Thread: Firewall entries changed by some external method - help!!

  1. #1
    phil_knott Guest

    Firewall entries changed by some external method - help!!

    Hi

    I recently upgraded to v7 of ZApro (7.0.408.000) and I have recently found that something is changing the IP addresses of entries in my firewall.

    This only seems to happen to Host/Site type entries.

    For example, if I add an entry to myserver.company.com and press lookup it correctly finds 123.456.789.012, but as soon as I press apply on the main firewall page the IP is changed to 209.62.20.186 - it always seems to be the same address. At first it seemed to be just one of my entries but now it is all of them. Sometimes it just adds the IP to the definition so I have 209.62.20.186, 123.456.789.012; other times it replaces it completely.

    The IP resolves to ev1s-209-62-20-186.ev1servers.net. Can anybody throw any light on this?

    This seems very wrong.

    It seems like a huge security issue unless I am missing something!

    cheers

    Phil

    Operating System: Windows XP Pro
    Software Version: 7.0
    Product Name: ZoneAlarm Pro

  2. #2
    loveyouforever Guest

    Re: Firewall entries changed by some external method - help!!

    Sometimes one IP address is registered in the DNS under more than one host name.

    Open a command prompt (CMD) and try to resolve the IP address of the mentioned host (e.g. myserver.company.com) with the PING command. Just enter the following line right after the command prompt (e.g. C:\WINDOWS>):

    ping myserver.company.com

    Now hit the [ENTER] key.

    You should receive four answers from the named host whose address has been resolved herewith. Does it match with the one registered in ZoneAlarm or not?

    Regards,

    loveyouforever
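
Added example, not part of any post in this thread: the comparison suggested above, written in Python and extended to label each firewall entry as matched, appended or replaced and to report any unexpected address shared by several entries. The host names, the addresses and the `entries` layout are constructed assumptions; the stored addresses are assumed to be copied by hand from the firewall's host/site entries.

```python
import ipaddress
import socket
from collections import Counter

def resolve(host):
    """Return the set of IPv4 addresses DNS currently gives for host."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def classify(known_good, stored):
    """Compare the addresses a firewall entry holds with the known-good set."""
    known_good = {ipaddress.ip_address(a) for a in known_good}
    stored = {ipaddress.ip_address(a) for a in stored}
    foreign = stored - known_good
    if not foreign:
        return "match", foreign
    if stored & known_good:
        return "appended", foreign  # unexpected address sits next to the real one
    return "replaced", foreign      # the real address is gone entirely

def audit(entries, resolver=resolve):
    """entries: {host: (known_good_ips, ips_stored_in_firewall)}."""
    report, seen = {}, Counter()
    for host, (known_good, stored) in entries.items():
        status, foreign = classify(known_good, stored)
        dns_now = {ipaddress.ip_address(a) for a in resolver(host)}
        report[host] = {
            "status": status,
            "foreign": sorted(str(a) for a in foreign),
            # True when the unexpected address is what DNS answers on this machine
            "foreign_from_dns": bool(foreign) and foreign <= dns_now,
        }
        seen.update(foreign)
    # One address turning up in several unrelated entries points to a single source
    shared = sorted(str(a) for a, n in seen.items() if n > 1)
    return report, shared

# Constructed sample data (documentation address ranges, hypothetical host names)
SAMPLE = {
    "files.corp.example": (["192.0.2.10"], ["192.0.2.10"]),
    "mail.corp.example": (["192.0.2.20"], ["203.0.113.7", "192.0.2.20"]),
    "build.corp.example": (["192.0.2.30"], ["203.0.113.7"]),
}
SAMPLE_DNS = {"files.corp.example": {"192.0.2.10"},
              "mail.corp.example": {"203.0.113.7"},
              "build.corp.example": {"203.0.113.7"}}
```

Calling `audit(SAMPLE, resolver=lambda h: SAMPLE_DNS.get(h, set()))` runs it offline against the constructed data; omitting `resolver` uses the live DNS answers of the machine it runs on.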

  3. #3
    phil_knott Guest

    Re: Firewall entries changed by some external method - help!!

    Thanks for the input, but I should have said that the IPs that are being changed are internal IPs, i.e. they belong to my company, and the ones that are being used in their place are external IPs.
    So I don't think this is a DNS type issue - is there a way to log what is making the changes to the firewall?
    The more I think about this the more I am sure that I have a serious security breach, although my system is fairly heavily protected.
    The host names of the systems are also being changed to things like NET82.24.176.0 or New Network.
    At present I have added entries to block traffic to these addresses, but as I think that something is changing the valid addresses I am not sure this is giving me any protection.





  4. #4
    svasko Guest

    Re: Firewall entries changed by some external method - help!!

    If you look under "Alerts and Logs" in your Zone Alarm you can view all the entries from Viruses, Spyware, OS Program, Firewall, etc. They list the IP and its destination and where it came from in that log. Also you may want to try using ARIN to find out who owns those IPs. Here's their address: http://www.arin.net/index.shtml
    They have the abuse reporting email address on the majority of the definitions that come up so you could write to them. Do you have Microsoft Agent Server running in your Programs in Zone Alarm? If so, kill it. Also check for TCPIP Services Application. You don't need them. Be sure and block Port 39 as well. Hope this helps a bit.

    Regards,
    Stephen
