
Thread: Incoming internet access blocked

  1. #1
    benosmash Guest

    Incoming internet access blocked

    I've been made aware that this is just my Zone Alarm working, but I feel the need to bring this issue up.

    Starting at about 1 PM -5GMT I started receiving messages similar to the one below:

    "The firewall blocked Internet access to your computer (UDP Port *here*) from ip.adress.here (UDP Port *here*)"

    By this time I have received over 350 of these messages, some within seconds of each other. I've now got a small library of IP addresses and other information about the machines trying to access my computer. Yes, I've browsed through the list of computers that tried to access mine and there are only four repeats at this point.

    I was wondering if anyone might know, or have an idea of what this might signify. Are all of these computers compromised with a virus, or more than one, or something else? Or is this something that has to do with Windows XP Pro? Is this a normal thing that happens? I haven't received these messages since I started using the service a few years ago.

    Any info you all could provide me would be great.

    Thanks in advance.

  2. #2
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Incoming internet access blocked


    benosmash wrote:
    > I've been made aware that this is just my Zone Alarm working, but I feel the need to bring this issue up.
    >
    > Starting at about 1 PM -5GMT I started receiving messages similar to the one below:
    >
    > "The firewall blocked Internet access to your computer (UDP Port *here*) from ip.adress.here (UDP Port *here*)"
    >
    > By this time I have received over 350 of these messages, some within seconds of each other. I've now got a small library of IP addresses and other information about the machines trying to access my computer. Yes, I've browsed through the list of computers that tried to access mine and there are only four repeats at this point.
    >
    > I was wondering if anyone might know, or have an idea of what this might signify. Are all of these computers compromised with a virus, or more than one, or something else? Or is this something that has to do with Windows XP Pro? Is this a normal thing that happens? I haven't received these messages since I started using the service a few years ago.
    >
    > Any info you all could provide me would be great.
    >
    > Thanks in advance.

    Any info you all could provide me for the remote IPs and the remote port and the local port would be great.
    Oldsod.
    Best regards.
    oldsod

  3. #3
    benosmash Guest

    Re: Incoming internet access blocked

    To be honest, I'm not sure exactly what you are asking for but I'll try to fill in some blanks. If you need more info I will see what I can do.

    Most of the attempts were against port 62313; the rest were against ports 63724, 1165, 4105 and my IP address without ports attached.

    The first digits of the IP addresses start at 24, then they jump to 41 and are pretty continuous, only skipping a number here or there until they reach the 99 digit. Then they resume at 114 and are a bit more sporadic but still steady up until 125, where it jumps around a bit with 128, 137, 140, 146, 151, 156-8, 160, 164 and 173. They resume again at 189 and run fairly steady, missing a number here or there until the first digits of the IP addresses reach 222.

    The source ports are harder to pin down. The first thing I notice is that they for the most part stay in the four and five digit range. I suppose that they could be for the most part random ports. It doesn't seem to me that there are many ports being used in sequence and if they are, they aren't being used by the same IP so it's hard to find. Some IP addresses make multiple attempts but not more than two or three before they stop.

    At first I thought that this might have been due to some changes I made to my XP settings but I checked the time that these attempts started against the up time of my computer (I restarted so that they would take effect) and a few hours had passed before these attempts to contact my computer had started. I didn't change any Zone Alarm settings when I did this though, so I'm not sure how that could have affected anything. Just thought I'd throw that out there.

    Thanks for the quick response!

  4. #4
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Incoming internet access blocked

    Still insufficient information.
    Still meaningless.

    Check the ZA Logs in the Log viewer for the Firewall and the program logs.
    The older logs are stored in the WINDOWS\Internet Logs as ZALog.txt, ZALog*.txt, fwpktlog.txt and fwpktlog*.txt. Check these over for the required information.

    It is just as important to know if you are using either a router or a DSL modem with a NAT firewall, or if your computer is connected directly to the Internet, such as DSL with no NAT, or cable internet with no router, or dialup.
    Or if you are using a proxy or a gateway. Plus, is this a home network or a business network, and are there other devices/computers connected to the network?

    Best regards.
    Oldsod.
    Best regards.
    oldsod

  5. #5
    benosmash Guest

    Re: Incoming internet access blocked

    I'm not sure about the NAT firewall, but I connect to the internet via a dsl cable modem and between that and my computer is a router. Do you know of a way to check for a NAT firewall?

    Here's the first page of lines from the ZALog.txt file:

    ZoneAlarm Logging Client v7.0.483.000
    Windows XP-5.1.2600-Service Pack 2-SP
    type,date,time,source,destination,transport (Security)
    type,date,time,virus name,file name,mode,e-mail id (Anti-Virus)
    type,date,time,source,destination,action,service (IM Security)
    type,date,time,source,destination,program,action (Malicious Code Protection)
    type,date,time,action,product,file,event,subevent, class,data,data,... (OSFirewall)
    type,date,time,name,type,mode (Anti-Spyware)
    FWIN,2008/09/16,11:18:34 -4:00 GMT,91.145.85.195:10081,192.168.xx.xx:63724,TCP (flags:S)
    [edited out]

    I also found the firewall log that you mentioned but I'm not sure what you are looking for in there.

    I suppose that this is a home network with my tower being the only computer on the network. Again, I'm using a router with a DSL Cable Modem and I'm not sure if it has a NAT Firewall. I'm not aware of any proxies or gateways.

    Hope this helps,
    ~Beno

    Message Edited by benosmash on 09-17-2008 03:27 AM

  6. #6
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Incoming internet access blocked

    Beno, as soon as I saw the private addresses of 192.168.x.x I immediately knew you do have a NAT capable hardware firewall. And it is activated.

    Now then to these unwanted incoming connections.
    Which makes me wonder why too.
    First, the incoming connections with TCP (flags:S), where the "S" usually implies SYN.
    And any incoming SYN means these are initiated not by your computer, but by those sites.
    But "S" can also mean "SYN/ACK", which is a return from your computer's initial "S" packets.
    Now it could be these are sites trying to "sneak in" by holding the tail of the already established and approved connections - it depends if you "edited" the list for the post or not.
    So these could be correctly denied, as these are not wanted connections, or denied incorrectly, depending on whether these are "sneaking in" connections or properly established connections.

    But, and a big BUT, is the fact the router is supposed to drop all unwanted incoming connections in the first place. So in fact these incoming attempts should not even be seen by ZA.
    Which makes me think either the router is not working or, more than likely, there are open ports in the router, port 63724 specifically.
    If there is Skype being used or some P2P sharing happening or perhaps an online game being played, then this would explain why there is an open port in your router.
    But if this is not the case, then I would assume your router is either failing or it needs to be reset or needs a new firmware update. One of these at the least.

    But the port 63724 is very unusual by itself.
    This is the target or the destination port.
    But all of the ports involved are unusual and the most important port to be concerned about is your own receiving port of 63724. This is a most unusual port to be involved.

    https://isc.incidents.org/port.html?port=63724


    The IPs involved can be easily determined with the nslookup command.
    Open Start | Run | type in cmd and OK | type in nslookup and the IP and press Enter.

    Like this:

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\SkyRider>nslookup 91.145.85.195
    Server: resolver1.opendns.com
    Address: 208.67.222.222

    Name: host-91-145-85-195.kpylaajakaista.net
    Address: 91.145.85.195

    C:\Documents and Settings\SkyRider>

    A whois is helpful at times:

    http://www.netip.de/ripe_net?ip=91.145.85.195

    or like this one:

    http://www.coolwhois.com/d/kpylaajakaista.net

    or this one:

    http://www.who.is/whois-net/ip-addre...ajakaista.net/

    or these:

    http://member.dnsstuff.com/pages/tools.php?ptype=free


    http://ws.arin.net/whois


    http://network-tools.com/

    Another possibility is spyware/trojan on your computer.
    I do not mean to scare you, but perhaps a full scan by your antivirus and any other scanners would be a good idea at this time.

    Oldsod.
    Best regards.
    oldsod
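
One way to pull the details requested in this thread (remote IP, remote port, local port, transport) out of ZALog.txt and see which local ports are being hit and by how many distinct hosts. This is an added example, not part of the original posts; only the first FWIN line comes from the thread, the other sample rows are constructed, and the ICMP transport string is an assumed format for a portless entry.

```python
import csv
from collections import Counter

# Constructed sample. Only the first FWIN row is from the thread; the others are
# made-up entries using documentation address ranges. The ICMP transport text
# is an assumed format for an entry without ports.
SAMPLE_LOG = """\
type,date,time,source,destination,transport (Security)
FWIN,2008/09/16,11:18:34 -4:00 GMT,91.145.85.195:10081,192.168.xx.xx:63724,TCP (flags:S)
FWIN,2008/09/16,11:18:36 -4:00 GMT,198.51.100.7:40211,192.168.xx.xx:63724,UDP
FWIN,2008/09/16,11:18:36 -4:00 GMT,203.0.113.44:51820,192.168.xx.xx:63724,UDP
FWIN,2008/09/16,11:19:02 -4:00 GMT,198.51.100.7:40211,192.168.xx.xx:62313,UDP
FWIN,2008/09/16,11:19:10 -4:00 GMT,203.0.113.9,192.168.xx.xx,ICMP (type:8/subtype:0)
"""

def split_endpoint(endpoint):
    """Split 'ip:port' into (ip, port); port is None when no port is attached."""
    ip, sep, port = endpoint.rpartition(":")
    return (ip, int(port)) if sep and port.isdigit() else (endpoint, None)

def parse_fwin(text):
    """Yield one dict per blocked-inbound (FWIN) row; header and other rows are skipped."""
    for row in csv.reader(text.splitlines()):
        if len(row) != 6 or row[0] != "FWIN":
            continue
        src_ip, src_port = split_endpoint(row[3])
        _, dst_port = split_endpoint(row[4])
        proto, _, detail = row[5].partition(" ")
        yield {"src_ip": src_ip, "src_port": src_port, "dst_port": dst_port,
               "proto": proto, "detail": detail.strip("()")}

def summarize(text):
    """Return [((proto, local_port), events, distinct_remote_hosts)], busiest first."""
    events = Counter()
    sources = {}
    for e in parse_fwin(text):
        key = (e["proto"], e["dst_port"])
        events[key] += 1
        sources.setdefault(key, set()).add(e["src_ip"])
    return [(key, n, len(sources[key])) for key, n in events.most_common()]

if __name__ == "__main__":
    for (proto, port), n, hosts in summarize(SAMPLE_LOG):
        print(f"{proto:5} local port {port}: {n} blocked, {hosts} distinct remote hosts")
```

Many distinct remote hosts converging on one high local port, each trying only once or twice, is the pattern benosmash describes in post #3; the per-port host count makes it visible without reading the log line by line.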
