Re: Weird Entries in System and Security Logs, With Sygate PF Failures

From: Sadie (anonymous_at_discussions.microsoft.com)
Date: 05/20/04


Date: Thu, 20 May 2004 10:28:09 -0700

Export your full packet logs to Sygate for analysis.

Port 5000 is exploited by Bobax (to name but one). Send
them the full captures.

Respect,

Sadie
>-----Original Message-----
>You should send this information to Sygate Support. They should be aware of this, and provide a solution.
>
>
>"Pikachu" <anonymous@discussions.microsoft.com> wrote in message news:E6DA2BAD-7937-42C1-9DA2-203B7A9C57E0@microsoft.com...
>> Hi everyone,
>>
>> I've been having troubles recently (the past 2 weeks or so) with Sygate personal firewall crashing unexpectedly, and no error message is given. At first I thought it was a software conflict of some kind.
>>
>> But now I'm thinking that there is an exploit out there that will bring down Sygate. I am finding that SPF is crashing only when this bad inbound traffic is occurring. Many times it blocks incoming stuff, but fairly often my firewall will die without warning. These bad packets are hitting me on a variety of ports, but 5000 seems to be the most commonly used. 0, 80, and 113 are also used fairly often. The remote ports from which the connection attempts originate are high-numbered.
>>
>> I have seen .dll requesters pop up, asking for permission, and within seconds of their appearance, they disappear again, and the Sygate program is no longer running. The icon for SPF remains in the lower right, but it goes away if I move the mouse pointer over it. Yesterday this happened twice in a row, in rapid succession. (The request was something about a remote initiated connection attempt to load .dll files relating to Windows help).
>>
>> Here is some info from my event log. Most of this I don't really understand, but perhaps it has something to do with SPF crashing all the time. Maybe there isn't an exploit out there, but I have a misconfiguration on my machine.
>>
>> In the System log, there is an entry from today saying the Service Control Manager is giving me an Error, and the Event ID is 7034. It says "The Sygate Personal FIrewall service terminated unexpectedly. It has done this 2 time(s)." I've tried looking around a bit, but I haven't found anything that explains what Event ID 7034 is, and WHY Sygate is crashing.
>>
>> The Event Viewer for this System log entry says a file named netevent.dll is involved, version 5.1.2600.0
>>
>> In my Security log, there are a few entries I also don't understand. These entries were created shortly after I logged on, before connecting to the net.
>>
>> Event Type: Failure Audit
>> Event Source: Security
>> Event Category: Policy Change
>> Event ID: 615
>> Date: 5/19/2004
>> Time: 5:56:00 PM
>> User: NT AUTHORITY\NETWORK SERVICE
>> Computer: POOP1
>> Description:
>> IPSec Services: IPSec Services failed to get the complete list of network interfaces on the machine. This can be a potential security hazard to the machine since some of the network interfaces may not get the protection as desired by the applied IPSec filters. Please run IPSec monitor snap-in to further diagnose the problem.
>>
>> For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
>>
>> Event Type: Failure Audit
>> Event Source: Security
>> Event Category: Policy Change
>> Event ID: 615
>> Date: 5/19/2004
>> Time: 5:56:01 PM
>> User: NT AUTHORITY\NETWORK SERVICE
>> Computer: POOP1
>> Description:
>> IPSec Services: IPSec Services failed to initialize RPC server with error code: The authentication service is unknown.
>> . IPSec Services could not be started.
>>
>> For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
>>
>> Event Type: Failure Audit
>> Event Source: Security
>> Event Category: Account Logon
>> Event ID: 680
>> Date: 5/19/2004
>> Time: 5:56:01 PM
>> User: NT AUTHORITY\SYSTEM
>> Computer: POOP1
>> Description:
>> Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>> Logon account: (***myname***)
>> Source Workstation: POOP1
>> Error Code: 0xC000006A
>>
>> For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
>>
>> Event Type: Failure Audit
>> Event Source: Security
>> Event Category: Logon/Logoff
>> Event ID: 529
>> Date: 5/19/2004
>> Time: 5:56:01 PM
>> User: NT AUTHORITY\SYSTEM
>> Computer: POOP1
>> Description:
>> Logon Failure:
>> Reason: Unknown user name or bad password
>> User Name: (***myname***)
>> Domain: POOP1
>> Logon Type: 2
>> Logon Process: Advapi
>> Authentication Package: Negotiate
>> Workstation Name: POOP1
>>
>> For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
>>
>>
>> (Why the heck is this appearing? I didn't make a mistake when I typed in my password, I just typed it once and logged right in....)
>>
>> Event Type: Failure Audit
>> Event Source: Security
>> Event Category: Account Logon
>> Event ID: 680
>> Date: 5/19/2004
>> Time: 5:56:01 PM
>> User: NT AUTHORITY\SYSTEM
>> Computer: POOP1
>> Description:
>> Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>> Logon account: (***myname***)
>> Source Workstation: POOP1
>> Error Code: 0xC000006A
>>
>>
>> For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
>>
>> And finally, we have my successful logon entry...
>>
>> Event Type: Success Audit
>> Event Source: Security
>> Event Category: Logon/Logoff
>> Event ID: 528
>> Date: 5/19/2004
>> Time: 5:56:11 PM
>> User: POOP1\(***myname***)
>> Computer: POOP1
>> Description:
>> Successful Logon:
>> User Name: (***myname***)
>> Domain: POOP1
>> Logon ID: (0x0,0xDB75)
>> Logon Type: 2
>> Logon Process: User32
>> Authentication Package: Negotiate
>> Workstation Name: POOP1
>> Logon GUID: {00000000-0000-0000-0000-000000000000}
>>
>> For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
>>
>> I don't have other computers or routers involved at home. I am connecting to the 'net through a dialup. I am also running TDS-3, PG, port explorer, AntiVir, and Opera 7.50 when I'm online.
>
>.
>


