 15 January 2012 - 11:15 AM


In other words, the packaged file turns up as a false positive, but it seems to be turning up as a false positive on numerous systems, not only my firewall.

Thus my recommendation is to re-package it again such that its packaged contents turn up as other than a false positive.

It may or may not be a false positive, I don't know for sure, but several systems are turning it up as a false positive.

Thus re-packaging it so that it doesn't turn up as a false positive seems to be the quickest way rather than wait for all the other security systems to modify their sigs!

I will inform my contact person at Lavasoft tomorrow, when he is back in the office.

I will also separate your posts and my answers to them into a separate topic since it is a different issue from the general update problem during the beginning of January.

#5 CeciliaB

CeciliaB

    Volunteer

  • Moderator
  • 7238 posts

Posted 15 January 2012 - 11:19 AM

Above posts have been moved from the topic: http://www.lavasofts...post__p__132186
