Access attempts on port 0

Discussion in 'other firewalls' started by bluekey23, May 5, 2004.

Thread Status:
Not open for further replies.
  1. bluekey23

    bluekey23 Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    77
    Hello,
    Just a quick question. I use ZA pro 4.5.594 with internet and trusted zones set at "high." I check activity using visualzone, but rarely does anything unusual show up. Usual pings/port scans on 445, 135, 139, etc. But the last few days I am getting a lot of access attempts and pings on port 0, which is something I've never seen before. They all are coming from bellsouth, level3 or somewhere in China. Maybe this is nothing to worry about? My question is this: does ZA block port 0 with my settings mentioned above? If not, how do I block this port?
    Thanks
     
  2. dog

    dog Guest

    Hi BlueKey, :)

    CrazyM is the resident firewall expert ... well one of them at least ;) . I'm not that knowledgeable about firewalls myself ... but I thought I'd post this link for you ... as added info: GRC - Steve Gibson's Shields Up, seeing as CrazyM's not around ATM.

    HTH a bit.

    dog - *puppy*
     
  3. bluekey23

    bluekey23 Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    77
    Dog,
    Thanks for the link. I followed up on this and am still not convinced that my box is safe from attacks on this port. Yes, grc shows it as "stealth," but I've learned in the past (as well as on another forum) that isn't always reliable. Maybe someone else knows something more about this?
    Long live the classics. :)
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi bluekey23

    Can you post a couple of these log entries? Just xxx your public IP.
    - protocol, source IP/port, destination IP/port

    Regards,

    CrazyM
     
  5. TheSnowGuy

    TheSnowGuy Guest

    BLUE

    friend there is a massive Worm invasion on the internet and you can expect to see some not so usual things
    If you are asking can port 0 be exploited.....yes

    If you are seeking assurance that ZA is protecting port 0.....you can take the exploit test at pcflank (see: wilders free services page for link)

    Your caution is admirable....definitely understandable....your question of is ZA protecting port 0.......it should be protecting ALL your ports....now for your own peace of mind you need to see that it is doing that.....I think most everyone would want to do the same.......so, do several port tests.
     
  6. TheSnowGuy

    TheSnowGuy Guest

    CM...sorry there buddy..we posted at the same time....will get out your way now and let you do a much better job than I possibly could...seeya..
     
  7. bluekey23

    bluekey23 Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    77
    Crazy M,
    Thanks for your offer to help. I've posted a portion of the ZA log from yesterday. I spent some time going over the past week's logs (severe eyestrain). It looks like the pings on port 0 occur in small bursts. I also went over my logs from the previous two weeks and couldn't find any pings on port 0. Looks like these pings started on 5-3. Perhaps I'm being paranoid?

    General comment: I'm pretty new to this forum, but I'm very much impressed with the helpfulness and expertise of the people who post here. Your efforts (and those of many others) have taught me much and are greatly appreciated!

    FWIN,2004/05/04,19:36:52 -7:00 GMT,4.178.90.84:2476,4.178.xxx.xxx:445,TCP (flags:S)
    FWIN,2004/05/04,19:37:46 -7:00 GMT,4.178.63.98:0,4.178.xxx.xxx:0,ICMP (type:8/subtype:0)
    FWIN,2004/05/04,19:37:52 -7:00 GMT,4.178.87.199:0,4.178.xxx.xxx:0,ICMP (type:8/subtype:0)
    FWIN,2004/05/04,19:37:58 -7:00 GMT,68.93.245.86:4299,4.178.xxx.xxx:1434,UDP
    FWIN,2004/05/04,19:39:04 -7:00 GMT,4.178.60.236:0,4.178.xxx.xxx:0,ICMP (type:8/subtype:0)
    FWIN,2004/05/04,19:41:16 -7:00 GMT,4.138.60.188:0,4.178.xxx.xxx:0,ICMP (type:8/subtype:0)
    ACCESS,2004/05/04,19:43:22 -7:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (209.244.0.3:DNS).,N/A,N/A
    ACCESS,2004/05/04,19:43:22 -7:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (209.244.0.4:DNS).,N/A,N/A
    FWIN,2004/05/04,19:43:38 -7:00 GMT,4.157.32.107:0,4.178.xxx.xxx:0,ICMP (type:8/subtype:0)
    FWIN,2004/05/04,19:44:26 -7:00 GMT,4.178.72.229:3704,4.178.xxx.xxx:135,TCP (flags:S)
    FWIN,2004/05/04,19:45:52 -7:00 GMT,4.160.171.47:0,4.178.xxx.xxx:0,ICMP (type:8/subtype:0)
    FWIN,2004/05/04,19:46:12 -7:00 GMT,4.178.87.215:4682,4.178.xxx.xxx:135,TCP (flags:S)
    FWIN,2004/05/04,19:46:48 -7:00 GMT,4.16.108.146:0,4.178.xxx.xxx:0,ICMP (type:8/subtype:0)
    FWIN,2004/05/04,19:49:24 -7:00 GMT,4.178.150.5:3569,4.178.xxx.xxx:445,TCP (flags:S)
    FWIN,2004/05/04,19:49:28 -7:00 GMT,4.178.60.236:0,4.178.xxx.xxx:0,ICMP (type:8/subtype:0)
    FWIN,2004/05/04,19:50:04 -7:00 GMT,4.178.96.39:2822,4.178.xxx.xxx:445,TCP (flags:S)
    FWIN,2004/05/04,19:50:40 -7:00 GMT,4.179.46.178:4055,4.178.xxx.xxx:445,TCP (flags:S)
    FWIN,2004/05/04,19:52:36 -7:00 GMT,4.178.60.79:0,4.178.xxx.xxx:0,ICMP (type:8/subtype:0)
    FWIN,2004/05/04,19:52:40 -7:00 GMT,4.15.109.177:3477,4.178.xxx.xxx:445,TCP (flags:S)
    FWIN,2004/05/04,19:53:32 -7:00 GMT,4.178.138.89:0,4.178.xxx.xxx:0,ICMP (type:8/subtype:0)
    ACCESS,2004/05/04,19:54:26 -7:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (209.244.0.3:DNS).,N/A,N/A
    FWIN,2004/05/04,19:54:26 -7:00 GMT,4.178.33.4:2847,4.178.xxx.xxx:445,TCP (flags:S)
    ACCESS,2004/05/04,19:54:26 -7:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (209.244.0.4:DNS).,N/A,N/A
    FWIN,2004/05/04,19:54:38 -7:00 GMT,4.46.65.158:0,4.178.xxx.xxx:0,ICMP (type:8/subtype:0)
    FWIN,2004/05/04,19:55:34 -7:00 GMT,4.178.132.110:0,4.178.xxx.xxx:0,ICMP (type:8/subtype:0)
     
    Last edited by a moderator: May 6, 2004
  8. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Those aren't really "port 0", in fact ICMP doesn't use a port for its communication. But Zone Alarm's logging routine has a field for port right alongside IP address, so when there is no port involved, it simply puts a zero (0) there instead of leaving it blank. It's always done that, though they really ought to change the logging routine to suppress that.

    Now, all of those entries are blocked events, so you are being protected. The default when set to High security is to block those, so everything is alright there.
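
The distinction explained in the post above, as an added example that is not part of the original thread: a small Python parser for the FWIN log layout quoted earlier, separating ICMP entries (where the `:0` is only a placeholder) from TCP/UDP entries that actually name destination port 0. The last sample line is constructed, and it is an assumption that ZoneAlarm would log such a packet in this same layout.

```python
import re
from collections import Counter

# Lines 1-4 are copied from the log quoted in this thread; line 5 is constructed
# (assumed layout) to show what a real TCP packet to port 0 would look like.
SAMPLE_LOG = """\
FWIN,2004/05/04,19:36:52 -7:00 GMT,4.178.90.84:2476,4.178.xxx.xxx:445,TCP (flags:S)
FWIN,2004/05/04,19:37:46 -7:00 GMT,4.178.63.98:0,4.178.xxx.xxx:0,ICMP (type:8/subtype:0)
FWIN,2004/05/04,19:37:58 -7:00 GMT,68.93.245.86:4299,4.178.xxx.xxx:1434,UDP
ACCESS,2004/05/04,19:43:22 -7:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (209.244.0.3:DNS).,N/A,N/A
FWIN,2004/05/04,19:50:00 -7:00 GMT,192.0.2.10:40000,4.178.xxx.xxx:0,TCP (flags:S)
"""

# FWIN,<date>,<time>,<src>:<port>,<dst>:<port>,<PROTO>[ (<detail>)]
FWIN = re.compile(
    r"^FWIN,[^,]+,[^,]+,(?P<src>[^,:]+):(?P<sport>\d+),"
    r"(?P<dst>[^,:]+):(?P<dport>\d+),(?P<proto>\w+)(?: \((?P<detail>[^)]*)\))?$"
)
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable",
              8: "echo request", 11: "time exceeded"}

def classify(line):
    """Return (kind, source_ip, detail) for a FWIN entry, else None."""
    m = FWIN.match(line.strip())
    if not m:
        return None  # ACCESS and other record types are not packet entries
    proto, dport = m["proto"], int(m["dport"])
    if proto == "ICMP":
        # ICMP has no ports; the ":0" fields are placeholders, so report the type.
        t = re.search(r"type:(\d+)", m["detail"] or "")
        name = ICMP_TYPES.get(int(t.group(1)), "other") if t else "unknown"
        return ("icmp", m["src"], name)
    if dport == 0:
        # A TCP/UDP entry with destination port 0 is a genuine port-0 packet.
        return ("port0", m["src"], proto)
    return ("port", m["src"], f"{proto}/{dport}")

def summarize(log_text):
    """Count entries per kind, skipping non-packet records such as ACCESS."""
    results = [classify(line) for line in log_text.splitlines()]
    return Counter(r[0] for r in results if r)

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(classify(line))
    print(dict(summarize(SAMPLE_LOG)))
```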
     
  9. bluekey23

    bluekey23 Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    77
    LM,
    Thanks for your help.
    (thanks for the editing too; have no idea how the smilies got there, but will be more careful in the future)
     