
Thread: Lots of intrusions reported, is this normal?

  1. #1
    mariolemieux Guest

    Lots of intrusions reported, is this normal?

    For every version of ZA I installed under Vista, I had tons of intrusions. The latest beta (254) is no exception.

    I re-installed ZA last week, and I have over 8000 intrusion attempts on my computer. By comparison, I have had the latest available release of ZASS for XP installed on another computer for a little while now, and there are 0 intrusions reported.

    ZoneAlarm Security Suite has blocked access to port 49015 on your computer

    ZoneAlarm Security Suite has successfully stopped local network or Internet traffic from reaching your computer. No breach in your security has occurred. Your computer is safe.
    What happened?

    ZoneAlarm Security Suite blocked traffic to port 49015 on your machine from port 54812 on a remote computer whose IP address is 89.5.248.199. This communication attempt may have been a port scan, or simply one of the millions of unsolicited commercial or network control messages that are routinely sent out over the Internet. Such unsolicited messages are often called Internet background noise.
    This is one of the messages I get.

    The intrusion attempts occur at intervals of a few seconds. Here is a part of the log:

    ZoneAlarm Logging Client v7.1.254.000
    Windows Vista-6.0.6001-Service Pack 1-SMP
    type,date,time,source,destination,transport (Security)
    type,date,time,virus name,file name,mode,e-mail id (Anti-Virus)
    type,date,time,source,destination,action,service (IM Security)
    type,date,time,source,destination,program,action (Malicious Code Protection)
    type,date,time,action,product,file,event,subevent, class,data,data,... (OSFirewall)
    type,date,time,name,type,mode (Anti-Spyware)
    AV/treatment,2008/04/21,17:38:34 -4:00 GMT,,,,Auto
    FWIN,2008/04/21,17:39:16 -4:00 GMT,66.188.106.71:31018,192.168.0.105:49015,TCP (flags:S)
    FWIN,2008/04/21,17:39:16 -4:00 GMT,200.84.120.119:59557,192.168.0.105:49015,TCP (flags:S)
    FWIN,2008/04/21,17:39:16 -4:00 GMT,88.207.20.207:4853,192.168.0.105:49015,TCP (flags:S)
    FWIN,2008/04/21,17:39:18 -4:00 GMT,217.132.204.110:3679,192.168.0.105:49015,TCP (flags:S)
    FWIN,2008/04/21,17:39:32 -4:00 GMT,82.38.34.242:1336,192.168.0.105:49015,TCP (flags:S)
    FWIN,2008/04/21,17:39:32 -4:00 GMT,89.5.126.69:61018,192.168.0.105:49015,TCP (flags:S)
    FWIN,2008/04/21,17:39:32 -4:00 GMT,74.72.251.85:4568,192.168.0.105:49015,TCP (flags:S)
    FWIN,2008/04/21,17:39:32 -4:00 GMT,87.161.243.16:55562,192.168.0.105:49015,TCP (flags:S)
    FWIN,2008/04/21,17:39:32 -4:00 GMT,217.86.126.40:63924,192.168.0.105:49015,TCP (flags:S)
    FWIN,2008/04/21,17:39:32 -4:00 GMT,84.161.61.64:63175,192.168.0.105:49015,TCP (flags:S)
    FWIN,2008/04/21,17:39:40 -4:00 GMT,80.202.124.234:55947,192.168.0.105:49015,TCP (flags:S)
    FWIN,2008/04/21,17:39:40 -4:00 GMT,66.57.40.56:54159,192.168.0.105:49015,TCP (flags:S)

    ***
    As far as I can tell, 99% of them are TCP and are targeting port 49015.

    Now, this port was 'forwarded' on my router, as it's the one I'm using for BitTorrent applications (Azureus and uTorrent). The rule is now deleted in my firewall configuration (D-Link DIR-625), but I still get the intrusion attempts.

    The attacks seem to occur more frequently when uTorrent is running; however, I still get logs when the application is not running. Even when they haven't run yet (either BitTorrent or eMule) when I start Windows, I still get these attacks. I was using this software before on XP, but I never had such problems.

    I have been infected with a few spyware/viruses since I installed Vista a few months ago, and so far, ZA, or my other AV program, has always told me the infected file was removed. ZA always rated the security risk at "medium". The latest I got was "win32.trojan.keylogger.454". I cleaned it using ZA, I ran another spyware utility (Spybot) which did not find anything abnormal, I've deleted my restore points and my cache, I ran CCleaner in 'regular' mode as well as in 'Safe' mode, but there is no change in the logs; I keep getting these.

    Is it just ZA for Vista that is buggy or do I have a problem?



    Here is my netstat report, in case it's useful (while I'm not connected to the internet):
    Microsoft(R) Windows DOS
    (C)Copyright Microsoft Corp 1990-2001.

    C:\USERS\STEVE>netstat -an

    Active Connections

    Proto Local Address Foreign Address State
    TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:49269 127.0.0.1:49270 ESTABLISHED
    TCP 127.0.0.1:49270 127.0.0.1:49269 ESTABLISHED
    TCP 127.0.0.1:49281 127.0.0.1:49282 ESTABLISHED
    TCP 127.0.0.1:49282 127.0.0.1:49281 ESTABLISHED
    TCP 192.168.0.105:49553 206.162.145.250:80 ESTABLISHED
    TCP 192.168.0.105:49556 207.176.215.250:80 ESTABLISHED
    TCP 192.168.0.105:49557 207.46.27.253:7001 TIME_WAIT
    TCP 192.168.0.105:49557 207.46.27.254:7001 TIME_WAIT
    TCP 192.168.0.105:49583 76.74.140.165:80 ESTABLISHED
    TCP [::]:135 [::]:0 LISTENING
    TCP [::]:3389 [::]:0 LISTENING
    TCP [::]:5357 [::]:0 LISTENING
    TCP [::]:49152 [::]:0 LISTENING
    TCP [::]:49153 [::]:0 LISTENING
    TCP [::]:49154 [::]:0 LISTENING
    TCP [::]:49155 [::]:0 LISTENING
    TCP [::]:49156 [::]:0 LISTENING
    TCP [::]:49157 [::]:0 LISTENING
    UDP 0.0.0.0:123 *:*
    UDP 0.0.0.0:500 *:*
    UDP 0.0.0.0:3702 *:*
    UDP 0.0.0.0:3702 *:*
    UDP 0.0.0.0:4500 *:*
    UDP 0.0.0.0:49152 *:*
    UDP 127.0.0.1:1900 *:*
    UDP 127.0.0.1:44301 *:*
    UDP 127.0.0.1:49156 *:*
    UDP 127.0.0.1:56005 *:*
    UDP 127.0.0.1:57971 *:*
    UDP 127.0.0.1:60962 *:*
    UDP [::]:123 *:*
    UDP [::]:500 *:*
    UDP [::]:3702 *:*
    UDP [::]:3702 *:*
    UDP [::]:49153 *:*
    UDP [::1]:1900 *:*
    UDP [::1]:60961 *:*
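    As an added illustration, not code from the original post or from ZoneAlarm, here is a small Python parser for the ZoneAlarm Logging Client CSV format quoted above. It summarizes the blocked inbound (FWIN) records per destination port and picks out the pattern visible in this log: bare SYNs from many distinct remote peers to one port, which is what a previously forwarded BitTorrent port looks like after the forwarding rule is removed and peers still have the address in their tables. The function names, the five-source threshold and the 203.0.113.9 record are assumptions/constructed; the other records are the ones quoted in the post.

```python
import csv
from collections import defaultdict
from datetime import datetime
# Constructed input: six FWIN records quoted in the post plus one made-up record
# (203.0.113.9 is a documentation address) aimed at a different port, for contrast.
SAMPLE_LOG = """\
AV/treatment,2008/04/21,17:38:34 -4:00 GMT,,,,Auto
FWIN,2008/04/21,17:39:16 -4:00 GMT,66.188.106.71:31018,192.168.0.105:49015,TCP (flags:S)
FWIN,2008/04/21,17:39:16 -4:00 GMT,200.84.120.119:59557,192.168.0.105:49015,TCP (flags:S)
FWIN,2008/04/21,17:39:18 -4:00 GMT,217.132.204.110:3679,192.168.0.105:49015,TCP (flags:S)
FWIN,2008/04/21,17:39:32 -4:00 GMT,82.38.34.242:1336,192.168.0.105:49015,TCP (flags:S)
FWIN,2008/04/21,17:39:32 -4:00 GMT,89.5.126.69:61018,192.168.0.105:49015,TCP (flags:S)
FWIN,2008/04/21,17:39:40 -4:00 GMT,66.57.40.56:54159,192.168.0.105:49015,TCP (flags:S)
FWIN,2008/04/21,17:39:41 -4:00 GMT,203.0.113.9:40000,192.168.0.105:3389,TCP (flags:S)
"""

def parse_fwin(text):
    """One dict per FWIN (blocked inbound) record; other record types are skipped."""
    events = []
    for row in csv.reader(text.splitlines()):
        if len(row) < 6 or row[0] != "FWIN":
            continue  # AV, OSFirewall and header rows use different columns
        _, date, time, src, dst, transport = row[:6]
        src_ip, _ = src.rsplit(":", 1)
        _, dst_port = dst.rsplit(":", 1)
        proto, _, rest = transport.partition(" ")  # e.g. "TCP (flags:S)"
        flags = rest.strip("()").split(":", 1)[-1] if rest else ""
        events.append({"ts": datetime.strptime(f"{date} {time[:8]}", "%Y/%m/%d %H:%M:%S"),
                       "src_ip": src_ip, "dst_port": int(dst_port), "proto": proto, "flags": flags})
    return events  # note: the "-4:00 GMT" offset is dropped; all records share it

def summarize_by_port(events):
    """Per (proto, dst port): hit count, distinct sources, bare-SYN count, hits per minute."""
    by_port = defaultdict(list)
    for e in events:
        by_port[(e["proto"], e["dst_port"])].append(e)
    stats = {}
    for key, evs in by_port.items():
        times = sorted(e["ts"] for e in evs)
        span = (times[-1] - times[0]).total_seconds()
        stats[key] = {"hits": len(evs), "sources": len({e["src_ip"] for e in evs}),
                      "syn_only": sum(e["flags"] == "S" for e in evs),
                      "per_minute": len(evs) * 60 / span if span else float(len(evs))}
    return stats

def stale_listener_ports(stats, min_sources=5):
    """Ports hit with bare SYNs by many distinct peers: a once-forwarded port still known to a swarm."""
    return sorted(p for (_, p), s in stats.items()
                  if s["sources"] >= min_sources and s["syn_only"] == s["hits"])
```

    A single source hitting many different ports would instead show up as many keys with one source each, which is the scan pattern rather than the leftover-swarm pattern.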

  2. #2

    Re: Lots of intrusions reported, is this normal?

    Hello.

    This is considered pretty normal. Most of it is just general internet background noise. In whatever case, you are safe as long as ZoneAlarm is blocking these 'intrusions'.

    If you need help checking whether your computer still has malware inside, consider checking out the link in my signature below.

  3. #3
    mariolemieux Guest

    Re: Lots of intrusions reported, is this normal?

    Do you have any idea why it does not happen on XP with ZAISS 7.0.470? Both computers are on the same router and share the same external IP address.

    Anyway, thank you for the link, I will check that later on and see if I need to post

  4. #4
    Join Date: Nov 2004 | Location: localhost | Posts: 17,292

    Re: Lots of intrusions reported, is this normal?

    Hi!
    To me it sounds more like an issue with your router that lets incoming calls pass directly to your system...
    It does not matter that XP does not do it... it's the router allowing those connections to get to your system (105).

    You should not get that noise with a router in front under a standard configuration (i.e. no port forwarding, no DMZ, etc...).
    NAT should deflect all of those...

    Have you tried to reboot your router?
    Is the dlink router BIOS updated?

    Cheers,
    Fax

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  5. #5
    mariolemieux Guest

    Re: Lots of intrusions reported, is this normal?

    Hi!

    There is no DMZ, port 49105 is no longer forwarded (it was before), and the computer has been rebooted. Actually, I've deleted all of my port forwarding rules since yesterday, and there was no change after that.
    I haven't rebooted the router though; I'll see if it changes something.

    As for the firmware, I do have the latest firmware update for this model; it is an old "revision" though, and the firmware dates from 2006. The "C" revision of this model has newer updates.


  6. #6
    Join Date: Nov 2004 | Location: localhost | Posts: 17,292

    Re: Lots of intrusions reported, is this normal?

    Hi!
    Have you tried to look for alternative firmware (at your own risk)? There are many on the net for D-Link (depending on the router). See, for example, here: http://whirlpool.net.au/forum-replie...fm/884726.html

    Cheers,
    Fax

  7. #7
    loveyouforever Guest

    Re: Lots of intrusions reported, is this normal?

    Windows XP Firewall has to be disabled and your router firewall enabled.

    Best regards,

    loveyouforever

  8. #8
    mariolemieux Guest

    Re: Lots of intrusions reported, is this normal?

    Thanks Fax, but on the link you gave me, I don't see my router in the supported list. So I won't be taking any chances for now.

    There are "connectivity" issues, apparently, with my router and my ISP; the other revision fixes this problem. Now, finding a way to get an exchange might be tricky. But I'll try this avenue and see how it goes after that, if I still have the same problem.

    I had similar issues with my previous D-Link router too. The router was reporting constant "ping of death" attacks or "dropped packets", and the first versions of ZA for Vista had lots of intrusions reported too.

    I'll keep a look on your site anyway, to see if I can find something else for Dlink. Thanks again.

  9. #9
    Join Date: Nov 2004 | Location: localhost | Posts: 17,292

    Re: Lots of intrusions reported, is this normal?

    Hi!
    It is for sure a router issue... ZA should get zero incoming with a router, even if it is only doing NAT.
    IMO, it is probably just a wrong configuration... reset to manufacturer defaults and check again. It should be silent...

    There are many other sites with alternative firmware for D-Link; search for your model in Google.

    Cheers,
    Fax


  10. #10
    Join Date: Dec 2005 | Posts: 9,056

    Re: Lots of intrusions reported, is this normal?

    Low-end D-Link routers do make good door stops.
    Got one right now acting as a nice doorstop.
    Switched to netgear and linksys and never looked back.
    Oldsod.
    Best regards.
    oldsod
