Something On This Web Site Trying To Breach My Firewall

[worgeordie]

Over a week ago I posted on here for help with a problem

I was having ,with 50/60 attempts daily that where blocked

by my firewall.

Well by elimination I have found they originate when I log

into ThaiVisa website, Last 2 days I did not log on here,

and have had no intrusion attempts,

Today I log on to ThaiVisa only on my browser, opened

my firewall GUI ?, and the intrusion attempts just kept getting

blocked 37 in a few minutes,while I typed this.

I dont know if this is something dangerous or something just not

to worry about, as, I do not know a lot about computers ,but to

me it feels like someone ,something is trying to access my

computer ,I just want to know why and for what reason ?

It is 203.151.21.63 and its definitely happening only when

I log into ThaiVisa.com

Anyone know why, what and for what reason this is happening

Regards Worgeordie

[wolf5370]

Is it incoming or outgoing? It could be something in your browser (or your browser is calling for functionality) that is blocked (or not yet opened) on your firewall. For example, spell check can be had using IESpell (assuming IE), but it needs its own entry on the firewall - usually agreed on install - hitting spell check on a post may cause this.

On the other hand, if it is external coming in, what port is it trying to use? Maybe its a feed or some sort. I have 3 layers of firewall and have used TV for many years now (about 9 I think) and never get a flag, so I wouls suggest it is either something innocuous that just requires a firewall rule set up, or a virus on your machine that triggers when certain conditions are met that TV happens to meet.

PS: MODS probably better in the Support Forum(?)

Edited January 22, 2012 by wolf5370

[george]

IP 203.151.21.63 does not belong to Thaivisa.com, it belongs to truehits.net which is a website stats counter.

Nothing to worry about.

[worgeordie]

The firewall has now blocked 146 attempts and it only happens

when I am logged into ThaiVisa,.

its ICMP source port type(3) destination 192.168.1.3 destination port type(10)

George says its Truehits .net , but I dont have anything True on my computer,

is there anything from True on this website ??

nothing to worry about, it is if you dont know what it is or what its trying to do

and why...

regards Worgeordie

[george]

Likely false positives from your firewall.

Are you using ZoneAlarm or similar, or a hardware firewall?

[worgeordie]

Hi George ,No its CoMoDo firewall,its very good no problems at all

until I enter Thaivisa ?? now up to 166 blocked attempts.

Do you use anything from Truehits.net on this website? its diffidently

triggered when I use ThaiVisa.

regards Worgeordie

[george]

Hi George ,No its CoMoDo firewall,its very good no problems at all

until I enter Thaivisa ?? now up to 166 blocked attempts.

Do you use anything from Truehits.net on this website? its diffidently

triggered when I use ThaiVisa.

regards Worgeordie

Yes, we are using truehits.net as a stats counter since 9 years. Never heard about any issues like you describe.

No reason for them to contact your computer.

[harrry]

Hi George ,No its CoMoDo firewall,its very good no problems at all

until I enter Thaivisa ?? now up to 166 blocked attempts.

Do you use anything from Truehits.net on this website? its diffidently

triggered when I use ThaiVisa.

regards Worgeordie

Yes, we are using truehits.net as a stats counter since 9 years. Never heard about any issues like you describe.

No reason for them to contact your computer.

Well if his firewall is activating they obviously are. Maybe for 9 years they did not but now do. It is your site george I think it deserves checking.

[george]

Truehits is Thailand's largest service for webstats statistics and traffic auditing. The implementation is a piece of javascript code pasted in the website template, and this implementation is identical for more than 10,000 other big Thailand related websites like:

http://www.nationmultimedia.com/

http://www.bangkokpost.com

Does your firewall behave the same way if you browse any of those above or any of the following websites listed in Truehits directory?

http://directory.truehits.net/

[worgeordie]

George, will try the Bangkok post and Nation site and will report

back,

regards Worgeordie

[worgeordie]

Have tried the Bangkok Post and Nation sites and report

no problems, will try again tomorrow to make sure

regards Worgeordie

PS this time I have logged on to ThaiVisa also no firewall intrusions, just hope it lasts

[worgeordie]

No it did not last ,just logged in again and already 18 intrusion attempts

and rising

this is bloody annoying

Bi Worgeordie

[urandom]

Good catch droogie,

Well, obviously, if you want this to stop, you just have to disable javascript or to drop ICMP with the destination-unreachable flag.

