Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: ZA blocking incoming connection from 192.168.0.1:13xx

  1. #1
    freezmani Guest

    Default ZA blocking incoming connection from 192.168.0.1:13xx

    Hi all, I'm new here and just downloaded ZA. All seems to be working well except one thing, it seems to be blocking incoming connections from the above mentioned ip to 192.168.0.101 which I believe is my computer. I have a router which is connected to another computer, and I think 192.168.0.1 is somehow related to that since it stops attempting to connect when I disconnect the other computer from the internet, but I'm still not totally sure. I've just recovered from a pretty bad virus (a rootkit), and although I'm pretty sure my PC has recovered, I'm still paranoid. I know what I had was one of the really bad ones that leaves your PC totally vulnerable to being hacked so I want to be 100% sure about any connections incoming or outgoing. Any idea what exactly this connection is and if it's safe to unblock?

    Thanks

    Operating System:Windows XP Home Edition
    Software Version:
    Product Name:ZoneAlarm (Free)

  2. #2
    zaswing Guest

    Default Re: ZA blocking incoming connection from 192.168.0.1:13xx

    Most likely, if you use standard setup of routers, one computer is 192.168.0.100 and the other one is 192.168,0.101. So you can check both using
    start, run, cmd, hit enter
    type ipconfig /all in both to see what IP each computer has.
    exit when done.

    The address 192.168.0.1 is your router, so it's trying to say something to you?

    In the ZA firewall zones tab, make sure you enter the LAN or the whole adapter subnet 192.168.0.0/255.255.255.0 as trusted (likely .100 or .101 is already there), then add to the list the other computer, be it .100 or .101, also add local host 127.0.0.1, and the router itself 192.168.0.1

    If you've done all that, then I have no clue

  3. #3
    freezmani Guest

    Default Re: ZA blocking incoming connection from 192.168.0.1:13xx

    My computer is 192.168.0.101.

    Regarding the zones tab, this is how it was installed: http://img504.imageshack.us/img504/702/zahe9.jpg

    Is anything missing?

    What exactly is adding that extra entry supposed to do? I mean, I realize it's my router, but what purpose would unblocking it serve (unless for some reason wasn't set right on my install?) All my computers are still working fine with it blocked. There's nothing wrong with anything, I'm more concerned with the security aspect. What I want to know is what it is exactly and why it's trying to connect to me? If Zonealarm is auto-configured to block it, and blocking it doesn't make a difference...?

    I'm just paranoid is all. As I said before, I'm just getting over a really bad backdoor trojan infection and want to make sure everything is 100% secure.

  4. #4
    zaswing Guest

    Default Re: ZA blocking incoming connection from 192.168.0.1:13xx

    I thought I understood your question but now I think I don't anymore.
    Can you quote the exact alert you're getting.
    Are there 2 computers hooked to the router and .101 is one of them?

    Nothing wrong with the setup though the first item, IMO can/should be trusted.
    If you don't fileshare with the other computer, things look ok, if you do file sharing and trust the other computer, add its IP address.

  5. #5
    freezmani Guest

    Default Re: ZA blocking incoming connection from 192.168.0.1:13xx

    Zone alarm more info says this:

    "ZoneAlarm blocked traffic to port 2869 on your machine from port 1038 on a remote computer whose IP address is 192.168.0.1. This communication attempt may have been a port scan, or simply one of the millions of unsolicited commercial or network control messages that are routinely sent out over the Internet. Such unsolicited messages are often called Internet background noise."

    The source IP is 192.168.0.1:xxxx (port changes every time), and the destination is 192.168.0.101:2869 which is my computer. The other computer is .102.

    Yes there are two computers hooked up to the router, and .101 is mine. I unplugged the other computer from the internet all night and got no warnings. Sure enough, now that it's plugged back in, the warnings have started again. So I'm sure it has to do with the other computer. Strange. Neither computer is being affected by the block which is why I wonder what it is if it's apparently not doing anything. Could it be malware related? I don't use the other computer and the people who do are very careless, so it wouldn't surprise me.

  6. #6
    zaswing Guest

    Default Re: ZA blocking incoming connection from 192.168.0.1:13xx

    Well ... as I said, hmmm, thinking about it!

    So the alert is about ZA blocking something from the router's any port to your computer's port 2869
    It's most likely the router sending packets to you, likely because the other comp is hooked up, so everybody's asking the router who is such and such IP and what MAC address it is, and .101 asks .102 and .1 and .102 asks .1 and .1 asks .101 who is who, it goes on forever, chances are these are just broadcast messages which are useless to you, so ZA blocks'm.
    Could be NetBIOS traffic (though the port seems wrong, should be 139, 138, 137). Are you using file sharing? Is NetBIOS enabled in your computers?
    Do you have a network (not USB) printer connected to the router?

    One other possibility - depends on your router - is the router sending logs to your .101 computer? if so, you can probably shut it off in the router's web interface.
    Still another - do you play games? If so this could be some upNp thing.
    Or something running in your computer that's listening on this port - what do you have running at startup? Do you have ProcessExplorer to check what's listening? Edit: Something like some web mail service, perhaps, notifying you all the time?

    I'm assuming your router hasn't been hacked, that you have a password, that you have security key enabled in the router if wireless and so on.
    I'm also assuming the other computer, .102 is clean.
    I'm assuming also that Generic Host process (svchost.exe) has been given three checks from the left, i.e. permit Trusted server (but not internet server).

    Message Edited by zasuiteuser on 11-14-2008 08:34 PM

  7. #7
    zaswing Guest

    Default Re: ZA blocking incoming connection from 192.168.0.1:13xx

    Are you running ICS - internet connection sharing. It doesn't work with free ZA, though I think i've seen posts here about solving that, so use of the Search button will find you something. Port 2869 is called ICSLAP which makes me think of ICS.

    Perhaps the .102 computer thinks you're doing connection sharing. What kind of firewall is there and how is it setup?

    What was the application that caused the alert? Was it system? svchost.exe? greatmalware.exe?
    Can you quote a line from your ZAlog which is in \windows\Internet Logs - that might help someone else help you.

  8. #8
    Join Date
    Dec 2005
    Posts
    9,056

    Default Re: ZA blocking incoming connection from 192.168.0.1:13xx

    Port 2869 is used for the UPnP and SSDP.
    Your computer is sending out looking for networked devices and the incoming replies are getting blocked by the ZA.
    In all probability you do not use any networked devices such as printer/scanner/game box/media devices with this desktop, so disabling the UPnP and SSDP in the windows services will cease these outoing connections and stop the then answers replies from the other computers/router.
    This will now make these strange yet harmless connections events stop completely.
    Oldsod.
    Best regards.
    oldsod

  9. #9
    zaswing Guest

    Default Re: ZA blocking incoming connection from 192.168.0.1:13xx

    Oldsod, this is great. Thanks for helping out.

    I smelled uPnP having read some ref after googling for that port, but didn't find anything specific. IANA called it ICSLAP. Would 2869 be specific to some device?
    So HOW did YOU know, since the only ones we normally see are 1900 and 5000?

  10. #10
    freezmani Guest

    Default Re: ZA blocking incoming connection from 192.168.0.1:13xx

    Alright, I just disabled UPnP on both computers. Hopefully this will solve the problem and put my mind at ease. Thank you both for your help, very much appreciated!

Page 1 of 2 12 LastLast

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •