Re: deciphering Zonealarm alerts

From: Claus Erichsen (viruslist@nettsikkerhet.info)
Date: 09/26/02


From: "Claus Erichsen" <viruslist@nettsikkerhet.info>
Date: Thu, 26 Sep 2002 06:33:44 GMT


"Doc" <docsavage20@yahoo.com> wrote in message
news:f0c1bc20.0209252100.3d370f23@posting.google.com...
> "Claus Erichsen" <viruslist@nettsikkerhet.info> wrote in message
news:<Nvpk9.25898$sR2.458884@news4.ulv.nextra.no>...
>
> >
> > -what do you mean with "looking up addresses"?
>
> For example, one alert reads:
>
> The firewall has blocked Internet access to your computer (TCP Port
> 1433) from 218.148.107.135 (TCP Port 3727) [TCP Flags: S].

This tells you that a computer located at IP 218.148.107.135 uses its TCP
port nr. 3727 (ports 3710-3736 are unassigned) to try to reach your computer
on port 1433. Port 1433 is commonly used by Microsoft SQL Server. I would
guess that someone is scanning for vulnerable MSSQLs on the IP range where
you are located. This is quite normal, -happens all the time.

> 218.148.107.135 is an address, correct? I put that in the URL bar and
> see where it goes, this one happens to give a server error, but often
> it gives an "address not found" message or takes me to one of these,
> "oops, address not found, but sign up for your domain name here" type
> locations.

The point is, -you cannot expect the intruding IP to be a webserver. In the
example above, it seems more likely to be a private computer that scans your
network. Webservers are computers with visible webpages on TCP port 80. If you
use Internet Explorer and type in for instance my IP, you wouldn't get
anything except the DNS error/page not found. Only active webservers will
show you pages when you use IE to "look up" addresses.

If you put "xxx.xxx.xxx.xxx:21" (xxx being IP numbers) in your IE, it tries to
connect to an FTP interface. If you use :1214, you might find napster
protocols. If you use no extension (no colon and port number) IE tries to
connect on port 80 by default. IE is not made for IP-checking...

>
> > -websites don't snoop,
>
> Then what is it that's snooping?

Private compters, scriptkiddies, misconfigured servers, lost packets,
yourself and your firewall :-)

-if someone IS snooping, -it's not likely to be a server, but rather someone
who intentionally will try to hide themselves, and not be traceable. Don't waste
too much time running after those alert IPs, -you can take a look at
NeoTrace (or any other GUI IP tracker) and educate yourself on tracing
IPs...

Regards

Claus Erichsen
www.nettsikkerhet.info
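The alert line decoded in the reply above can be read mechanically. This is an added Python example, not code from the thread or from ZoneAlarm; it assumes the alert wording is fixed exactly as quoted, uses a small hypothetical port lookup (only the ports the thread mentions), and feeds itself constructed sample lines using RFC 5737 test addresses alongside the thread's own alert.

```python
import re

# Ports the thread mentions; a small hypothetical lookup, not a full IANA table.
KNOWN_PORTS = {21: "FTP", 80: "HTTP", 1433: "Microsoft SQL Server"}

# Regex for the ZoneAlarm alert wording quoted in the thread (assumed fixed format).
ALERT_RE = re.compile(
    r"The firewall has blocked Internet access to your computer "
    r"\((?P<proto>TCP|UDP) Port (?P<dport>\d+)\) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) \((?:TCP|UDP) Port (?P<sport>\d+)\)"
    r"(?: \[TCP Flags: (?P<flags>[A-Z]+)\])?\.?"
)

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    dport = int(m.group("dport"))
    return {
        "proto": m.group("proto"),
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dport": dport,
        "flags": m.group("flags") or "",
        "service": KNOWN_PORTS.get(dport, "unassigned/unknown"),
    }

def describe(alert):
    """Plain-language reading of one parsed alert, as in the thread's explanation."""
    # A bare SYN is the first packet of a TCP handshake: a connection attempt, nothing more.
    kind = "connection attempt (SYN only)" if alert["flags"] == "S" else "packet"
    return (f"{alert['src']} used its {alert['proto']} port {alert['sport']} to send a {kind} "
            f"to your port {alert['dport']} ({alert['service']}); it was blocked.")

def summarize(lines):
    """Map each destination port to the number of distinct sources that hit it."""
    hits = {}
    for line in lines:
        a = parse_alert(line)
        if a:
            hits.setdefault(a["dport"], set()).add(a["src"])
    # One port hit from many sources is the "scanning for vulnerable MSSQLs" pattern.
    return {port: len(srcs) for port, srcs in hits.items()}

# Constructed sample log: the thread's alert plus two made-up lines (RFC 5737 addresses).
SAMPLE_LOG = [
    "The firewall has blocked Internet access to your computer (TCP Port 1433) from 218.148.107.135 (TCP Port 3727) [TCP Flags: S].",
    "The firewall has blocked Internet access to your computer (TCP Port 1433) from 192.0.2.10 (TCP Port 4021) [TCP Flags: S].",
    "The firewall has blocked Internet access to your computer (UDP Port 137) from 198.51.100.7 (UDP Port 137).",
]
```

Calling `describe(parse_alert(line))` on each sample line and `summarize(SAMPLE_LOG)` shows the per-alert reading and that port 1433 was probed from two distinct sources while UDP 137 was hit once.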