for example, with iptables, this will work:

# iptables -A INPUT -p icmp --icmp-type destination-unreachable -j DROP

You can also use your hosts file and make this truehits server point to localhost.

now this ICMP message is in fact a REPLY to a ack, fin tcp packet sent by YOUR machine that the truehits server's firewall doesn't allow for some reason. it means you'll get several hits every time you load a thaivisa page. why is a mistery but i'll drop a few lines to truehits.net webmaster later today (i don't have too much hope but anyway).

here's the sequence of sent tcp packet, ICMP reply:

No. Time Source Destination Protocol Length Info

3763 190.305447 192.168.3.104 203.151.21.63 TCP 66 34438 > http [FIN, ACK] Seq=811 Ack=399 Win=15680 Len=0 TSval=115329792 TSecr=2352471551

Frame 3763: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)

Arrival Time: Jan 22, 2012 21:17:52.362163000 ICT

Epoch Time: 1327241872.362163000 seconds

[Time delta from previous captured frame: 11.600035000 seconds]

[Time delta from previous displayed frame: 11.600035000 seconds]

[Time since reference or first frame: 190.305447000 seconds]

Frame Number: 3763

Frame Length: 66 bytes (528 bits)

Capture Length: 66 bytes (528 bits)

[Frame is marked: False]

[Frame is ignored: False]

[Protocols in frame: eth:ip:tcp]

[Coloring Rule Name: HTTP]

[Coloring Rule String: http || tcp.port == 80]

Ethernet II, Src: IntelCor_xx:xx:xx (xx:xx:xx:xx:xx:xx), Dst: Tp-LinkT_xx:xx:xx (xx:xx:xx:xx:xx:xx)

Destination: Tp-LinkT_xx:xx:xx (xx:xx:xx:xx:xx:xx)

Address: Tp-LinkT_xx:xx:xx (xx:xx:xx:xx:xx:xx)

.... ...0 .... .... .... .... = IG bit: Individual address (unicast)

.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)

Source: IntelCor_xx:xx:xx (xx:xx:xx:xx:xx:xx)

Address: IntelCor_xx:xx:xx (xx:xx:xx:xx:xx:xx)

.... ...0 .... .... .... .... = IG bit: Individual address (unicast)

.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)

Type: IP (0x0800)

Internet Protocol Version 4, Src: 192.168.3.104 (192.168.3.104), Dst: 203.151.21.63 (203.151.21.63)

Version: 4

Header length: 20 bytes

Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))

0000 00.. = Differentiated Services Codepoint: Default (0x00)

.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)

Total Length: 52

Identification: 0xade2 (44514)

Flags: 0x02 (Don't Fragment)

0... .... = Reserved bit: Not set

.1.. .... = Don't fragment: Set

..0. .... = More fragments: Not set

Fragment offset: 0

Time to live: 64

Protocol: TCP (6)

Header checksum: 0xe7fa [correct]

[Good: True]

[bad: False]

Source: 192.168.3.104 (192.168.3.104)

Destination: 203.151.21.63 (203.151.21.63)

Transmission Control Protocol, Src Port: 34438 (34438), Dst Port: http (80), Seq: 811, Ack: 399, Len: 0

Source port: 34438 (34438)

Destination port: http (80)

[stream index: 136]

Sequence number: 811 (relative sequence number)

Acknowledgement number: 399 (relative ack number)

Header length: 32 bytes

Flags: 0x11 (FIN, ACK)

000. .... .... = Reserved: Not set

...0 .... .... = Nonce: Not set

.... 0... .... = Congestion Window Reduced (CWR): Not set

.... .0.. .... = ECN-Echo: Not set

.... ..0. .... = Urgent: Not set

.... ...1 .... = Acknowledgement: Set

.... .... 0... = Push: Not set

.... .... .0.. = Reset: Not set

.... .... ..0. = Syn: Not set

.... .... ...1 = Fin: Set

[Expert Info (Chat/Sequence): Connection finish (FIN)]

[Message: Connection finish (FIN)]

[severity level: Chat]

[Group: Sequence]

Window size value: 245

[Calculated window size: 15680]

[Window size scaling factor: 64]

Checksum: 0xa50d [validation disabled]

[Good Checksum: False]

[bad Checksum: False]

Options: (12 bytes)

No-Operation (NOP)

No-Operation (NOP)

