Status
Not open for further replies.

· Registered
Joined
·
3 Posts
Discussion Starter · #1 ·
Re: Unknown intruder has entered network

I have the same problems as Night Shade:

"I have a new IP address that has entered my network of computers. I know it is none of my computers because I turned each individual one on, got their IPs, looked at the network devices that were in my network on McAfee, and confirmed that this new one is not mine. I have it marked down as an intruder, and I want to remove it from my network permanently. Does McAfee even block it when you mark it as an intruder, or does it just notify you every time that this intruder is connecting to your network? So, bottom line, I need to remove this device from my network permanently and stop it from accessing it ever again."

Here is what I got after I got the intruder alert notice from McAfee: I ran NETSTAT (my internet & network) and here is what I got:

Active Connections

Proto Local Address Foreign Address State
TCP myblackstar:1090 localhost:1091 ESTABLISHED
TCP myblackstar:1091 localhost:1090 ESTABLISHED
TCP myblackstar:1092 localhost:1093 ESTABLISHED
TCP myblackstar:1093 localhost:1092 ESTABLISHED
TCP myblackstar:1699 myblackstar.home:4286 ESTABLISHED
TCP myblackstar:2260 cpe-66-75-159-196.socal.rr.com:http CLOSE_WAIT
TCP myblackstar:3139 65.54.152.225:http ESTABLISHED
TCP myblackstar:3141 207.68.173.213:http ESTABLISHED
TCP myblackstar:3142 65.55.239.188:http ESTABLISHED
TCP myblackstar:3143 65.55.15.241:http ESTABLISHED
TCP myblackstar:3144 65.55.15.244:http ESTABLISHED
TCP myblackstar:3146 65.55.15.122:http ESTABLISHED
TCP myblackstar:3147 207.46.216.54:http ESTABLISHED
TCP myblackstar:3148 207.46.216.54:http ESTABLISHED
TCP myblackstar:3161 cf-in-f102.google.com:http ESTABLISHED
TCP myblackstar:3162 cf-in-f147.google.com:http ESTABLISHED
TCP myblackstar:3166 JUSTINLO.home:6646 TIME_WAIT
TCP myblackstar:3170 JUSTINLO.home:6646 TIME_WAIT
TCP myblackstar:3171 us.mcafee.com:http TIME_WAIT
TCP myblackstar:3172 JUSTINLO.home:6646 TIME_WAIT
TCP myblackstar:3173 JUSTINLO.home:6646 ESTABLISHED
TCP myblackstar:4286 myblackstar.home:1699 ESTABLISHED

And this is what the internet & network outbound event logs say:

I blocked the following IP (192.168.*.*)(which is very close to my own IP Address) at myblackstar.home has attempted to access UDP port 138 on your computer.

UDP port 138 is commonly used by the "NETBIOS DATAGRAM" service or program. NETBIOS is used for Windows file sharing. It can be exploited to access files on your computer. Your computer is being protected from this type of potential attack.

The Source IP is a 'Non-Routable' IP

**I have scanned my computer several times and have found no virus or anything else.

What should I do....
 

· Global Moderator
Electronic Design
Joined
·
52,687 Posts
Re: Unknown intruder has entered network

Even though it appears you're having the same problem, please start a new thread when you have a new issue. It's very difficult to keep two problems straight and who's working on what in a single thread.

I've created a new thread for your issue here.

Note: You will need to post complete details of your configuration and your specific issue in this new thread for us to help you.

Thanks for your cooperation.
 

· Registered
Joined
·
3 Posts
Discussion Starter · #3 ·
Re: Unknown intruder has entered network

Thank you for your help and I am sorry if I caused any problems. I do understand. Thanks again...and hope someone can help with my issue...
 

· Global Moderator
Electronic Design
Joined
·
52,687 Posts
Re: Unknown intruder has entered network

Please supply the following info, exact make and models of the equipment please.

Name of your ISP (Internet Service Provider).
Make and exact model of the broadband modem.
Make and exact model and hardware version of the router (if a separate unit).
Model numbers can usually be obtained from the label on the device.
Connection type, wired or wireless.
If wireless, encryption used, (none, WEP, WPA, or WPA2)
Version and patch level of Windows on all affected machines, i.e. XP (Home or Pro), SP1-SP2-SP3, Vista (Home, Business, Ultimate), etc.





Please give an exact description of your problem symptoms, including the exact text of any error messages.



  • If you're using a wireless connection, have you tried a direct connection with a cable to see if that changes the symptoms?
  • For wireless issues, have you disabled all encryption on the router to see if you can connect that way?
  • Have you connected directly to the broadband modem to see if this is a router or modem/ISP issue?
  • If there are other computers on the same network, are they experiencing the same issue, or do they function normally?




On any affected computer, I'd also like to see this:

Hold the Windows key and press R, then type CMD (COMMAND for W98/WME) to open a command prompt:

Type the following commands on separate lines, following each one with the Enter key:

PING 206.190.60.37

PING yahoo.com

NBTSTAT -n

IPCONFIG /ALL

Right click in the command window and choose Select All, then hit Enter.
Paste the results in a message here.

If you are on a machine with no network connection, use a floppy, USB disk, or a CD-RW disk to transfer a text file with the information to allow pasting it here.
 

· Registered
Joined
·
3 Posts
Discussion Starter · #5 ·
Re: Unknown intruder has entered network

Name of your ISP: Verizon FiOS

Make and exact model of the broadband modem: Westell (Ultra Line Series3)

Model: A90-9100EM15-10 HW REV: A

Shipped Firmware Ver.: 1.02.00.03

Version and patch level of Windows on all affected machines: Windows (HM) XP SP3

Connection type: Wired

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Jose Ramirez>ping 206.190.60.37

Pinging 206.190.60.37 with 32 bytes of data:

Destination host unreachable.
Destination host unreachable.
Destination host unreachable.
Destination host unreachable.

Ping statistics for 206.190.60.37:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Documents and Settings\Jose Ramirez>ping yahoo.com

Pinging yahoo.com [69.147.114.224] with 32 bytes of data:

Destination host unreachable.
Destination host unreachable.
Destination host unreachable.
Destination host unreachable.

Ping statistics for 69.147.114.224:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Documents and Settings\Jose Ramirez>NBTSTAT -n

Local Area Connection:
Node IpAddress: [192.168.1.2] Scope Id: []

NetBIOS Local Name Table

Name Type Status
---------------------------------------------
MYBLACKSTAR <00> UNIQUE Registered
MSHOME <00> GROUP Registered
MYBLACKSTAR <20> UNIQUE Registered
MSHOME <1E> GROUP Registered
MSHOME <1D> UNIQUE Registered
..__MSBROWSE__.<01> GROUP Registered

C:\Documents and Settings\Jose Ramirez>IPCONFIG /ALL

Windows IP Configuration

Host Name . . . . . . . . . . . . : myblackstar
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : home

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : home
Description . . . . . . . . . . . : Intel(R) PRO/1000 PL Network Connect
ion
Physical Address. . . . . . . . . : 00-13-72-2B-19-9C
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
Lease Obtained. . . . . . . . . . : Thursday, May 14, 2009 10:07:44 AM
Lease Expires . . . . . . . . . . : Friday, May 15, 2009 10:07:44 AM

C:\Documents and Settings\Jose Ramirez>

Here is what the intrusion log tells me:

EVENT 1:

A computer in your banned IP list at new-home.home has attempted to access UDP port 137 on your computer.

UDP port 137 is commonly used by the "NETBIOS Name" service or program. NetBIOS is used for Windows File Sharing. It can be exploited to access files on your computer.

Your computer is being protected from this type of potential attack.

The Source IP is a 'Non-routable' IP.

EVENT 2:

A computer in your banned IP list at new-host.home has attempted to access UDP port 67 on your computer.

UDP port 67 is commonly used by the "Bootstrap Protocol Server" service or program. Some ISPs use the Bootstrap Protocol as a 'Keep Alive' mechanism. If you experience routine attempts to access this port from a server at your ISP, you should add the IP address to your trusted IP list to guarantee your DSL modem is not disconnected.

The Source IP is a 'Non-routable' IP.


This is what the McAfee internet & network outbound event logs say:
(Since the day I posted this error I have allowed those IP addresses to enter my connection, since it kept happening all the time... and since then the warnings have stopped.)


Active Connections

Proto Local Address Foreign Address State
TCP myblackstar:1090 localhost:1091 ESTABLISHED
TCP myblackstar:1091 localhost:1090 ESTABLISHED
TCP myblackstar:1092 localhost:1093 ESTABLISHED
TCP myblackstar:1093 localhost:1092 ESTABLISHED
TCP myblackstar:1699 myblackstar.home:4286 ESTABLISHED
TCP myblackstar:2260 cpe-66-75-159-196.socal.rr.com:http CLOSE_WAIT
TCP myblackstar:3139 65.54.152.225:http ESTABLISHED
TCP myblackstar:3141 207.68.173.213:http ESTABLISHED
TCP myblackstar:3142 65.55.239.188:http ESTABLISHED
TCP myblackstar:3143 65.55.15.241:http ESTABLISHED
TCP myblackstar:3144 65.55.15.244:http ESTABLISHED
TCP myblackstar:3146 65.55.15.122:http ESTABLISHED
TCP myblackstar:3147 207.46.216.54:http ESTABLISHED
TCP myblackstar:3148 207.46.216.54:http ESTABLISHED
TCP myblackstar:3161 cf-in-f102.google.com:http ESTABLISHED
TCP myblackstar:3162 cf-in-f147.google.com:http ESTABLISHED
TCP myblackstar:3166 JUSTINLO.home:6646 TIME_WAIT
TCP myblackstar:3170 JUSTINLO.home:6646 TIME_WAIT
TCP myblackstar:3171 us.mcafee.com:http TIME_WAIT
TCP myblackstar:3172 JUSTINLO.home:6646 TIME_WAIT
TCP myblackstar:3173 JUSTINLO.home:6646 ESTABLISHED
TCP myblackstar:4286 myblackstar.home:1699 ESTABLISHED

And this is what the internet & network outbound event logs say:
 

· Global Moderator
Electronic Design
Joined
·
52,687 Posts
Re: Unknown intruder has entered network

The fact that it's coming from a nonroutable IP means it's most likely within your network. Their comment about keep-alive seems to make sense.
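
The check described in the reply above (a non-routable source is most likely a device inside the network) can be applied to the posted NETSTAT rows. This is an added example, not code from any poster in the thread; the function names are hypothetical, and it assumes that names under the `home` DNS suffix shown in the IPCONFIG output belong to hosts on the local network.

```python
import ipaddress

# Taken from the IPCONFIG /ALL output posted in the thread.
HOST = ipaddress.ip_interface("192.168.1.2/255.255.255.0")
HOST_NAME, DNS_SUFFIX = "myblackstar", "home"

# Rows copied from the NETSTAT output posted in the thread.
NETSTAT = """\
Proto Local Address Foreign Address State
TCP myblackstar:1090 localhost:1091 ESTABLISHED
TCP myblackstar:1699 myblackstar.home:4286 ESTABLISHED
TCP myblackstar:3139 65.54.152.225:http ESTABLISHED
TCP myblackstar:3161 cf-in-f102.google.com:http ESTABLISHED
TCP myblackstar:3173 JUSTINLO.home:6646 ESTABLISHED
"""

def locality(endpoint_host):
    """Return 'self', 'lan', 'private' or 'external' for a host name or IP."""
    name = endpoint_host.lower()
    if name in ("localhost", HOST_NAME, HOST_NAME + "." + DNS_SUFFIX):
        return "self"
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        # A name, not an address: assume the local DNS suffix marks LAN hosts.
        return "lan" if name.endswith("." + DNS_SUFFIX) else "external"
    if ip.is_loopback or ip == HOST.ip:
        return "self"
    if ip in HOST.network:
        return "lan"
    # Non-routable but outside this subnet (another private or link-local range).
    return "private" if ip.is_private else "external"

def parse_netstat(text):
    """Return a list of (remote_host, remote_port, state, locality) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        host, _, port = parts[2].rpartition(":")
        state = parts[3] if len(parts) > 3 else ""
        rows.append((host, port, state, locality(host)))
    return rows

def other_lan_devices(text):
    """LAN peers this PC is talking to, i.e. the devices left to identify."""
    return sorted({h for h, _, _, loc in parse_netstat(text) if loc == "lan"})
```

Any host reported as `lan` can then be matched against the router's DHCP client list by name and MAC address to decide whether it is a known device.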
 