Can TDS knock out your Firewall?

Discussion in 'Trojan Defence Suite' started by tepi, Dec 8, 2003.

Thread Status:
Not open for further replies.
  1. tepi (Registered Member; joined Nov 12, 2003; 81 posts)
    Hi All:

    Yesterday I decided to test the Network > TCP Port Listen > Bind to Port function and set it to listen to Port 137. After noting that port blocking seemed to be working I turned it off and a little later went to check my Zone Alarm (free version) log. To my surprise it seemed to be frozen at the entry for TDS. Normally it records on average about one 'intruder' or hit or ping per minute, most of them from Yahoo BBS, but the hits had just stopped coming. Even after rebooting, and even after reinstalling ZA, it wasn't working. Since I'd been thinking of shifting to Sygate anyway, I uninstalled ZA and installed Sygate. To my relief it seemed to be working, although it wasn't recording anywhere near the number of hits I'm used to getting. A little later I also received an alert from it and, having had enough for one day, shut down the computer. But today, just after turning it back on, a similar alert arrived: 'Somebody is scanning your computer. Your computer's TCP ports: 81, 8888, 3128, 8080 and 80 have been scanned from 64.132.100.254.' Does anyone have any idea what's going on?

    My apologies in advance if a similar matter has already been treated in another thread, and my thanks for everyone's kind help with problems in the past.
     
  2. dallen (Registered Member; joined May 11, 2003; 824 posts; United States)
    tepi,

    I'm sorry that I don't have an answer to your problem. However, I'm curious why you went away from Zone Alarm to Sygate?

    dallen
     
  3. DolfTraanberg (Registered Member; joined Nov 20, 2002; 676 posts; Amsterdam)
    I cannot see how the port listen utility can crash your ZA.
    TCP Port Listen does exactly what it says: it listens on a given port, and it can only do this while no other process is listening on that port.
    Dolf
     
  4. tepi (Registered Member; joined Nov 12, 2003; 81 posts)
    Hi Dallen:

    Because, even after a reinstall, ZA wasn't working. And I'd been thinking of shifting to Sygate anyway as I did get the impression around here that in some ways it can be a bit better than ZA. Small point, but I'm finding that I like the layout of its log better. Anyway, something definitely knocked out ZA, whether it was TDS or a virus or a Trojan, and I don't want to be without a firewall.

    Cheers
     
  5. tepi (Registered Member; joined Nov 12, 2003; 81 posts)
    I don't see how either. That's why I wrote my post. The title is 'Can TDS knock out your Firewall?' not 'TDS knocked out my Firewall.' But it's odd that ZA's last log entry was about TDS.
     
  6. DolfTraanberg (Registered Member; joined Nov 20, 2002; 676 posts; Amsterdam)
    :rolleyes: in that case the answer is no it cannot :)
     
  7. tepi (Registered Member; joined Nov 12, 2003; 81 posts)
    Then I wonder why the TDS operation was ZA's last log entry before it expired and could not be resuscitated.... Seems very strange, especially as Sygate is working OK.
     
  8. DolfTraanberg (Registered Member; joined Nov 20, 2002; 676 posts; Amsterdam)
    Well, I don't know what the log said, but knowing how many port 137 probes are being launched, and that ZA knows TDS is listening on that port, I can imagine that ZA mentions TDS as the listening application on a blocked probe.
    Dolf

    edit: read TCP Port Listen for TDS
     
  9. tepi (Registered Member; joined Nov 12, 2003; 81 posts)
    Yes o_O
     
  10. Jooske (Registered Member; joined Feb 12, 2002; 9,713 posts; Netherlands, EU near the sea)
    When I went completely crazy from the miles-long logs with 137 probes, I was very happy to use a little TDS script --didn't you write it, Dollefie, or was it another TDS family member?-- which kept listening on port 137 all the time, so the port was occupied and nobody could scan there, or if they did it was no longer logged with ZAPro. In later versions of ZAPro this was not working that way anymore and all the probes were logged again, so I stopped using that nice little script.
    I used that little script just because I didn't want to put up the port listen all the time, and this way I could have permanent listening on more ports if I liked.
    You must not forget to close that function, as ZA(pro) might like it so much it doesn't log the 137 at all anymore :)

    For firewalls...... there is a special forum for which is best or better; I read so many good things about several, but you must always have the one protecting you best to your satisfaction on your own system, as you must work with it and do some testing to see if it is really safe.

    But TDS didn't knock down your fw, it just helped stop the logging of the portscans, which should make you really happy :)
    In fact you let them in, acting as an emulator, but since you're not really infected with the Bugbear or whatever knocks there, it can't harm your system.
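    Added example (not TDS's own code, nor the script Jooske mentions) showing what Dolf's point in post 3 and Jooske's port-137 script come down to: a small Python TCP listener that claims a port, reports a refused bind when another process already holds that port, and records each inbound connection attempt before closing it. The loopback host, the ephemeral port and the single local "probe" connection are constructed for the demo.

```python
import errno
import socket
import threading
import time


def open_listener(port, host="127.0.0.1"):
    """Bind and listen on host:port; return None if another process already
    owns the port (EADDRINUSE), since only one listener can claim a port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        sock.listen(5)
        return sock
    except OSError as exc:
        sock.close()
        if exc.errno in (errno.EADDRINUSE, 10048):  # 10048: WSAEADDRINUSE (Windows)
            return None
        raise


def collect_probes(sock, max_events, timeout=5.0):
    """Accept up to max_events connections (or give up after timeout seconds)
    and return (epoch_time, peer_ip, peer_port) records. Each connection is
    closed at once: the listener only records that the attempt happened."""
    events, deadline = [], time.monotonic() + timeout
    sock.settimeout(0.2)
    while len(events) < max_events and time.monotonic() < deadline:
        try:
            conn, (ip, port) = sock.accept()
        except socket.timeout:
            continue
        events.append((time.time(), ip, port))
        conn.close()
    return events


def demo():
    """Constructed scenario: listen on an ephemeral local port, show a second
    bind to it is refused, then record one local connection (a stand-in probe)."""
    listener = open_listener(0)
    port = listener.getsockname()[1]
    refused = open_listener(port) is None          # the port is now taken
    probe = threading.Thread(
        target=lambda: socket.create_connection(("127.0.0.1", port), timeout=2).close())
    probe.start()
    events = collect_probes(listener, max_events=1)
    probe.join()
    listener.close()
    return refused, events
```

    Running demo() shows the two behaviours the thread discusses: the second bind to an occupied port fails, and every connection that reaches the listener is recorded by the listener itself rather than appearing only in the firewall log.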
     
  11. tepi (Registered Member; joined Nov 12, 2003; 81 posts)
    Hi Jooske:

    Well the good news is that everything is back to normal now, with full TDS and NAV scans showing the computer as clean and Sygate working fine.

    Cheers
     
  12. Jooske (Registered Member; joined Feb 12, 2002; 9,713 posts; Netherlands, EU near the sea)
    Sounds good!
    In the later ZA(pro) 4.x versions the listen-on-port-137 trick didn't work anymore to keep them out of the logs just like that, so maybe Sygate makes you happier with that.
     
  13. Randy_Bell (Registered Member; joined May 24, 2002; 3,004 posts; Santa Clara, CA)
    You can create an Expert Rule in ZAP 4.x to not log certain events, such as inbound port 137 probes. ;-)
     