Timestamps: TSval 115329792, TSecr 2352471551

Kind: Timestamp (8)

Length: 10

Timestamp value: 115329792

Timestamp echo reply: 2352471551

No. Time Source Destination Protocol Length Info

3764 190.334561 203.151.21.63 192.168.3.104 ICMP 94 Destination unreachable (Host administratively prohibited)

Frame 3764: 94 bytes on wire (752 bits), 94 bytes captured (752 bits)

Arrival Time: Jan 22, 2012 21:17:52.391277000 ICT

Epoch Time: 1327241872.391277000 seconds

[Time delta from previous captured frame: 0.029114000 seconds]

[Time delta from previous displayed frame: 0.029114000 seconds]

[Time since reference or first frame: 190.334561000 seconds]

Frame Number: 3764

Frame Length: 94 bytes (752 bits)

Capture Length: 94 bytes (752 bits)

[Frame is marked: False]

[Frame is ignored: False]

[Protocols in frame: eth:ip:icmp:ip:tcp]

[Coloring Rule Name: ICMP errors]

[Coloring Rule String: icmp.type eq 3 || icmp.type eq 4 || icmp.type eq 5 || icmp.type eq 11 || icmpv6.type eq 1 || icmpv6.type eq 2 || icmpv6.type eq 3 || icmpv6.type eq 4]

Ethernet II, Src: Tp-LinkT_xx:xx:xx (xx:xx:xx:xx:xx:xx), Dst: IntelCor_xx:xx:xx (xx:xx:xx:xx:xx:xx)

Destination: IntelCor_xx:xx:xx (xx:xx:xx:xx:xx:xx)

Address: IntelCor_xx:xx:xx (xx:xx:xx:xx:xx:xx)

.... ...0 .... .... .... .... = IG bit: Individual address (unicast)

.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)

Source: Tp-LinkT_xx:xx:xx (xx:xx:xx:xx:xx:xx)

Address: Tp-LinkT_xx:xx:xx (xx:xx:xx:xx:xx:xx)

.... ...0 .... .... .... .... = IG bit: Individual address (unicast)

.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)

Type: IP (0x0800)

Internet Protocol Version 4, Src: 203.151.21.63 (203.151.21.63), Dst: 192.168.3.104 (192.168.3.104)

Version: 4

Header length: 20 bytes

Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))

0000 00.. = Differentiated Services Codepoint: Default (0x00)

.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)

Total Length: 80

Identification: 0x2bb0 (11184)

Flags: 0x00

0... .... = Reserved bit: Not set

.0.. .... = Don't fragment: Not set

..0. .... = More fragments: Not set

Fragment offset: 0

Time to live: 56

Protocol: ICMP (1)

Header checksum: 0xb216 [correct]

[Good: True]

[bad: False]

Source: 203.151.21.63 (203.151.21.63)

Destination: 192.168.3.104 (192.168.3.104)

Internet Control Message Protocol

Type: 3 (Destination unreachable)

Code: 10 (Host administratively prohibited)

Checksum: 0xa203 [correct]

Internet Protocol Version 4, Src: 192.168.3.104 (192.168.3.104), Dst: 203.151.21.63 (203.151.21.63)

Version: 4

Header length: 20 bytes

Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))

0000 00.. = Differentiated Services Codepoint: Default (0x00)

.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)

Total Length: 52

Identification: 0xade2 (44514)

Flags: 0x02 (Don't Fragment)

0... .... = Reserved bit: Not set

.1.. .... = Don't fragment: Set

..0. .... = More fragments: Not set

Fragment offset: 0

Time to live: 57

Protocol: TCP (6)

Header checksum: 0xeefa [correct]

[Good: True]

[bad: False]

Source: 192.168.3.104 (192.168.3.104)

Destination: 203.151.21.63 (203.151.21.63)

Transmission Control Protocol, Src Port: 34438 (34438), Dst Port: http (80), Seq: 4206775565, Ack: 950198611

Source port: 34438 (34438)

Destination port: http (80)

Sequence number: 4206775565

[stream index: 136]

Sequence number: 4206775565 (relative sequence number)

Acknowledgement number: 950198611 (relative ack number)

Header length: 32 bytes

Flags: 0x11 (FIN, ACK)

