  1. #1
    Plutonium Lounger
    Join Date
    Oct 2001
    Location
    Lexington, Kentucky, USA
    Posts
    12,107
    Thanks
    0
    Thanked 1 Time in 1 Post

    Probing & Zone Alarm

    My question is about probe attempts on my new computer. My cable internet modem is feeding a wired Linksys router with DHCP enabled. The in-house computers are assigned internal addresses in the 192.168.x.x range. Both my old and new computers have Zone Alarm installed. I haven't looked at the log on the old computer yet but on this new one I've been getting several messages each day from ZA about attempted probes. They come from IP addresses all over the world and most of them are port numbers ABOVE 1056. The reason I mention the 1056 is that I've once again run Gibson's ShieldsUp program which declares my router to be "stealth" on the common 1056 ports. I think this means that the router refuses to acknowledge unsolicited packets.

    The question then is how are these probes reaching this computer's ZA when it has an internal IP address? Are the crud makers out there coming through the router and "seeing" the internal IP address of this machine? Is there some way to make the rest of my ports "stealth" also? If there is such a way on GRC.COM, I didn't spot it.

  2. #2
    Bronze Lounger
    Join Date
    Feb 2001
    Posts
    1,424
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Probing & Zone Alarm

    Hi Al,

    I don't know if this may help or not, but I found all my ports were open above that magic number because I had tried to set up Port Forwarding/Port Triggering on my router. Once I disabled that, I was "stealthed" completely per Mr. Gibson's site! :yep:


    "Peace begins with a smile. "-- Mother Teresa

  3. #3
    Plutonium Lounger
    Join Date
    Oct 2001
    Location
    Lexington, Kentucky, USA
    Posts
    12,107
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: Probing & Zone Alarm

    How did you find that out?

  4. #4
    Bronze Lounger
    Join Date
    Feb 2001
    Posts
    1,424
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Probing & Zone Alarm

    While I was experimenting, I put AIM's port number 5190 in the forwarding section of my router. And then in the triggering section I thought I would go one better and put it there and then open the inbound connections starting at the magic number and up to 65534. Now remember I was experimenting - trying to see if I could get connected to my daughter's computer via video conferencing through AIM. Well it never worked! And I should go back to that thread and tell what I finally did do but anyway.... I had forgotten I had put those in. When I purchased the iMAC computer and got it hooked up and going, I decided to check it at Mr. Gibson's site and I was horrified to find that I was wide open above 1056. THEN it dawned on me that I had put those numbers in my router. I quickly deleted all of it and I even enabled the SPI firewall once again (a thread about my SPI questions starts with post 542,294) and then went back to run those tests at ShieldsUp again. Whew. I was okay! I will never experiment like that again! Scary! And that's my story! :yep:


    "Peace begins with a smile. "-- Mother Teresa

  5. #5
    Plutonium Lounger
    Join Date
    Oct 2001
    Location
    Lexington, Kentucky, USA
    Posts
    12,107
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: Probing & Zone Alarm

    > ...the iMAC computer and got it hooked up and going, I decided to check it at Mr. Gibson's site and I was horrified to find that I was wide open above 1056

    I know I'm probably having another senior moment, Skitterbug, but would you tell me where at GRC.COM you found the place to check the ports ABOVE 1056. I must be missing something. Thnx.

  6. #6
    Bronze Lounger
    Join Date
    Feb 2001
    Posts
    1,424
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Probing & Zone Alarm

    :blush: Talk about "old" and even having brain fade..............

    You are quite right - there isn't any place in his site that checks above 1056. For some :doh: reason when I saw all that red on the page, I panicked and "assumed" that everything was visible above that number! But it didn't say that! So :bagged: I am a very :blush: Skitterbug today! :grovel: :stupidme: :surrender: and please forgive my post of misleading information.


    "Peace begins with a smile. "-- Mother Teresa

  7. #7
    Plutonium Lounger
    Join Date
    Oct 2001
    Location
    Lexington, Kentucky, USA
    Posts
    12,107
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: Probing & Zone Alarm

    No problem, fair lady! He does have a selected port scan that one can use, but for only 64 at a time. BTW, for anyone who hasn't read it or isn't aware, there is an interesting read at the site on port 113 here: Port Authority, for Internet Port 113 (I couldn't remember why I have my router set up the way I do for that port. Now I remember.)

  8. #8
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Probing & Zone Alarm

    > The question then is how are these probes reaching this computer's ZA when it has an internal IP address?

    Do these occur at random, or... When I visit some web pages, I get firewall notifications for outbound communications to unexpected ports. I think this relates to some kind of advertising script or perhaps even a flash movie. Rarely I get notifications for incoming connections, which I always block. If I'm on my usual sites or just doing other work, my firewall rarely if ever gets excited behind my corporate firewall or my home Netgear router firewall.

  9. #9
    Plutonium Lounger
    Join Date
    Oct 2001
    Location
    Lexington, Kentucky, USA
    Posts
    12,107
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: Probing & Zone Alarm

    Yes, the popup messages from ZA come at random, and I may not even be doing anything except working in The Lounge. The ZA message just tells me that an incoming contact was blocked and what IP address it came from. When I've done a Whois on a number of them, they seem to be coming from IP addresses all over the world. I wonder how they're getting through my router to ZA on this machine. Here's a sample, cropped screenshot of my ZA log. BTW, I checked the ZA log on my old machine and there isn't this kind of activity. I guess the question (from my ignorance!) is: can a hacker/prober search through a router for 192.168.x.x addresses? Is there something different I need to do on this machine's ZA to stop this stuff from coming in? I've tried to look at all my router and ZA settings on both machines and I'm stymied...

  10. #10
    Super Moderator
    Join Date
    Dec 2000
    Location
    Renton, Washington, USA
    Posts
    12,560
    Thanks
    0
    Thanked 4 Times in 4 Posts

    Re: Probing & Zone Alarm

    Do you have any IM programs running or set up?
    These are known for being probed!

    Now running HP Pavilion a6528p, with Win7 64 Bit OS.

  11. #11
    Plutonium Lounger
    Join Date
    Oct 2001
    Location
    Lexington, Kentucky, USA
    Posts
    12,107
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: Probing & Zone Alarm

    Nope, but thanks for asking.

  12. #12
    WS Lounge VIP rory's Avatar
    Join Date
    Dec 2000
    Location
    Burwash, East Sussex, United Kingdom
    Posts
    6,280
    Thanks
    3
    Thanked 191 Times in 177 Posts

    Re: Probing & Zone Alarm

    Al,
    Does your router have a firewall built-in? The routing protocol itself is not terribly secure as far as authentication goes, and it is fairly easy for hackers to spoof their own IP addresses. Also, the 192.168.n.n address range is pretty commonly used, so not that hard to guess.
    One further thought, do you have any server software installed for development etc?
    Regards,
    Rory

    Microsoft MVP - Excel

  13. #13
    Plutonium Lounger
    Join Date
    Oct 2001
    Location
    Lexington, Kentucky, USA
    Posts
    12,107
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: Probing & Zone Alarm

    Hi Rory. Yes, I have a Linksys wired router that supposedly has "built-in" modest firewall protection, as far as it goes. I don't operate a server of any kind. What's been worrisome to me is that, until I got this new machine and plugged it in to the router, I wasn't getting ANY alerts of attempted probes on the "old" machine, which has been all by its lonesome on the LAN at IP address 192.168.1.101 for some time now. When I added this new machine, the DHCP of the router assigned an IP address of 192.168.1.102 and the probe warnings started on THIS machine. Of course, they were all stopped by ZA, so I don't think I've been "compromised" but I don't know what might have started the flood of probes. What's stranger yet is that the attempted probes have stopped both yesterday and today <fingers crossed> so I don't know what I may have done to help in that vein, if anything. It may have to remain an unanswered mystery for all I know.

    To be perfectly honest, I'm so naive in these security things, I have no idea how a hacker can get through a router if he probes my "real" IP address and (according to GRC.COM) the router is in full stealth mode and will not respond to unsolicited queries sent to it.

  14. #14
    Plutonium Lounger
    Join Date
    Oct 2001
    Location
    Lexington, Kentucky, USA
    Posts
    12,107
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: Probing & Zone Alarm

    Duh! I think I figured out the reason behind the probes and they have stopped! For a long time, my son and I both had RADMIN installed, so I could remotely assist him with his computer. It IS a good product and about as secure as something like that can be. It requires explicit (real) IP address AND password protection, which we had (strong) in place. For someone with a good router and firewall software in place, I wouldn't hesitate to recommend it again for someone who needs that capability. ( Radmin - PC Remote Control Software ). Although it's not been used for some time, I still have the port forwarding in my Linksys router for the port RADMIN uses. Purely by coincidence, DHCP and all, the port was getting forwarded to THIS new machine - I won't bore you with the fact that I used to hard-code internal IP addresses. I guess because RADMIN is such a popular product, and hackers know what port it requires, they were trying to get through to that port's destination. Although I still don't understand how they get through the router, at least ZA seems to have been blocking them, and behind that I do have pretty strong passwords set up on the computer. I don't think I've been compromised, but who knows...

    Meanwhile, since I took the port forwarding out of the router, the ZA probe notices have stopped completely, since March 25. As a footnote to all of this, if I were doing the RADMIN thing again, I think I would only put the port forwarding in the router just prior to making a connection and then removing it afterward. That would take only a minute or two, but would be worth the security.
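
The situation in the last post, a leftover port-forwarding rule whose target address DHCP later handed to a different machine, can be checked for by comparing the router's forwarding rules with its DHCP settings and lease table. This is an added example, not part of the thread: the rule list, lease table, host names and port numbers are constructed (the thread does not name the forwarded port), and the data would in practice be read off the router's admin pages.

```python
import ipaddress

def in_pool(ip, pool):
    """True if ip lies inside the router's dynamic DHCP range (inclusive)."""
    lo, hi = (ipaddress.ip_address(p) for p in pool)
    return lo <= ipaddress.ip_address(ip) <= hi

def audit_forwards(forwards, pool, reserved, leases):
    """Return (rule name, finding) pairs for risky port-forward rules.

    forwards: dicts with name, port, target (LAN IP), intended (hostname)
    pool:     (first, last) address of the dynamic DHCP range
    reserved: set of IPs pinned to one machine by a DHCP reservation
    leases:   current lease table, IP -> hostname
    """
    findings = []
    for rule in forwards:
        target = rule["target"]
        holder = leases.get(target)
        # A forward into the dynamic range follows whoever gets that lease next.
        if in_pool(target, pool) and target not in reserved:
            findings.append((rule["name"], "target-floats-in-dhcp-pool"))
        if holder is None:
            # Nothing answers there today, but the rule still exposes the address.
            findings.append((rule["name"], "no-host-at-target"))
        elif holder != rule["intended"]:
            # The case from the thread: the forward now lands on another machine.
            findings.append((rule["name"], f"reaches-{holder}-not-{rule['intended']}"))
    return findings

# Constructed sample data (hypothetical names, addresses and ports).
POOL = ("192.168.1.100", "192.168.1.149")
RESERVED = {"192.168.1.101"}
LEASES = {"192.168.1.101": "old-pc", "192.168.1.102": "new-pc"}
FORWARDS = [
    {"name": "remote-admin", "port": 40000, "target": "192.168.1.102", "intended": "old-pc"},
    {"name": "pinned-service", "port": 40001, "target": "192.168.1.101", "intended": "old-pc"},
    {"name": "forgotten", "port": 40002, "target": "192.168.1.120", "intended": "laptop"},
]

if __name__ == "__main__":
    for name, finding in audit_forwards(FORWARDS, POOL, RESERVED, LEASES):
        print(f"{name}: {finding}")
```

Rules that come back clean point at a reserved address held by the intended machine; anything else is a candidate for removal or for a DHCP reservation.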
