Re: Rogue Zonealarm entry??? Am I compromised?

From: Dazza (indieboy@optusnet.com.au)
Date: 04/14/02


From: indieboy@optusnet.com.au (Dazza)
Date: Sun, 14 Apr 2002 00:59:57 GMT

On Sat, 13 Apr 2002 19:06:01 +0000 (UTC), "Digg/\\"
<paul@wackyNOSPAMracers.org.uk> wrote:

>Hi All, a bit new to this game, so please help if you can ;o)
>
>I have got the latest free version of ZoneAlarm and believe I know how to
>use it.
>
>When the ZoneAlarm box is on screen, to the right of the "stop" button are
>the little icons showing the programs that have/are accessing the net/lan.
>
>I have one such logo I don't remember seeing before, so am worried as to what
>it is.. It's the little hand (à la shared folders) holding a circular object
>and a blue tea cup, I am assuming it's Java related. If I hover my pointer
>over it it says "Begins a game of hearts on the internet Listening to
>port(s): TCP: 8431"
>I don't, never have and never will play hearts on the net (don't know how to
>play it!!). None of the programs listed in the programs section use this
>icon.
>
>Anyone any ideas why this is listening on this port? Have I been
>compromised?? ;o)
>
>Thanks for any help..
>
>Regards.
>
>Digg/\

Have you tried connecting to it yourself?

Try Telnet first of all, and see what sort of a response you get.

There is a program called Netcat on the internet (originally a Unix
program, but it's been ported to Win32), that you could set up to
listen on that port and do some logging of any connection attempts.

To do this, you will of course need to close down that port and
whatever is using it.

Also, before you do, you could try using the two programs I've
included the URLs to, as they might reveal more information
(especially tdimon).

http://www.sysinternals.com/ntw2k/source/tcpview.shtml
http://www.sysinternals.com/ntw2k/freeware/tdimon.shtml

Dazz

All my friends from school
Introduce me to their spouses
While I'm left standing here
With my hands down the front of my trousers

The Short Answer - Billy Bragg
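
The netcat-style logging listener suggested in the reply above, sketched in Python as an added example that is not part of the original post. The function name `log_connections` and its parameters are hypothetical; port 8431 is the one from the question, and it has to be free before the listener can bind to it.

```python
import socket
from datetime import datetime, timezone

# Added example (not from the original post). log_connections and its
# parameters are hypothetical names chosen for illustration.
def log_connections(port, host="127.0.0.1", max_conns=1, peek_bytes=64,
                    timeout=2.0, ready=None, echo=False):
    """Accept up to max_conns TCP connections and record who connected.

    Each record holds a UTC timestamp, the peer address and the first
    bytes the peer sent (empty if it stayed silent until the timeout).
    """
    records = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind((host, port))          # fails if something still owns the port
        srv.listen(5)
        if ready is not None:
            ready(srv.getsockname()[1])  # report the port actually bound
        for _ in range(max_conns):
            conn, (peer_ip, peer_port) = srv.accept()
            with conn:
                conn.settimeout(timeout)
                try:
                    first = conn.recv(peek_bytes)
                except OSError:          # timeout or reset: log the attempt anyway
                    first = b""
            rec = {
                "time": datetime.now(timezone.utc).isoformat(),
                "peer_ip": peer_ip,
                "peer_port": peer_port,
                "first_bytes": first,
            }
            records.append(rec)
            if echo:
                print(rec, flush=True)
    return records

if __name__ == "__main__":
    # 0.0.0.0 listens on every interface so attempts from other hosts are seen;
    # the default 127.0.0.1 only sees connections from this machine.
    log_connections(8431, host="0.0.0.0", max_conns=10, echo=True)
```

The listener sends nothing back, so it only records who connects and what they say first.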