View Full Version : Port 1243 What is this


AAP
November 27th, 2002, 09:04 AM
Hello, All

First of all, have a great Thanksgiving.
Now, for about 4 days my ZAP keeps
blocking this Port 1243. It just keeps coming
& coming. How do I stop this thing? Anyone
at all, please, it's making me nuts.

Thanks to all

Hey, Paul

Have a great Thanksgiving &
the best to your Family

Pieter_Arntz
November 27th, 2002, 09:12 AM
Are they incoming or outgoing ?
According to The Internet Ports Database (http://www.portsdb.org/bin/portsdb.cgi?portnumber=1243&protocol=ANY&String=) it could be Subseven. Either someone probing if it's on your computer or it really is and trying to get out.

Regards,

Pieter

AAP
November 27th, 2002, 10:13 AM
Hello, Pieter_Arntz

Thanks for the help & reply.
All incoming; it is driving me nuts.
How do I stop this thing, please?

Good luck

Pieter_Arntz
November 27th, 2002, 10:31 AM
I presume you've got a fixed IP address.
Can you check in your logs if it's always the same IP bothering you?
You could try to inform the user or his ISP, since in that case he's most likely infected himself and acting as a "slave" scanner looking for more victims.
Maybe our firewall experts have some tricks up their sleeves to make it go away.

Regards,

Pieter

MickeyTheMan
November 27th, 2002, 11:12 AM
Nothing you can do about others probing a range of IPs.
You can block, but can't stop them from trying.
Once satisfied that your firewall is successful in blocking this type of intrusion, you can always disable logging of events, or, as in some firewalls like LNS, the anti-flood takes over and stops logging by itself to prevent the sys from crashing.

Prince_Serendip
November 27th, 2002, 12:29 PM
:) Hi AAP!

Once you have their IP, try to report this to their ISP, if possible. If not, do the other people here remember an application called "Slap?" ;D But that has drawbacks too.

Best regards.

LowWaterMark
November 27th, 2002, 03:42 PM
AAP,

As others have said, short of notifying the ISP of the system or systems that are probing you, you can't in any way stop the probes from coming. Assuming you can't change your IP address, you are stuck with the probes. (Many people can change their IP address. They have dynamic addresses that change frequently, such as every time they reconnect to their ISP.)

It would really help if you posted a segment of the log showing a few of these alert messages (blanking out only your own IP address). There is a lot more to a probe than just the port on your system it's trying to access. More can be explained if we see the source port, source IP address, TCP flags and time stamps on several of these alerts.

Here's a sample of what I mean. This was taken from my own ZA+ log:

FWIN,2002/11/27,02:32:10 -5:00 GMT,65.31.18.130:1405,(my addr):2874,TCP (flags:S)
FWIN,2002/11/27,02:34:16 -5:00 GMT,172.146.145.3:2081,(my addr):2874,TCP (flags:S)
FWIN,2002/11/27,02:34:22 -5:00 GMT,24.141.194.241:64691,(my addr):2874,TCP (flags:S)
FWIN,2002/11/27,02:34:24 -5:00 GMT,141.154.144.208:3647,(my addr):2874,TCP (flags:S)
FWIN,2002/11/27,02:35:32 -5:00 GMT,24.141.194.241:64728,(my addr):2874,TCP (flags:S)
FWIN,2002/11/27,02:37:08 -5:00 GMT,141.154.144.208:3674,(my addr):2874,TCP (flags:S)
FWIN,2002/11/27,02:39:24 -5:00 GMT,24.141.194.241:64843,(my addr):2874,TCP (flags:S)
FWIN,2002/11/27,02:40:14 -5:00 GMT,141.154.144.208:3730,(my addr):2874,TCP (flags:S)
FWIN,2002/11/27,02:41:28 -5:00 GMT,141.154.144.208:3765,(my addr):2874,TCP (flags:S)
FWIN,2002/11/27,02:41:40 -5:00 GMT,209.23.63.71:1278,(my addr):137,UDP

What can be seen from this was that multiple source systems were trying to get to port 2874 on my system. These were close enough in time that I knew they all thought my system had some sort of server running and they wanted to connect to it. Since my IP address changes every time I connect, I knew the person who had this IP address before me probably had the server these people wanted to connect to. I "stopped" all this by changing my IP address (I rebooted my system and reconnected).

The suggestion to stop alerting or logging these events is a good option, too. Since you have Zone Alarm Pro (ZAP), you could just ignore that port if you'd like. So long as you are not running any service on port 1243, you can tell ZAP to ignore it. How you do this is explained in this thread:

http://www.wilderssecurity.com/showthread.php?t=5036

Try posting some of your logged events here, as I described. If you can change your IP address, definitely do that. If not, and you have questions about changing the alerting of this event in ZAP, just ask.

Best Wishes,
LowWaterMark
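
An added example (not part of the thread or any poster's code): a Python sketch that parses alert lines in the format of the ZA+ sample above and groups them by protocol and destination port, showing how many distinct sources are involved, how often each retries, which TCP flags appear, and over what time span. The field layout is inferred from that sample only, and the function names are hypothetical.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Sample input: the ZA+ log excerpt quoted in the post above.
SAMPLE = """\
FWIN,2002/11/27,02:32:10 -5:00 GMT,65.31.18.130:1405,(my addr):2874,TCP (flags:S)
FWIN,2002/11/27,02:34:16 -5:00 GMT,172.146.145.3:2081,(my addr):2874,TCP (flags:S)
FWIN,2002/11/27,02:34:22 -5:00 GMT,24.141.194.241:64691,(my addr):2874,TCP (flags:S)
FWIN,2002/11/27,02:34:24 -5:00 GMT,141.154.144.208:3647,(my addr):2874,TCP (flags:S)
FWIN,2002/11/27,02:35:32 -5:00 GMT,24.141.194.241:64728,(my addr):2874,TCP (flags:S)
FWIN,2002/11/27,02:37:08 -5:00 GMT,141.154.144.208:3674,(my addr):2874,TCP (flags:S)
FWIN,2002/11/27,02:39:24 -5:00 GMT,24.141.194.241:64843,(my addr):2874,TCP (flags:S)
FWIN,2002/11/27,02:40:14 -5:00 GMT,141.154.144.208:3730,(my addr):2874,TCP (flags:S)
FWIN,2002/11/27,02:41:28 -5:00 GMT,141.154.144.208:3765,(my addr):2874,TCP (flags:S)
FWIN,2002/11/27,02:41:40 -5:00 GMT,209.23.63.71:1278,(my addr):137,UDP
"""

def parse_line(line):
    """Split one inbound alert line into a dict; return None if malformed."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 6 or parts[0] != "FWIN":
        return None
    src_ip, _, src_port = parts[3].rpartition(":")
    _, _, dst_port = parts[4].rpartition(":")  # works with a blanked-out address
    if not (src_ip and src_port.isdigit() and dst_port.isdigit()):
        return None
    proto, _, rest = parts[5].partition(" ")
    flags = rest[len("(flags:"):-1] if rest.startswith("(flags:") else ""
    try:  # local clock time only; the UTC offset text is ignored
        when = datetime.strptime(parts[1] + " " + parts[2][:8], "%Y/%m/%d %H:%M:%S")
    except ValueError:
        return None
    return {"when": when, "src_ip": src_ip, "src_port": int(src_port),
            "dst_port": int(dst_port), "proto": proto, "flags": flags}

def summarize(log_text):
    """Group alerts by (protocol, destination port) and profile each group."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if event := parse_line(line):
            groups[(event["proto"], event["dst_port"])].append(event)
    report = {}
    for key, events in groups.items():
        times = [e["when"] for e in events]
        report[key] = {
            "hits": len(events),
            "per_source": dict(Counter(e["src_ip"] for e in events)),
            "flags": sorted({e["flags"] for e in events if e["flags"]}),
            "span_seconds": int((max(times) - min(times)).total_seconds())}
    return report
```

Several distinct sources repeatedly sending SYNs to one port within a few minutes matches the pattern described in the post above; a single source address would instead point to one host probing.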

Pilli
November 27th, 2002, 05:12 PM
Not sure if I'm out of order here, but 1243 is used by Kazaa Lite. If your IP address has changed, it could be that the previous user of that address used Kazaa.

Just guessing - Pilli

root
November 27th, 2002, 10:45 PM
That would be my guess too, Pilli. ;)

Pieter_Arntz
November 28th, 2002, 02:28 AM
Correct me if I'm wrong here, guys, but I thought the port KaZaa Lite uses to probe if you're on-line and sharing is the same as that of the normal KaZaa (1214)?

Regards,

Pieter

root
November 28th, 2002, 10:45 AM
Hmmm. I'm trying to find a thread I saw once that said Kazaa used that port because it is the same port as SubSeven uses, 1243.
It is quite possible I have misremembered this. Wouldn't be the first time.
Can't find what I'm thinking of, so scratch my comment. Maybe Pilli has the info.

Pilli
November 28th, 2002, 03:03 PM
I was helping a friend set up Kazaa Lite yesterday & I am pretty sure it asked that that be the default port for his install during the setup.
It was the latest version on the net.

pin
November 28th, 2002, 03:05 PM
Kazaa Lite 2.0.0 opens up 1214 by default.