000. .... .... = Reserved: Not set

...0 .... .... = Nonce: Not set

.... 0... .... = Congestion Window Reduced (CWR): Not set

.... .0.. .... = ECN-Echo: Not set

.... ..0. .... = Urgent: Not set

.... ...1 .... = Acknowledgement: Set

.... .... 0... = Push: Not set

.... .... .0.. = Reset: Not set

.... .... ..0. = Syn: Not set

.... .... ...1 = Fin: Set

[Expert Info (Chat/Sequence): Connection finish (FIN)]

[Message: Connection finish (FIN)]

[severity level: Chat]

[Group: Sequence]

Window size value: 245

[Calculated window size: 245]

[Window size scaling factor: 64]

Checksum: 0xac30 [validation disabled]

[Good Checksum: False]

[bad Checksum: False]

Options: (12 bytes)

No-Operation (NOP)

No-Operation (NOP)

Timestamps: TSval 115329792, TSecr 2352471551

Kind: Timestamp (8)

Length: 10

Timestamp value: 115329792

Timestamp echo reply: 2352471551

[NanLaew]

^ Or... if all that gobbledygook is way, way over your head, you could always just stop visiting TV.

Patient: "Doctor, it hurts every time I do this."

Doctor: "Well... stop doing that."

Edited January 23, 2012 by NanLaew

[worgeordie]

^ Or... if all that gobbledygook is way, way over your head, you could always just stop visiting TV.

Patient: "Doctor, it hurts every time I do this."

Doctor: "Well... stop doing that."

Yes above post was way over my head,but appreciate the help very much,Urandom,

NanLaew your post was neither helpful or constructive ,but I suppose you could not help yourself.

Been on here a while now and nothing has happened,so fingers crossed someone ,somewhere has

rectified my problem, maybe other people have the same problem but never check their firewall events

Thanks regards Worgeordie

[urandom]

I'm still seeing the ICMP replies so you may see them at some point too. If you want to get rid of this, a quick and dirty solution would be:

open notepad *as administrator* (right click the notepad icon -> chose run as administrator). Then, in notepad, click file -> open and open the following file:

C:\Windows\System32\drivers\etc\hosts (if you can't see the file, chose "All Files" in the drop down menu at the bottom right of the file explorer of notepad. By default, it is set to "Text Documents *.txt" )

Then add the following line:

127.0.0.1 host63.truehits.net

it should be look exactly like this, no # at the beginning of the line.

Save, close and enjoy.

What does it do?

as I said earlier, those ICMP messages are replies to a tcp packet sent from your host to truehits.net. Therefore, if you can't send any packet first, you won't get any reply. This is what you have done by modifying your hosts file, it tells your machine that the IP address of the the truehits server is 127.0.0.1, which is what is called a loopback device: your own network interface.

[manarak]

Sounds like a misconfigured firewall and a scared user who doesn't have the knowledge to evaluate if the considered ICMP traffic is a threat or not.

ICMP is a useful protocol - blocking it completely is not advisable.

From another forum:

ICMP has many facets so you're going to want to be selective. The first thing to consider is PMTUD (Path MTU Discover) -- which is a good thing, if ICMP is in the clear for the entirety of the network traversal. If you want to allow PMTUD you're going to want to allow ICMP type 3 in and out. Don't worry -- it's not evil. The next to consider is source quench (type 8). It basically tells your upstream hop to slow down if needed. So you're going to want to let those out. Next we have the generic ICMP "ping". We want to be able to ping out and get the reply, but we don't want to let others ping us. Easy... Just allow ICMP type 8 out and type 0 back in. Lastly we want traceroutes to work (obviously not all traces use ICMP by default -- the real route uses UDP). So to do that all you really need to do is let type 11 back in.

Here's an IPFW example if you need one for all your ICMP needs:

00010 allow icmp from any to any icmptypes 3

00011 allow icmp from any to any icmptypes 4

00012 allow icmp from any to any icmptypes 8 out

00013 allow icmp from any to any icmptypes 0 in

00014 allow icmp from any to any icmptypes 11 in

http://help.comodo.com/topic-72-1-155-1100-application-rules.html

[urandom]

sorry droogie, the line should be:

127.0.0.1 hits.truehits.in.th

[worgeordie]

Pleased to report no Firewall intrusions today,visited many

sites, including ThaiVisa classifieds which seemed to trigger

the firewall,

So maybe someone or something has fixed this problem for

me,

Thanks everyone for your responses and help.

regards Worgeordie