help pls is this an attack? [Archive] - SpeedGuide.net Broadband Community

touser3
12-06-00, 10:55 PM
Hello, I have just downloaded the ZoneAlarm analyser and was looking through it and found this:

Date: 12/2/2000
Time: 7:39:32 PM +0:00 GMT
Transport: TCP (flags:S)
From: 192.168.1.3 Port: 1052
To: 192.168.1.2 Port: 139

Firewall log entry:
type,date,time,source,destination,transport
FWIN,12/2/2000,7:39:32 PM +0:00 GMT,192.168.1.3:1052,192.168.1.2:139,TCP (flags:S)

The same IP is doing this all the time; I have a full page's worth of logs. What should I do about this? Just let ZoneAlarm Pro keep blocking it?

3 FWIN 12/2/2000 3:53:29 PM +0:00 GMT 192.168.1.3 N/A 1028 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 3:55:55 PM +0:00 GMT 192.168.1.3 N/A 1029 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 3:59:55 PM +0:00 GMT 192.168.1.3 N/A 1030 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 4:00:46 PM +0:00 GMT 192.168.1.3 N/A 1031 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 4:01:37 PM +0:00 GMT 192.168.1.3 N/A 1032 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 4:02:28 PM +0:00 GMT 192.168.1.3 N/A 1033 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 4:03:19 PM +0:00 GMT 192.168.1.3 N/A 1034 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 4:08:20 PM +0:00 GMT 192.168.1.3 N/A 1035 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 4:20:46 PM +0:00 GMT 192.168.1.3 N/A 1036 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 4:33:11 PM +0:00 GMT 192.168.1.3 N/A 1037 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 4:45:37 PM +0:00 GMT 192.168.1.3 N/A 1038 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 4:58:02 PM +0:00 GMT 192.168.1.3 N/A 1039 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 5:10:27 PM +0:00 GMT 192.168.1.3 N/A 1040 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 5:22:53 PM +0:00 GMT 192.168.1.3 N/A 1041 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 5:35:18 PM +0:00 GMT 192.168.1.3 N/A 1042 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 5:47:44 PM +0:00 GMT 192.168.1.3 N/A 1043 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 6:00:09 PM +0:00 GMT 192.168.1.3 N/A 1044 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 6:12:35 PM +0:00 GMT 192.168.1.3 N/A 1045 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 6:25:00 PM +0:00 GMT 192.168.1.3 N/A 1046 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 6:37:25 PM +0:00 GMT 192.168.1.3 N/A 1047 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 6:49:51 PM +0:00 GMT 192.168.1.3 N/A 1048 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 7:02:16 PM +0:00 GMT 192.168.1.3 N/A 1049 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 7:14:42 PM +0:00 GMT 192.168.1.3 N/A 1050 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 7:27:07 PM +0:00 GMT 192.168.1.3 N/A 1051 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 7:39:32 PM +0:00 GMT 192.168.1.3 N/A 1052 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 7:51:58 PM +0:00 GMT 192.168.1.3 N/A 1053 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 8:04:23 PM +0:00 GMT 192.168.1.3 N/A 1054 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 8:16:49 PM +0:00 GMT 192.168.1.3 N/A 1055 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 8:29:14 PM +0:00 GMT 192.168.1.3 N/A 1056 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/5/2000 4:49:36 PM -8:00 GMT 192.168.1.3 N/A 1028 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/5/2000 4:52:01 PM -8:00 GMT 192.168.1.3 N/A 1029 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/5/2000 5:12:46 PM -8:00 GMT 192.168.1.3 N/A 1030 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/5/2000 5:13:37 PM -8:00 GMT 192.168.1.3 N/A 1031 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/5/2000 5:14:28 PM -8:00 GMT 192.168.1.3 N/A 1032 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/5/2000 5:15:19 PM -8:00 GMT 192.168.1.3 N/A 1033 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/5/2000 5:16:10 PM -8:00 GMT 192.168.1.3 N/A 1034 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/5/2000 5:21:25 PM -8:00 GMT 192.168.1.3 N/A 1050 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/5/2000 5:33:50 PM -8:00 GMT 192.168.1.3 N/A 1051 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/5/2000 5:46:16 PM -8:00 GMT 192.168.1.3 N/A 1052 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/5/2000 5:58:41 PM -8:00 GMT 192.168.1.3 N/A 1053 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/5/2000 6:11:06 PM -8:00 GMT 192.168.1.3 N/A 1054 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/5/2000 6:23:32 PM -8:00 GMT 192.168.1.3 N/A 1055 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/5/2000 6:35:57 PM -8:00 GMT 192.168.1.3 N/A 1056 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/5/2000 6:48:23 PM -8:00 GMT 192.168.1.3 N/A 1057 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/5/2000 7:00:48 PM -8:00 GMT 192.168.1.3 N/A 1058 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/5/2000 7:13:14 PM -8:00 GMT 192.168.1.3 N/A 1059 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/5/2000 7:25:39 PM -8:00 GMT 192.168.1.3 N/A 1060 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/5/2000 7:38:04 PM -8:00 GMT 192.168.1.3 N/A 1098 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/5/2000 7:50:30 PM -8:00 GMT 192.168.1.3 N/A 1166 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/5/2000 8:02:55 PM -8:00 GMT 192.168.1.3 N/A 1311 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/5/2000 8:15:21 PM -8:00 GMT 192.168.1.3 N/A 1324 192.168.1.2 139 TCP (flags:S)

JANDOENT
12-06-00, 11:37 PM
Did you run a virus and a trojan scan? Hit Ctrl+Alt+Delete and see what is doing it.

touser3
12-07-00, 12:17 AM
Yes, I ran a virus scan with Norton AntiVirus 2001 and InoculateIT and they came up with nothing, and I searched for trojans with THE CLEANER and Anti-Trojan and came up with nothing. I ran Ad-aware and it found several things and deleted them. But now I am running a firewall check from one of your links, JANDOENT, the Sygate one, and it says that port 67 is wide open! I am currently behind a Linksys 4-port router and running ZoneAlarm Pro. Is ZoneAlarm Pro configured incorrectly?

touser3
12-07-00, 12:20 AM
Oh, I left out in my last post that port 1080 showed up as open to UDP attacks as well! How is this? hehe, help JANDOENT, I know you know what you are talking about! Thank you for your time :-)

[This message has been edited by touser3 (edited 12-07-2000).]

JANDOENT
12-07-00, 04:28 PM
Thanks fredra, that explains a lot.

FunK
12-07-00, 09:55 PM
hehe,
Your computer is looking for your other computer and getting blocked. Have you had any problems browsing your network?

It kinda looks like a port scan the way the ports are all listed in order. But I think that is the originating computer. The fact remains that this is all happening behind your router.
Another cool thing: All the attempts are 12 minutes apart after this line:
3 FWIN 12/2/2000 4:33:11 PM +0:00 GMT 192.168.1.3 N/A 1037 192.168.1.2 139 TCP (flags:S)
Looks like your computer is just looking for another computer to talk to on your LAN. Why though, I don't know. Looks like something may be wrong with the originating computer.

Peace,
FunK

[This message has been edited by FunK (edited 12-07-2000).]

JANDOENT
12-08-00, 12:03 AM
Hello touser3, thank you for your compliments, I only hope that I can live up to your expectations. Well, let's give it a go... Your Linky is a router that uses NAT to make your system seem like it is not there to someone scanning to find a weak system. If you don't use your 'puter for storage of very important or secret things, this should give you adequate protection, as it is coupled with a ZoneAlarm Pro firewall. However, the open ports can be a security hole. First we need to understand what your open ports are used for. So let's go here: http://advice.networkice.com/advice/Exploits/Ports/default.htm
and here: http://www.isi.edu/in-notes/iana/assignments/port-numbers
A question: is this your only machine or are you networking? I'm gonna do this as if this is your only machine.
It appears that your machine is systematically checking its own ports for entry. Why? Hit these 3 keys at the same time and let's see what proggies are running in the background: Ctrl+Alt+Delete. Write down what it lists, then hit Cancel. Let me know what it said.
To check for current connections to your machine go to START>RUN, then type "netstat -a" (without the quotation marks, and hit the space bar to make a blank space between "netstat" and "-a"). Let me know what this says also. You may want to do this a few times.
Is ZAPro in it's default settings?
Answer these questions and we will go from there.

fredra
12-08-00, 12:29 AM
Hi Folks
Please remember that 192.168.x.x is a non-routable address and is not seen beyond the Linky... most routers use the 192.x.x.x range in their DHCP to give to the PCs behind the router.

touser3
12-08-00, 01:12 AM
OK JANDOENT, I did what you said. On Ctrl-Alt-Delete these programs were running:

mplayer pager
IE
Word 2000
and ICQ

For netstat -a:

tcp cx501365-b:epmap cx501365-b:0 listening
tcp cx501365-b:microsoft-ds cx501365-b:0 listening
tcp cx501365-b:1025 cx501365-b:0 listening
tcp cx501365-b:1027 cx501365-b:0 listening
tcp cx501365-b:1030 cx501365-b:0 listening
tcp cx501365-b:2594 cx501365-b:0 listening
tcp cx501365-b:2595 cx501365-b:0 listening
tcp cx501365-b:3916 cx501365-b:0 listening
tcp cx501365-b:8385 cx501365-b:0 listening
tcp cx501365-b:19719 cx501365-b:0 listening
tcp cx501365-b:netbios-ssn cx501365-b:0 listening


I am also on a very small network which I managed to piece together; it is just the main machine (this one) and one other. I am currently running Windows 2000 Pro.

[This message has been edited by touser3 (edited 12-08-2000).]
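
As an added example (not code from the thread, from ZoneAlarm or from Microsoft), the Python below encodes the checks the replies make by eye: FunK's observation that the hits recur at a fixed interval against one destination port while only the source port steps up, fredra's point that 192.168.x.x is RFC 1918 space that cannot have arrived from the Internet side of the Linksys, and the netstat output just posted, which shows the target listening on netbios-ssn (TCP/139), the same port the blocked SYNs are aimed at. The sample lines are copied from the posts; treating the log's offset column as a UTC offset, and the small IANA name-to-port map used to read netstat's service names, are my assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

# Constructed sample: five of the ZoneAlarm "FWIN" lines touser3 posted, verbatim.
SAMPLE_LOG = """\
3 FWIN 12/2/2000 4:20:46 PM +0:00 GMT 192.168.1.3 N/A 1036 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 4:33:11 PM +0:00 GMT 192.168.1.3 N/A 1037 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 4:45:37 PM +0:00 GMT 192.168.1.3 N/A 1038 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/2/2000 4:58:02 PM +0:00 GMT 192.168.1.3 N/A 1039 192.168.1.2 139 TCP (flags:S)
3 FWIN 12/5/2000 7:38:04 PM -8:00 GMT 192.168.1.3 N/A 1098 192.168.1.2 139 TCP (flags:S)
"""
# Constructed sample: four lines from the "netstat -a" output posted for 192.168.1.2.
SAMPLE_NETSTAT = """\
tcp cx501365-b:epmap cx501365-b:0 listening
tcp cx501365-b:microsoft-ds cx501365-b:0 listening
tcp cx501365-b:1025 cx501365-b:0 listening
tcp cx501365-b:netbios-ssn cx501365-b:0 listening
"""
# IANA service names netstat substitutes for well-known ports (assumed map, only the names seen above).
SERVICE_PORTS = {"epmap": 135, "netbios-ssn": 139, "microsoft-ds": 445}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Column order as ZoneAlarm exported it: severity, type, date, time, UTC offset, "GMT",
# source IP, source name, source port, destination IP, destination port, proto (flags).
LINE_RE = re.compile(
    r"^\d+\s+(?P<type>FW\w+)\s+(?P<date>\d+/\d+/\d+)\s+(?P<time>\d+:\d+:\d+ [AP]M)\s+"
    r"(?P<tz>[+-]\d+:\d+)\s+GMT\s+(?P<src>\S+)\s+\S+\s+(?P<sport>\d+)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\d+)\s+(?P<proto>\w+)\s+\(flags:(?P<flags>\w+)\)$"
)

class Event(NamedTuple):
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    flags: str

def _parse_ts(date, time_, tz):
    # Assumption: the "+0:00" / "-8:00" column is the logging host's UTC offset.
    sign = -1 if tz.startswith("-") else 1
    hours, minutes = (int(x) for x in tz[1:].split(":"))
    naive = datetime.strptime(f"{date} {time_}", "%m/%d/%Y %I:%M:%S %p")
    return naive.replace(tzinfo=timezone(sign * timedelta(hours=hours, minutes=minutes)))

def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # header rows and lines in other formats are skipped
            events.append(Event(_parse_ts(m["date"], m["time"], m["tz"]), m["src"],
                                int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
    return sorted(events, key=lambda e: e.ts)

def listening_tcp_ports(netstat_text):
    """TCP ports in LISTENING state from 'netstat -a' output, service names mapped to numbers."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].lower() == "tcp" and parts[3].lower() == "listening":
            name = parts[1].rsplit(":", 1)[1]
            port = int(name) if name.isdigit() else SERVICE_PORTS.get(name)
            if port is not None:
                ports.add(port)
    return ports

def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def longest_regular_run(events, tolerance_s=5.0):
    """Longest stretch of consecutive events with near-constant spacing: (interval_s, n_events).
    A timer-driven retry produces a long run; a person or a scanner does not."""
    times = [e.ts for e in events]
    best = (None, 0)
    i = 0
    while i < len(times) - 1:
        base = (times[i + 1] - times[i]).total_seconds()
        j = i + 1
        while j < len(times) - 1 and abs((times[j + 1] - times[j]).total_seconds() - base) <= tolerance_s:
            j += 1
        if j - i + 1 > best[1]:
            best = (base, j - i + 1)
        i = j
    return best

def analyze(events, listening):
    """Classify the blocked SYNs: who, which service, how regular, and whether the target serves it."""
    interval, run = longest_regular_run(events)
    sources = {e.src for e in events}
    dst_ports = {e.dport for e in events}
    sports = [e.sport for e in events]
    return {
        "all_rfc1918": all(is_rfc1918(s) for s in sources),  # LAN-only; could not have crossed the NAT router
        "single_source": len(sources) == 1,
        "dst_ports": dst_ports,                               # a port sweep would show many
        "src_ports_ascending": all(a < b for a, b in zip(sports, sports[1:])),  # client ephemeral-port counter
        "all_syn": all(e.flags == "S" for e in events),       # fresh connection attempts, nothing established
        "interval_s": interval,
        "regular_run_len": run,
        "target_listens": dst_ports <= listening,             # blocked port is a service the target offers
    }

if __name__ == "__main__":
    report = analyze(parse_log(SAMPLE_LOG), listening_tcp_ports(SAMPLE_NETSTAT))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Reading the result: the destination port never moves and the source port climbs by one per attempt, which is the ephemeral-port allocator of one client retrying the same service; a scan of 192.168.1.2 would show the destination port walking instead. The source is RFC 1918, so it is the other PC behind the Linksys, and the port it wants (139) is one the logging machine is itself listening on. Blocked SYNs to a service the target does offer, from a LAN peer, are what a personal firewall produces when it treats the LAN host as untrusted, which fits the network-browsing trouble described later in the thread far better than an attack.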

fredra
12-08-00, 07:22 AM
NetBIOS broadcast... behind the router.

JANDOENT
12-08-00, 07:58 AM
Hey FunK & fredra, thanks. I don't have a network so I'm not familiar with its actions. It would seem to me that these actions would be irrelevant and harmless. Do you guys agree?

JANDOENT
12-08-00, 08:03 AM
Hey touser, I don't believe it is a problem, but let's see what FunK & fredra say. Do you let Word & ICQ run from startup? You will save resources if you only let the essentials run from startup; any other proggies, don't let them load until you are ready to use them. FunK had asked if you were having any networking problems: one machine not accessing the other or the net.

touser3
12-09-00, 12:08 AM
I do actually have problems browsing the network; at times the 2 comps can't even find each other, which I could never figure out, because everything is set up perfectly to my knowledge. And also, no, I do not let anything start at startup.

Thank you everyone for your help! I really appreciate it and hopefully we can figure out what is going on hehe :-)

JANDOENT
12-09-00, 01:31 PM
Your 2 computers not being able to find each other explains those hits behind your router. This seems to be a networking problem. Try a thread in the networking forum. I am not really up to date on networking :( but there are a lot of people here that are ;) Keep us informed.