Views: 4055 | Replies: 5

[Help] ESS 684 detected a covert channel in ICMP packets, and [image]

benen35 (this user has been deleted)
Posted 2009-2-13 16:43:00
System: XP SP3 (番茄 / Tomato Garden edition)
RAM: 1 GB
Installed ESS 684 and ThreatFire 4.0.0 (just installed; I used EQ before, but my mom found it a hassle when she used the PC for work - -|| )

This only started today... "covert channel detected in ICMP packet".. what does that mean?
And what's even stranger: "Source IP" = this machine, "Destination IP" = the gateway. I'm on a LAN.

On top of that there's a pile of ARP attacks and DNS spoofing... what a world... (but my main question is what this covert channel in ICMP packets is)


ESS log screenshot attached



[ This post was last edited by benen35 on 2009-2-13 16:51 ]
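For context on what a host firewall's "covert channel in ICMP packet" rule is generally checking, here is an added example (not from this thread and not ESET's code): a classifier that flags ICMP echo packets whose payload is not the filler that Windows ping.exe sends. The pattern-match plus entropy heuristic is an assumption about how such rules work; ESET's actual detection logic is not known from this page.

```python
import math
import struct

# Windows ping.exe fills the echo payload by cycling through 'a'..'w' (23 bytes),
# so the default 32-byte payload reads "abcdefghijklmnopqrstuvwabcdefghi".
WINDOWS_FILLER = b"abcdefghijklmnopqrstuvw"

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over a whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an ICMP echo request (type 8) or reply (type 0) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def entropy_bits(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext or compressed data scores near 8."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))

def classify_icmp(msg: bytes) -> dict:
    """Label one ICMP message the way a host firewall's covert-channel rule might (assumed heuristic)."""
    if len(msg) < 8 or icmp_checksum(msg) != 0:
        return {"verdict": "malformed", "entropy": 0.0, "length": len(msg)}
    icmp_type, code = msg[0], msg[1]
    payload = msg[8:]
    info = {"entropy": round(entropy_bits(payload), 3), "length": len(payload)}
    if icmp_type not in (0, 8) or code != 0:
        return {"verdict": "non-echo", **info}   # heuristic only covers echo traffic
    expected = (WINDOWS_FILLER * (len(payload) // 23 + 1))[:len(payload)]
    if payload == expected:
        return {"verdict": "benign-ping", **info}   # exactly what ping.exe sends
    # Anything else is data that ping never puts there: text, ciphertext, file chunks.
    return {"verdict": "suspicious-payload", **info}

if __name__ == "__main__":
    # Constructed samples, not captured traffic.
    for pkt in (build_echo(8, 1, 1, b"abcdefghijklmnopqrstuvwabcdefghi"),
                build_echo(8, 1, 2, b"chunk-03:" + bytes(range(0x40, 0x78)))):
        print(classify_icmp(pkt))
```

Only the Windows filler is treated as benign here; ping on other systems uses a different payload (Linux ping sends a timestamp followed by a counting byte sequence), so on mixed traffic this rule would need more known-good patterns. That gap is exactly where such rules produce alerts on unusual but legitimate echo traffic.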
benen35 (this user has been deleted)
OP | Posted 2009-2-13 16:47:42
[CODE]

2009-02-13,16:37:12

System Repair Engineer 2.7.0.1210
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 3 (Build 2600) - 管理权限用户 - 完整功能

以下内容被选中:
    所有的启动项目(包括注册表、启动文件夹、服务等)
    浏览器加载项
    正在运行的进程(包括进程模块信息)
    文件关联
    Winsock 提供者
    Autorun.inf
    进程特权扫描
    API HOOK
    隐藏进程


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <egui><"C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice>  [(Verified)"ESET, spol. s r.o."]
    <ThreatFire><C:\Program Files\ThreatFire\TFTray.exe>  [(Verified)PC Tools]
    <MSConfig><; C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto>  [(Verified)Microsoft Windows Component Publisher]
    <360Safetray><; E:\360安全卫士\safemon\360tray.exe /start>  [(Verified)Qizhi Software (beijing) Co. Ltd]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows Component Publisher]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Component Publisher]
    <UIHost><logonui.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{AEB6717E-7E19-11d0-97EE-00C04FD91972}><shell32.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    <PostBootReminder><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Component Publisher]
    <CDBurn><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Component Publisher]
    <WebCheck><C:\WINDOWS\system32\webcheck.dll>  [(Verified)Microsoft Windows Component Publisher]
    <SysTray><C:\WINDOWS\system32\stobject.dll>  [(Verified)Microsoft Windows Component Publisher]
    <WPDShServiceObj><C:\WINDOWS\system32\WPDShServiceObj.dll>  [(Verified)Microsoft Windows Component Publisher]
    <UPnPMonitor><C:\WINDOWS\system32\upnpui.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    <WinlogonNotify: crypt32chain><crypt32.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    <WinlogonNotify: cryptnet><cryptnet.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    <WinlogonNotify: cscdll><cscdll.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
    <WinlogonNotify: dimsntfy><%SystemRoot%\System32\dimsntfy.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    <WinlogonNotify: ScCertProp><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    <WinlogonNotify: Schedule><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    <WinlogonNotify: sclgntfy><sclgntfy.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    <WinlogonNotify: SensLogn><WlNotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    <WinlogonNotify: termsrv><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    <WinlogonNotify: wlballoon><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    <{438755C2-A8BA-11D1-B96B-00A0C90312E1}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Component Publisher]
    <{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    <Microsoft Windows Media Player><C:\WINDOWS\INF\unregmp2.exe /ShowWMP>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
    <Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    <Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_CURRENT_USER\Control Panel\Desktop]
    <SCRNSAVE.EXE><C:\WINDOWS\system32\logon.scr>  [(Verified)Microsoft Windows Component Publisher]

==================================
启动文件夹
N/A

==================================
服务
[Adobe LM Service / Adobe LM Service][Stopped/Manual Start]
  <"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"><Adobe Systems>
[Alertters / Alertters][Stopped/Disabled]
  <><(File is missing)>
[Contrl Center of Storm Media / ccosm][Stopped/Disabled]
  <><(File is missing)>
[Eset HTTP Server / EhttpSrv][Stopped/Manual Start]
  <"C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe"><ESET>
[Eset Service / ekrn][Running/Auto Start]
  <"C:\Program Files\ESET\ESET Smart Security\ekrn.exe"><ESET>
[EQService / EQService][Stopped/Auto Start]
  <><(File is missing)>
[FLEXnet Licensing Service / FLEXnet Licensing Service][Stopped/Manual Start]
  <C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe><Macrovision Europe Ltd.>
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[Messenger / Messenger][Stopped/Disabled]
  <\SystemRoot\C:\WINDOWS\system32\svchost.exe -k netsvcs-->%SystemRoot%\System32\msgsvc.dll><Microsoft Corporation>
[O&O Defrag / O&O Defrag][Stopped/Manual Start]
  <C:\WINDOWS\system32\oodag.exe><O&O Software GmbH>
[Remote Packet Capture Protocol v.0 (experimental) / rpcapd][Stopped/Manual Start]
  <"C:\Program Files\WinPcap\rpcapd.exe" -d -f "C:\Program Files\WinPcap\rpcapd.ini"><N/A>
[ThreatFire / ThreatFire][Running/Auto Start]
  <C:\Program Files\ThreatFire\TFService.exe service><PC Tools>

==================================
驱动程序
[360AntiArp / 360AntiArp][Running/System Start]
  <\??\C:\WINDOWS\system32\drivers\360AntiArp.sys><360安全中心>
[360procmon / 360procmon][Running/Manual Start]
  <\??\E:\360安全卫士\safemon\360procmon.sys><>
[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
  <system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>
[avipbb / avipbb][Stopped/Disabled]
  <system32\DRIVERS\avipbb.sys><N/A>
[dtscsi / dtscsi][Running/Manual Start]
  <\SystemRoot\System32\Drivers\dtscsi.sys><N/A>
[eamon / eamon][Running/Auto Start]
  <system32\DRIVERS\eamon.sys><ESET>
[easdrv / easdrv][Running/System Start]
  <system32\DRIVERS\easdrv.sys><ESET>
[epfw / epfw][Running/Auto Start]
  <system32\DRIVERS\epfw.sys><ESET>
[Eset Personal Firewall / Epfwndis][Running/Manual Start]
  <system32\DRIVERS\Epfwndis.sys><ESET>
[epfwtdi / epfwtdi][Running/System Start]
  <system32\DRIVERS\epfwtdi.sys><ESET>
[EAYLNLost / FDXFIRost][Stopped/Manual Start]
  <\??\C:\WINDOWS\HQGHUMost.tmp><N/A>
[FwHookDrv / FwHookDrv][Stopped/System Start]
  <\??\C:\WINDOWS\system32\MicroShut\FwHookDrv.sys><N/A>
[ialm / ialm][Running/Manual Start]
  <system32\DRIVERS\ialmnt5.sys><Intel Corporation>
[killvv / killvv][Stopped/Manual Start]
  <\??\C:\Documents and Settings\恒钰政.9B294EAF0C6C416\桌面\Twister自我保护测试\Twister自我保护测试\killvv.sys><N/A>
[Logitech SetPoint KMDF HID Filter Driver / LHidFilt][Stopped/Manual Start]
  <system32\DRIVERS\LHidFilt.Sys><Logitech, Inc.>
[Logitech SetPoint KMDF Mouse Filter Driver / LMouFilt][Stopped/Manual Start]
  <system32\DRIVERS\LMouFilt.Sys><Logitech, Inc.>
[Netpas Win32 Virtual Network Adapter / netpasadapter1][Stopped/Manual Start]
  <system32\DRIVERS\netpas.sys><Netpas>
[NetGroup Packet Filter Driver / NPF][Stopped/Manual Start]
  <system32\drivers\npf.sys><CACE Technologies>
[DDK PACKET Protocol / Packet][Running/Manual Start]
  <system32\DRIVERS\ProtoDrv.sys><360安全中心>
[Padus ASPI Shell / pfc][Running/Manual Start]
  <system32\drivers\pfc.sys><Padus, Inc.>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Srramdisk Driver / RRamdisk][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\rramdisk.sys><gavotte>
[Realtek 10/100/1000 PCI NIC Family NDIS XP Driver / RTL8023xp][Running/Manual Start]
  <system32\DRIVERS\Rtnicxp.sys><Realtek Semiconductor Corporation>
[FN300 series 10/100M PCI Network Adapter Driver / rtl8139][Stopped/Manual Start]
  <system32\DRIVERS\FN311.sys><Realtek Semiconductor Corporation>
[SafeBoxKrnl / SafeBoxKrnl][Running/System Start]
  <\??\C:\WINDOWS\system32\Drivers\safeboxkrnl.sys><360安全中心>
[Secdrv / Secdrv][Stopped/Manual Start]
  <system32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
[PS/2 Keyboard Filter Driver for WinXp / Skkbdf][Running/Manual Start]
  <system32\DRIVERS\Skkbdf.sys><Silitek Corp.>
[SKNFW / SKNFW][Running/System Start]
  <\??\C:\WINDOWS\system32\Drivers\SKNFW.sys><N/A>
[SkyProcs / SkyProcs][Stopped/Manual Start]
  <\??\E:\FireWall\SkyProcs.sys><N/A>
[SoftFSB / SoftFSB][Stopped/Manual Start]
  <\??\C:\Documents and Settings\恒钰政.9B294EAF0C6C416\桌面\SoftFSB-v1.7g1\HA-SoftFSB17G1\SoftFSB\SoftFSB.SYS><N/A>
[Sony USB Filter Driver (SONYPVU1) / SONYPVU1][Stopped/Manual Start]
  <system32\DRIVERS\SONYPVU1.SYS><Sony Corporation>
[sptd / sptd][Running/Boot Start]
  <\SystemRoot\System32\Drivers\sptd.sys><N/A>
[ssmdrv / ssmdrv][Running/System Start]
  <system32\DRIVERS\ssmdrv.sys><Avira GmbH>
[TCP/IP Protocol Driver / Tcpip][Running/System Start]
  <system32\DRIVERS\tcpip.sys><Microsoft Corporation>
[TesSafe / TesSafe][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\TesSafe.sys><TENCENT>
[TfFsMon / TfFsMon][Running/Boot Start]
  <\SystemRoot\system32\drivers\TfFsMon.sys><PC Tools>
[TfNetMon / TfNetMon][Running/Manual Start]
  <\??\C:\WINDOWS\system32\drivers\TfNetMon.sys><PC Tools>
[TfSysMon / TfSysMon][Running/Boot Start]
  <\SystemRoot\system32\drivers\TfSysMon.sys><PC Tools>
[TVICHW32 / TVICHW32][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS><EnTech Taiwan>
[zlportio / zlportio][Stopped/Manual Start]
  <\??\D:\TK5\Star\zlportio.sys><SpecoSoft>
[Intel(R) Graphics Platform (SoftBIOS) Driver / {6080A529-897E-4629-A488-ABA0C29B635E}][Stopped/System Start]
  <system32\drivers\ialmsbw.sys><Intel Corporation>
[Intel(R) Graphics Chipset (KCH) Driver / {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}][Stopped/Manual Start]
  <system32\drivers\ialmkchw.sys><Intel Corporation>
[/CODE]
淡青呀有
Posted 2009-2-13 17:32:35
It seems someone in this section asked about this before and got an answer.. but I can't find where the thread is.
lingbo110120
Posted 2009-2-13 17:46:31
OP, please ignore the ESS firewall log.
It's nothing; everyone gets these, no need to worry.
I even get flood attacks, and there's really nothing to worry about.
童话小米饭
Posted 2009-2-14 16:04:21
ESS's firewall is actually this disheartening!
ly77yl
Posted 2009-2-14 16:20:34

Reply to post #5 by 童话小米饭

Why disheartening? Isn't it defending just fine?