Thread: Hackers are getting through ZAP

    jeffkelly Guest

    Hackers are getting through ZAP

    Hello all, let me briefly explain my situation.

    - My router port-forwards FTP ports 21 and 22 to a Win2K computer on my subnet.
    - I have the latest ZAP installed on the computer.
    - ZAP has the trusted rules in it: local host, my work public IP address and my local subnet address range. These are the only rules configured.
    - ZAP internet zone is set to high and the trusted zone is set to medium.
    - My NT server is set to file level permissioning on all files. Only my login can access them. "Allow anonymous users" is deactivated on the FTP server.
    - I've run port scans from Symantec and Broadband Reports on the server and only ports 21/22 are identified.

    I log all ZAP events and downstream, I log all FTP connection attempts using IIS logging. About a week ago I began seeing hundreds of "polling" hits each day in my IIS log. Several people from China are scanning my FTP server attempting to determine authentication. They are trying different combinations about every 2-5 seconds. I'm certain they are getting through ZAP for the following reasons:

    - Per the ZAP log, many port 22 attempts are blocked but some are getting through.
    - Every event logged in my FTP log doesn't show up in the ZAP log. Again, many attempts to reach my FTP server are being blocked by ZAP, but many are not. Here's an example of a couple of events (of thousands) that were logged in my FTP log, but not in ZAP.

    21:02:29 [2]USER dave 331
    21:02:29 [2]PASS - 530
    21:02:31 [2]USER dave 331
    21:02:31 [2]PASS - 530

    Can someone shed some light on this? For the time being, I entered manual blocking rules for the address ranges that made it past ZAP.
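    One way to spot the 2-5 second guessing pattern in IIS FTP log lines of the shape quoted above (an added example written for this thread, not code from the original posts; the log lines, session ids and usernames in it are constructed, and the 3-failures-in-60-seconds threshold is an assumption you would tune):

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of the IIS FTP log lines quoted in the post:
#   time [session-id]COMMAND argument reply-code
# 331 = "password required", 530 = "login failed", 230 = "logged in".
SAMPLE_LOG = """\
21:02:29 [2]USER dave 331
21:02:29 [2]PASS - 530
21:02:31 [2]USER dave 331
21:02:31 [2]PASS - 530
21:02:34 [2]USER admin 331
21:02:34 [2]PASS - 530
21:05:10 [3]USER jeff 331
21:05:11 [3]PASS - 230
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) \[(\d+)\](\w+) (\S+) (\d{3})$")

def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when, session, cmd, arg, code = m.groups()
    return {"time": datetime.strptime(when, "%H:%M:%S"), "session": int(session),
            "cmd": cmd, "arg": arg, "code": int(code)}

def failed_logins(log_text):
    """Map session id -> list of (time, username) for every PASS answered with 530."""
    last_user, failures = {}, defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["cmd"] == "USER":
            last_user[rec["session"]] = rec["arg"]      # remember who the next PASS is for
        elif rec and rec["cmd"] == "PASS" and rec["code"] == 530:
            failures[rec["session"]].append((rec["time"], last_user.get(rec["session"], "?")))
    return failures

def flag_bruteforce(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return {session: usernames tried} for sessions with >= threshold failures in any window."""
    flagged = {}
    for session, attempts in failed_logins(log_text).items():
        attempts.sort()                                  # chronological, so windows are contiguous
        for i in range(len(attempts) - threshold + 1):
            if attempts[i + threshold - 1][0] - attempts[i][0] <= window:
                flagged[session] = sorted({u for _, u in attempts})
                break
    return flagged
```

    Feeding the real log through `flag_bruteforce` gives you the sessions worth matching against the ZAP log, which is the comparison the post is making by hand.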



    jarvis Guest

    Re: Hackers are getting through ZAP


    From the above information, the only thing to rule out is your Program Control settings for your FTP server program. If you have granted it Internet Server permission, then any packets your router forwards on the FTP ports will reach that program.

    You need to make sure it only has server permission for the Trusted Zone.

    jeffkelly Guest

    Re: Hackers are getting through ZAP

    Thanks Jarvis, that may have been the problem; IIS was set for trusted and internet. I didn't get any hits on my FTP log last night (good sign) and there was one blocked attempt to my FTP server. I'm still puzzled why ZAP blocked some port 22 requests but allowed others to get through? Either way, if this fixes the problem it doesn't matter. I'll let you know if I start having problems again.

    Thanks again,
    Jeff

    jeffkelly Guest

    Re: Hackers are getting through ZAP


    That was the problem. Lots of blocked attempts, but no one is getting through anymore. Thanks for the tip!


    tony_a Guest

    Re: Hackers are getting through ZAP

    Hello JeffKelly,

    This post might help.

    You are being targeted. Your only recourse is to block the IP ranges. Contact your ISP and report the abuse.


    jeffkelly Guest

    Re: Hackers are getting through ZAP

    It happened again. I haven't changed anything since my last post and everything was working well; no one was getting through ZAP. This morning I noticed my internet activity light on solid so I checked my FTP server. Once again, someone was scanning the server, trying different username/password combinations. They ran the scan for about 8 hours before I noticed it. For the time being, I put a blocking rule in ZAP for the IP address and contacted the university originating the scan. I also noticed someone from the Ukraine had scanned my server for two hours prior to the 8 hour scan. I put a manual block in ZAP for that address as well.

    I'm not sure what changed. I'm running the latest version of ZAP and have only two rules: local subnet and my company's public IP address -- both are in the trusted zone per Jarvis' recommendation.

    Anyone have insight on this?

    Thanks

    jarvis Guest

    Re: Hackers are getting through ZAP

    And does the FTP program have INTERNET server permission? It should only have Trusted server permission. It is possible that SmartDefense changed your setting. Go to Program Control --> Programs, find the FTP server program and put a red X under Internet Server and make sure the SmartDefense column changes to Custom.

    jeffkelly Guest

    Re: Hackers are getting through ZAP

    My FTP server is IIS. Something is switching the IIS zone from trusted to internet. It happened again a week ago and I didn't notice it until yesterday. The server is file level permissioned for my login only, so the hackers were denied access by Windows. Most of the attempts came from China with one from Holland. I've since switched the IIS zone back to trusted and haven't logged any FTP activity except my own.

    I have auto-update turned off, so does anyone know why the zone keeps switching?

    wyzzardusa Guest

    Re: Hackers are getting through ZAP

    I've never had any confidence in IIS, regardless of the firewall in use. I'd suggest installing a third-party FTP server program (I could name one I use, but not sure I'm allowed to; email me if you like for further info).

    But, in this particular program, any attempt to access the FTP can cause the IP addy to be blocked for a period of time, or to be permanently banned -- and all this is automatic, never lift a finger -- depending on how you wish to configure it. And access can ONLY be to folders the FTP server can "see" (which you control when setting it up).

    So, even allowing server in both Internet AND Trusted Zones for the app means that access can be only to the designated FTP folders -- the FTP app is incapable of accessing any other files or folders in the computer -- the rest of the drive is safe.

    Message Edited by WyzzardUSA on 11-30-2006 09:51 PM

    jeffkelly Guest

    Re: Hackers are getting through ZAP

    The FTP server has sensitive information on it that is not for public consumption. Therefore, I only allow one public IP address into the trusted zone (my office). I use it to gain access to information and to transfer files to and from home. IIS has worked fine for years, but I keep battling ZA.

    Something unattended periodically activates the internet zone for IIS. When I discover it I uncheck Internet, leaving trusted checked.

    Sometime in the future, Internet will become checked again.

