
Got a question for security gurus

Postby Bosscamper » Sat Feb 11, 2006 12:03 am

I just did a new install of Windows XP, along with my firewall (Sygate Personal).
Suddenly I get these warnings about every 3 or 4 minutes (both directions).


A whois trace for the IP numbers above points to
Yokubaitis Holding Corporation. You can do a trace yourself for more details.

Anyone know anything about this?

Google showed me this

http://www.liutilities.com/products/win ... y/ndisuio/

A spyware scan turned up nothing.

I can block it permanently, but I would rather know what is doing it.
Eat well, stay fit, die anyway.
PROfessional Member
Posts: 424
Joined: Fri Jul 09, 2004 2:44 am
Location: Ontario, Canada

Postby SCgone » Sat Feb 11, 2006 1:25 am

That usually means nothing. If it were port 1031, then it could be the Xanadu trojan, but what you're seeing are listening ports that the RPC subsystem opens when it starts up.
Usually, a dynamically assigned port may be used by server processes. Applications using RPC will later on connect to port 135 (the NetBIOS portmapper) to query where to find a particular RPC service, and get an answer back saying that that particular service may be contacted on, say, port 1030. I think some online games actually use these high ports.
PRO PLATINUM
Posts: 6879
Joined: Thu Mar 14, 2002 11:59 pm
Location: South Carolina, USA
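The triage step the thread is circling around (which process owns the alerted port, and is it one of the RPC dynamic ports SCgone describes?) can be scripted. This is an added example, not code from the thread: it parses the output of Windows' built-in "netstat -ano" and "tasklist" commands (the samples below are constructed) and classifies each bound local port against the XP dynamic range and the RPC endpoint mapper on 135.

```python
# Added example: map a firewall-alerted local port to its owning process and
# say whether it fits the "dynamic RPC port" explanation. Samples are constructed.

# XP's default dynamic (ephemeral) port range, handed out to RPC servers at boot.
DYNAMIC_RANGE = (1025, 5000)
RPC_ENDPOINT_MAPPER = 135

# Constructed sample of "netstat -ano" output (Proto, Local, Foreign, State, PID).
SAMPLE_NETSTAT = """
TCP    0.0.0.0:135        0.0.0.0:0    LISTENING    980
TCP    0.0.0.0:1030       0.0.0.0:0    LISTENING    980
UDP    0.0.0.0:1029       *:*                       1412
TCP    192.168.1.5:1045   10.0.0.9:80  ESTABLISHED  2200
"""
# Constructed sample of "tasklist" output reduced to PID -> image name.
SAMPLE_TASKLIST = {980: "svchost.exe", 1412: "unknown.exe", 2200: "iexplore.exe"}

def parse_netstat(text):
    """Return (proto, local_port, state, pid) tuples from netstat -ano output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # skips the "Active Connections" and column-header lines
        port = int(parts[1].rsplit(":", 1)[1])
        # UDP rows have no State column, so the PID is always the last field.
        state = parts[3] if parts[0] == "TCP" else "-"
        rows.append((parts[0], port, state, int(parts[-1])))
    return rows

def classify(port, image):
    """Give the verdict the thread gives: endpoint mapper, dynamic RPC port, or look closer."""
    if port == RPC_ENDPOINT_MAPPER:
        return "RPC endpoint mapper (expected on XP)"
    if DYNAMIC_RANGE[0] <= port <= DYNAMIC_RANGE[1] and image.lower() == "svchost.exe":
        return "dynamic RPC port opened by a service host (usually benign)"
    if DYNAMIC_RANGE[0] <= port <= DYNAMIC_RANGE[1]:
        return "dynamic port owned by %s: verify this process" % image
    return "port %d owned by %s: check against known services" % (port, image)

def triage(netstat_text, tasklist):
    """Map every listening/bound local port to a verdict, keyed by (proto, port)."""
    verdicts = {}
    for proto, port, state, pid in parse_netstat(netstat_text):
        if state == "ESTABLISHED":
            continue  # outbound sessions are not the listening ports being alerted on
        verdicts[(proto, port)] = classify(port, tasklist.get(pid, "<unknown pid>"))
    return verdicts
```

Call `triage(SAMPLE_NETSTAT, SAMPLE_TASKLIST)` to get the per-port verdicts; on a real box, paste the actual command output in place of the samples.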

Postby Bosscamper » Sat Feb 11, 2006 2:11 am

That particular thing (ndisuio.sys), I have come to find out, has to do with the following:

Quote:

Big Brother and Ndisuio.sys
A new Internet phenomenon?
By Red Squirrel


Ndisuio.sys, a very mysterious system file, is present in Windows XP and is a driver for wireless things such as Wi-Fi and Bluetooth. However, there have been many issues with this file downloading immense amounts of data and perhaps causing activity that is "big brother"-ish.

The fact that hardly any information on this file downloading data is available from Microsoft makes it quite suspicious. It has even been noted that it looked as if it was transferring data to major companies like Comcast, Road Runner, Time Warner, BTC and Verizon.

The good news is, it turns out this file duplicates data that is sent/received, so wherever you go, it will also transfer the data to that file, but it does not leave the computer/network, so it's not spyware. So it's not as much of a big brother situation as it looks. It simply performs internal communication tasks and stands for NDIS User I/O, hence NDISUIO. NDISUIO is also used as a driver by many developers, as it makes certain wireless network tasks easier, such as implementing 802.11x connections. Some firewalls also use it, as it can get the data in order to filter it.

But duplicating this data can hog resources for no reason, so disabling it is the best thing to do. The data rate of this file's received data is huge, which indicates that the data transfer is not over the Internet but local. So it's just a duplicate of network activity, but because it's local everything transfers faster and uses more resources than casual Internet usage, as there's more data involved in a given time span of one second, for example.

To disable this file, go to Control Panel, Administrative Tools, Services, Wireless Zero Configuration, double-click it and disable it. This file is probably required to run if you use any Linksys wireless devices.
I don't have anything wireless, so I disabled the service and now am not being bothered with it.

One more hole plugged that I don't need to worry about. :yesnod:
PROfessional Member
Posts: 424
Joined: Fri Jul 09, 2004 2:44 am
Location: Ontario, Canada

Postby Synaptic » Sun Feb 26, 2006 5:24 am

If in doubt, I always tracert the address it's coming from. If it's direct from your ISP or somewhere you recognise, then OK it (i.e. use common sense); otherwise block it.
"Know this, you can cut me off from the civilized world, you can incarcerate me with two moronic cell mates, you can torture me with your thrice daily swill, but you can not break the spirit of a Winchester. My voice shall be heard from this wilderness and I shall be delivered from this fetid and festering sewer." - Charles Emerson Winchester, III, M*A*S*H
PRO Level 11
Posts: 455
Joined: Sat Apr 24, 2004 8:36 am
Location: Sydney, Australia

Postby augie » Sun Feb 26, 2006 6:22 am

I don't know if Sygate has the options ask/deny/allow; if it does, change it back to ask, so that when it asks for access again you can run Process Explorer (the download is at the bottom of the page) and find the calling proggie. We can then take it from there.

Yokubaitis is a Lithuanian surname and I wouldn't trust them a bit! I'm Lithuanian so I can say that about him and his 'holding' company. ;)
Everything that irritates us about others can lead us to an understanding of ourselves. -- Carl Jung

eVGA X58 tri-SLI, i7 930 @ 3.8GHz., Corsair 6GB Dominator, Inno3D GTX470, eVGA260
ASUS P8P67 Pro, i7 2600K @4.60 GHz, 8GB RAM, eVGA GTX 460
Community Director
Posts: 7870
Joined: Mon Aug 26, 2002 1:55 am
Location: Laurentians, Quebec

Postby Synaptic » Mon Feb 27, 2006 10:03 am

A holding company generally means exactly that: holding. It's a front for some other business to store assets in and call their company.
PRO Level 11
Posts: 455
Joined: Sat Apr 24, 2004 8:36 am
Location: Sydney, Australia
