PlusNet anti-virus warning

N/A

PlusNet anti-virus warning

A couple of times earlier I got a worm virus warning page from PlusNet in place of the URL I requested. It said I likely had a worm virus and gave advice to get a Trend Micro tool.

It's scanning away at the moment but nothing so far. I do keep my PC very up to date with Windows Update and am careful, I'm also behind my NetGear router firewall.

It is very cool PN can pickup on this but is there any chance it's a false alarm (I'm browsing no problem since)?

Rich
24 REPLIES
N/A

PlusNet anti-virus warning

I am unsure when the tool was officially introduced, though it was projected for last Thursday.

The idea is that if they detect you are sending any data outbound with a destination port of 135, then they treat it as a virus infection.

For the next 60 seconds, any attempts to browse websites automatically redirect you to the page you saw. After the 60 seconds, you are able to browse as normal, with the exception that you can't send outbound ICMP packets.

There are very few things that can be sending to a destination port of 135. Are you using any specialist software on your system at all?
N/A

PlusNet anti-virus warning

I use a Symantec VPN client for work but nothing much else unusual.

I'll be annoyed if I have something as I'm careful to stay up to date and thought my Netgear router did a good job of keeping me safe!
N/A

PlusNet anti-virus warning

Is there any function on your router to specifically block outbound packets with a destination port of 135?

If so, use it.
N/A

PlusNet anti-virus warning

I can stop certain ports. 135 is not in the list of options but I can add a custom one. Is 135 a TCP, UDP or TCP/UDP port? Also is it just 135 or a range?

Virus scan just finished and found nothing. There are some odd entries in the router log below, particularly the telnet and FTP ones (I have used neither recently).

Thanks



Tue, 2003-12-16 18:18:47 - UDP packet dropped - Source:62.202.157.138
,1027 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 18:23:57 - TCP packet dropped - Source:61.151.252.197
,80[HTTP] WAN - Destination:212.159.69.161,20128 LAN - [Inbound Default rule match]
Tue, 2003-12-16 18:28:29 - UDP packet dropped - Source:24.33.226.121
,1034 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 18:30:16 - UDP packet dropped - Source:81.248.101.36
,1039 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 18:33:06 - UDP packet dropped - Source:200.171.42.248
,1036 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 18:38:08 - UDP packet dropped - Source:62.3.117.1
,500 WAN - Destination:212.159.69.161,500 LAN - [Inbound Default rule match]
Tue, 2003-12-16 18:39:56 - UDP packet dropped - Source:64.229.129.12
,1026 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 18:41:59 - UDP packet dropped - Source:64.172.106.133
,1030 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 18:42:34 - UDP packet dropped - Source:200.64.221.221
,1025 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 18:45:59 - UDP packet dropped - Source:80.50.152.238
,1165 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 18:50:56 - TCP packet dropped - Source:24.129.197.154
,32782 WAN - Destination:212.159.69.161,17300 LAN - [Inbound Default rule match]
Tue, 2003-12-16 18:53:58 - UDP packet dropped - Source:62.43.37.88
,1033 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 18:57:41 - UDP packet dropped - Source:199.2.113.220
,13557 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 18:59:28 - UDP packet dropped - Source:148.243.192.254
,5571 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 19:04:15 - UDP packet dropped - Source:24.28.12.6
,1032 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 19:07:16 - UDP packet dropped - Source:80.213.245.252
,1034 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 19:12:20 - UDP packet dropped - Source:24.73.143.245
,1028 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 19:13:12 - UDP packet dropped - Source:200.89.173.103
,1026 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 19:15:45 - UDP packet dropped - Source:219.233.17.7
,1031 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 19:27:28 - UDP packet dropped - Source:66.157.100.36
,50825 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 19:30:28 - UDP packet dropped - Source:200.141.82.121
,61666 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 19:30:30 - UDP packet dropped - Source:80.180.43.160
,1028 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 19:33:06 - UDP packet dropped - Source:81.53.106.185
,1025 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 19:45:30 - UDP packet dropped - Source:66.105.107.189
,1035 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 19:46:04 - UDP packet dropped - Source:217.136.175.230
,1026 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 19:56:55 - UDP packet dropped - Source:217.127.70.185
,11289 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 20:01:29 - UDP packet dropped - Source:200.151.141.125
,1025 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 20:02:46 - UDP packet dropped - Source:63.105.135.201
,1034 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 20:11:17 - UDP packet dropped - Source:216.123.177.10
,1039 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 20:23:04 - UDP packet dropped - Source:195.223.225.178
,1031 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 20:24:40 - UDP packet dropped - Source:141.153.169.3
,1029 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 20:32:39 - UDP packet dropped - Source:200.253.119.130
,62833 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 20:33:26 - UDP packet dropped - Source:200.68.91.17
,1031 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 20:34:46 - TCP packet dropped - Source:69.19.200.48
,5625 WAN - Destination:212.159.69.161,1080 LAN - [Inbound Default rule match]
Tue, 2003-12-16 20:41:00 - TCP packet dropped - Source:213.8.185.70
,3548 WAN - Destination:212.159.69.161,139 LAN - [Inbound Default rule match]
Tue, 2003-12-16 20:46:16 - UDP packet dropped - Source:200.155.73.56
,1029 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 20:59:11 - UDP packet dropped - Source:142.59.222.41
,1027 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 21:14:39 - UDP packet dropped - Source:80.34.119.218
,61651 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 21:21:52 - UDP packet dropped - Source:212.98.247.77
,19003 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 21:30:04 - TCP packet dropped - Source:211.137.255.10
,3185 WAN - Destination:212.159.69.161,1433 LAN - [Inbound Default rule match]
Tue, 2003-12-16 21:34:13 - UDP packet dropped - Source:200.64.96.208
,1041 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 21:41:14 - UDP packet dropped - Source:148.246.73.79
,1027 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 21:52:29 - UDP packet dropped - Source:151.197.194.21
,1030 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 21:56:58 - UDP packet dropped - Source:65.70.166.4
,1027 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 22:09:03 - UDP packet dropped - Source:203.74.232.61
,1027 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 22:13:18 - UDP packet dropped - Source:80.128.57.244
,64992 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 22:14:08 - UDP packet dropped - Source:63.224.10.162
,1027 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 22:14:15 - UDP packet dropped - Source:4.65.151.72
,1029 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 22:18:33 - UDP packet dropped - Source:151.205.98.5
,1025 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 22:20:12 - UDP packet dropped - Source:68.248.28.45
,1027 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 22:25:07 - TCP packet dropped - Source:62.211.215.228
,23420 WAN - Destination:212.159.69.161,21[FTP Data] LAN - [Inbound Default rule match]
Tue, 2003-12-16 22:25:07 - TCP packet dropped - Source:62.211.215.228
,24620 WAN - Destination:212.159.69.161,23[TELNET] LAN - [Inbound Default rule match]
Tue, 2003-12-16 22:25:07 - TCP packet dropped - Source:62.211.215.228
,24419 WAN - Destination:212.159.69.161,3128 LAN - [Inbound Default rule match]
Tue, 2003-12-16 22:25:07 - TCP packet dropped - Source:62.211.215.228
,22519 WAN - Destination:212.159.69.161,6588 LAN - [Inbound Default rule match]
Tue, 2003-12-16 22:26:12 - UDP packet dropped - Source:68.248.28.45
,1025 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 22:31:00 - Administrator login successful - IP:192.168.0.2
Tue, 2003-12-16 22:32:12 - UDP packet dropped - Source:82.88.17.164
,1032 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
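The log above is the router's inbound default-deny rule doing its job: mostly NetBIOS name-service noise to UDP 137 and, at 22:25:07, one host hitting four unrelated ports in the same second, which is a port sweep rather than anything the local PC sent. As an added example (not part of the original post), the following Python parses this NetGear log format, re-joining the entries that are wrapped before the ",port" field, tallies drops by destination port and flags a source that probes several distinct ports inside a short window. The sample lines are a subset copied from the log above; the function names, the 60-second window and the three-port threshold are my choices, not anything from the page.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Subset of the router log posted above, wrapped exactly as it appears there.
SAMPLE_LOG = """\
Tue, 2003-12-16 18:18:47 - UDP packet dropped - Source:62.202.157.138
,1027 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 18:23:57 - TCP packet dropped - Source:61.151.252.197
,80[HTTP] WAN - Destination:212.159.69.161,20128 LAN - [Inbound Default rule match]
Tue, 2003-12-16 18:28:29 - UDP packet dropped - Source:24.33.226.121
,1034 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 18:38:08 - UDP packet dropped - Source:62.3.117.1
,500 WAN - Destination:212.159.69.161,500 LAN - [Inbound Default rule match]
Tue, 2003-12-16 20:41:00 - TCP packet dropped - Source:213.8.185.70
,3548 WAN - Destination:212.159.69.161,139 LAN - [Inbound Default rule match]
Tue, 2003-12-16 21:30:04 - TCP packet dropped - Source:211.137.255.10
,3185 WAN - Destination:212.159.69.161,1433 LAN - [Inbound Default rule match]
Tue, 2003-12-16 22:25:07 - TCP packet dropped - Source:62.211.215.228
,23420 WAN - Destination:212.159.69.161,21[FTP Data] LAN - [Inbound Default rule match]
Tue, 2003-12-16 22:25:07 - TCP packet dropped - Source:62.211.215.228
,24620 WAN - Destination:212.159.69.161,23[TELNET] LAN - [Inbound Default rule match]
Tue, 2003-12-16 22:25:07 - TCP packet dropped - Source:62.211.215.228
,24419 WAN - Destination:212.159.69.161,3128 LAN - [Inbound Default rule match]
Tue, 2003-12-16 22:25:07 - TCP packet dropped - Source:62.211.215.228
,22519 WAN - Destination:212.159.69.161,6588 LAN - [Inbound Default rule match]
Tue, 2003-12-16 22:26:12 - UDP packet dropped - Source:68.248.28.45
,1025 WAN - Destination:212.159.69.161,137 LAN - [Inbound Default rule match]
Tue, 2003-12-16 22:31:00 - Administrator login successful - IP:192.168.0.2
"""

# One dropped-packet entry; ports may carry a service label such as 80[HTTP].
ENTRY_RE = re.compile(
    r"^(?P<ts>\w{3}, \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
    r"(?P<proto>TCP|UDP) packet dropped - "
    r"Source:(?P<src>[\d.]+),(?P<sport>\d+)(?:\[[^\]]*\])? WAN - "
    r"Destination:(?P<dst>[\d.]+),(?P<dport>\d+)(?:\[[^\]]*\])? LAN - "
    r"\[(?P<rule>[^\]]+)\]$"
)


def join_wrapped(text):
    """Re-join entries that were wrapped before the ',port' continuation."""
    entries = []
    for line in text.splitlines():
        if line.startswith(",") and entries:
            entries[-1] += line
        elif line.strip():
            entries.append(line)
    return entries


def parse_entry(entry):
    """Return a dict for a dropped-packet entry, or None for other log lines."""
    m = ENTRY_RE.match(entry)
    if not m:
        return None  # e.g. "Administrator login successful"
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%a, %Y-%m-%d %H:%M:%S"),
        "proto": d["proto"], "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]), "rule": d["rule"],
    }


def parse_log(text):
    return [e for e in map(parse_entry, join_wrapped(text)) if e]


def drops_by_port(events):
    """Count dropped packets per (protocol, destination port)."""
    return Counter((e["proto"], e["dport"]) for e in events)


def find_port_scans(events, window_s=60, min_ports=3):
    """Sources that touch >= min_ports distinct destination ports within window_s."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    scans = {}
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            ports = {x["dport"] for x in evs[i:]
                     if (x["ts"] - first["ts"]).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                scans[src] = sorted(ports)
                break
    return scans


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (proto, port), n in drops_by_port(evs).most_common():
        print(f"{proto} dport {port}: {n} dropped")
    print("port sweeps:", find_port_scans(evs))
```

Every entry here is inbound and dropped, so this log says nothing about what left the PC on port 135; only the logged outbound rule that Rich adds later in the thread can show that. The UDP 137 entries are the background NetBIOS name-query chatter any Internet-facing address received at the time, and the single-second burst against 21, 23, 3128 and 6588 from one source is what a sweep for open proxies and services looks like from the victim's side.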
N/A

PlusNet anti-virus warning

Had the PlusNet worm virus warning again this morning... Hmmm..
N/A

PlusNet anti-virus warning

You need to set up an outbound traffic filter rule with a destination port of 135. This should be a TCP rule and it isn't a range.
N/A

PlusNet anti-virus warning

Thanks Phil, I've done that now.

Also ran Blaster Fixer and "Spybot Search and Destroy" but they turned up nothing. Also no critical updates from Windows Update need to be installed. Something is definitely happening though. I'm even having a bad connection at the moment - don't always get to hosts (even this portal), sometimes it's just really slow.

I've turned on logging for the new firewall rule so I'll see what turns up.

Thanks again for the help.

Rich
mssystems

PlusNet anti-virus warning

By default your Netgear firewall allows outgoing NETBIOS traffic and a couple other dangerous protocols.

As a minimum precaution you should define and block the following services

NETBIOS TCP/UDP Start port 135 End port 139
RPC1 TCP Start port 445 End port 445
RPC2 TCP Start port 593 End port 593
TFTP TCP/UDP Start port 69 End port 69
Slammer UDP Start port 1434 End port 1444

Regards
Matt
www.mssystems.co.uk
N/A

PlusNet anti-virus warning

I had this warning the other day too. I was doing a port scan on some *$%*$£% that keeps spamming me and then the warning appeared. I've since had a long winded e-mail conversation with PlusNet where they insist it MUST be a worm causing this traffic, when I know for a fact that it is not. False alarm it most certainly could be.

I am behind a D-Link firewall, use McAfee VirusScan that auto checks for updates every hour and have all the latest MS patches installed.
N/A

PlusNet anti-virus warning

The virus page presented by PlusNet is generated from any traffic with a destination port of 135, originating from your connection.

If you are performing a port scan, then this why.

If you are getting it for other reasons other than a port scan, then a virus is only one possible reason.

You didn't make it clear what you were attempting to say here?
N/A

PlusNet anti-virus warning

Sorry to jump in here but I thought it's topical enough to add and maybe would be interesting for others...
I connect to my office via a Cisco VPN client over my PlusNet ADSL and use MS Outlook to connect to work's Exchange server, causing me to receive this possible worm message also.

Can't PlusNet figure out it's VPN traffic and let it through? VPN traffic is after all internal to my company and does not route directly to the Net like a regular direct connection.
N/A

PlusNet anti-virus warning

It's true that there is a pattern to these kind of worms. I've seen them scan for action picking an IP range (usually the one the host is in) and scanning the range consecutively looking for machines to infect.

Therefore connecting to an Exchange server or VPN will just create NetBIOS between two consenting hosts.

PlusNet: Can your system look for this too?
N/A

PlusNet anti-virus warning

First things first, if you're using a VPN through which you route traffic to your office, yet you still receive this message when using Exchange server, then your VPN is incorrectly configured.

A VPN is a tunnel through which communications to the remote network are encoded into a pre-existing stream (stream within a stream) and encrypted.

If PlusNet's server detects a packet with a destination port of 135 from your system, then this packet isn't within that VPN data stream. Even unencrypted data within a data stream should not be picked up (not that a VPN can do that) as the topmost IP packet is the one inspected.

Microsoft themselves recommend using VPNs for Exchange server traffic and anything that may even be remotely connected with the RPC server, coming from an untrusted source (although the source is trusted, the route over the internet isn't).

As for detecting patterns: you are talking about routers designed to route the traffic of 100,000+ customers, changing them into stateful packet inspection firewalls.

Carrier class routers of the type PlusNet use already have enough on their hands without being converted to take over the full protection of their users.
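Two threads of the discussion above fit one worked model: the outbound block list mssystems posted (NETBIOS 135-139, 445, 593, TFTP 69, Slammer 1434-1444) and Phillip's point that an ISP-side check only ever sees the outermost IP header, so RPC traffic that really is inside the VPN tunnel cannot trip a port-135 detector, while the same traffic sent in the clear does. The Python below is an added example, not PlusNet's, NetGear's or any poster's code. It models packets as plain records, applies the posted egress rules as a NetGear-style router would, applies PlusNet's trigger as Phil described it (outbound destination port 135, outer header only), and compares a direct RPC connection with the same connection wrapped in an ESP tunnel. The packet and rule classes, the ESP wrapper and all addresses are assumptions made for the example; the 60-second redirect and ICMP block that follow a trigger are not modelled.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Outermost header of one outbound IP packet (simplified, assumed model)."""
    proto: str                 # "TCP", "UDP", "ESP", ...
    src: str
    dst: str
    dport: Optional[int] = None           # None for protocols without ports (ESP)
    inner: Optional["Packet"] = None      # encapsulated packet, invisible on the wire


@dataclass(frozen=True)
class Rule:
    name: str
    protos: Tuple[str, ...]
    first: int
    last: int

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto in self.protos and pkt.dport is not None
                and self.first <= pkt.dport <= self.last)


# Outbound services to block, exactly as listed in mssystems' post above.
EGRESS_BLOCK = (
    Rule("NETBIOS", ("TCP", "UDP"), 135, 139),
    Rule("RPC1", ("TCP",), 445, 445),
    Rule("RPC2", ("TCP",), 593, 593),
    Rule("TFTP", ("TCP", "UDP"), 69, 69),
    Rule("Slammer", ("UDP",), 1434, 1444),
)


def router_egress(pkt: Packet, rules=EGRESS_BLOCK) -> Optional[str]:
    """Name of the first rule that drops pkt, or None if the router forwards it."""
    for r in rules:
        if r.matches(pkt):
            return r.name
    return None


def isp_flags_worm(pkt: Packet) -> bool:
    """PlusNet's trigger as Phil describes it: outbound traffic to destination port 135.
    Only the outer header is examined; pkt.inner is deliberately never consulted."""
    return pkt.dport == 135


def encapsulate(inner: Packet, client_ip: str, gateway_ip: str) -> Packet:
    """Wrap inner in an IPsec ESP packet to the VPN gateway (assumed tunnel shape)."""
    return Packet("ESP", client_ip, gateway_ip, dport=None, inner=inner)


def simulate(pkt: Packet, rules=EGRESS_BLOCK) -> dict:
    """What the local router does, and whether the ISP would serve the worm page."""
    verdict = router_egress(pkt, rules)
    return {"router": verdict or "forward",
            "isp_worm_page": verdict is None and isp_flags_worm(pkt)}


# Constructed addresses: the customer's public IP from the log above, plus
# documentation ranges for the VPN gateway, the Exchange server and a random peer.
CLIENT, GATEWAY, EXCHANGE, PEER = "212.159.69.161", "198.51.100.10", "10.1.2.3", "203.0.113.7"

FLOWS = {
    "https": Packet("TCP", CLIENT, PEER, 443),
    "rpc_in_clear": Packet("TCP", CLIENT, EXCHANGE, 135),    # split tunnel / VPN not engaged
    "rpc_in_tunnel": encapsulate(Packet("TCP", CLIENT, EXCHANGE, 135), CLIENT, GATEWAY),
    "ike": Packet("UDP", CLIENT, GATEWAY, 500),               # key exchange to the gateway
    "netbios_name_query": Packet("UDP", CLIENT, PEER, 137),
    "smb_direct": Packet("TCP", CLIENT, PEER, 445),
}


if __name__ == "__main__":
    print("with the posted egress rules:")
    for name, pkt in FLOWS.items():
        print(f"  {name:20s} {simulate(pkt)}")
    print("router with no outbound filtering (what PlusNet sees by default):")
    for name, pkt in FLOWS.items():
        print(f"  {name:20s} {simulate(pkt, rules=())}")
```

Run it and the two tables show the point the posts are making: with no outbound filter, `rpc_in_clear` reaches PlusNet with destination port 135 and earns the worm page, whereas `rpc_in_tunnel` presents only an ESP header to the gateway and is neither droppable by a port rule nor visible to the port-135 check. With mssystems' rules in place the clear-text RPC packet is dropped at the NetGear before it can trigger anything, which is why the outbound 135 rule Phil recommended silences the warning whether or not a worm is actually present; it is a muffler, not a diagnosis, so the logging Rich enabled on that rule is still the part that tells you what was sending.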
N/A

PlusNet anti-virus warning

Thanks Phillip,

I've forwarded on this information to my IT department for them to have a look at. I suspect this will be a big enough issue for them to do something about it as there are quite a few of us signed up to PlusNet.

Although this is a pain from my perspective I believe PlusNet have done a good thing and hope this will help prod others who have incorrectly/lazily configured equipment to get it right.

Cheers,

SteveC