Zone alarm log(is this an attack?) [Archive] - SpeedGuide.net Broadband Community


Scoot
11-30-00, 07:23 PM
I have had over 50 alerts in the last hour!
I will post some of my log. I have looked at the more info/who's this and they are all different. Is this normal?

FWIN,2000/11/30,15:28:32 -8:00 GMT,172.138.219.193:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,15:30:52 -8:00 GMT,172.133.63.68:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,15:31:27 -8:00 GMT,158.252.146.16:3439,24.20.118.93:27374,TCP (flags:S)
FWIN,2000/11/30,15:31:46 -8:00 GMT,63.169.70.53:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,15:33:10 -8:00 GMT,172.166.105.109:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,15:34:28 -8:00 GMT,172.152.61.216:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,15:37:17 -8:00 GMT,64.229.164.239:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,15:38:15 -8:00 GMT,208.180.3.52:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,15:38:40 -8:00 GMT,24.10.125.33:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,15:40:05 -8:00 GMT,24.182.82.57:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,15:41:51 -8:00 GMT,200.56.138.138:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,15:43:15 -8:00 GMT,24.23.197.237:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,15:45:09 -8:00 GMT,207.225.93.168:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,15:49:38 -8:00 GMT,206.172.234.145:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,15:52:28 -8:00 GMT,216.173.206.242:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,15:52:36 -8:00 GMT,172.145.134.31:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,15:53:28 -8:00 GMT,63.23.58.179:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,15:54:10 -8:00 GMT,172.144.2.88:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,15:56:04 -8:00 GMT,24.222.59.43:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,15:56:29 -8:00 GMT,208.213.221.160:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,15:57:17 -8:00 GMT,143.106.50.181:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,15:58:12 -8:00 GMT,63.101.133.11:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,15:58:39 -8:00 GMT,208.63.192.187:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,15:59:05 -8:00 GMT,24.179.193.140:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,15:59:28 -8:00 GMT,24.10.3.174:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,16:00:38 -8:00 GMT,24.188.24.218:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,16:01:18 -8:00 GMT,207.16.152.208:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,16:02:55 -8:00 GMT,172.164.159.218:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,16:02:57 -8:00 GMT,24.165.170.207:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,16:04:07 -8:00 GMT,207.253.221.229:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,16:04:09 -8:00 GMT,172.138.20.132:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,16:04:30 -8:00 GMT,213.5.24.201:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,16:06:37 -8:00 GMT,206.71.103.1:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,16:07:36 -8:00 GMT,208.141.205.74:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,16:08:08 -8:00 GMT,207.144.211.120:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,16:08:47 -8:00 GMT,172.168.118.231:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,16:08:54 -8:00 GMT,138.89.74.21:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,16:09:17 -8:00 GMT,138.88.45.36:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,16:11:03 -8:00 GMT,216.98.74.154:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,16:11:35 -8:00 GMT,216.173.206.242:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,16:12:21 -8:00 GMT,208.7.213.63:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,16:15:10 -8:00 GMT,209.214.142.154:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,16:15:14 -8:00 GMT,63.52.233.136:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,16:15:34 -8:00 GMT,24.13.76.15:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,16:15:35 -8:00 GMT,24.160.235.217:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,16:15:36 -8:00 GMT,4.17.81.208:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,16:16:20 -8:00 GMT,209.34.16.129:0,24.20.118.93:0,ICMP (type:8/subtype:0)


------------------
KNOWLEDGE=SPEED

JANDOENT
11-30-00, 09:48 PM
You can see who it is here: http://www.all-nettools.com/tools1.htm

Scoot
11-30-00, 09:55 PM
Thanks, that makes more sense than the zone alarm query. That site is really great.
Is it common to receive over 50 hits in an evening?
Maybe I just didn't pay attention before as I have had the firewall for a couple months.
Your help is appreciated.

------------------
KNOWLEDGE=SPEED

JANDOENT
11-30-00, 11:42 PM
Yeah, you can get hits anytime. As long as you are stealth, no one can see you or get a response from your 'puter. In other words, follow instructions on your other thread and re-run that trojan scan. You should be fine. Let me know if you have any problems.

JANDOENT
12-01-00, 09:40 AM
In looking over your "hit list", I see you are getting hit from a lot of diff. IP addresses. How many of these did you trace? It doesn't seem like they are from "blocks of IP numbers"

Scoot
12-01-00, 07:53 PM
Ten or so, I realized they were mostly different so it's no use reporting it.
I don't usually get that many in an evening so I was curious.
I turned off the mini-log and the always on top options to conserve resources.
Do you think this is a good idea?
JANDOENT-Your help is greatly appreciated!
I have learned a lot from your various posts.
I wish you well with your eye trouble and will keep you in my prayers.
Scott

------------------
KNOWLEDGE=SPEED

[This message has been edited by Scoot (edited 12-01-2000).]

FunK
12-02-00, 02:50 AM
I wouldn't worry too much about most of them. They are mostly PINGS.
The one that I would worry about is this one:
========================
FWIN,2000/11/30,15:31:27 -8:00 GMT,158.252.146.16:3439,24.20.118.93:27374,TCP (flags:S)
========================
27374 is a known Sub7 trojan port. Someone was trying to see if you had the client running on your computer.

Research that IP first. It is also the only TCP connection attempted.

Peace,
FunK

Scoot
12-02-00, 01:08 PM
What would I do with info obtained?

Sprint
12490 Sunrise Valley Dr.,
Mailstop VARESB0213
Reston, VA 20196
US

--------------------------------------------------------------------------------
12490 Sunrise Valley Drive
NOC@SPRINT.NET
800-232-6895 Fax: 703-478-5471
--------------------------------------------------------------------------------

------------------
KNOWLEDGE=SPEED

JANDOENT
12-02-00, 10:56 PM
Funk, way to go buddy, catching that port was great.
Scoot, Sprint isn't your ISP, is it?
If you get a lot of hits from the same address (sometimes a block of addresses is issued to someone. Ex. all IPs from 216.173.000.000 to 216.173.555.524) you can notify their ISP and in many cases they will notify the culprit and tell them to stop.
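As an added example (not code from the thread or from ZoneAlarm), here is a small Python script that does what FunK and JANDOENT did by hand: parse ZoneAlarm FWIN lines, separate ICMP echo requests (pings) from TCP SYNs to a suspect port such as 27374, and count hits per source /16 block so repeat offenders stand out. The sample input is constructed from four lines posted above; SUSPECT_PORTS and the label names are my own choices.

```python
import re
from collections import Counter

# Constructed sample in ZoneAlarm's FWIN format, taken from lines posted
# in this thread (not the poster's full log).
SAMPLE_LOG = """\
FWIN,2000/11/30,15:28:32 -8:00 GMT,172.138.219.193:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,15:31:27 -8:00 GMT,158.252.146.16:3439,24.20.118.93:27374,TCP (flags:S)
FWIN,2000/11/30,15:52:28 -8:00 GMT,216.173.206.242:0,24.20.118.93:0,ICMP (type:8/subtype:0)
FWIN,2000/11/30,16:11:35 -8:00 GMT,216.173.206.242:0,24.20.118.93:0,ICMP (type:8/subtype:0)
"""

# Ports worth a second look; 27374 is the Sub7 default port FunK named.
SUSPECT_PORTS = {27374: "Sub7 trojan default port"}

# kind,date,time zone,src:port,dst:port,PROTO (detail)
LINE_RE = re.compile(
    r"^(?P<kind>FW\w+),(?P<date>[\d/]+),(?P<time>[^,]+),"
    r"(?P<src>[\d.]+):(?P<sport>\d+),(?P<dst>[\d.]+):(?P<dport>\d+),"
    r"(?P<proto>\w+) \((?P<detail>[^)]*)\)$"
)

def parse_line(line):
    """Return a dict for one FWIN record, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def classify(rec):
    """Label an entry the way FunK did: plain ping, SYN to a suspect port, or other."""
    if rec["proto"] == "ICMP" and rec["detail"].startswith("type:8"):
        return "icmp-echo-request"            # ordinary ping; background noise
    flags = rec["detail"].partition(":")[2]   # "flags:S" -> "S"
    if rec["proto"] == "TCP" and "S" in flags and rec["dport"] in SUSPECT_PORTS:
        return "tcp-syn-suspect-port"         # a probe for a known trojan port
    return "other"

def summarize(log_text):
    """Classify every line and count hits per source /16 block (JANDOENT's point)."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    labels = Counter(classify(r) for r in recs)
    blocks = Counter(".".join(r["src"].split(".")[:2]) for r in recs)
    flagged = [(r["src"], r["dport"], SUSPECT_PORTS[r["dport"]])
               for r in recs if classify(r) == "tcp-syn-suspect-port"]
    return {"labels": dict(labels), "blocks": dict(blocks), "flagged": flagged}
```

Run `summarize(open("ZALog.txt").read())` on a real ZoneAlarm log to get the same breakdown; blocks with a high count are the ones worth noting for an abuse report.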

Scoot
12-02-00, 11:46 PM
Well thanks, I will turn the log option back on for proof.
Yes, there has been an unusual number with the same block. I did not realize that could be the same person?
Does running the log use a lot of resources?
I read somewhere that turning it off makes your machine run better and I am always looking for ways to trim the fat.
Not when security is at stake though.


------------------
KNOWLEDGE=SPEED

JANDOENT
12-04-00, 03:02 PM
Scoot, just limit the size of the log. Make notes on who is hitting you repeatedly. Knowing that you have Web3000 in there explains a lot. Reformat when you can and keep the door locked. Web3000 is probably using more resources than ZA log!