Just curious - port 1133
Marianna
June 13th, 2003, 12:29 PM
Hi :D
This morning - it's 9.20 am (PDT) here - I found over 500 records of alerts on port 1133.
The "only" info I found regarding this port is:
Name: SweetHeart
Aliases: Backdoor.Zhang, Zhang,
Ports: 600, 1133, 1183, 1183 (UDP), 2101, 2222, 2222 (UDP), 6711, 8311
Files: Zhang.zip - Aboutagirl.exe - Girl.exe - Iloveyou.exe -
Created:
Requires:
Actions: Remote Access
Registers: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CLASSES_ROOT\txtfile\shell\open\command
Notes: Works on Windows.
Country: written in China
Program: Written in Delphi.
http://www.simovits.com/nyheter9902.html
Does anyone know what is going on??
Thanks ;D
Dan Perez
June 13th, 2003, 04:06 PM
Portsdb.org and Neohapsis port list didn't list anything for those ports (wasn't sure if you meant UDP or TCP)
Did the activity happen over a defined period or is it continuing?
I enabled full packet capture on those ports on my firewall to see what it might catch but nothing yet.
Dan Perez
June 13th, 2003, 04:08 PM
Ooo, also, what was the situation with the source?
All from single host?
From static port or incremental?
LowWaterMark
June 13th, 2003, 04:14 PM
Agreed, without posting a portion of the firewall log there isn't much we can say about this. (If you can post some of the log here, you can just obscure your own IP address if you'd like to keep that from public view.)
If you don't have a tool to capture packets yourself Marianna, you can use this freeware tool. It's not a packet sniffer, it just listens on a port and captures the packets so you can look at them. >> Freeware Port Listener Released (http://www.wilderssecurity.com/showthread.php?t=8652)
Marianna
June 13th, 2003, 05:43 PM
Thanks guys,
I was in a hurry this morning - just came back. Here is a portion:
http://members.shaw.ca/schmudlach/ZoneLog13.06.2003a.jpg
The "alerts" are all different from almost all over the world. Sure also more port 80 in now -
At the moment I have 778 "alerts" ....
Thought "something" was running "wild" in the internet ??
meneer
June 13th, 2003, 05:58 PM
1214 points to kazaa. Seems to me that 1133 is a p2p client port too. Since the number of hits is large, a p2p connection is to be assumed ::)
Dan Perez
June 13th, 2003, 06:06 PM
Okay, I think the "telling" point here is the source port of 1214 which is used for Kazaa, Morpheus and Grokster. It almost seems as if you had a similar app that had been sending or listening on 1133. Is that possible?
Dan Perez
June 13th, 2003, 06:06 PM
oops, meneer beat me to it (I was rambling to myself)
Marianna
June 13th, 2003, 06:08 PM
Nope, never had KaZaa, Grokster, or Morpheus.
It started this morning - I'm on cable.
LowWaterMark
June 13th, 2003, 06:08 PM
Yeah, very often when I get hit with a large number of connection attempts, from a wide range of IP addresses, they invariably turn out to be related to some file sharing application. I generally confirm this by catching a few of the packets with Port Peeker.
>> Nope, never had KaZaa, Grokster, or Morpheus.
Capture a few of the packets and see.
Dan Perez
June 13th, 2003, 06:11 PM
Marianna, do you have a static IP or is it leased by the provider? If the latter, was the IP recently changed during a lease renewal?
meneer
June 13th, 2003, 06:23 PM
And I bet it dies down in a few hours/days :)
Marianna
June 13th, 2003, 06:31 PM
Yes, I have a static IP - I'm not worried for my computer - have nothing to hide ;D - thought there was something "brewing" in the internet.
But if you guys don't "see" this "knocking" yet - well, maybe you get it Father's Day?? ::)
Dan Perez
June 13th, 2003, 06:41 PM
Here is the trend map for port 1214 (the one for 1133 was negligible). Note that the 1214 scans were most significant when viewed on the source port side.
http://isc.incidents.org/port_details.html?port=1214
Marianna
June 13th, 2003, 06:48 PM
Thanks, Dan !
I appreciate it !
Marianna
June 14th, 2003, 11:31 AM
I had another look this morning - well, I guess, I can't really look for port "1214" - destination port is still 1133 and it is coming from:
1214, 1332, 1391, 1824, 62698, 1749, 3323, 11680, 1886 etc.
plus this morning a LOT more on port 80.
So "something" is "strange" ;D
Dan Perez
June 14th, 2003, 01:01 PM
Well, it appears that the 1133 activity is fairly unique to your system/network
http://isc.incidents.org/port_details.html?port=1133
Have you tried the PortPeeker app that LowWaterMark mentioned earlier in the thread. If you have, did you notice any typical packet payload?
And you're sure that you have nothing listening on 1133 and have had your public IP for a significant amount of time?
???
Marianna
June 14th, 2003, 01:22 PM
thanks Dan,
didn't have time yesterday to download the program, I just did - will be "in" and "out" today again, will install it now - I believe I have had the same IP since I started with cable and that was over 2 years ago. Checked all the ports and they show ALL stealth. I'm only running ZoneAlarm Free as I want to know what wants to go out of my computer.
I have WinMe - is there "something" I have to know about running PortPeeker??
Thanks so much ;)
Dan Perez
June 14th, 2003, 01:37 PM
Hey,
Actually I hadn't heard of the PortPeeker program til it was mentioned in the thread and I haven't tried it myself but the interface seems pretty nice and the developer is reputable.
I was curious about the IP change as that is the simplest reason for the activity (the previous user of that IP was a heavy user of Kazaa) but that only fits if your IP changed recently. Also, it is quite uncommon for cable providers to issue static IPs (as they tend to have frequent network topology changes to redistribute load, etc)
Marianna
June 14th, 2003, 01:58 PM
HI again, Dan ;)
will give it a try - will give "smoke signals" if I don't "understand" ;D
Maybe the cable companies in Canada are different?? As far as I know, it is still the same IP I have. Ah well, I still guess, "something" is "brewing" in the internet. I'm still "curious" what these many hits are all about.
It's 10.51 am (PDT) and I already have 321 hits ..... meaning it did NOT slow down.
Ah well, thanks again :)
Dan Perez
June 14th, 2003, 02:35 PM
Yes, definitely let us know if there is something you need help with.
I REALLY think it was an IP change. If something was brewing on the Internet there would be signs elsewhere and doing a little research I found on your ISP's homepage (I changed the ISP's name in the quote to "<ISP>" )
"To ensure reliable service to all customers, <ISP>'s Residential Internet network does not currently support Static IP's. Since <ISP> is designed for the average home Internet user, Static IP's provided little or no benefit while making network management difficult. Dynamic IP brings a higher level of customer service, and many find that a long term IP is usually assigned. Using Dynamic IP, customers do not experience connection loss during network upgrades, while Static IP's can result in a temporary loss of service. "
Hope this helps,
Dan
Marianna
June 14th, 2003, 02:50 PM
Interesting what you found ! I must say, I am having problems in the time they "update" or "maintain". Have just written them an e-mail - hope I'll get an answer "soon" :) Maybe they can explain WHY I always "see" the same IP ??
Have installed PortPeeker - this is weird - until now I got the most "hits" on UDP 1133 - now it has changed to TCP 1133 ?? Am I "dreaming" or what ::)
Dan Perez
June 14th, 2003, 02:55 PM
Are you sure you set PortPeeker to listen on UDP 1133? It sounds as if it might be set to TCP 1133
LowWaterMark
June 14th, 2003, 03:01 PM
FYI - You can run as many copies of Port Peeker as you'd like, so run two and have one collect from 1133/UDP and another from 1133/TCP.
Marianna
June 14th, 2003, 03:10 PM
Thanks - have to leave now - will make some copies - so I can see "MORE" .
BTW I just got a reply from my cable company:
"Unless you are subscribed to one of our Business Internet packages, and are specifically paying for a static IP address, then you would have a dynamic one. Though they are considered dynamic, they don't tend to change too often; they usually only change when we conduct an upgrade in the area which requires the addition of new IP addresses for new customers."
Well, this "says" it all - there was NO upgrade in our area - and that's why I still "see" the same IP . Good to know -
Will catch up later....... have to run !
In the meantime big THANKS :D
Dan Perez
June 14th, 2003, 03:20 PM
I can't tell your level of knowledge on Networking so please do not be offended by the question but... the same IP that you are using, is that an IP that begins with any of the following?
192.168.
or
172.16.
or
10.
If that is the case, this is not the public IP given by the ISP. Sorry to be pedantic about this but this is so apt a reason for the activity :'(
Marianna
June 14th, 2003, 05:47 PM
Dan,
to tell the truth - I do NOT have a lot of knowledge on networking. Hey, we are never too "old" to learn more ;D
No, my IP doesn't start with the numbers you mentioned.
As I mentioned the "destination" port 1133 but the "source port" is different -
I just got this:
The firewall has blocked Internet access to your computer (TCP Port 1133) from 80.51.44.18 (TCP Port 4069) [TCP Flags: S].
Time: 14/06/2003 2:30:20 PM
is it still "correct" to look for port 1133 or do I have to change to 4069??
What I also found is:
ZoneAlarm blocked traffic to port 1133 on your machine from port 1214 on a remote computer whose IP address is 212.21.245.124. This communication attempt may have been a port scan, or simply one of the millions of unsolicited commercial or network control messages that are routinely sent out over the Internet. Such unsolicited messages are often called Internet background noise.
O.k. if I assume it is "Internet background noise" why so many hits in the last 2 days - can't remember I have ever seen so many hits on destination port 1133 ??
Thanks for your help ;)
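The two ZoneAlarm log messages quoted above, and Dan's earlier question about whether the "same IP" is a private 192.168./172.16./10. address, are the kind of thing a small script answers faster than reading 900 alerts by hand. The example below is added here and is not code from the thread or from ZoneAlarm; it parses lines in the two message shapes Marianna pasted, tallies them by destination port and by source port (the 1214 source port is the KaZaA/Morpheus/Grokster signal meneer and Dan pointed at), and checks an address against the RFC 1918 ranges Dan listed. The sample log is constructed: the two real lines from this thread plus made-up lines using documentation addresses (198.51.100.x, 203.0.113.x).

```python
import re
import ipaddress
from collections import Counter

# The two ZoneAlarm Free message shapes quoted in the thread.
_RE_LONG = re.compile(
    r"blocked Internet access to your computer \((?P<proto>TCP|UDP) Port (?P<dport>\d+)\) "
    r"from (?P<src>[\d.]+) \((?:TCP|UDP) Port (?P<sport>\d+)\)"
)
_RE_SHORT = re.compile(
    r"blocked traffic to port (?P<dport>\d+) on your machine from port (?P<sport>\d+) "
    r"on a remote computer whose IP address is (?P<src>[\d.]+)"
)

# Source port the thread associates with KaZaA, Morpheus and Grokster.
P2P_SOURCE_PORT = 1214

# Dan's three private ranges (RFC 1918): an address here is not the ISP-assigned public IP.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_alert(line):
    """Return a dict with proto/dport/sport/src for a ZoneAlarm alert line, else None."""
    m = _RE_LONG.search(line)
    if m:
        return {"proto": m.group("proto"), "dport": int(m.group("dport")),
                "sport": int(m.group("sport")), "src": m.group("src")}
    m = _RE_SHORT.search(line)
    if m:
        # The short message shape does not state the protocol.
        return {"proto": None, "dport": int(m.group("dport")),
                "sport": int(m.group("sport")), "src": m.group("src")}
    return None


def summarize(lines):
    """Aggregate alert lines the way a reader of the thread wants to see them."""
    alerts = [a for a in (parse_alert(l) for l in lines) if a]
    return {
        "total": len(alerts),
        "by_dport": Counter(a["dport"] for a in alerts),      # stable: what is being hit
        "by_sport": Counter(a["sport"] for a in alerts),      # varies per remote host
        "distinct_sources": len({a["src"] for a in alerts}),  # "from almost all over the world"
        "p2p_sourced": sum(1 for a in alerts if a["sport"] == P2P_SOURCE_PORT),
    }


def is_private_address(ip):
    """True if ip falls in one of the 10./172.16./192.168. ranges Dan asked about."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


# Constructed sample: two lines quoted in the thread, three made-up ones, one non-alert line.
SAMPLE_LOG = [
    "The firewall has blocked Internet access to your computer (TCP Port 1133) "
    "from 80.51.44.18 (TCP Port 4069) [TCP Flags: S].",
    "ZoneAlarm blocked traffic to port 1133 on your machine from port 1214 on a "
    "remote computer whose IP address is 212.21.245.124.",
    "The firewall has blocked Internet access to your computer (UDP Port 1133) "
    "from 203.0.113.7 (UDP Port 1214).",
    "The firewall has blocked Internet access to your computer (TCP Port 1133) "
    "from 198.51.100.20 (TCP Port 1214) [TCP Flags: S].",
    "The firewall has blocked Internet access to your computer (TCP Port 80) "
    "from 198.51.100.21 (TCP Port 3323) [TCP Flags: S].",
    "Time: 14/06/2003 2:30:20 PM",
]

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("alerts parsed:", s["total"])
    print("by destination port:", dict(s["by_dport"]))
    print("by source port:", dict(s["by_sport"]))
    print("distinct sources:", s["distinct_sources"])
    print("alerts from the p2p source port:", s["p2p_sourced"])
    print("192.168.1.5 private?", is_private_address("192.168.1.5"))
```

The summary also settles Marianna's question of which port to watch: the destination port (1133) is the constant, the source port is whatever ephemeral port the remote host happened to use, so the listener belongs on 1133.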
LowWaterMark
June 14th, 2003, 05:58 PM
Marianna, you want Port Peeker to listen on 1133 because that's what the packets are hitting on your system. Port Peeker can be run twice, bringing up two separate instances of it, so you can listen on 1133/UDP and 1133/TCP. (Your above log entry was indeed TCP, but, on the first page of this thread your log showed a lot of hits on UDP 1133.)
If this is file sharing, then you will be able to tell that by looking at packets it captures. Please note, Port Peeker will need to "act as a server" from the Zone Alarm perspective - that's how it will be able to see that traffic. If you block all server access, Port Peeker won't see anything.
When you run it, hit the [configure] button and enter 1133 as shown. Run it a second time and select 1133 and flag UDP instead. Then sit back and wait for it to capture the traffic.
Marianna
June 15th, 2003, 12:24 AM
Thanks LWM :)
good you told me PortPeeker needs to act as a server ! Well, now it is several hours later and Port Peeker is listening ........... guess what??
Have a look:
http://members.shaw.ca/schmudlach/PortPeeker9pm.jpg
not ONE entry for port 1133. What I show here is a partial log after I allowed it to run as server.
The rest you can't see here also has not ONE entry with port 1133 - is the devil playing with me ???
Thanks to ALL for your help - I have learned again something new PortPeeker !
Have a great Father's Day!
Dan Perez
June 15th, 2003, 12:57 AM
Hey,
Your setting ZoneAlarm to allow PortPeeker as a service will allow those connections to evade ZoneAlarm's logging since, as far as IT'S concerned, it is legitimate. You SHOULD be getting packets in the PortPeeker logs however. :)
Marianna
June 15th, 2003, 01:04 AM
Dan,
I didn't get anything - PortPeeker was empty !
Since I closed it - now the alerts for port 1133 are coming again:
http://members.shaw.ca/schmudlach/PortPeeker%20around%209pm.jpg
Am I doing something wrong?? I'm "baffled" :o
LowWaterMark
June 15th, 2003, 01:10 AM
Of course, I don't have anything coming in on UDP port 1133 to show, but, here is what Port Peeker shows when I capture packets on UDP 137 for those constant scans we all get now thanks to the recent viruses out there.
Marianna
June 15th, 2003, 01:21 AM
Then what am I doing wrong?? I also have at the bottom "UDP listening on port 1133" and there is nothing \ zero - all blank. Am I missing something?
LowWaterMark
June 15th, 2003, 01:25 AM
Hmm, so your firewall no longer logs attempts of 1133 when PortPeeker is running, (that makes sense, as Dan said, now that something is listening on that port and it's allowed to act as server in ZA, your firewall is no longer blocking the packets), and yet, nothing is actually being logged in Port Peeker, either... :-\ ::err:: I'm sorry, I can't hazard a guess as to where the packets are going now.
Dan Perez
June 15th, 2003, 01:30 AM
Curiouser and curiouser...
One test you can make is (assuming you have a PortPeeker app listening on TCP 1133) Open up a web browser and for a URL type in
http://127.0.0.1:1133
be sure to put in the colon before 1133
You should get stuff in that portpeeker window (you can't use a web browser to test the UDP port)
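Dan's loopback check (point a browser at http://127.0.0.1:1133 and see whether the listener records anything) is a general way to prove a capture tool works before blaming the firewall. The example below is added here and is not Port Peeker's code or anything from the thread: it is a minimal TCP listener that, like Port Peeker, accepts connections on one port, records the peer address and the first bytes sent, and never replies, plus the same self-test done from Python instead of a browser. The port number, the `PortListener` class and the HTTP-style request bytes are my own constructions.

```python
import socket
import threading
import time


class PortListener:
    """Port Peeker-style TCP listener: accept, record (peer_ip, peer_port, first bytes), close.

    Binding to port 0 lets the OS pick a free port, which keeps the self-test
    from colliding with anything already listening on the machine.
    """

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.sock.settimeout(0.2)          # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.captured = []                 # list of (peer_ip, peer_port, bytes)
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(0.5)
                try:
                    data = conn.recv(4096)  # first bytes only; we never answer
                except socket.timeout:
                    data = b""
            self.captured.append((peer[0], peer[1], data))

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def loopback_self_test(listener):
    """Dan's check: connect to 127.0.0.1:<port> the way a browser would.

    Returns the bytes the listener recorded for that connection (empty if none).
    """
    request = b"GET / HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n"
    with socket.create_connection(("127.0.0.1", listener.port), timeout=1) as c:
        c.sendall(request)
    deadline = time.time() + 2
    while time.time() < deadline and not listener.captured:
        time.sleep(0.05)               # give the listener thread a moment to record it
    return listener.captured[-1][2] if listener.captured else b""


if __name__ == "__main__":
    # Stand-alone run: listen on a fixed port (1133 as in the thread), self-test, then wait.
    lst = PortListener(port=1133).start()
    print("listening on 127.0.0.1:%d" % lst.port)
    print("self-test captured:", loopback_self_test(lst))
    try:
        while True:
            time.sleep(1)
            for ip, port, data in lst.captured:
                print(ip, port, data[:40])
            lst.captured.clear()
    except KeyboardInterrupt:
        lst.stop()
```

If the self-test shows the request but real traffic never appears, the listener is fine and the packets are being dropped before they reach it, which is exactly the distinction the thread was trying to draw. A UDP listener is the same idea with `SOCK_DGRAM` and `recvfrom` in place of `accept`/`recv`, but, as Dan notes, a browser cannot exercise it.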
Marianna
June 15th, 2003, 01:32 AM
Well, I was digging in my logs from MyNetWatchman and I also found port 1133 this way under Port\Issue Description:
AnalogX Proxy Server
Does this tell you something??
Dan Perez
June 15th, 2003, 01:37 AM
Do you have that program listed in your Add/Remove programs? Also, do you have multiple machines that access the Internet?
Marianna
June 15th, 2003, 01:43 AM
Dan,
your tip is working !
This is what I get:
http://members.shaw.ca/schmudlach/PP%20log.jpg
Can you translate it :o
Dan Perez
June 15th, 2003, 01:46 AM
LOL,
This was just to test if PortPeeker was working okay on your system. I don't know why it is not catching the stuff that ZoneAlarm was catching before you let it through.
Which version of ZoneAlarm are you using?
Marianna
June 15th, 2003, 01:53 AM
I have the "old" ZA free version as the newer one didn't work well for my WinME computer; I didn't get restore points anymore.
No, I don't have that program on my computer and I have 2 computers on the internet - only one is running today.
Dan, I guess I have to close for today, as I am getting really tired.
Thanks so much for your help ! I really appreciate it !
Dan Perez
June 15th, 2003, 02:00 AM
Glad to help. Go Rest!
Marianna
June 16th, 2003, 10:00 PM
HI, I'm back ;D
I'm still getting "hammered" on the one computer with destination port 1133 - the other computer I have, which also runs on cable has NO hits on port 1133 at all - isn't that "weird" ??
Well, in the meantime I have again 929 hits :'(
One in particular was "interesting":
http://members.shaw.ca/schmudlach/uniweb.jpg
Any clues??
Dan Perez
June 16th, 2003, 10:32 PM
Hey :D ,
Given all we have gone through I must admit I am a bit mystified. The only two alternatives I see are that
1. The impacted system has a kazaa type application on that port (not necessarily running all the time but often enough to generate this volume of return traffic)
2. That another PC used by someone else was using Kazaa and that IP was recently assumed by your system via DHCP lease acquisition.
Arguing against the first possibility is your assertion that you have not used Kazaa type apps before. Arguing against the second is that you have been using the same public IP on that system for a considerable period of time.
If you do not have DiamondCS's PortExplorer, I would recommend you download their demo version at
http://www.diamondcs.com.au/portexplorer/index.php?page=download
Once you have this installed change to the UDP tab and look to see if anything is on that port. Definitely something is up if you find something there but keep in mind it may be something that may run only sporadically so you should check periodically
Also, I take it that you were never able to get any data logged by PortPeeker. When we first started discussing this I started full packet logging of all port 1214 (TCP and UDP) and in that interval have captured only one packet. Now this is probably part of a Kazaa-specific scan and not regular Kazaa activity but in case anyone wants to have the packet payload it was as follows
2700 0000 2980 4b61 5a61 4100 2483 ec19 0000
Which contains an ASCII string of "KaZaA" (minus quotes)
HTH,
Dan
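Dan reads "KaZaA" straight out of the hex, which is the same thing the classic `strings` utility does: walk the bytes and report runs of printable ASCII. The example below is added here and is not Dan's code; it takes the payload exactly as he posted it, turns the hex dump back into bytes, lists the printable runs, and reports where the "KaZaA" marker sits. The four-character minimum run length is my own choice (it is also the default of the `strings` tool).

```python
# Payload bytes as Dan posted them in this thread (hex, space-separated 16-bit groups).
PAYLOAD_HEX = "2700 0000 2980 4b61 5a61 4100 2483 ec19 0000"

# Marker the thread identifies in the payload.
KAZAA_MARKER = b"KaZaA"


def hex_dump_to_bytes(text):
    """Convert a whitespace-separated hex dump into bytes."""
    return bytes.fromhex("".join(text.split()))


def printable_strings(data, min_len=4):
    """Return runs of printable ASCII (0x20-0x7e) at least min_len long, like `strings`."""
    runs, current = [], bytearray()
    for b in data:
        if 0x20 <= b <= 0x7E:
            current.append(b)
            continue
        if len(current) >= min_len:
            runs.append(current.decode("ascii"))
        current = bytearray()
    if len(current) >= min_len:            # flush a run that ends at the last byte
        runs.append(current.decode("ascii"))
    return runs


def kazaa_marker_offset(data):
    """Byte offset of the KaZaA marker in the payload, or -1 if absent."""
    return data.find(KAZAA_MARKER)


if __name__ == "__main__":
    payload = hex_dump_to_bytes(PAYLOAD_HEX)
    print("length:", len(payload), "bytes")
    print("printable runs:", printable_strings(payload))
    print("KaZaA marker at offset:", kazaa_marker_offset(payload))
```

Only the marker string is supported by the thread; nothing here claims to know what the surrounding bytes mean, and a single packet is not enough to say more than Dan already did.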
LowWaterMark
June 16th, 2003, 10:45 PM
Yes, the traffic certainly looks like it's related to file sharing alright. Too bad we haven't been able to capture any packets to confirm it. :-\
The thing I hate about some file sharing apps is that they don't clean up their host lists very well or very quickly. They keep trying on an IP address for what seems like an enormous amount of time. If the host is running stealth, I'm guessing they just keep trying pretty much endlessly in hopes that the system is just offline and will be coming back sooner or later.
Obviously, the best solution is usually to force a change of IP address, but, given the ISP service involved, that doesn't seem possible. Another option might be to drop stealth, and let the system return closed responses for a day or two. This might trigger the remotes to stop trying.
Not being overly concerned about stealth myself, I have ZAP set up to allow closed responses on all normal file sharing ports all the time.
Marianna
June 16th, 2003, 11:07 PM
Hi :D
No, my PortPeeker doesn't show anything - nothing. Can write it down again - I NEVER had filesharing - As you saw in the reply of my cable company - they hardly change the IP's. As far as I know I still have the "old" IP. I'm now more curious as the source ports are different - the screenprint I showed you in the above post - doesn't give a "clue" ???
I'll have a look at the Port Explorer - anything "special" I have to do??
Thanks 8)
Dan Perez
June 16th, 2003, 11:20 PM
Regarding PortExplorer, it's really easy to use. You will be prompted to do a reboot after the install. Once it comes back up your primary area of interest will be the UDP tab to look for 1133.
Regarding the ISP's response, Cable ISPs ALWAYS say that they change IPs infrequently (and to some extent that is usually true) but the necessary point is that they DO change. If PortExplorer does not bring anything to the surface, my recommendation would be to call your ISP's support number and explain the recent surge of this activity and ask them if your IP has changed recently (forget for a moment that you are unaware of any change, there are perfectly valid reasons why the IP of your computer would not change but the IP provided by the ISP would). You might also want to see if they are amenable to LWM's recommendation on forcing a change of your current IP to see if the activity goes away (as I am pretty sure it will).
Let us know if you have any questions with PE
Marianna
June 16th, 2003, 11:31 PM
Dan,
Thanks again !
meneer
June 17th, 2003, 02:31 AM
To clarify things:
You run 2 computers?
One of them acts like a gateway to the internet and the other one connects to the internet via the gateway?
Your gateway is running Analogx Proxy in order for the second one to be able to connect to the internet?
If this is the case, could it be that this is local network traffic from Analogx Proxy, that's configured to listen to 1133 instead of 3128 (default port)?
Marianna
June 17th, 2003, 10:10 AM
Hi meneer,
nope, both are connected via a hub. There is also NOTHING shared between the 2 computers.
Dan, I have to laugh, sorry ..... as soon as I enabled PortExplorer - I had to give it permission......right? Well, after that - as it was listening, I got nothing anymore! As soon as I closed it, the "hammering" started again.
I guess, I either have to ignore all this stuff or I have to have a "friendly word" with my cable company? ;D
Dan Perez
June 17th, 2003, 01:49 PM
Marianna, Yes that is a bit funny but oddly consistent with the situation we found with PortPeeker. I believe that either there is a problem with Zone Alarm in allowing permitted traffic or you are not permitting the traffic correctly (I mean here "permitting" in the sense of allowing for the purpose of handling by PortPeeker or PortExplorer). I have had ZA Pro from the first version through 3.x but I haven't used it in a while. In addition to allowing application access through the firewall you can also specify specific inbound (or outbound) ports to pass through but I don't recall the interface well enough to walk you through it. I would recommend (in addition to your well-anticipated discussion with the cable company) that you go through the Help File for ZoneAlarm, and see if it has a troubleshooting section that talks about allowing or denying specific ports. Alternatively, you can use the help's find function to search for "ports".
Meneer, yes it is rather hard to clarify things, we have gone through so many ! Keep in mind though that even if she had a proxy setup, the great majority of traffic destined for local UDP 1133 is sourced from the main kazaa/grokster/etc port and this had not been happening previously. ;)
Marianna
June 17th, 2003, 02:16 PM
Hi Dan,
you are such a "sweet guy" ;D
I had a "friendly" word with the cable company - wow they had " great advice":
"Hello,
My name is Ken.
We suggest you use a firewall to block port entry. You may change network cards on your own which will result in a new IP granted. The IP address in most cases will not change on the shaw side until upgrades are done in your area.
We hope this information has been useful to you. "
Guess, I have to read again the HELP file of ZoneAlarm- is a LONG time ago I did it - there goes my "spring cleaning and painting" LOL
Thanks again for ALL the help -
Dan Perez
June 17th, 2003, 02:31 PM
We are always glad to help!
Regarding the ISP, you will probably get better support from them if you actually phone their support staff (they will find it more difficult to slip away so easily ;D )
LowWaterMark
June 17th, 2003, 04:50 PM
Marianna, since you said you have the old Zone Alarm Free product, (I guess you mean a version 2.6), I'm afraid that means you won't have any of the advanced features such as configuring system wide ports to be allowed in, or allowing/blocking specific ports on a per application basis.
The only option in ZAF that controls if a program is allowed to listen for unsolicited traffic on some port is granting that program server rights. I suspect when you first ran each of these programs (PortPeeker and Port Explorer) that you answered Yes to the pop-up alert asking for them to act as server?
However, there is one thing in ZAF that can interfere with your ability to grant server rights to an individual program and that is the option in the Firewall (Security) section called "Block Internet Servers". This is a global setting that overrides the granting of server rights to a program. If you don't have this checked, and you gave permission to those programs to act as server, then there isn't anything else to do in ZAF. :-\
Marianna
June 17th, 2003, 05:36 PM
Hi LWM ;)
Right, I clicked "yes" granting that program server rights. I had "Block Internet Servers" checked first and ran then PortPeeker or PortExplorer - I also tried it the other way around - nothing checked in "block Internet Servers" and both results are the same - I do NOT see any traffic anymore.
Guess, I have to go on vacation so my computer can get a rest from the "hammering" ???
I am the "lucky one" again today with 902 hits so far ::)
Thanks LWM :)
Marianna
June 20th, 2003, 12:36 PM
Hi guys ;D
ONLY an "update" ::)
Just got this in my mail from my ISP:
"Important notice - Please be advised that we will be performing maintenance and network
upgrades for your area on Sunday, June 22nd, 2003 between 2:00AM and 4:00AM PT. "
........hmm.....network upgrade for my area ........ maybe I am "lucky" and get a new IP ?? Hammering is still going on -
Have a great weekend :)
Dan Perez
June 20th, 2003, 03:49 PM
I hope you have good luck at the draw ;D