
Thread: TCP Alerts

  1. #1
    duras Guest

    Default TCP Alerts

    Hi All


    Today, after establishing a LAN wireless network, I am getting TCP alerts from the same IP address [5.43.86.51], which has, as far as I can work out, nothing to do with the network.
    Anyone have any ideas as to the reason I get these alerts?
    I have had 5 alerts in 2 hours.
    This is the type of alert I am getting:




    Source IP Address: 5.43.86.51
    Source Port: 1055 [also 2380, 2166, 4343, 1830]
    Destination IP: 192.168.0.xxx
    Destination Port: 139
    TCP Flags: SYN
    Transport Layer Protocol: TCP
    Network Layer Protocol: IP
    Link Layer Protocol: Ethernet
    Alert Date: Dec-14-2007 09:54:18 PM PST

    Operating System:
    Windows XP Home Edition
    Software Version:
    7.0
    Product Name:
    ZoneAlarm Internet Security Suite


    Message Edited by duras on 12-15-2007 05:33 PM

  2. #2
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: TCP Alerts

    Hi Duras
    This is what the nslookup and tracert revealed:

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\Oldsod>nslookup 5.43.86.51
    Server: resolver1.opendns.com
    Address: 208.67.222.222

    *** resolver1.opendns.com can't find 5.43.86.51: Non-existent domain

    C:\Documents and Settings\Oldsod>tracert 5.43.86.51

    Tracing route to 5.43.86.51 over a maximum of 30 hops

    1 <1 ms <1 ms <1 ms 192.168.0.1
    2 * * * Request timed out.
    3 7 ms 7 ms 8 ms gw10.wlfdle.rnc.net.cable.rogers.com [66.185.91.65]
    4 8 ms 8 ms 7 ms gw01.hnsn.phub.net.cable.rogers.com [66.185.80.21]
    5 * * * Request timed out.
    6 * * * Request timed out.
    7 * * * Request timed out.
    8 * * * Request timed out.
    9 * * * Request timed out.
    10 * * * Request timed out.
    11 * * * Request timed out.
    12 * * * Request timed out.
    13 * * * Request timed out.
    14 * * * Request timed out.
    15 * * * Request timed out.
    16 * * * Request timed out.
    17 * * * Request timed out.
    18 * * * Request timed out.
    19 * * * Request timed out.
    20 * * * Request timed out.
    21 * * * Request timed out.
    22 * * * Request timed out.
    23 * * * Request timed out.
    24 * * * Request timed out.
    25 * * * Request timed out.
    26 * * * Request timed out.
    27 * * * Request timed out.
    28 * * * Request timed out.
    29 * * * Request timed out.
    30 * * * Request timed out.

    Trace complete.

    C:\Documents and Settings\Oldsod>

    Not very informative or helpful!


    5.43.86.51 is an IANA reserved IP.

    http://www.dshield.org/ipinfo.html?ip=5.43.86.51

    A complete listing of IP v4 ranges can be seen here.

    Quote from CompleteWhois.com:

    "Bogons is the name used to describe IP blocks not allocated by IANA and RIRs to ISPs and organizations plus all other IP blocks that are reserved for private or special use by RFCs (the actual term "bogons" comes from word "bogus", as in bogus IP announcements). As these IP blocks are not allocated or specially reserved, such IP blocks should not be routable and used on the internet, however some of these IP blocks do appear on the net primarily used by those individuals and organizations that are often specifically trying to avoid being identified and are often involved in such activities as DoS attacks, email abuse, hacking and other security problems. These activities obviously pose great danger to everyone and ISPs should try to filter all these bad IP routes and we are trying to help in that by working to create complete detailed list of unassigned bogon ips based on whois data."

    See Bogon Filtering. Also see IP Hijacking.

    Often there are legitimate IPs in the Reserved ranges, both private and enterprise. These are considered to be "unassigned IPs".
    But this situation of yours does make us have to look at the local port (epmap or 135) and the question of why this IP is bypassing the router. If it was part of the originally initiated outgoing connections, I would assume it to be legitimate.
    If these are just inbound connection attempts without any action on your part, then I will assume these connection attempts are not legitimate and are genuine hacking attempts.
    It does make me think the IP was spoofed or the TCP packets were fragmented. This would be done to cover up the true IP of the sender. Thus the original sender would be "untraceable".

    I would definitely consider blocking off the 5.0.0.0-5.255.255.255 range in either the router or in the ZA firewall. See if any sites that you use "break" or lose functionality.

    Cheers, Oldsod

    Message Edited by Oldsod on 12-15-2007 05:02 AM
    Best regards.
    oldsod

  3. #3
    duras Guest

    Default Re: TCP Alerts

    Thanks Oldsod.
    I've blocked 5.0.0.0-5.255.255.255 in the ZA firewall.
    We'll see what happens.
    Colin

  4. #4
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: TCP Alerts

    Colin, I have seen legitimate traffic coming from the Reserved ranges. But it was part of the ongoing connections that were correctly established, and these did turn out to be just ad or banner servers. Plus it was very polite and was using the correct http connections and not making strange/illicit port connections as in your situation. Cheers, Oldsod
    Best regards.
    oldsod

  5. #5
    duras Guest

    Default Re: TCP Alerts

    Oldsod
    For your info, this is the log from just before the start of the alerts.

    It may mean something to you?
    OSFW,2007/12/15,13:13:14 +9:00 GMT,UNKNOWN(0),Internet Explorer,C:\Program Files\Internet Explorer\iexplore.exe,EXECUTION,GLOBALWINDOWSHOOK, SRC
    OSFW,2007/12/15,13:13:14 +9:00 GMT,UNKNOWN(0),Internet Explorer,C:\Program Files\Internet Explorer\iexplore.exe,EXECUTION,GLOBALWINDOWSHOOK, SRC
    FWIN,2007/12/15,14:22:00 +9:00 GMT,5.43.86.51:4343,192.168.0.102:139,TCP (flags:S)
    OSFW,2007/12/15,14:37:02 +9:00 GMT,UNKNOWN(0),Internet Explorer,C:\Program Files\Internet Explorer\iexplore.exe,EXECUTION,GLOBALWINDOWSHOOK, SRC
    FWIN,2007/12/15,14:54:10 +9:00 GMT,5.43.86.51:1055,192.168.0.102:139,TCP (flags:S)
    AV/update,2007/12/15,15:04:22 +9:00 GMT,,Update Install Failed,Auto
    FWIN,2007/12/15,15:26:10 +9:00 GMT,5.43.86.51:1830,192.168.0.102:139,TCP (flags:S)
    PE,2007/12/15,15:47:28 +9:00 GMT,UnrealTournament.exe,E:\Games\UnrealTournament \System\UnrealTournament.exe,209.85.199.83:53,N/A
    PE,2007/12/15,15:52:14 +9:00 GMT,UnrealTournament.exe,E:\Games\UnrealTournament \System\UnrealTournament.exe,192.168.0.101:8777,N/A
    FWIN,2007/12/15,15:58:10 +9:00 GMT,5.43.86.51:2166,192.168.0.102:139,TCP (flags:S)
    FWIN,2007/12/15,16:30:10 +9:00 GMT,5.43.86.51:2380,192.168.0.102:139,TCP (flags:S)
    FWIN,2007/12/15,17:34:24 +9:00 GMT,5.43.86.51:3391,192.168.0.102:139,TCP (flags:S)
    FWIN,2007/12/15,17:43:18 +9:00 GMT,5.43.86.51:3617,192.168.0.102:139,TCP (flags:S)
    AV/update,2007/12/15,18:04:24 +9:00 GMT,,Update Install Completed,Auto
    FWIN,2007/12/15,18:06:26 +9:00 GMT,5.43.86.51:4149,192.168.0.102:139,TCP (flags:S)
    OSFW,2007/12/15,18:14:00 +9:00 GMT,UNKNOWN(0),Internet Explorer,C:\Program Files\Internet Explorer\iexplore.exe,PHYSMEM,MAP,SRC
    OSFW,2007/12/15,18:14:06 +9:00 GMT,UNKNOWN(0),Internet Explorer,C:\Program Files\Internet Explorer\iexplore.exe,EXECUTION,GLOBALWINDOWSHOOK, SRC
    FWIN,2007/12/15,18:38:26 +9:00 GMT,5.43.86.51:1092,192.168.0.102:139,TCP (flags:S)
    FWIN,2007/12/15,19:10:26 +9:00 GMT,5.43.86.51:1752,192.168.0.102:139,TCP (flags:S)
    FWIN,2007/12/15,19:42:26 +9:00 GMT,5.43.86.51:2355,192.168.0.102:139,TCP (flags:S)

    All the best,
    Colin
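A small triage script, added here as an example (it is not from the thread, ZoneAlarm, or Oldsod), that applies the checks discussed above to FWIN lines in the layout Colin posted: is the source in a reserved/unallocated range, does it target one of the Windows service ports Oldsod lists, and is the same source sending repeated unsolicited SYNs. The sample log is constructed (the 5.43.86.51 lines mirror the thread, the 203.0.113.7 line is a control), and the bogon list is an assumption for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in ZoneAlarm's log layout: the 5.43.86.51 FWIN lines
# mirror the thread; the 203.0.113.7 line is a control that should pass.
SAMPLE_LOG = """\
FWIN,2007/12/15,14:22:00 +9:00 GMT,5.43.86.51:4343,192.168.0.102:139,TCP (flags:S)
AV/update,2007/12/15,15:04:22 +9:00 GMT,,Update Install Failed,Auto
FWIN,2007/12/15,14:54:10 +9:00 GMT,5.43.86.51:1055,192.168.0.102:139,TCP (flags:S)
FWIN,2007/12/15,15:26:10 +9:00 GMT,5.43.86.51:1830,192.168.0.102:139,TCP (flags:S)
FWIN,2007/12/15,16:02:00 +9:00 GMT,203.0.113.7:51000,192.168.0.102:80,TCP (flags:S)
"""

# Assumed bogon list: 5.0.0.0/8 is the block the thread filtered; it was
# unallocated in 2007 but has since been assigned, so use a current list.
BOGON_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "5.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4")]
# Windows file-sharing/RPC/telnet ports the thread recommends closing.
SENSITIVE_PORTS = {23, 135, 137, 138, 139, 445}


def parse_fwin(line):
    """Parse one ZoneAlarm FWIN record; return None for other record types."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) < 6 or fields[0] != "FWIN":
        return None
    src_ip, src_port = fields[3].rsplit(":", 1)
    dst_ip, dst_port = fields[4].rsplit(":", 1)
    return {"src": ipaddress.ip_address(src_ip), "sport": int(src_port),
            "dst": ipaddress.ip_address(dst_ip), "dport": int(dst_port),
            "syn": "(flags:S)" in fields[5]}


def summarize(log_text, repeat_threshold=3):
    """Group unsolicited inbound SYNs by (source, dest port) and explain each."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_fwin(line)
        if rec and rec["syn"]:
            counts[(rec["src"], rec["dport"])] += 1
    findings = []
    for (src, dport), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        reasons = []
        if any(src in net for net in BOGON_RANGES):
            reasons.append("source is in a reserved/unallocated range")
        if dport in SENSITIVE_PORTS:
            reasons.append(f"targets Windows service port {dport}")
        if n >= repeat_threshold:
            reasons.append(f"{n} SYNs from one source (repeated probing)")
        findings.append({"src": str(src), "dport": dport, "count": n, "reasons": reasons})
    return findings
```

An entry with an empty reasons list is ordinary unsolicited noise; one that hits all three checks is the pattern Colin's log shows.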

  6. #6
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: TCP Alerts

    Hi Colin

    I suppose the game in the media drive called out, using the Internet Explorer. Not uncommon for registration or updates. Or for online playing. But it does appear as though your game did update itself, first it failed and then it succeeded. It does have to hook into various things such as mouse, keyboard and the Internet Explorer, in order to function and update. It did have to function as a server (or open a port) to the internet in order to get the updates (not always the case, but not uncommon).

    I would say this was not an attack, but just a game getting updates.

    But if this was not your intentions, then read on.

    I assume you do not IM or use a networked printer or telnet or file sharing or VPN? If that is so or the case, then do this:

    Hold the reset button of the router down/in for at least ten seconds. The reset button is often red and very small and not easily seen. Power off the router and the modem and the PC. Power up the modem and wait for two minutes. Now do the same with the router. Power up the PC. Open/navigate into the router using the Internet Explorer. Make sure the Privacy of the ZA is off and the IE6 or IE7 has server rights for the Trusted Security Zone first!

    Now first change the default password and login name to your own special/secret password and login name.

    Secondly, the router should have the ability to close ports (or block ports). Close off these ports by both TCP/UDP: 23, 135, 137, 138, 139, 445. If there is an option to close off the IDENT then close it or if not then add port 113 to the list.
    Add to the list to block the entire range of 5001-65535 (by TCP/UDP). This will mean no traffic will ever pass through these specific ports again no matter what happens.

    Look for the reply to ping and disable this.

    Look for remote logins or remote administration and disable this too.

    Look for network printer and if this is not used, then de-select this also.

    I will assume you have a desktop with a permanent connection to the router. If that is so, look for an assigned IP with a MAC. Lock this in! If this is a wireless router, then look for WPA or WEP and enable this. If there is another PC on the LAN, do the same for it.
    Once the IP is locked in at the router for the correct MAC of the PC(s), your home network is secured. The desktop will now always get the same IP assigned by the router and it will only work with the MAC of that PC and no other. This now makes the home network very secure and safe.


    Or...

    You could just disable the internet access and both of the server rights for the game listed in the ZA Programs listing.
    This would also stop it from going outbound or opening ports.

    Cheers, Oldsod

    Message Edited by Oldsod on 12-15-2007 08:05 AM
    Best regards.
    oldsod

  7. #7
    duras Guest

    Default Re: TCP Alerts

    Hi Oldsod
    There are two computers that I have networked at home.
    I realise now that the fact that the 2 computers were being used to play Unreal Tournament was most likely the cause of the alerts, my computer being one of them.
    Would you agree?
    Also, my son mentioned something about "hamachi" - would this have something to do with it?
    Regards,
    Colin

  8. #8
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: TCP Alerts

    Yes I would agree with you Colin.
    Hamachi is a VPN client - it will be a different issue. It does seem as the security is okay. Cheers, Oldsod
    Best regards.
    oldsod
