Last night through a lot of trial and error I narrowed it down to the HP
"One touch multimedia keyboard" executable. It was generating an ICMP
ping about once every second. My network sniffer showed that the
outbound packet was an ICMP echo request which most Win applications do
not pay much attention to. When I disabled all network IO through
ZoneAlarm it would complain about the keyboard executable trying to
connect to the internet but would give very little detail because it was
ICMP not TCP or UDP. As long as I denied the keyboard from connecting to
the Internet the sniffer showed that the traffic was no longer there. I
then uninstalled the keyboard executable and opened up the network
interface and the rogue ICMP traffic was gone.

I can only think of one good reason for a "keyboard" executable to be
pinging any machine on the Internet, perhaps to keep a dialup line
alive. But then I don't dial up! If the binary was part of some kind of
rootkit I may never know because I had removed it completely from my
system. I may have to reinstall it just to read the documentation to see
if there is some kind of keep alive option, but for now I am going to
assume the worst and monitor my system very heavily looking for other
abnormalities.

Apparently BlackICE was not making any association between the return
ICMP timeout packet and the original outbound echo request packet,
probably due to the differing source and destination addresses. BlackICE
was therefore thinking that the Internet router that timed out the echo
request packet was trying to DoS my machine.

Many thanks to the people that pointed me to some really neat tools.
Unfortunately I have found that for many such tools Win 2000 != WinME
and I had a number of unresolved dll references. I guess I will just
have to shell out the bucks to upgrade to Win 2000 professional. At
least that way I will _know_ what is installed on my system! :-)

-- 
Steve Coleman     <[EMAIL PROTECTED]>   http://www.jhuapl.edu/
 High Performance, fault tolerant, distributed, real-time computing 
 <<-------->> Johns Hopkins Applied Physics Laboratory <<--------->>
Balt:443-778-6330 Fax:443-778-5597 Wash:240-228-6330 Fax:240-228-5597
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
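The correlation problem described in the post, as an added example that is not part of the original message and not BlackICE's or HP's code. It builds, from the RFC 792 wire format, the outbound echo request a host sends and the ICMP Time Exceeded (type 11) error a router returns when the probe's TTL runs out, then compares two ways of deciding whether the inbound packet was solicited: an address-only match (a stand-in assumed here for a filter that, as the post suspects, keys only on outer source/destination and so sees the router as a stranger) and a stateful matcher that reads the quoted inner datagram (original IP header plus the first 8 bytes of the ICMP echo) to recover the original destination, identifier and sequence number. All addresses (RFC 5737 documentation ranges), identifiers and packet bytes are constructed for illustration.

```python
"""Correlating ICMP error replies with the echo requests that caused them (added example)."""
import struct

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 3, 8, 11


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def inet(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ntoa(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0, inet(src), inet(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp_message(typ: int, code: int, rest: bytes) -> bytes:
    msg = struct.pack("!BBH", typ, code, 0) + rest
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def parse_ipv4(pkt: bytes) -> dict:
    vihl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    # A quoted (truncated) datagram simply yields a short payload here.
    return {"src": ntoa(src), "dst": ntoa(dst), "proto": proto, "ttl": ttl, "payload": pkt[ihl:total]}


def echo_request(src: str, dst: str, ident: int, seq: int, data: bytes = b"keepalive") -> bytes:
    icmp = icmp_message(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", ident, seq) + data)
    return ipv4_header(src, dst, 1, len(icmp)) + icmp


def echo_reply(request: bytes) -> bytes:
    """The target's normal answer: addresses swapped, type 0, same ident/seq/data."""
    ip = parse_ipv4(request)
    icmp = icmp_message(ICMP_ECHO_REPLY, 0, ip["payload"][4:])
    return ipv4_header(ip["dst"], ip["src"], 1, len(icmp)) + icmp


def time_exceeded(router: str, original: bytes) -> bytes:
    """The error a router sends when `original` expires in transit (RFC 792 type 11)."""
    quoted = original[:28]  # original IP header + first 8 bytes of its ICMP payload
    icmp = icmp_message(ICMP_TIME_EXCEEDED, 0, b"\x00\x00\x00\x00" + quoted)
    return ipv4_header(router, parse_ipv4(original)["src"], 1, len(icmp)) + icmp


def echo_ids(ip: dict) -> tuple:
    """(ident, seq) from the echo header at the start of an ICMP payload."""
    _, _, _, ident, seq = struct.unpack("!BBHHH", ip["payload"][:8])
    return ident, seq


def naive_is_reply(outbound: bytes, inbound: bytes) -> bool:
    """Address-only matching (assumed stand-in): reply must come from where the request went."""
    out, inn = parse_ipv4(outbound), parse_ipv4(inbound)
    return inn["src"] == out["dst"] and inn["dst"] == out["src"]


class EchoCorrelator:
    """Stateful matcher that also understands ICMP error messages."""

    def __init__(self):
        self.pending = {}  # (original dst, ident, seq) for echo requests in flight

    def saw_outbound(self, pkt: bytes) -> None:
        ip = parse_ipv4(pkt)
        if ip["proto"] == 1 and ip["payload"][0] == ICMP_ECHO_REQUEST:
            self.pending[(ip["dst"],) + echo_ids(ip)] = True

    def classify_inbound(self, pkt: bytes) -> str:
        ip = parse_ipv4(pkt)
        if ip["proto"] != 1:
            return "not-icmp"
        typ = ip["payload"][0]
        if typ == ICMP_ECHO_REPLY:
            key = (ip["src"],) + echo_ids(ip)
        elif typ in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
            inner = parse_ipv4(ip["payload"][8:])  # skip type/code/checksum/unused
            if inner["proto"] != 1 or len(inner["payload"]) < 8:
                return "unsolicited"
            key = (inner["dst"],) + echo_ids(inner)  # original destination, not the router
        else:
            return "unsolicited"
        return "solicited" if self.pending.pop(key, None) else "unsolicited"


def demo() -> tuple:
    # Constructed scenario: host pings target once a second; the probe dies at
    # an intermediate router, which returns Time Exceeded from its own address.
    host, target, router = "192.0.2.10", "203.0.113.5", "198.51.100.1"
    probe = echo_request(host, target, ident=0x4B31, seq=1)
    error = time_exceeded(router, probe)
    corr = EchoCorrelator()
    corr.saw_outbound(probe)
    return (naive_is_reply(probe, echo_reply(probe)), naive_is_reply(probe, error),
            corr.classify_inbound(error), corr.classify_inbound(error))


if __name__ == "__main__":
    print(demo())
```

The address-only matcher accepts the ordinary echo reply but rejects the router's error, which is exactly the "stranger is attacking me" verdict the post describes; the correlator pops the pending entry on the first error and treats a second copy as unsolicited, so a flood of genuine-looking errors cannot ride on one request.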
