Just curious - port 1133

Discussion in 'other security issues & news' started by Marianna, Jun 13, 2003.

Thread Status:
Not open for further replies.
  1. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    I can't tell your level of knowledge on Networking so please do not be offended by the question but... the same IP that you are using, is that an IP that begins with any of the following?

    192.168.

    or

    172.16.

    or

    10.

    If that is the case, this is not the public IP given by the ISP. Sorry to be pedantic about this but this is so apt a reason for the activity :'(
     
  2. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Dan,

    to tell the truth - I do NOT have a lot of knowledge on networking. Hey, we are never to "old" to learn more :D

    No, my IP doesn't start with the numbers you mentioned.

    As I mentioned the "destination" port 1133 but the "source port" is different -

    I just got this:

    The firewall has blocked Internet access to your computer (TCP Port 1133) from 80.51.44.18 (TCP Port 4069) [TCP Flags: S].

    Time: 14/06/2003 2:30:20 PM

    is it still "correct" to look for port 1133 or do I have to change to 4069??

    What I also found is:

    ZoneAlarm blocked traffic to port 1133 on your machine from port 1214 on a remote computer whose IP address is 212.21.245.124. This communication attempt may have been a port scan, or simply one of the millions of unsolicited commercial or network control messages that are routinely sent out over the Internet. Such unsolicited messages are often called Internet background noise.

    O.k. if I assume it is "Internet background noise" why so many hits in the last 2 days - can't remember I have ever see so many hits on destination port 1133 ??

    Thanks for your help ;)
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,201
    Location:
    New England
    Marianna, you want Port Peeker to listen on 1133 because that's what the packets are hitting on your system. Port Peeker can be run twice, bringing up two separate instances of it, so you can listen on 1133/UDP and 1133/TCP. (Your above log entry was indeed TCP, but, on the first page of this thread your log showed a lot of hits on UDP 1133.)

    If this is file sharing, then you will be able to tell that by looking at packets it captures. Please note, Port Peeker will need to "act as a server" from the Zone Alarm perspective - that's how it will be able to see that traffic. If you block all server access, Port Peeker won't see anything.

    When you run it, hit the [configure] button and enter 1133 as shown. Run it a second time and select 1133 and flag UDP instead. Then sit back and wait for it to capture the traffic.
     

    Attached Files:

  4. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Thanks LWM :)

    good you told me PortPeeker needs to act as a server ! Well, now it is several hours later and Port Peeker is listening ........... guess what??

    Have a look:

    http://members.shaw.ca/schmudlach/PortPeeker9pm.jpg

    not ONE entry of port 1133, What I show here is a partial log after I allowed it to run as server.

    The rest you can't see here also has not ONE entry with port 1133 - is the devil playing with me o_O

    Thanks to ALL for your help - I have learned again something new PortPeeker !

    Have a great Father's Day!
     
  5. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hey,

    Your setting ZoneAlarm to allow PortPeeker as a service will allow thos connections to evade ZoneAlarms logging since, as far as ITS concerned, it is legitimate. You SHOULD be getting packets in the PortPeeker logs however. :)
     
  6. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,201
    Location:
    New England
    Of course, I don't have anything coming in on UDP port 1133 to show, but, here is what Port Peeker shows when I capture packets on UDP 137 for those constant scans we all get now thanks to the recent viruses out there.
     

    Attached Files:

  8. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Then what am I doing wrong?? I also have at the bottom "UDP listening on port 1133" and there is nothing \ zero - all blanc. Am I missing something?
     
  9. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,201
    Location:
    New England
    Hmm, so your firewall no longer logs attempts of 1133 when PortPeeker is running, (that makes sense, as Dan said, now that something is listening on that port and it's allowed to act as server in ZA, your firewall is no longer blocking the packets), and yet, nothing is actually being logged in Port Peeker, either... :doubt: ::err:: I'm sorry, I can't hazard a guess as to where the packets are going now.
     
  10. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Curiouser and curiouser...

    One test you can make is (assuming you have a PortPeeker app listening on TCP 1133) Open up a web browser and for a URL type in

    http://127.0.0.1:1133

    be sure to put in the colon before 1133

    You should get stuff in that portpeeker window (you can't use a web browser to test the UDP port)
     
  11. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Well, I was digging in my logs from MyNetWatchman and I also found port 1133 this way under Port\Issue Description:

    AnalogX Proxy Server

    Does this tell you something??
     
  12. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Do you have that program listed in your Add/Remove programs? Also, do you have multiple machines that access the Internet?
     
  13. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
  14. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    LOL,

    This was just to test if PortPeeker was working okay on your system. I do'nt know why it is not catching the stuff that ZoneAlarm was catching before you let it through.

    Which version ZoneAlarm are you using?
     
  15. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    I have the "old" ZA free version as the newer one didn't work well for my winME computer, didn't get restore points anymore.

    No, I don't have that program on my computer and I have 2 computers on the internet - only one is running today.

    Dan, I guess I have to close for today, as I am getting really tired.

