
Thread: Port 1026 Getting Hundreds of Inbound Alerts

  1. #1
    ups4 Guest

    Port 1026 Getting Hundreds of Inbound Alerts

    Since installing my Linksys router connecting two computers with a cable modem, I have noticed that the Alert Log in ZA Pro on my XP Home machine has been getting hundreds of alerts to port 1026. This is the ONLY port being attacked and the ONLY alert being displayed in the log.
    Can anybody give me some insight on this? I'm not worried so much about the alerts, but just curious as to why this has started happening all of a sudden.
    Thanks, Paul
    EDIT: Changed subject and message to reflect correct port in question.

    Operating System:
    Windows XP Home Edition
    Product Name:
    ZoneAlarm Pro
    Software Version:
    6.1


    Message Edited by ups4 on 05-22-2006 11:47 AM

  2. #2

    Re: Port 1060 Getting Hundreds of Inbound Alerts

    Linksys router is acting as a hardware firewall in your case. Most probably or not it is protecting all ports except 1060. Check your Linksys manual on how you can stealth all ports with it.

    In any case, behind your router, you still have ZoneAlarm protecting you.

  3. #3
    ups4 Guest

    Re: Port 1060 Getting Hundreds of Inbound Alerts



    Thanks, I will check into stealthing all ports.

    Whoops, and let me correct myself in my original post. It's port 1026, not 1060 that is being attacked.

    Sorry about that....don't know exactly why this port is special, but I will check into it.




    Thanks again.

    Paul

  4. #4
    socalreviews Guest

    Re: Port 1060 Getting Hundreds of Inbound Alerts

    Make sure those alerts are not coming from within your own LAN. If you have a wireless network and you have a desktop computer and a notebook computer or more than one computer on that network with wireless it is possible those alerts are from your wireless notebook or any other computer looking for a DHCP server in the network's IP range and then requesting a local IP address. These requests from computers that just booted up often show up as continuous alerts in ZA on any computer that is already connected to that network. They sometimes even look like port scans but they obviously are not. Once the computer on the LAN gets an IP address it usually quiets down and the alerts stop until the next time that computer boots up again. Putting your router IP and your modem IP in the trusted zone can help and if you need to you can also put your other LAN computers in the trusted zone. Generally though you should keep as much as possible in the Internet Zone or blocked but you will see more alerts such as described above if you have more restricted settings for any computer on your LAN. If you know this is happening you can simply turn off the pop up alerts for that particular alert while they may still be recorded under the ZA alerts log.

    Message Edited by SoCalReviews on 05-24-2006 12:27 AM

  5. #5
    ups4 Guest

    Re: Port 1060 Getting Hundreds of Inbound Alerts



    Thanks SoCal,

    The router is a wired one, connected to two desktops. We are both using XP Home and both computers are in my home. This is not an office setup or anything that requires sharing files between the two systems. We are only sharing the cable Internet connection.

    The source IP addresses are always different and there are hundreds a day. Always trying to reach my port 1026. I know this port is used by Windows Messenger Service, but this service is, and always has been, disabled on both machines.

    I don't have the pop-up alerts turned on, but I clear out the Alert Log a couple of times a day. I have both router IP and modem IP in the trusted zone, as well as my DNS servers and DHCP server IP.

    I also wonder why my router is not blocking this port. Nothing else gets through. There must be an adjustment in the setup of the router that would block port 1026 as well. I might add that in looking at "Active Ports", it shows that one of the six instances of svchost.exe is listening to port 1026.




    Paul

    Message Edited by ups4 on 05-24-2006 09:19 PM

    Message Edited by ups4 on 05-24-2006 09:30 PM

  6. #6
    socalreviews Guest

    Re: Port 1060 Getting Hundreds of Inbound Alerts

    Thank you for posting back with more information about your ZA alerts. The fact that the router is wired and that there are only two desktops connected is a good thing. If you find out that these alerts are coming from inside your LAN then this is good news and it is simply network activity from the two computers. I see these ZA alert logs all the time on my desktop computer after I boot up my wireless notebook to connect to my LAN. There are some things you can do if you want to quiet these alerts. Do you have your Client for Microsoft Networks and File and Print Sharing for Microsoft Networking both turned off under your Windows Network Connection settings? Messenger is often used by Microsoft Networking to chatter with other computers on the same LAN and if you turn these off the chatter often quiets down. For me to do this I had to completely prevent Microsoft Messenger from starting up at all or ever by following specific directions on the Microsoft support site. Simply disabling Messenger in other ways may not be successful as I learned a while back when I had similar problems with Messenger activity alerts in ZoneAlarm Pro. I know that there are several different Messenger type programs that can auto start with Windows (Microsoft, Windows, and MSN versions) so check to see that those or any other messaging programs are all turned off if you do not use them. Do you have any other protocols besides TCP/IP installed and running on those computers? If you do then you can also uncheck those from being active under the Windows Network Connection settings.

    If you find that the alerts are coming from many different internet IP addresses that are not part of your LAN and they are trying to access port 1026 then try doing a WHOIS search of those addresses. Try the ARIN WHOIS site search and type in the IP addresses that are trying to access port 1026 to find out the general regions they are coming from. If it says Asian Pacific Network, Caribbean or RIPE then those could very likely be outside attempts at trying to port scan or hack your router or computer's IP address. Normally those port attacks are deflected by the newer routers with enhanced WAN security as described below. Those port scans could also be coming from malware infected zombie computers from anywhere in the world that are trying to scan your IP address.

    Next I would ask how old your router is and has its firmware been recently updated? If it is more than two or three years old then it might not have some of the newer safeguards that the newer versions have such as blocking various outside WAN requests. Last year I replaced several older Linksys routers I had with newer versions and noticed in the router logs that the number of port scan attempts on those routers dropped off significantly. If you have a newer router then try updating it with the latest firmware for that particular model of router from the manufacturer's support site. If you have a much older router it might be time for you to purchase a new router. I like the Linksys WRT54GL (not the newest WRT54G versions which I do not recommend but the GL Linux firmware based version). I like the features of this router and even though it is wireless you could simply turn off the wireless part completely if you want to only use a wired network. Any newer router could help if you enable the extra WAN security features under the router's security section. Finally, although you might have done this before check again both your computers for spyware and viruses using various online web based scanners. I hope some of this information helps you track down the source of these alerts.

    Message Edited by SoCalReviews on 05-25-2006 01:26 AM
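The LAN-versus-internet check suggested in the replies above can be done over an exported alert log in one pass. This is an added example, not part of any poster's message and not ZoneAlarm code; the comma-separated log layout and the sample lines are constructed for illustration (external sources use documentation address ranges), and `summarize` and `is_local` are hypothetical names.

```python
import ipaddress
from collections import Counter

# Ranges that can only originate on the local side of a home router.
# Listed explicitly because ipaddress.is_private also covers other
# reserved blocks, which would hide the documentation addresses used below.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16",                                  # link-local
    "127.0.0.0/8",                                     # loopback
)]

# Constructed sample in an assumed layout:
# direction,date,time,source_ip:port,dest_ip:port,protocol
SAMPLE_LOG = """\
FWIN,2006/05/24,09:01:12,203.0.113.14:32801,192.168.1.100:1026,UDP
FWIN,2006/05/24,09:03:40,198.51.100.7:41022,192.168.1.100:1026,UDP
FWIN,2006/05/24,09:03:41,198.51.100.7:41022,192.168.1.100:1026,UDP
FWIN,2006/05/24,09:10:05,192.168.1.101:68,192.168.1.100:67,UDP
FWIN,2006/05/24,09:12:30,192.168.1.101:1030,192.168.1.100:1026,UDP
FWOUT,2006/05/24,09:15:00,192.168.1.100:1040,192.0.2.53:53,UDP
garbled line
"""

def is_local(ip):
    """True if the address belongs to a LAN-only range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def summarize(log_text, port):
    """Count inbound alerts to `port`, split by LAN and internet source."""
    lan, internet, skipped = Counter(), Counter(), 0
    for line in log_text.splitlines():
        fields = line.strip().split(",")
        if len(fields) != 6:
            skipped += 1            # malformed line, keep a tally
            continue
        if fields[0] != "FWIN":     # only inbound alerts are of interest
            continue
        try:
            src_ip = fields[3].rsplit(":", 1)[0]
            dst_port = int(fields[4].rsplit(":", 1)[1])
            local = is_local(src_ip)
        except (ValueError, IndexError):
            skipped += 1
            continue
        if dst_port == port:
            (lan if local else internet)[src_ip] += 1
    return {"lan": lan, "internet": internet, "skipped": skipped}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, 1026))
```

Many distinct internet sources with one or two hits each point to outside scanning, while a single LAN address repeating points to the other computer on the network.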

  7. #7
    ups4 Guest

    Re: Port 1060 Getting Hundreds of Inbound Alerts

    Thanks again SoCal.
    Lots of good info and suggestions to look into.
    I did have Client for MS Networks enabled....turned it off. I guess it is on by default.
    File and Print Sharing has always been disabled. TCP/IP is the only protocol running on both machines. I don't use any kind of messaging on my machine, but my son's computer (I guess his is the "client") does use MSN Messenger to chat with his peeps. I will have to look into it further at the MS site to make sure I have Windows Messenger completely disabled. I have the service itself disabled and of course, stopped. It does not appear in msconfig startup.
    As for the router...it is a Linksys model BEFSR41, firmware version 1.04.02 dated Feb. 18, 2005. When I got the router a couple of months ago, I did try and update the firmware right away. It said I had the latest version. I do realize this is pretty much the economy model router, but that is really all I wanted or need. Got it for $39 on sale. I will definitely look into the security WAN settings for something I'm missing.
    As for any malware that would dare try and invade my machine....well let's just say I'm almost **bleep** about keeping both machines clean and free of spyware and virus with a complete assortment of top-notch security software...updated daily.
    I have done several WHOIS lookups on many of the IP addresses listed in the log, using ZA Smart Defense Advisor, and many of them are from CNC Group ISP ranges. I'm not terribly concerned about this issue because ZA is doing its job..as usual. It's more of a curiosity/learning thing. I won't be able to let it go until I figure it out....a serious character flaw.
    Thanks again for your time and input.
    Paul
    EDIT:
    You're kidding me...the word a*n*a*l is actually bleeped out...good Lord :0.





    Message Edited by ups4 on 05-25-2006 09:58 PM

  8. #8
    socalreviews Guest

    Re: Port 1060 Getting Hundreds of Inbound Alerts

    Thanks again, your posts and the responses to them will help many users of ZA with similar questions who view this forum. Your Linksys router and firmware version looks like it should be ok and it should have the latest WAN security features that you can enable under its WAN security settings. If you didn't see IP addresses coming from world sites that I mentioned or other outside WAN sites then I would guess that those alerts are most likely coming from the second computer on your LAN. You could put that second computer's IP as a Blocked IP address under the ZA firewall settings if you want which will not stop the alerts from showing in your ZA log but it will block any connection attempt from any unknown program that is installed on the second computer. If your LAN IP later changes or swaps IPs with the second computer make sure that you don't block your own IP address with this ZA setting.

    I get similar alerts from ZA on my desktop when I use my notebook or when a visitor connects with another notebook to my LAN. As you stated in your recent post ZA will protect your system regardless of it coming from the WAN or inside your LAN so you don't have much to worry about. I was happy to be able to provide some suggestions to help you understand these ZA alerts.

    One final thing I would recommend if you have not already done so is to upgrade your ZAP to the latest version which as of this posting is currently version 6.1.744.001. This more recent version of ZAP has many bug fixes, automatic settings and alert fixes, and improved network detection and stability. But I would highly recommend doing a complete clean uninstall of the older version of ZAP before upgrading to the newer version. Of course you don't have to upgrade if you don't want to but if you do upgrade then remember that you will need a current subscription and license key on hand to install the latest version. There is an excellent complete set of instructions to follow written out by SlyFox which you can find posted many times in the installation section of this ZA user forum.

    Here is a link to those helpful uninstall and upgrade instructions:

    http://forum.zonelabs.org/zonelabs/board/message?board.id=inst&message.id=48347

    Message Edited by SoCalReviews on 05-26-2006 01:44 PM
