Velocity Reviews - Computer Hardware Reviews

Should I be afraid???

 
 
Sebastian G.
 
      10-25-2007
Bubba wrote:

> Leythos <(E-Mail Removed)> wrote in
> news:(E-Mail Removed):
>
>> You could have any number of malware on the computer, but you really
>> need to determine if you are actually compromised.

>
> Wouldn't the clean install negate that possibility? I only installed
> SP4, factory supplied audio and video drivers, ZoneAlarm, Firefox, and
> then finally the network card driver.



Where is that a clean install? You installed ZoneAlarm again, so how could
you get any reliable networking at all?

> Done. It doesn't see what ZoneAlarm is reporting but it's seeing plenty
> of other things. That much traffic is kind of scary.



OK. And now what about any reliable information source on any reliable system?

> All things done. ZoneAlarm still reports blocking attempts. But I do
> feel safer now.



Huh? You have ZoneAlarm installed. Now how could you be safe in any way? And
do you have any reliable reports somewhere?

> Also, I told ZoneAlarm to "Stop all internet activity" and a couple of
> blocks still happened, but not at the same furious rate as before, and
> then they stopped completely. Could this be something that Zonealarm
> itself is doing? And why wouldn't any of this be happening on XP?



Because ZoneAlarm is nondeterministic software that is supposed to randomly
introduce networking errors? Seems to work quite well.

> For all I know this has been happening for years and I just never
> noticed. But now that I have noticed, it worries me.



Wait a moment... you have been running ZoneAlarm on this machine for years?
Now you should seriously consider the machine as compromised and yourself
a total fool.

> Are there any other ideas? I'm thinking a new NAT router might be a good
> way to go.


No, you're not thinking about it at all. Otherwise you'd immediately
notice that this is another foolish idea.
 
 
 
 
 
Jim Watt
 
      10-25-2007
On Thu, 25 Oct 2007 08:50:46 +0200, "Sebastian G." <(E-Mail Removed)>
wrote:

>
>Wait a moment... you have been running ZoneAlarm on this machine for years
>long? Now you should seriously consider the machine as compromised and you
>being a total fool.


You got something against ZA?
--
Jim Watt
http://www.gibnet.com
 
 
 
 
 
Leythos
 
      10-25-2007
In article <Xns99D3DD8CA63A1bubba@216.196.97.131>, (E-Mail Removed) says...
> Leythos <(E-Mail Removed)> wrote in
> news:(E-Mail Removed):
>
> >
> > You could have any number of malware on the computer, but you really
> > need to determine if you are actually compromised.

>
> Wouldn't the clean install negate that possibility? I only installed
> SP4, factory supplied audio and video drivers, ZoneAlarm, Firefox, and
> then finally the network card driver.


No, you could be installing bad/infected applications or other
compromised software - since you're installing non-MS software from
unknown sources and in an unknown state, we don't really know that
you're using clean software.

> > Most Linksys have a LOG function, enable it and then download and
> > install WALLWATCHER so that you can see, in real time, what traffic is
> > entering and leaving your network.

>
> Done. It doesn't see what ZoneAlarm is reporting but it's seeing plenty
> of other things. That much traffic is kind of scary.


No, it's not scary, it's normal. What you want to know is what things
actually make it INTO your network - if nothing is making it INTO your
network then ZA is giving false alarms or is telling you of something
INSIDE your network that is contacting your PC.

> > Since you've wiped/reinstalled 2000, why not reset the NAT router to
> > factory defaults, then properly configure it to block UPnP and not use
> > the DMZ and make sure that you change the password.
> >

>
> All things done. ZoneAlarm still reports blocking attempts. But I do
> feel safer now.


What is it reporting - you need to tell us exactly what it's reporting.

> The only thing I couldn't do was update the firewall firmware. I go thru
> the motions but it just doesn't take.
>
> Also, I told ZoneAlarm to "Stop all internet activity" and a couple of
> blocks still happened, but not at the same furious rate as before, and
> then they stopped completely. Could this be something that Zonealarm
> itself is doing? And why wouldn't any of this be happening on XP?
>
> For all I know this has been happening for years and I just never
> noticed. But now that I have noticed, it worries me.
>
> Are there any other ideas? I'm thinking a new NAT router might be a good
> way to go.


First, if you have a NAT Router, there is nothing that Zone Alarm will
provide that is better than the NAT Router. The NAT Router already
blocks INBOUND connections that you didn't request - meaning that you or
your computer has to reach out and connect to something before it can
connect to you/your computer.



--

Leythos - (E-Mail Removed) (remove 999 to email me)

Fight exposing kids to porn, complain about sites like PCBUTTS 1.COM
that create filth and put it on the web for any kid to see: Just take a
look at some of the FILTH he's created and put on his website:
http://forums.speedguide.net/archive.../t-223485.html all exposed
to children (the link I've included does not directly display his filth).
You can find the same information by googling for 'PCBUTTS1' and
'exposed to kids'.
 
 
Bubba
 
      10-25-2007
Leythos <(E-Mail Removed)> wrote in
news:(E-Mail Removed):



>What you want to know is what things
> actually make it INTO your network - if nothing is making it INTO your
> network then ZA is giving false alarms or is telling you of something
> INSIDE your network that is contacting your PC.
>


I'm starting to lean towards the false alarm theory. As I said before,
this is going on even after ZA is told to stop all internet activity.

Also, last night I installed a plain ZA firewall (no anti-virus, etc.) and
it reported nothing. I'm starting to think the Security Suite is causing
this. I'll give ZA a shout and see what they say.



> What is it reporting - you need to tell us exactly what it's
> reporting.
>



"ZoneAlarm Security Suite blocked traffic to port 1036 on your machine
from port 53 on a remote computer whose IP address is 24.93.##.###."

24.93.##.### is the same number as my DNS, according to the router. The
port numbers increase, with some numbers being skipped, on every block.
And the numbers reset to 1025 or 1026 every time I reboot to Win2k.

If I block that IP address, I get no more internet.

I'm still learning about Wallwatcher, but it isn't reporting anything from
that IP.


 
 
Leythos
 
      10-25-2007
In article <Xns99D475C84ADDBbubba@216.196.97.131>, (E-Mail Removed) says...
> Leythos <(E-Mail Removed)> wrote in
> news:(E-Mail Removed):
>
>
>
> >What you want to know is what things
> > actually make it INTO your network - if nothing is making it INTO your
> > network then ZA is giving false alarms or is telling you of something
> > INSIDE your network that is contacting your PC.
> >

>
> I'm starting to lean towards the false alarm theory. As I said before,
> this is going on even after ZA is told to stop all internet activity.
>
> Also, last night I installed a plain ZA firewall (no anti-virus, etc.) and
> it reported nothing. I'm starting to think the Security Suite is causing
> this. I'll give ZA a shout and see what they say.
>
>
>
> > What is it reporting - you need to tell us exactly what it's
> > reporting.
> >

>
>
> "ZoneAlarm Security Suite blocked traffic to port 1036 on your machine
> from port 53 on a remote computer whose IP address is 24.93.##.###."
>
> 24.93.##.### is the same number as my DNS, according to the router. The
> port numbers increase, with some numbers being skipped, on every block.
> And the numbers reset to 1025 or 1026 every time I reboot to Win2k.
>
> If I block that IP address, I get no more internet.
>
> I'm still learning about Wallwatcher, but it isn't reporting anything from
> that IP.


Port 53 is used for DNS - it could be that YOUR computer is reaching out
for DNS information, as you indicate, and that it's not inbound by poor
working of ZA.

As for WW, make sure you have it set to show IN/OUT connections.

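The point Leythos makes here (and in his earlier reply about what a NAT router actually blocks: inbound traffic nobody inside asked for) is easier to see by running the same packet trace through two kinds of filter. The following is an added example, not code from the thread, from ZoneAlarm or from WallWatcher. A stateless inbound filter reports the DNS reply exactly the way the quoted alert does, "from port 53 on a remote computer to port 1036 on your machine", while a filter that remembers the outbound query it answers (what a NAT router does) recognises it as a reply and only reports the genuinely unsolicited probe. The host and resolver addresses are assumed and taken from the documentation ranges; the trace is constructed. One detail in the thread backs this reading: Windows 2000 hands out client (ephemeral) ports from 1025 upward, which is why the local port numbers climb with each query and reset to 1025 or 1026 after a reboot.

```python
"""Stateless vs. stateful treatment of a DNS reply (added example).

Simulates an inbound filter that does not match inbound packets to earlier
outbound ones (the behaviour implied by the quoted ZoneAlarm alert) next to
a filter that does (what a NAT router does). All addresses and packets below
are constructed; the resolver and host addresses are assumptions.
"""
from dataclasses import dataclass

DNS_PORT = 53
EPHEMERAL_START = 1025   # Windows 2000/XP allocate client ports from 1025 upward


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" or "in", from the host's point of view
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


class StatefulFilter:
    """Remembers outbound flows so that their replies are recognised."""

    def __init__(self):
        self.pending = set()   # (local_port, remote_ip, remote_port, proto)
        self.unsolicited = []  # what a NAT router would actually log/drop

    def handle(self, pkt):
        if pkt.direction == "out":
            self.pending.add((pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
            return "allowed-outbound"
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if key in self.pending:
            self.pending.discard(key)      # one reply per query, then the hole closes
            return "reply-to-our-query"
        self.unsolicited.append(pkt)
        return "unsolicited-blocked"


def stateless_verdict(pkt):
    """A filter with no memory: every inbound packet looks unsolicited."""
    return "allowed-outbound" if pkt.direction == "out" else "unsolicited-blocked"


def classify_trace(packets):
    """Per-packet (stateless, stateful) verdicts for a whole trace."""
    sf = StatefulFilter()
    return [(stateless_verdict(p), sf.handle(p)) for p in packets]


def is_likely_dns_reply(local_port, remote_port, remote_ip, dns_servers):
    """Reading an alert like the thread's by hand: remote port 53 from the
    configured resolver to an ephemeral local port is a reply, not a probe."""
    return (remote_port == DNS_PORT
            and remote_ip in dns_servers
            and local_port >= EPHEMERAL_START)


# Constructed trace: the host queries its resolver twice, then a genuinely
# unsolicited TCP probe to port 135 arrives from an unrelated address.
HOST, RESOLVER = "192.168.1.100", "203.0.113.53"   # assumed addresses
SAMPLE = [
    Packet("out", HOST, 1036, RESOLVER, 53),
    Packet("in", RESOLVER, 53, HOST, 1036),             # the 'blocked' alert in the thread
    Packet("out", HOST, 1037, RESOLVER, 53),
    Packet("in", RESOLVER, 53, HOST, 1037),
    Packet("in", "198.51.100.7", 4444, HOST, 135, "tcp"),  # real unsolicited inbound
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(SAMPLE, classify_trace(SAMPLE)):
        print(f"{pkt.direction:3} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}"
              f"  stateless={stateless}  stateful={stateful}")
```

Run as-is it prints both verdicts for each packet: the two port-53 packets are "unsolicited-blocked" to the stateless filter and "reply-to-our-query" to the stateful one, and only the port-135 probe is unsolicited for both. That is also why blocking the resolver's address kills Internet access: the "attacker" is the DNS server answering the host's own questions.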
 
 
Bubba
 
      10-25-2007
Leythos <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

>
> Port 53 is used for DNS - it could be that YOUR computer is reaching
> out for DNS information, as you indicate, and that it's not inbound by
> poor working of ZA.
>
> As for WW, make sure you have it set to show IN/OUT connections.
>



WW seems to be doing its thing well. Lots of "i" and "o" listings.

I think I'll try someone else's firewall and see if it reports the same
thing.
 
 
Leythos
 
      10-25-2007
In article <Xns99D47B3454686bubba@216.196.97.131>, (E-Mail Removed) says...
> Leythos <(E-Mail Removed)> wrote in
> news:(E-Mail Removed):
>
> >
> > Port 53 is used for DNS - it could be that YOUR computer is reaching
> > out for DNS information, as you indicate, and that it's not inbound by
> > poor working of ZA.
> >
> > As for WW, make sure you have it set to show IN/OUT connections.
> >

>
>
> WW seems to be doing its thing well. Lots of "i" and "o" listings.
>
> I think I'll try someone else's firewall and see if it reports the same
> thing.


You don't need a soft firewall, the router provides better protection in
most cases.

You need to pay attention to the I's that show a local IP address, if
they only show it ending in your public IP it means that it was blocked,
if it shows a local IP then it means that it got in your network.

You also need to watch the OUTBOUND so that you can see what is going
out - in case you had a rogue malware that was doing bad things.

 
 
Bubba
 
      10-25-2007
Leythos <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

>
> You need to pay attention to the I's that show a local IP address, if
> they only show it ending in your public IP it means that it was blocked,
> if it shows a local IP then it means that it got in your network.


I'm not sure I understand what you mean here, but let me give it a try.

Most of the inbound attempts appear to want to contact my real world
IP address.

But I've found one that was trying (or did) contact my router IP of
192.168.1.100.

Is that what you mean for me to watch out for?

WW reports no contact from 24.93.##.###
 
 
Leythos
 
      10-25-2007
In article <Xns99D4814824891bubba@216.196.97.131>, (E-Mail Removed) says...
> Leythos <(E-Mail Removed)> wrote in
> news:(E-Mail Removed):
>
> >
> > You need to pay attention to the I's that show a local IP address, if
> > they only show it ending in your public IP it means that it was blocked,
> > if it shows a local IP then it means that it got in your network.

>
> I'm not sure I understand what you mean here, but let me give it a try.
>
> Most of the inbound attempts appear to want to contact my real world
> IP address.
>
> But I've found one that was trying (or did) contact my router IP of
> 192.168.1.100.
>
> Is that what you mean for me to watch out for?
>
> WW reports no contact from 24.93.##.###


If the inbound shows a PRIVATE IP then it means that something OUTSIDE
made it INSIDE your network - the only way that can happen is if you've
enabled UPnP on the router or if you've setup port forwarding.

Disable UPnP on the router, Disable Port Forwarding, Disable Admin
Forwarding, Disable GAME forwarding, Disable "Trigger" Forwarding,
disable DMZ address if it has one.


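The triage rule Leythos gives in this reply and in his previous one (inbound entries that stop at the public address were blocked; an inbound entry with a private destination was passed into the LAN, which on a home NAT box only happens through port forwarding, UPnP, a DMZ host or port triggering) can be written down as a small log classifier. This is an added example, not part of the thread and not WallWatcher's code; the log format (direction, source ip:port, destination ip:port, protocol) is made up because WallWatcher's real export format is not shown on the page, and the addresses and entries are constructed. Two refinements a practitioner wants when reading such a log, and that the thread touches on, are built in: an inbound entry that matches an earlier outbound entry is just the reply to that flow (the DNS case again), and an entry whose source is also a private address never came from the Internet, it is something inside the network contacting the PC. Private means RFC 1918 here, checked explicitly rather than with the library's broader notion of "private".

```python
"""Triage of a NAT router's connection log (added example, constructed data).

Labels each entry as: outbound, reply-to-outbound, inbound-to-wan-address,
inbound-reached-lan (the ones that need explaining), lan-internal, or
inbound-other. The log format is invented for this example.
"""
import ipaddress
from collections import Counter

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log; the router's WAN (public) address is assumed to be
# 203.0.113.10 and the PC is 192.168.1.100, as in the thread.
PUBLIC_IP = "203.0.113.10"
SAMPLE_LOG = """\
i,198.51.100.7:4444,203.0.113.10:135,tcp
i,198.51.100.7:4445,203.0.113.10:445,tcp
o,192.168.1.100:1036,203.0.113.53:53,udp
i,203.0.113.53:53,192.168.1.100:1036,udp
i,192.0.2.25:51234,192.168.1.100:6881,tcp
i,192.168.1.50:137,192.168.1.100:137,udp
o,192.168.1.100:1045,198.51.100.80:80,tcp
"""


def is_rfc1918(ip):
    """True for 10/8, 172.16/12 and 192.168/16 only."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_line(line):
    """One 'dir,src:port,dst:port,proto' line -> dict with integer ports."""
    direction, src, dst, proto = line.strip().split(",")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"dir": direction, "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port), "proto": proto}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def triage(entries, public_ip):
    """Return (label, entry) pairs in log order."""
    open_flows = set()   # (local_ip, local_port, remote_ip, remote_port, proto)
    results = []
    for e in entries:
        if e["dir"] == "o":
            open_flows.add((e["src"], e["sport"], e["dst"], e["dport"], e["proto"]))
            label = "outbound"
        elif is_rfc1918(e["src"]) and is_rfc1918(e["dst"]):
            label = "lan-internal"                 # never crossed the router
        elif (e["dst"], e["dport"], e["src"], e["sport"], e["proto"]) in open_flows:
            label = "reply-to-outbound"            # answer to a flow the LAN host opened
        elif is_rfc1918(e["dst"]):
            label = "inbound-reached-lan"          # forwarded in: UPnP/port forward/DMZ/trigger
        elif e["dst"] == public_ip:
            label = "inbound-to-wan-address"       # stopped at the router
        else:
            label = "inbound-other"
        results.append((label, e))
    return results


def needs_explaining(entries, public_ip):
    """Only the unsolicited inbound entries that got past the NAT."""
    return [e for label, e in triage(entries, public_ip)
            if label == "inbound-reached-lan"]


def summary(entries, public_ip):
    return Counter(label for label, _ in triage(entries, public_ip))


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for label, e in triage(log, PUBLIC_IP):
        print(f"{label:23} {e['dir']} {e['src']}:{e['sport']} -> "
              f"{e['dst']}:{e['dport']} {e['proto']}")
    print(dict(summary(log, PUBLIC_IP)))
```

In the constructed sample only the entry to 192.168.1.100:6881 from a public source with no matching outbound flow comes out as "inbound-reached-lan"; that is the kind of line to chase down, and the router settings Leythos lists (UPnP, port forwarding, DMZ, triggering) are where the hole would be. The two scans at the public address and the NetBIOS chatter from another LAN host are noise, and the port-53 entry is the resolver answering.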
 
 
goarilla
 
      10-25-2007
Leythos wrote:
> In article <Xns99D4814824891bubba@216.196.97.131>, (E-Mail Removed) says...
>> Leythos <(E-Mail Removed)> wrote in
>> news:(E-Mail Removed):
>>
>>> You need to pay attention to the I's that show a local IP address, if
>>> they only show it ending in your public IP it means that it was blocked,
>>> if it shows a local IP then it means that it got in your network.

>> I'm not sure I understand what you mean here, but let me give it a try.
>>
>> Most of the inbound attempts appear to want to contact my real world
>> IP address.
>>
>> But I've found one that was trying (or did) contact my router IP of
>> 192.168.1.100.
>>
>> Is that what you mean for me to watch out for?
>>
>> WW reports no contact from 24.93.##.###

>
> If the inbound shows a PRIVATE IP then it means that something OUTSIDE
> made it INSIDE your network - the only way that can happen is if you've
> enabled UPnP on the router or if you've setup port forwarding.
>
> Disable UPnP on the router, Disable Port Forwarding, Disable Admin
> Forwarding, Disable GAME forwarding, Disable "Trigger" Forwarding,
> disable DMZ address if it has one.
>
>

and disable telnet, http interface, ssh (remote management) on the WAN
side as well
 
 
 
 