Suspicious entries in my ZoneAlarm log viewer

5 replies to this topic

#1 InfinityPlusOne

Posted 12 February 2009 - 10:40 PM

Sorry, my first time posting and I'm not sure if this is the right place.

Some info you may (or may not) need:
Operating System: Windows XP SP 3
Anti-Virus/Anti-Malware: Avast 4.8 (recently changed from AVG 8.0) / Ad-Aware 2008 / Spybot S&D / SUPERAntiSpyware / Malwarebytes Anti-Malware / McAfee Avert Stinger / Trend Micro RootkitBuster / SpywareBlaster
Firewall: ZoneAlarm version 7.0.483.000 (firewall only)
Also, since I changed to Avast a few days ago I've been using its Network Shield.

Recently I noticed that entries in my ZoneAlarm log were disappearing after one day. I had it configured to "show last 50", but every day when I started my computer all entries from the previous day would be gone. I took a look at some posts (by others with the same problem) on the ZoneAlarm website. A couple of posters were advised to do a clean uninstall and reinstall of ZoneAlarm, so I decided to do the same. I followed the directions for a clean uninstall and reinstalled version 7.0.483.00 (there's a newer version, but people have reported problems with it blocking all Internet access, so I installed the older version). Since I just did this today, I don't know if it's fixed the problem of the disappearing logs, but I'm not here for that. After reinstalling and browsing the web for a while, I noticed that some intrusions had already been blocked, and I became curious about where this traffic was coming from. I decided to go to samspade.org and look up the IP addresses that had been blocked. Of the 11 that had been blocked up to that point, 10 (of both the TCP and UDP type) were from East Asia (8 from China, 1 from Taiwan and 1 from Japan, IIRC). (The 11th was just a ping from my ISP.) I also noticed that three consecutive entries had different IPs but the ports that the packets "originated" from were identical - TCP port 6000 - and the first two had sent the packet to the same port on my computer - TCP port 2967. Since then there have been 10 more blocked intrusions, and although I haven't checked samspade for these, they all have IPs similar to the previous ones (IPs beginning with 60, 61, 220, 202, 218, etc.). What worries me is that it seems unusual that all but one of the entries I checked out at samspade (and, I assume, the ones that I haven't checked, due to the similarities of the IPs) should all come from one specific region, namely China and nearby countries.
I've run all of my Anti-spyware and -malware applications within the last week or so, and today specifically I've run Avast and I'm running Malwarebytes as I type this, and everything's been coming up clean. Sorry if this post is overlong, but what I'm basically asking is this: should I be worried about this, or am I just being paranoid?

Edited by InfinityPlusOne, 12 February 2009 - 10:43 PM.


#2 Queen-Evie

Posted 12 February 2009 - 11:04 PM

I think you can relax. Your firewall is doing its job.

#3 InfinityPlusOne (Topic Starter)

Posted 12 February 2009 - 11:29 PM

I figured I was being overly nervous, but I wanted a second opinion. Thanks for the reply.

#4 tos226

Posted 12 February 2009 - 11:43 PM

Disappearing logs
Alerts and Logs > Main > click the Advanced button, select the Log Control tab - what does it say under "Archive log text files every ?? days"? The default is 1 day.
Don't worry anyway. You can always see the archived logs in \windows\Internet Logs\ZAlog<date>.txt.

Blocked IPs
If you are behind a router which blocks such things, then it needs further investigation.
If you are not behind a router, then it is most likely just a heap of noise to be ignored, so long as ZA blocks it, which it will do nicely as long as you don't invite the communication. (If you had a paid version of ZA you could block whole big ranges of IPs as well as external ports higher than 5000.)

Long ago there was an IRC bot attacking port 2967. Either you chat using mIRC, or someone else is and you're just picking up their traffic.
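A defender's way to do the tallying the original poster did by hand, as an added example (not code from the thread or from ZoneAlarm): it reads lines in the assumed comma-separated ZAlog<date>.txt layout (type,date,time,source ip:port,destination ip:port,protocol), keeps the inbound FWIN drops, and reports which source-port/destination-port pairs recur across different remote addresses, like the port 6000 -> 2967 hits mentioned above. The log lines are constructed and use documentation address ranges.

```python
# Added example (not from the thread or ZoneAlarm). Assumed ZAlog<date>.txt
# layout: type,date,time,src ip:port,dst ip:port,protocol. Sample lines are constructed.
from collections import Counter

SAMPLE_LOG = """\
FWIN,2009/02/12,22:41:10 -5:00 GMT,203.0.113.10:6000,192.168.1.5:2967,TCP
FWIN,2009/02/12,22:42:31 -5:00 GMT,198.51.100.20:6000,192.168.1.5:2967,TCP
FWIN,2009/02/12,22:43:02 -5:00 GMT,203.0.113.30:6000,192.168.1.5:445,TCP
FWIN,2009/02/12,22:45:17 -5:00 GMT,198.51.100.40:1034,192.168.1.5:1026,UDP
FWIN,2009/02/12,22:47:55 -5:00 GMT,192.0.2.1:0,192.168.1.5:0,ICMP (type:8/subtype:0)
FWOUT,2009/02/12,22:48:00 -5:00 GMT,192.168.1.5:1045,203.0.113.10:80,TCP
"""

def parse_zalog(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split(",", 5)
        if len(parts) != 6:
            continue
        kind, date, time, src, dst, proto = parts
        try:
            src_ip, src_port = src.rsplit(":", 1)
            dst_ip, dst_port = dst.rsplit(":", 1)
            src_port, dst_port = int(src_port), int(dst_port)
        except ValueError:
            continue
        events.append({"type": kind, "date": date, "time": time,
                       "src_ip": src_ip, "src_port": src_port,
                       "dst_ip": dst_ip, "dst_port": dst_port,
                       "proto": proto.split(" ")[0]})
    return events

def inbound_blocked(events):
    """FWIN entries are inbound packets the firewall dropped."""
    return [e for e in events if e["type"] == "FWIN"]

def repeated_port_pairs(events, min_count=2):
    """Count (src_port, dst_port, proto) triples seen at least min_count times;
    a fixed source port aimed at one local port from different addresses
    is the pattern the original poster noticed."""
    counts = Counter((e["src_port"], e["dst_port"], e["proto"]) for e in events)
    return {k: v for k, v in counts.items() if v >= min_count}

def sources_per_dst_port(events):
    """Map each targeted local port to the set of distinct remote sources."""
    out = {}
    for e in events:
        out.setdefault(e["dst_port"], set()).add(e["src_ip"])
    return out
```

Point parse_zalog at the contents of a real archived ZAlog file to see which local ports draw repeated, unsolicited hits; outbound FWOUT entries are filtered off because they are your own machine's blocked connections, not probes.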

#5 InfinityPlusOne (Topic Starter)

Posted 13 February 2009 - 04:10 PM

I checked, and it is set to archive logs daily. Also, thanks for the tip about how to find the logs manually.

I'm not behind a router, and I don't use any chat services. I have the free version of ZA, so I can't block IP ranges. My log shows a few more blocked attempts today; I checked two of them at samspade.org and they were both from China. I still think it's weird, but as long as ZA is blocking them I suppose I'll just let it go. Thanks.

#6 tos226

Posted 13 February 2009 - 10:29 PM

It's the lack of a router that makes ZA work so hard :thumbsup: If you had a cheap router you'd see none of that stuff.

If you're still interested in the subject, here are two short, on-topic posts for you:
http://forums.zonealarm.com/zonelabs/board...essage.id=12517
http://forums.zonealarm.com/zonelabs/board...essage.id=54884

And this fascinating explanation of how it works and how it looks - see the second half of the post at least, it's good reading:
http://forums.zonealarm.com/zonelabs/board...id=20926#M33953

Edited by tos226, 13 February 2009 - 10:30 PM.