Port 1243 What is this

Discussion in 'other firewalls' started by AAP, Nov 27, 2002.

Thread Status:
Not open for further replies.
  1. AAP

    AAP Guest

    Hello, All

    First of all, have a great Thanksgiving.
    For about 4 days now my ZAP keeps
    blocking this Port 1243. It just keeps coming
    & coming. How do I stop this thing? Anyone
    at all, please, it's making me nuts.

    Thanks to all

    Hey, Paul

    Have a great Thanksgiving &
    the best to your Family
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Are they incoming or outgoing?
    According to The Internet Ports Database it could be Subseven. Either someone probing if it's on your computer or it really is and trying to get out.

    Regards,

    Pieter
     
  3. AAP

    AAP Guest

    Hello, Pieter_Arntz

    Thanks for the help & reply.
    All incoming; it is driving me nuts.
    How do I stop this thing, please?

    Good luck
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    I presume you've got a fixed IP address.
    Can you check in your logs if it's always the same IP bothering you?
    You could try to inform the user or his ISP, since in that case he's most likely infected himself and acting as a "slave" scanner looking for more victims.
    Maybe our firewall experts have some tricks up their sleeves to make it go away.

    Regards,

    Pieter
     
  5. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    Nothing you can do about others probing a range of IPs.
    You can block, but can't stop them from trying.
    Once satisfied that your firewall is successful in blocking this type of intrusion, you can always disable logging of events, or, as in some firewalls like LNS, the anti flood takes over and stops logging by itself to prevent the sys from crashing.
     
  6. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    :) Hi AAP!

    Once you have their IP, try to report this to their ISP, if possible. If not, do the other people here remember an application called "Slap?" :D But that has drawbacks too.

    Best regards.
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,842
    Location:
    New England
    AAP,

    As others have said, short of notifying the ISP of the system or systems that are probing you, you can't in any way stop the probes from coming. Assuming you can't change your IP address, you are stuck with the probes. (Many people can change their IP address. They have dynamic addresses that change frequently, such as every time they reconnect to their ISP.)

    It would really help if you posted a segment of the log showing a few of these alert messages (blanking out only your own IP address). There is a lot more to a probe than just the port on your system it's trying to access. More can be explained if we see the source port, source IP address, TCP flags and time stamps on several of these alerts.

    Here's a sample of what I mean. This was taken from my own ZA+ log:

    FWIN,2002/11/27,02:32:10 -5:00 GMT,65.31.18.130:1405,(my addr):2874,TCP (flags:S)
    FWIN,2002/11/27,02:34:16 -5:00 GMT,172.146.145.3:2081,(my addr):2874,TCP (flags:S)
    FWIN,2002/11/27,02:34:22 -5:00 GMT,24.141.194.241:64691,(my addr):2874,TCP (flags:S)
    FWIN,2002/11/27,02:34:24 -5:00 GMT,141.154.144.208:3647,(my addr):2874,TCP (flags:S)
    FWIN,2002/11/27,02:35:32 -5:00 GMT,24.141.194.241:64728,(my addr):2874,TCP (flags:S)
    FWIN,2002/11/27,02:37:08 -5:00 GMT,141.154.144.208:3674,(my addr):2874,TCP (flags:S)
    FWIN,2002/11/27,02:39:24 -5:00 GMT,24.141.194.241:64843,(my addr):2874,TCP (flags:S)
    FWIN,2002/11/27,02:40:14 -5:00 GMT,141.154.144.208:3730,(my addr):2874,TCP (flags:S)
    FWIN,2002/11/27,02:41:28 -5:00 GMT,141.154.144.208:3765,(my addr):2874,TCP (flags:S)
    FWIN,2002/11/27,02:41:40 -5:00 GMT,209.23.63.71:1278,(my addr):137,UDP

    What can be seen from this was that multiple source systems were trying to get to port 2874 on my system. These were close enough in time that I knew they all thought my system had some sort of server running and they wanted to connect to it. Since my IP address changes every time I connect, I knew the person who had this IP address before me probably had the server these people wanted to connect to. I "stopped" all this by changing my IP address (I rebooted my system and reconnected).

    The suggestion to stop alerting or logging these events is also a good option, too. Since you have Zone Alarm Pro (ZAP), you could just ignore that port if you'd like. So long as you are not running any service on port 1243, you can tell ZAP to ignore it. How you do this is explained in this thread:

    http://www.wilderssecurity.com/showthread.php?t=5036

    Try posting some of your logged events here, as I described. If you can change your IP address, definitely do that. If not, and you have questions about changing the alerting of this event in ZAP, just ask.

    Best Wishes,
    LowWaterMark
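
The log reading described in the post above (which destination port is hit, by how many sources, with which TCP flags, over what time span), as an added example that is not part of the original thread. The function name `summarize`, the sample entries and their documentation-range addresses are constructed for illustration, and the line layout is assumed to match the ZA+ sample quoted in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the ZA+ lines quoted above; the source
# addresses are documentation-range placeholders, not real hosts.
SAMPLE_LOG = """\
FWIN,2002/11/27,02:32:10 -5:00 GMT,192.0.2.10:1405,(my addr):1243,TCP (flags:S)
FWIN,2002/11/27,02:34:16 -5:00 GMT,198.51.100.7:2081,(my addr):1243,TCP (flags:S)
FWIN,2002/11/27,02:34:22 -5:00 GMT,203.0.113.5:64691,(my addr):1243,TCP (flags:S)
FWIN,2002/11/27,02:35:32 -5:00 GMT,203.0.113.5:64728,(my addr):1243,TCP (flags:S)
FWIN,2002/11/27,02:41:40 -5:00 GMT,192.0.2.99:1278,(my addr):137,UDP
"""

LINE_RE = re.compile(
    r"^FWIN,(?P<date>\d{4}/\d{2}/\d{2}),(?P<time>\d{2}:\d{2}:\d{2}) [^,]*,"
    r"(?P<src_ip>[^,:]+):(?P<src_port>\d+),[^,]*:(?P<dst_port>\d+),"
    r"(?P<proto>[A-Z]+)(?: \(flags:(?P<flags>[A-Z]+)\))?\s*$")

def summarize(log_text):
    """Group blocked inbound packets by (protocol, destination port)."""
    by_port = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not inbound-block entries
        rec = m.groupdict()
        # The UTC offset is ignored: assumed constant across one log excerpt.
        rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y/%m/%d %H:%M:%S")
        by_port[(rec["proto"], int(rec["dst_port"]))][rec["src_ip"]].append(rec)
    summary = {}
    for key, by_src in by_port.items():
        recs = [r for group in by_src.values() for r in group]
        times = [r["when"] for r in recs]
        summary[key] = {
            "packets": len(recs),
            "sources": len(by_src),
            # Sources seen more than once are retrying, not sweeping past once.
            "repeat_sources": sorted(ip for ip, g in by_src.items() if len(g) > 1),
            "syn_only": all(r["flags"] == "S" for r in recs),
            "span_seconds": int((max(times) - min(times)).total_seconds()),
        }
    return summary

if __name__ == "__main__":
    for (proto, port), info in sorted(summarize(SAMPLE_LOG).items()):
        print(proto, port, info)
```

Several distinct sources sending SYN-only packets to one port within minutes, some of them retrying, is the pattern the post attributes to clients looking for a server that used to live at the address; a single source answers the "always the same IP?" question asked earlier in the thread.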
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Not sure if I'm out of order here, but 1243 is used by Kazaa Lite. If your IP address has changed, it could be that the previous user of that address used Kazaa.

    Just guessing - Pilli
     
  9. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    That would be my guess too, Pilli. ;)
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Correct me if I'm wrong here guys, but I thought the port KaZaa Lite uses to probe if you're on-line and sharing is the same as that of the normal KaZaa (1214).

    Regards,

    Pieter
     
  11. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Hmmm. I'm trying to find a thread I saw once that said Kazaa used that port because it is the same port as sub seven uses, 1243.
    It is quite possible I have misremembered this. Wouldn't be the first time.
    Can't find what I'm thinking of, so scratch my comment. Maybe Pilli has the info.
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    I was helping a friend set up Kazaa Lite yesterday & I am pretty sure it asked that that be the default port for his install during the set up.
    It was the latest version on the net.
     
  13. pin

    pin Registered Member

    Joined:
    Nov 4, 2002
    Posts:
    116
    kazaa lite 2.0.0 opens up 1214 by default
     