Is someone trying to hack me? [Archive] - SpeedGuide.net Broadband Community



saved
02-03-01, 08:05 PM
I have a question. I logged on to the net this evening and I had 16 different warnings that someone was trying to access my computer in about 10 minutes time all through port 0. They were all blocked by ZA, but this concerns me.

Can anyone explain why this could be happening? Some were from AOL and I don't even have AOL. Some tried multiple times. Here is some of the report I got. Should I be concerned or just simply ignore this?

America Online, Inc. (NETBLK-AOL-172BLK)
12100 Sunrise Valley Drive
Reston, VA 20191
US

Netname: AOL-172BLK
Netblock: 172.128.0.0 - 172.185.255.255
Maintainer: AOL

Coordinator:
America Online, Inc. (AOL-NOC-ARIN) domains@AOL.NET
703-265-4670

Domain System inverse mapping provided by:

DAHA-01.NS.AOL.COM 152.163.159.233
DAHA-02.NS.AOL.COM 205.188.157.233

ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

Record last updated on 21-Nov-2000.
Database last updated on 3-Feb-2001 18:24:40 EDT.

ROADRUNNER-NYS (NETBLK-ROADRUNNER-NYS)
13241 Woodland Park Road
Herndon, VA 20171
US

Netname: ROADRUNNER-NYS
Netblock: 66.24.0.0 - 66.24.255.255
Maintainer: RRNS

Coordinator:
ServiceCo LLC (ZS30-ARIN) abuse@rr.com
1-703-345-3416

Domain System inverse mapping provided by:

DNS1.RR.COM 24.30.200.3
DNS2.RR.COM 24.30.201.3

ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

Record last updated on 17-Jan-2001.
Database last updated on 3-Feb-2001 18:24:40 EDT.


Merit Network Inc. (NETBLK-MICHNET) MICHNET 207.72.0.0 - 207.75.255.255
NetSoft Computer Service (NETBLK-MICH-216) MICH-216 207.74.92.0 - 207.74.92.255

TELUS Advanced Communications (NET-TELAC-BLK4) TELAC-BLK4 207.194.0.0 - 207.194.255.255
BC Sympatico (NETBLK-BCSYMPAT-BLK5) BCSYMPAT-BLK5 207.194.16.0 - 207.194.31.255

Citizens Utilities (NET-CZNANET)
5600 Headquarters Drive
Plano, TX 75024
US

Netname: CZNANET
Netblock: 170.215.0.0 - 170.215.255.255

Coordinator:
Kelkenberg, Melody (MK668-ARIN) melody@citlink.net
469-365-3173

Domain System inverse mapping provided by:

NS.CITLINK.NET 207.173.224.3
NS2.CITLINK.NET 207.173.225.3

Record last updated on 14-Jul-2000.
Database last updated on 3-Feb-2001 18:24:40 EDT.


Access Wisconsin (NETBLK-WBN-BLK-1)
2801 INTNL LANE SUITE 200
Madison, WI 53704

Netname: WBN-BLK-1
Netblock: 64.33.128.0 - 64.33.191.255
Maintainer: AWIS

Coordinator:
Walter, Steve (SW315-ARIN) scwalter@NETWORK1.NET
419-739-9240

Domain System inverse mapping provided by:

BUCKY.WIN.BRIGHT.NET 208.140.2.15
NS.NETWORK1.NET 208.142.243.10

ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

Record last updated on 16-Jun-2000.
Database last updated on 3-Feb-2001 18:24:40 EDT.

Croc
02-04-01, 12:06 AM
For information on what you are seeing in the logs you should go to this RobertGraham site (http://www.robertgraham.com/pubs/firewall-seen.html) and read the info there or perhaps print it.
This RobertGraham site (http://www.robertgraham.com/pubs/) will also help.

I don't have the expertise to analyse the readout you posted but the links will help you know it for yourself.
Hope this helps

Scum333
02-04-01, 02:47 AM
Listen saved, I don't mean to discount your concerns but I wouldn't worry about anyone getting access to your machine. Despite what the press says and others, it is not really easy to actually access someone's PC running Win9x/Win2000. I'm sorry to all those that are shocked. But unless you tell a cracker exact info on your machine and set up your PC a certain way to explicitly allow log-in access from outside your LAN, it cannot be done. That Zone Alarm is recording pings, port probes, ISP pings. Just because someone can scan your ports does not mean they have access to them. That Zone Alarm is a nice toy but otherwise a total waste of system resources.

keeper
02-04-01, 10:28 AM
Mr Scum; ZA is a toy?? Thanks, now I can turn it off and not have to worry about Spyware, Adware or my PC making connections behind my back.

Is good to know I really don't need any Security on my puter.

Have to admit I fell for the Anti-Virus NONSENSE, too.

I also have one of those Anti-Trojan Toys.

What a relief, now I can delete all those TOYS and not have to worry about Anything.

Also, I will get a whopping gain of 4-5% on my available resources.

Did some math. Will also gain a few MB of HDD space.

Thanks again.

Dement
02-04-01, 10:32 AM
Sorry bud but it's not that hard to get that info from what you call toys. Also for someone that doesn't set up a computer correctly it also isn't that hard to hack into it. Especially with WINDOWS.

keeper
02-04-01, 11:59 AM
dement; So it is better to get rid of all the 'toys'??

Scum333
02-04-01, 03:25 PM
Keeper, my friend, I detected a slight hint of sarcasm in that message. I will give you the benefit of the doubt and assume that you really do intend on ridding your computer of those Tinker Toys. As for you KEN, I really do not disagree with you that there are vulnerabilities in anything we do on the net. However, unless you intentionally click on a virus file or give out your log-on password then what can happen? As for the port-hacking issue, I still contend that it is extremely difficult for someone without advanced knowledge to even attempt access on the average computer remotely from the Internet. LANs are a different issue but I will not go there. Seriously, it depends on what kind of special software you are using. But most people have Win9x with HTTP, POP, UDP/TCP etc. I have even lowered my security and opened my computer wide open and nobody has been able to access any info. They have surely scanned my ports but I have not detected any actual access. Now, I can't really claim I am totally exposed now because I am now behind a Broadband Router/Firewall. But still. :eek:

saved
02-04-01, 03:33 PM
Hello Ken,
and thanks for taking the time to respond. First, I am on a dial up connection. I have since disconnected from the dial up and when I do that ZA just stores things in a log. I went to the log and this is what it said. It is Greek to me, but perhaps you can figure it out. And yes, every attempt was to port 0, at least yesterday. As you will see by the times and dates they were working hard to do whatever they were trying to do. If this is not of any help I will post the next attempt. I assume they will try again.

ZoneAlarm Basic Logging Client v2.1.44
Windows 98-4.10.1998- -SP
type,date,time,source,destination,transport
PE,2001/02/03,11:20:34 -8:00 GMT,ZoneAlarm Internet Security Utility,,N/A
FWIN,2001/02/03,11:21:20 -8:00 GMT,209.133.77.94:53,,UDP
PE,2001/02/03,13:21:22 -8:00 GMT,ZoneAlarm Internet Security Utility,,N/A
FWIN,2001/02/03,16:08:32 -8:00 GMT,216.79.78.18:3824,,TCP
FWIN,2001/02/03,18:31:34 -8:00 GMT,172.139.0.24:0,,ICMP
PE,2001/02/03,18:32:10 -8:00 GMT,ZoneAlarm Internet Security Utility,,N/A
FWIN,2001/02/03,18:33:56 -8:00 GMT,66.24.104.207:0,,ICMP
FWIN,2001/02/03,18:34:04 -8:00 GMT,65.33.35.248:0,,ICMP
FWIN,2001/02/03,18:34:18 -8:00 GMT,207.74.92.93:0,,ICMP
FWIN,2001/02/03,18:34:20 -8:00 GMT,207.194.21.189:0,,ICMP
FWIN,2001/02/03,18:34:50 -8:00 GMT,170.215.190.47:0,,ICMP
FWIN,2001/02/03,18:35:24 -8:00 GMT,172.154.53.42:0,,ICMP
FWIN,2001/02/03,18:36:28 -8:00 GMT,64.33.153.35:0,,ICMP
FWIN,2001/02/03,18:36:42 -8:00 GMT,64.20.194.78:0,,ICMP
FWIN,2001/02/03,18:37:38 -8:00 GMT,207.194.20.193:0,,ICMP
FWIN,2001/02/03,18:39:34 -8:00 GMT,172.158.156.39:0,,ICMP
FWIN,2001/02/03,18:40:06 -8:00 GMT,172.171.125.217:0,,ICMP
FWIN,2001/02/03,18:44:38 -8:00 GMT,208.180.77.3:0,,ICMP
FWIN,2001/02/03,18:46:00 -8:00 GMT,207.173.239.42:0,,ICMP
FWIN,2001/02/03,18:46:36 -8:00 GMT,172.170.84.73:0,,ICMP
FWIN,2001/02/03,18:46:58 -8:00 GMT,172.168.197.246:0,,ICMP
PE,2001/02/03,20:21:45 -8:00 GMT,ZoneAlarm Internet Security Utility,,N/A
PE,2001/02/03,20:45:50 -8:00 GMT,MooSoft Live Update,,N/A
FWIN,2001/02/03,20:46:30 -8:00 GMT,172.163.82.133:0,,ICMP
PE,2001/02/03,20:47:13 -8:00 GMT,MooSoft Live Update,,N/A
FWIN,2001/02/03,20:47:52 -8:00 GMT,24.69.123.8:0,,ICMP
FWIN,2001/02/03,20:48:46 -8:00 GMT,128.8.23.81:0,,ICMP
FWIN,2001/02/03,20:50:08 -8:00 GMT,24.184.180.118:0,,ICMP
FWIN,2001/02/03,20:50:44 -8:00 GMT,208.61.184.98:0,,ICMP
FWIN,2001/02/03,20:51:10 -8:00 GMT,213.75.49.227:0,,ICMP
PE,2001/02/04,04:59:28 -8:00 GMT,ZoneAlarm Internet Security Utility,,N/A
PE,2001/02/04,05:32:03 -8:00 GMT,ZoneAlarm Internet Security Utility,,N/A
PE,2001/02/04,06:23:14 -8:00 GMT,ZoneAlarm Internet Security Utility,,N/A
PE,2001/02/04,14:18:06 -8:00 GMT,ZoneAlarm Internet Security Utility,,N/A

[ 02-04-2001: Message edited by: saved ]
Saved I removed your IP address. Ken

[ 02-04-2001: Message edited by: Ken ]
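The log above is in ZoneAlarm 2.x's CSV format (type,date,time,source,destination,transport). As an added example, not code from the thread, from ZoneAlarm or from the Zone Log Analyser that Ken recommends, here is a small Python script that parses that format, explains what each line actually records (an ICMP event has no port, so the ":0" is a display artefact rather than a probe of "port 0"), maps each source address to the owning netblock, and finds the densest burst. The sample log is a constructed subset of saved's own lines, the netblock table is transcribed from the whois output in the first post, and the 10-minute window and the wording of the classifications are my own choices.

```python
import csv
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: a subset of the ZoneAlarm log quoted in the thread.
SAMPLE_LOG = """\
ZoneAlarm Basic Logging Client v2.1.44
Windows 98-4.10.1998- -SP
type,date,time,source,destination,transport
PE,2001/02/03,11:20:34 -8:00 GMT,ZoneAlarm Internet Security Utility,,N/A
FWIN,2001/02/03,11:21:20 -8:00 GMT,209.133.77.94:53,,UDP
FWIN,2001/02/03,16:08:32 -8:00 GMT,216.79.78.18:3824,,TCP
FWIN,2001/02/03,18:31:34 -8:00 GMT,172.139.0.24:0,,ICMP
FWIN,2001/02/03,18:33:56 -8:00 GMT,66.24.104.207:0,,ICMP
FWIN,2001/02/03,18:34:04 -8:00 GMT,65.33.35.248:0,,ICMP
FWIN,2001/02/03,18:34:18 -8:00 GMT,207.74.92.93:0,,ICMP
FWIN,2001/02/03,18:34:20 -8:00 GMT,207.194.21.189:0,,ICMP
FWIN,2001/02/03,18:34:50 -8:00 GMT,170.215.190.47:0,,ICMP
FWIN,2001/02/03,18:35:24 -8:00 GMT,172.154.53.42:0,,ICMP
FWIN,2001/02/03,18:36:28 -8:00 GMT,64.33.153.35:0,,ICMP
FWIN,2001/02/03,18:36:42 -8:00 GMT,64.20.194.78:0,,ICMP
FWIN,2001/02/03,18:37:38 -8:00 GMT,207.194.20.193:0,,ICMP
FWIN,2001/02/03,18:39:34 -8:00 GMT,172.158.156.39:0,,ICMP
FWIN,2001/02/03,18:40:06 -8:00 GMT,172.171.125.217:0,,ICMP
FWIN,2001/02/03,18:44:38 -8:00 GMT,208.180.77.3:0,,ICMP
FWIN,2001/02/03,18:46:00 -8:00 GMT,207.173.239.42:0,,ICMP
FWIN,2001/02/03,18:46:36 -8:00 GMT,172.170.84.73:0,,ICMP
FWIN,2001/02/03,18:46:58 -8:00 GMT,172.168.197.246:0,,ICMP
"""

# (start, end, netname) transcribed from the whois output in the first post.
# ARIN ranges are not always CIDR-aligned, so compare as address ranges.
NETBLOCKS = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi), name) for lo, hi, name in [
    ("172.128.0.0", "172.185.255.255", "AOL-172BLK"),
    ("66.24.0.0", "66.24.255.255", "ROADRUNNER-NYS"),
    ("207.74.92.0", "207.74.92.255", "MICH-216"),
    ("207.194.16.0", "207.194.31.255", "BCSYMPAT-BLK5"),
    ("170.215.0.0", "170.215.255.255", "CZNANET"),
    ("64.33.128.0", "64.33.191.255", "WBN-BLK-1"),
]]


def parse_zonealarm_log(text):
    """Return one dict per event; the two banner lines before the CSV header are skipped."""
    lines = text.splitlines()
    start = next(i for i, line in enumerate(lines) if line.startswith("type,"))
    events = []
    for row in csv.DictReader(lines[start:]):
        clock = row["time"].split()[0]  # "18:31:34 -8:00 GMT" -> keep the clock part only
        ts = datetime.strptime(row["date"] + " " + clock, "%Y/%m/%d %H:%M:%S")
        src, port = row["source"], None
        if row["type"] == "FWIN":  # blocked inbound packet: source is "ip:port"
            src, port = src.rsplit(":", 1)
            port = int(port)
        events.append({"type": row["type"], "ts": ts, "source": src,
                       "port": port, "transport": row["transport"]})
    return events


def classify(event):
    """Plain-language meaning of one line; ICMP carries no port, so ':0' is not a probe of port 0."""
    if event["type"] == "PE":
        return "local program asked for network access"
    if event["transport"] == "ICMP":
        return "inbound ICMP (e.g. ping) blocked; port 0 is a display artefact"
    return "inbound %s packet to port %d blocked" % (event["transport"], event["port"])


def netblock_owner(ip):
    addr = ipaddress.ip_address(ip)
    for lo, hi, name in NETBLOCKS:
        if lo <= addr <= hi:
            return name
    return "unknown"


def peak_burst(events, window=timedelta(minutes=10)):
    """Densest window of blocked inbound (FWIN) events, as (window start, count)."""
    times = sorted(e["ts"] for e in events if e["type"] == "FWIN")
    best = (None, 0)
    for i, t0 in enumerate(times):
        n = sum(1 for t in times[i:] if t - t0 <= window)
        if n > best[1]:
            best = (t0, n)
    return best


def summarize(text):
    """The figures to check before reporting anything: volume, protocol mix, origin, burstiness."""
    events = parse_zonealarm_log(text)
    fwin = [e for e in events if e["type"] == "FWIN"]
    return {"blocked_inbound": len(fwin),
            "icmp": sum(1 for e in fwin if e["transport"] == "ICMP"),
            "by_netblock": dict(Counter(netblock_owner(e["source"]) for e in fwin)),
            "peak_10min": peak_burst(events)}


if __name__ == "__main__":
    for e in parse_zonealarm_log(SAMPLE_LOG)[:4]:
        print(e["ts"], e["source"], "->", classify(e))
    print(summarize(SAMPLE_LOG))
```

On this sample the summary shows 18 blocked inbound events, 16 of them ICMP from six different netblocks (AOL, Road Runner, two Michigan and BC Sympatico ranges, Citizens Utilities, Access Wisconsin, plus several unlisted), with the densest 10-minute window holding 12 events from 18:31:34. That is the shape of the data a practitioner wants before deciding whether a given source is worth a polite note to the abuse contact, as Ken suggests later in the thread: the script does not say who sent the pings, only how many, what kind, from where, and how fast.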

saved
02-04-01, 04:48 PM
Originally posted by Ken:
Hello saved,
I edited your address out of the log. That is really something that you shouldn't let people know, so I did it for your protection.
Sorry that I didn't tell you to do that originally.

A couple more questions. I didn't realize that you were on a dial up connection. Who is your ISP (Internet Service Provider).
How long have you had Zone Alarm? And did this just start happening.

Looking over it quickly, it seems that it may be your ISP checking to see if you are online. This happens a lot with dialup. It is how they know if you are connected or not. I don't have time to really think about it until 8-9 PM tonight. I will let you know.

In the meantime, you may want to download
Zone Log Analyser from here (http://zonelog.co.uk/) as it will help you in understanding.

Sorry that I don't have more time til tonight....

Thanks for doing the editing. My ISP is Samlink. They are also my electric company. I have had ZA about a month or two so I suppose that many were into my puter before I even knew it. I did have to re-format a couple of weeks ago. Dell told me I had some type of virus when it would not go to normal mode. My virus scan did not detect it, but they may have been correct. The warnings started as soon as I installed ZA, but last night was the most I have gotten in such a short time. I usually get two or three warnings a day, but not 10 or 15 in 5 minutes.
I hope this helps. Thanks for the information on the download. Also here is the latest warning I received while I was posting this.

IP Address: 210.74.122.94 - Host Name: Who is this? - Port: 4960 - Program: Not Available - File Name: Not Available
IP Address: 216.207.89.xxx - Host Name: Who is this? - Port: 111 - Program: Not Available - File Name: Not Available

[ 02-04-2001: Message edited by: saved ]

saved
02-04-01, 05:42 PM
Ken,
I downloaded the program you suggested. I checked to see if it was my ISP and it was not, at least in the 0 port. It did give me this information on a possible hacker: "Sub7 is written by a hacker who calls himself 'Mobman'. His site can be reached at http://subseven.slak.org/." This was another port though that someone has been trying to get through.
I ran a cleaner I just downloaded and found two trojans, so someone has gotten through somehow. I cleaned them so they are gone.
I still am curious about last night though. Would you suggest that I contact the person's ISP if I can get the information?

keeper
02-04-01, 07:09 PM
Contact the clown's ISP?? Absolutely.

Report these Jokers every chance you get, when you have the info.

saved
02-04-01, 11:05 PM
Originally posted by Ken:
Sorry it took so long Saved.
Yes, I would contact the ISP. This is one of our only options to stop or at least slow down (hopefully) this type of people.

Write an email, being polite, copy and paste the info pertaining to the individual, and every time it happens again repeat the process.

A favor or two from you if I may ask.

I would like to use your experience to help educate others that use dial up, on the importance of security issues.
If you wish, I will remove your name and certainly would not give your IP.

And for my knowledge banks, what anti virus were you using that did not catch the trojans?

What anti trojan found and cleaned them.

And the names of the trojans.

Please let me know if I have your permission and the answers to the questions.

If we can prevent and educate someone else from the same ordeal, you will know that it was due to your kindness and cooperation.

No problem if you do not want to do this, I understand.

You have my permission Ken. As to the antivirus I use, it is Norton. I cannot remember what the trojans were. It said there were two and I just had a program clean them. The program is from moosoft. It is free for 30 days and then you pay for it. The addy is http://www.moosoft.com/index.php

About how I got these I cannot be sure, but here is a possibility. After I needed to re-format my computer because of a possible virus I did not have any protection for a couple of days. It is possible that during that time I was infected again. As for the person who is trying to get access now that I have ZA installed, I really don't think he has, but he sure is persistent.

M87
02-06-01, 06:22 AM
Originally posted by Ken (Moderator, 02-04-2001 04:15 PM):
Hello saved,
I edited your address out of the log. That is really something that you shouldn't let people know, so I did it for your protection.
Sorry that I didn't tell you to do that originally.
A couple more questions. I didn't realize that you were on a dial up connection. Who is your ISP (Internet Service Provider).
How long have you had Zone Alarm? And did this just start happening.

Looking over it quickly, it seems that it may be your ISP checking to see if you are online. This happens a lot with dialup. It is how they know if you are connected or not. I don't have time to really think about it until 8-9 PM tonight. I will let you know.

In the meantime, you may want to download
Zone Log Analyser from here as it will help you in understanding.

Sorry that I don't have more time til tonight....

--------------------
lots of good info...disregard my learning experience... thanks