How to Read MS "pFirewall.txt" file, and IP deciphering


SpenceQ

Is there a tutorial somewhere that shows you how to read the firewall file generated by the system, along with the meaning of its terms and key words?

There are IP addresses indicated in my file. How or where do I get info on the actual user of these addresses?

Thanks

Spence
 
Post the log up and let's take a look.

I'm posting a portion of the first page, as most of the key words are repeated throughout the file, which is lengthy. OS is WXP Pro, SP2.

What I'm looking for is who is using my connectivity while I've set no permissions to update. My send/receive goes nuts on occasion and I can't detect who's up/downloading.

Exceptions Settings:

File and Printer Sharing - off
Remote assistance - on
Remote Desktop - off
UPnP Framework - on

"Log dropped packets is - enabled"
"Log successful connections is - disabled"

When "my secret friend" is down/uploading, Task Manager shows high activity in:

Firefox.exe, svchost.exe, and csrss.exe

#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2008-01-23 13:33:33 DROP UDP 202.97.238.200 216.209.139.45 43962 1026 485 - - - - - - - RECEIVE
2008-01-23 13:34:01 DROP UDP 218.10.137.139 216.209.139.45 47201 1027 485 - - - - - - - RECEIVE
2008-01-23 13:34:43 DROP TCP 216.209.168.73 216.209.139.45 43749 135 52 S 1639133699 0 60352 - - - RECEIVE
2008-01-23 13:35:30 DROP UDP 202.97.238.200 216.209.139.45 44721 1027 485 - - - - - - - RECEIVE
2008-01-23 13:35:30 DROP TCP 209.132.213.151 216.209.139.45 80 1072 40 A 3922545633 4169477860 64989 - - - RECEIVE
2008-01-23 13:35:30 DROP TCP 209.132.213.151 216.209.139.45 80 1072 40 FA 3922545633 4169477860 64989 - - - RECEIVE
2008-01-23 13:35:32 DROP UDP 221.208.208.101 216.209.139.45 45557 1026 486 - - - - - - - RECEIVE
2008-01-23 13:35:42 DROP TCP 209.132.213.151 216.209.139.45 80 1071 1500 A 583959127 3234938155 64367 - - - RECEIVE
2008-01-23 13:35:42 DROP TCP 209.132.213.151 216.209.139.45 80 1071 628 AP 583960587 3234938155 64367 - - - RECEIVE
2008-01-23 13:35:42 DROP TCP 209.132.213.151 216.209.139.45 80 1071 1500 A 583961175 3234938155 64367 - - - RECEIVE
2008-01-23 13:35:42 DROP TCP 209.132.213.151 216.209.139.45 80 1071 628 AP 583962635 3234938155 64367 - - - RECEIVE
2008-01-23 13:35:43 DROP TCP 209.132.213.151 216.209.139.45 80 1071 1500 A 583963223 3234938155 64367 - - - RECEIVE
2008-01-23 13:35:43 DROP TCP 209.132.213.151 216.209.139.45 80 1071 628 AP 583964683 3234938155 64367 - - - RECEIVE
2008-01-23 13:35:43 DROP TCP 209.132.213.151 216.209.139.45 80 1071 1500 A 583965271 3234938156 64367 - - - RECEIVE
2008-01-23 13:35:51 DROP TCP 209.132.213.151 216.209.139.45 80 1074 40 A 2585199913 384599677 64977 - - - RECEIVE
2008-01-23 13:35:51 DROP TCP 209.132.213.151 216.209.139.45 80 1074 40 FA 2585199913 384599677 64977 - - - RECEIVE
2008-01-23 13:36:00 DROP TCP 209.132.213.151 216.209.139.45 80 1073 1500 A 1630649412 3285033617 64351 - - - RECEIVE
2008-01-23 13:36:00 DROP TCP 209.132.213.151 216.209.139.45 80 1073 628 AP 1630650872 3285033617 64351 - - - RECEIVE
2008-01-23 13:36:00 DROP TCP 209.132.213.151 216.209.139.45 80 1073 1500 A 1630651460 3285033617 64351 - - - RECEIVE
2008-01-23 13:36:00 DROP TCP 209.132.213.151 216.209.139.45 80 1073 628 AP 1630652920 3285033617 64351 - - - RECEIVE
2008-01-23 13:36:01 DROP TCP 209.132.213.151 216.209.139.45 80 1073 1500 A 1630653508 3285033617 64351 - - - RECEIVE
2008-01-23 13:36:01 DROP TCP 209.132.213.151 216.209.139.45 80 1073 628 AP 1630654968 3285033617 64351 - - - RECEIVE
2008-01-23 13:36:01 DROP TCP 209.132.213.151 216.209.139.45 80 1073 1500 A 1630655556 3285033618 64351 - - - RECEIVE
2008-01-23 13:36:21 DROP TCP 209.226.111.88 216.209.139.45 58522 135 52 S 583940736

Thanks for the help

Spence
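The log above is in the W3C extended format the Windows Firewall writes: the `#Fields:` header names the columns, `-` marks a column that does not apply (TCP flags on a UDP packet, ICMP type on a TCP packet), and `path` is `RECEIVE` for inbound. Two things follow from the settings posted with it. First, because "Log successful connections" is disabled, every record is a `DROP`, and dropped unsolicited inbound packets do not account for the send/receive activity being asked about; to see which local process owns a connection, enable that option or run `netstat -ano` and match the PID column against Task Manager. Second, the dropped records themselves fall into a few recognizable kinds: UDP to ports 1026/1027 from far-away addresses (Messenger-service pop-up spam), a bare SYN to TCP 135 (a scanner probing for the RPC endpoint mapper), and ACK/FIN-ACK/PUSH-ACK packets from port 80 (the tail end of a web session the browser had already closed, which a stateful firewall drops because it no longer matches an open connection). The parser below is an added example, not code from the original post; its classification labels are this example's own heuristics, and the sample log is copied from the excerpt above, including its truncated last line so the parser's handling of that case is exercised.

```python
"""Parse the Windows Firewall W3C-style log (pfirewall.log) and summarise
what the DROP records say. Added example; not code from the original post.
SAMPLE_LOG is copied from the log excerpt posted in the thread, including its
truncated final line, so the parser's handling of that case is exercised."""
from collections import Counter

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2008-01-23 13:33:33 DROP UDP 202.97.238.200 216.209.139.45 43962 1026 485 - - - - - - - RECEIVE
2008-01-23 13:34:01 DROP UDP 218.10.137.139 216.209.139.45 47201 1027 485 - - - - - - - RECEIVE
2008-01-23 13:34:43 DROP TCP 216.209.168.73 216.209.139.45 43749 135 52 S 1639133699 0 60352 - - - RECEIVE
2008-01-23 13:35:30 DROP UDP 202.97.238.200 216.209.139.45 44721 1027 485 - - - - - - - RECEIVE
2008-01-23 13:35:30 DROP TCP 209.132.213.151 216.209.139.45 80 1072 40 A 3922545633 4169477860 64989 - - - RECEIVE
2008-01-23 13:35:30 DROP TCP 209.132.213.151 216.209.139.45 80 1072 40 FA 3922545633 4169477860 64989 - - - RECEIVE
2008-01-23 13:35:32 DROP UDP 221.208.208.101 216.209.139.45 45557 1026 486 - - - - - - - RECEIVE
2008-01-23 13:35:42 DROP TCP 209.132.213.151 216.209.139.45 80 1071 1500 A 583959127 3234938155 64367 - - - RECEIVE
2008-01-23 13:35:42 DROP TCP 209.132.213.151 216.209.139.45 80 1071 628 AP 583960587 3234938155 64367 - - - RECEIVE
2008-01-23 13:36:21 DROP TCP 209.226.111.88 216.209.139.45 58522 135 52 S 583940736
"""

# Columns that hold numbers when present; '-' means "not applicable".
NUMERIC = ("src-port", "dst-port", "size", "tcpsyn", "tcpack", "tcpwin",
           "icmptype", "icmpcode")


def parse_firewall_log(text):
    """Yield one dict per complete record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("record before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or corrupt record (the post's last line is one)
        rec = dict(zip(fields, values))
        for key in NUMERIC:
            if rec[key] != "-":
                rec[key] = int(rec[key])
        yield rec


def classify(rec):
    """Label a record with its most likely cause. The labels are this example's
    own heuristics for common 2008-era background noise, not Windows output."""
    if rec["action"] != "DROP" or rec["path"] != "RECEIVE":
        return "other"
    proto, sport, dport, flags = (rec["protocol"], rec["src-port"],
                                  rec["dst-port"], rec["tcpflags"])
    if proto == "UDP" and dport in (1026, 1027, 1028, 1029):
        return "messenger-popup-spam"   # unsolicited Messenger-service pop-ups
    if proto == "TCP" and flags == "S" and dport in (135, 139, 445):
        return "rpc-smb-probe"          # scanner looking for exposed RPC/SMB
    if proto == "TCP" and sport in (80, 443) and "S" not in flags:
        return "late-web-packet"        # tail of a web session already closed locally
    return "unclassified"


def summarize(text):
    """The counts a practitioner looks at first: causes, sources, probed ports."""
    recs = list(parse_firewall_log(text))
    by_cause = Counter(classify(r) for r in recs)
    by_src = Counter(r["src-ip"] for r in recs)
    probed = sorted({r["dst-port"] for r in recs if classify(r) == "rpc-smb-probe"})
    return {
        "records": len(recs),
        "by_cause": dict(by_cause),
        "top_sources": by_src.most_common(3),
        "probed_ports": probed,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for cause, n in sorted(result["by_cause"].items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  {cause}")
    print("top sources:", result["top_sources"])
```

Run it against the real file (`C:\WINDOWS\pfirewall.log` by default on XP) by reading it in place of `SAMPLE_LOG`; any record that is classified `unclassified` and repeats from the same source is the one worth looking up.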
 
If I'm wrong, just ignore me.

202.97.238.200

Domain Name Service (DNS) Report for IP address: 202.97.238.200

Whois Report for IP address: 202.97.238.200

% [whois.apnic.net node-2]
% Whois data copyright terms APNIC Whois Database copyright statement

inetnum: 202.97.192.0 - 202.97.255.255
netname: CNCGROUP-HL
country: CN
descr: CNCGROUP Heilongjiang province network
admin-c: CH455-AP
tech-c: LZ31-AP
status: ALLOCATED PORTABLE
changed: hm-changed@apnic.net 20031110
mnt-by: APNIC-HM
mnt-lower: MAINT-CNCGROUP-HL
mnt-routes: MAINT-CNCGROUP-RR
changed: hm-changed@apnic.net 20060124
source: APNIC

route: 202.97.192.0/18
descr: CNC Group CHINA169 Heilongjiang Province Network
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
changed: abuse@cnc-noc.net 20060118
source: APNIC

role: CNCGroup Hostmaster
e-mail: abuse@cnc-noc.net
address: No.156,Fu-Xing-Men-Nei Street,
address: Beijing,100031,P.R.China
nic-hdl: CH455-AP
phone: +86-10-82993155
fax-no: +86-10-82993102
country: CN
admin-c: CH444-AP
tech-c: CH444-AP
changed: abuse@cnc-noc.net 20041119
mnt-by: MAINT-CNCGROUP
source: APNIC

person: Liu Zhiyong
nic-hdl: LZ31-AP
e-mail: gaobh@mail.hl.cn
address: Data Communication Bureau of HLJ
phone: +86-451-542931
country: CN
changed: gaobh@mail.hl.cn 20030801
mnt-by: MAINT-CNCGROUP-HL
source: APNIC
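A whois report like the one above answers a narrower question than "who is the user": it names the network operator the range is allocated to, the autonomous system that routes it, and the abuse contact that operator publishes. The `inetnum` line gives the range as first and last address, and the `route` object gives the same range as a CIDR prefix with its origin AS; for a firewall or router rule you want the CIDR form. The script below, an added example that is not part of the post, parses the report into objects, converts the `inetnum` range into CIDR blocks (so it also works for reports where the range is not a single clean prefix), checks that the address being looked up really falls inside it, and picks out the abuse contact. `WHOIS_REPORT` is the APNIC record quoted above; the `changed:` lines are left out because those addresses are change markers, not contacts.

```python
"""Extract the facts that matter from a whois report: the allocated range as
CIDR blocks, the routing origin, and the abuse contact. Added example; not
code from the post. WHOIS_REPORT is the APNIC record quoted in the thread."""
import ipaddress

WHOIS_REPORT = """\
% [whois.apnic.net node-2]
% Whois data copyright terms APNIC Whois Database copyright statement

inetnum: 202.97.192.0 - 202.97.255.255
netname: CNCGROUP-HL
country: CN
descr: CNCGROUP Heilongjiang province network
admin-c: CH455-AP
tech-c: LZ31-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
source: APNIC

route: 202.97.192.0/18
descr: CNC Group CHINA169 Heilongjiang Province Network
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
source: APNIC

role: CNCGroup Hostmaster
e-mail: abuse@cnc-noc.net
address: No.156,Fu-Xing-Men-Nei Street,
address: Beijing,100031,P.R.China
nic-hdl: CH455-AP
source: APNIC

person: Liu Zhiyong
nic-hdl: LZ31-AP
e-mail: gaobh@mail.hl.cn
source: APNIC
"""


def parse_whois(text):
    """Split an RIR-style report into objects: a blank line ends an object,
    '%' lines are comments, repeated keys (address, changed) become lists."""
    objects, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("%"):
            if current:
                objects.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # stray line without a key; ignore it
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def inetnum_to_cidrs(inetnum):
    """'a.b.c.d - w.x.y.z' -> the minimal list of CIDR blocks covering it."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def assess(ip, text):
    """Which block is this IP in, who routes it, and whom to mail about it."""
    addr = ipaddress.ip_address(ip)
    objs = parse_whois(text)
    net = next((o for o in objs if "inetnum" in o), None)
    if net is None:
        raise ValueError("no inetnum object in report")
    cidrs = inetnum_to_cidrs(net["inetnum"][0])
    route = next((o for o in objs if "route" in o), {})
    mails = [m for o in objs for m in o.get("e-mail", [])]
    abuse = next((m for m in mails if "abuse" in m.lower()),
                 mails[0] if mails else None)
    return {
        "netname": net.get("netname", [None])[0],
        "country": net.get("country", [None])[0],
        "cidrs": cidrs,
        "covered": any(addr in ipaddress.ip_network(c) for c in cidrs),
        "origin_as": route.get("origin", [None])[0],
        "abuse_contact": abuse,
    }


if __name__ == "__main__":
    for key, value in assess("202.97.238.200", WHOIS_REPORT).items():
        print(f"{key:14s} {value}")
```

Two caveats on using the output. The XP SP2 firewall in the original post already drops this traffic (every record says `DROP` and `RECEIVE`) and has no address-based block list, so the CIDR list is something for a router ACL or for the `netsh advfirewall` / Windows Firewall with Advanced Security rules that arrived with Vista, where a rule can carry a remote-address scope. And whois will never name the person behind a dynamic address in an ISP range; the abuse contact is the only route to them.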
 
Redmo0n:

Thanks for the info! :)

Do you see any pattern in my file of hacking activity? If there is I wouldn't know as I don't know how to read the file.

If I understand your post correctly, 202.97.238.200 is within the domain of CNCGROUP? I don't know who these people are, and as far as I know I'm not running any of their products.

OK, I did a web search and found out these guys are major offenders. My concern now is they are using a proxy server. If they are I'll never be able to block them out in a firewall.

I'll input this address range somewhere in my firewall system if there is a place to do that.

Meanwhile if anyone can help thanks.

Spence
 