
Thread: i am getting rather scared...

  1. #1
    monotoko Guest

    Default i am getting rather scared...

    I have had ZA installed on my system for a day now. I installed it last night; it's been under 30 hours since my install. I have already had almost 28,000 access attempts to my system and counting.
    A pic of my alerts: http://img21.imageshack.us/img21/3369/help1t.jpg and a pic of the amount of access attempts (has increased since then): http://img24.imageshack.us/img24/7017/help2k.jpg
    This is a new install of Windows XP, installed just before I installed ZA, completely genuine.
    Surely that is not normal?? (Also... why is ZA using the classic Windows layout? Shouldn't it be using the theme Windows is using?)
    It is also going very slow and very laggy. What the heck could be wrong with it??

    Operating System:
    Windows XP Pro
    Software Version:
    8.0
    Product Name:
    ZoneAlarm Pro


    Message Edited by Monotoko on 04-06-2009 02:13 PM

  2. #2
    monotoko Guest

    Default Should i be panicking??

    Yeah... I'm unsure if I should be panicking here or not. Can you have a look at these images and tell me?
    http://img21.imageshack.us/img21/3369/help1t.jpg
    <--- Shows my current logs
    http://img24.imageshack.us/img24/7017/help2k.jpg
    <---- Shows the amount of access attempts, over 25000 in less than 2 days.

    Operating System: Windows XP Pro
    Software Version: 8.0
    Product Name: ZoneAlarm Pro

  3. #3
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: i am getting rather scared...

    Hi Monotoko

    I see there is a hardware firewall in front of the Windows computer.
    By default these unwanted inbound connections should be dropped by the router or the DSL modem (with the NAT enabled).
    So first check the hardware firewall:
    - make sure the latest firmware for the hardware device is installed
    - verify there are no open ports and the correct dns servers are used
    - change the default password and login to something more secure

    You may have to reset the router to get it back to the default settings.

    Also are you sharing the LAN with other computers or users that could be doing some file sharing or P2P or some sort of special connections?
    Oldsod.
    Best regards.
    oldsod

  4. #4
    monotoko Guest

    Default Re: i am getting rather scared...

    My dad does P2P every now and then. I also play some online client-based games (for which I put ZA into Gaming Mode). But none of them were active at the moment I took that screenshot; the only computer even switched on was my own, and they are still coming in at a rate of almost 4 per second??
    I have checked, double, and triple checked that the router firewall is on, and the DNS servers are indeed correct. The only open port is port 80, as it is needed by Skype. The router is a Netgear and no-one else is connected to it apart from my family.
    Also, if it was supposed to go to another computer on the LAN, why would ZA be picking it up?

    Message Edited by Monotoko on 04-06-2009 03:24 PM

  5. #5
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: i am getting rather scared...

    <blockquote><hr>Monotoko wrote:
    My dad does P2P every now and then. I also play some online client-based games (for which I put ZA into Gaming Mode). But none of them were active at the moment I took that screenshot; the only computer even switched on was my own, and they are still coming in at a rate of almost 4 per second??
    I have checked, double, and triple checked that the router firewall is on, and the DNS servers are indeed correct. The only open port is port 80, as it is needed by Skype. The router is a Netgear and no-one else is connected to it apart from my family.
    Also, if it was supposed to go to another computer on the LAN, why would ZA be picking it up?

    Message Edited by Monotoko on 04-06-2009 03:24 PM
    <hr></blockquote>


    Usually if doing P2P or games, the previous connections (or previously connected P2P IPs) will still attempt to reconnect to the computer long after the P2P is no longer being used on that computer.
    Not unusual at all to see.
    It is not days before the P2P connection attempts slowly drop off, but weeks and maybe even a month or two for some of the odd P2P connections to finally stop, as they begin to realise there is no longer a P2P node there any more.

    As for why these are coming to your computer and not the originally involved P2P computer... it could be that the computers on the LAN got their IPs switched around or got re-assigned IPs by the router, or it is even possible the incoming connections are sent to every possible IP of the LAN (I do know Skype does this) in hopes to connect to the Skype program of a single computer.

    If there is only one port open in the router, then perhaps there are still ports forwarded or left open.
    But if you are absolutely sure there are no other open ports in the router, then pass these off as Skype connections.
    Skype is well known to 'bust' or 'hack' the router's firewall and sneak or bypass its way into the LAN and attempt to connect to every computer/device on that LAN. In other words the router's security or protection is beaten by Skype.
    Basically the incoming Skype packets fool the firewall of the router by showing spoofed headers that show the new incoming Skype connection is really a returning connection, and so it gets allowed in by the router. (Hardware firewalls are not perfect.)
    Since the Skype packets do not know which particular LAN computer or LAN IP is actually supposed to receive these Skype packets, Skype does some more spoofed packets to the router that tell the router to send these Skype packets to every possible IP of the router's own route table, so then every LAN computer and LAN device gets these incoming Skype packets:

    http://www.h-online.com/security/How...features/82481


    It is hard for me to squint at the images you showed, so the list of ports and IPs was hard to read or determine.
    The ZA firewall's packet filtering log can be seen in the Windows\Internet Logs folder, if you want to see the complete listing.
    You could use the nslookup command to see the URLs for the unnamed IPs, and that could help determine if these IPs are in fact Skype IPs or P2P IPs.
    Often most P2P users use the standard P2P ports, but that is not always the case, as some use other ports (to get around the provider's filtering or limitations), so ask your Dad for further ideas.

    The ZA Firewall was still protecting your computer from the unwanted incoming connections, so these unwanted connections are not a real or true risk.
    And one further thing, please do a complete virus and spyware scan of your computer... just to rule out the possibility of any worms or trojans installed on your computer.
    Once you see your computer is 'clean' of any malware, then these unwanted connection attempts should not be a real security issue or even worth the while to be worried about.

    Oldsod.

    Message Edited by Oldsod on 04-06-2009 07:10 PM
    Best regards.
    oldsod
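
The log check suggested in post #5, as an added example that is not part of the original thread: it tallies blocked inbound records by destination port and by source address, then reverse-resolves the busiest sources the way nslookup would. The comma-separated record layout, the sample lines and the host name are constructed assumptions, not taken from the poster's log.

```python
import socket
from collections import Counter

# Constructed sample records (documentation addresses); the layout
# type,date,time,source ip:port,destination ip:port,protocol is an assumption.
SAMPLE_LOG = """\
FWIN,2009/04/06,14:01:10 +1:00 GMT,203.0.113.7:51234,192.168.0.2:6881,TCP (flags:S)
FWIN,2009/04/06,14:01:10 +1:00 GMT,203.0.113.7:51235,192.168.0.2:6881,TCP (flags:S)
FWIN,2009/04/06,14:01:11 +1:00 GMT,198.51.100.20:40000,192.168.0.2:6881,UDP
FWIN,2009/04/06,14:01:12 +1:00 GMT,198.51.100.99:0,192.168.0.2:0,ICMP (type:8/subtype:0)
FWOUT,2009/04/06,14:01:13 +1:00 GMT,192.168.0.2:1050,192.0.2.1:53,UDP
this line is not a firewall record
"""

def parse_inbound(text):
    """Yield (source_ip, dest_port, protocol) for each blocked inbound (FWIN) record."""
    for line in text.splitlines():
        fields = line.split(",")
        if len(fields) < 6 or fields[0] != "FWIN":
            continue  # outbound, program events, truncated or foreign lines
        src_ip = fields[3].rpartition(":")[0]
        dst_port = fields[4].rpartition(":")[2]
        if not src_ip or not dst_port.isdigit():
            continue  # address fields not in ip:port form
        proto = (fields[5].split() or ["?"])[0]
        yield src_ip, int(dst_port), proto

def summarize(text, top=3, resolve=socket.gethostbyaddr):
    """Count attempts per (protocol, port) and per source; name the busiest sources."""
    records = list(parse_inbound(text))
    by_port = Counter((proto, port) for _, port, proto in records)
    by_source = Counter(src for src, _, _ in records)
    top_sources = []
    for ip, hits in by_source.most_common(top):
        try:
            name = resolve(ip)[0]  # reverse (PTR) lookup, like `nslookup <ip>`
        except OSError:            # no PTR record or resolver unreachable
            name = None
        top_sources.append((ip, hits, name))
    return {"total": len(records), "by_port": by_port.most_common(top),
            "top_sources": top_sources}

if __name__ == "__main__":
    def offline(ip):  # constructed PTR answers so the demo runs without DNS
        if ip == "203.0.113.7":
            return ("peer.example.net", [], [])
        raise OSError("no PTR record")
    print(summarize(SAMPLE_LOG, resolve=offline))
```

Leave out `resolve` to query the system resolver, and pass the text of the real log file in place of `SAMPLE_LOG`.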

  6. #6
    stupefy Guest

    Default Re: i am getting rather scared...

    Within the Router's Firewall Enable the following To Be Blocked:
    Block WAN Requests = When Enabled to Block, the Router will Drop any TCP Requests and ICMP Packets
    Inbound from the WAN (Wide Area Network = Internet). Example, The Router Can Not Be Pinged.
    Block Multicast Passthrough = When Enabled to Block, the Router will Prevent a Single Data Transmission
    from being Forwarded to Multiple Recipients at the Same Time.
    IP Multicasting Occurs when a Single Data Transmission is Sent to Multiple Recipients at the Same Time.

  7. #7
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: i am getting rather scared...


    <blockquote><hr>stupefy wrote:
    Within the Router's Firewall Enable the following To Be Blocked:
    Block WAN Requests = When Enabled to Block, the Router will Drop any TCP Requests and ICMP Packets
    Inbound from the WAN (Wide Area Network = Internet). Example, The Router Can Not Be Pinged.
    Block Multicast Passthrough = When Enabled to Block, the Router will Prevent a Single Data Transmission
    from being Forwarded to Multiple Recipients at the Same Time.
    IP Multicasting Occurs when a Single Data Transmission is Sent to Multiple Recipients at the Same Time.

    <hr></blockquote>


    Unfortunately both suggestions will prevent the Father's Skype and P2P habits from being functional.
    Oldsod.
    Best regards.
    oldsod