    Thanks so much for your help ! I really appreciate !
     
  16. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Glad to help. Go Rest!
     
  17. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    HI, I'm back :D

    I'm still getting "hammered" on the one computer with destination port 1133 - the other computer I have, which also runs on cable has NO hits on port 1133 at all - isn't that "weird" ??

    Well, in the meantime I have again 929 hits :'(

    One in particular was "interesting":

    http://members.shaw.ca/schmudlach/uniweb.jpg

    Any clues??
     
  18. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hey :D ,

    Given all we have gone through I must admit I am a bit mystified. The only two alternatives I see are that

    1. The impacted system has a kazaa type application on that port (not necessarily running all the time but often enough to generate this volume of return traffic)

    2. That another PC used by someone else was using Kazaa and that IP was recently assumed by your system via DHCP lease acquisition.

    Arguing against the first possibility is your assertion that you have not used Kazaa type apps before. Arguing against the second is that you have been using the same public IP on that system for a considerable period of time.

    If you do not have DiamondCSs PortExplorer, I would recommend you download their demo version at

    http://www.diamondcs.com.au/portexplorer/index.php?page=download

    Once you have this installed change to the UDP tab and look to see if anything is on that port. Definitely something is up if you find something there but keep in mind it may be something that may run only sporadically so you should check periodically

    Also, I take it that you were never able to get any data logged by PortKeeper. When we first started discussing this I started full packet logging of all port 1214 (TCP and UDP) and in that interval have captured only one packet. Now this is probably part of a Kazaa-specific scan and not regular Kazaa activity but in case anyone wants to have the packet payload it was as follows

    2700 0000 2980 4b61 5a61 4100 2483 ec19 0000

    Which contains an ASCII string of "KaZaA" (minus quotes)

    HTH,

    Dan
     
  19. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,201
    Location:
    New England
    Yes, the traffic certainly looks like it's related to file sharing alright. Too bad we haven't been able to capture any packets to confirm it. :doubt:

    The thing I hate about some file sharing apps is that they don't clean up their host lists very well or very quickly. They keep trying on an IP address for what seems like an enormous amount of time. If the host is running stealth, I'm guessing they just keep trying pretty much endlessly in hopes that the system is just offline and will be coming back sooner or later.

    Obviously, the best solution is usually to force a change of IP address, but, given the ISP service involved, that doesn't seem possible. Another option might be to drop stealth, and let the system return closed responses for a day or two. This might trigger the remotes to stop trying.

    Not being overly concerned about stealth myself, I have ZAP set up to allow closed responses on all normal file sharing ports all the time.
     
  20. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Hi :D

    No, my PortKeeper doesn't show anything - nothing. Can write it down again - I NEVER had filesharing - As you saw in the reply of my cable company - they hardly change the IP's. As far as I know I still have the "old" IP. I'm now more curious as the source ports are different - the screenprint I showed you in the above post - doesn't give a "clue" o_O

    I'll have a look at the Port Explorer - anything "special" I have to do??

    Thanks :cool:
     
  21. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Regarding PortExplorer, its real easy to use. You will be prompted to do a reboot after the install. Once it comes backup your primary area of interest will be the UDP tab to look for 1133.

    Regarding the ISP's response, Cable ISPs ALWAYS say that they change IPs infrequently (and to some extent that is usually true) but the necessary point is that they DO change. If PortExplorer does not bring anything to the surface, my recommendation would be to call your ISP's support number and explain the recent surge of this activity and ask them if your IP has changed recently (forget for a moment that you are unaware of any change, there are perfectly valid reasons why the IP of your computer would not change but the IP provided by the ISP would). You might also want to see if they are amenable to LWM's recommendation on forcing a change of your current IP to see if the activity goes away (as I am pretty sure it will).

    Let us know if you have any questions with PE
     
  22. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Dan,

    Thanks again !
     
  23. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    To clarify things:

    You run 2 computers?
    One of them acts like a gateway to the internet and the other one connects to the internet via the gateway?
    Your gateway is running Analogx Proxy in order for the second one to be abke to connect to the internet?

    If this is the case, could it be that this is local network traffic from Analogx Proxy, that's configured to listen to 1133 instead of 3128 (default port)?
     
  24. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Hi meneer,

    nope, both are connected via a hub. There is also NOTHING shared between the 2 computers.

    Dan, I have to laugh, sorry ..... as soon as I enabled PortExplorer - I had to give it permission......right? Well, after that - as it was listening, I got nothing anymore! As soon as I closed it, the "hammering" started again.

    I guess, I either have to ignore all this stuff or I have to have a "friendly word" with my cable company? :D
     
  25. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Marianna, Yes that is a bit funny but oddly consistent with the situation we found with PortPeeker. I believe that either there is a problem with Zone Alarm in allowing permitted traffic or you are not permitting the traffic correctly (I mean here "permitting" in the sense of allowing for the purpose of handling by PortPeeker or PortExplorer). I have had ZA Pro from the first version through 3.x but I haven't used it in a while. In addition to allowing application access through the firewall you can also specify specific inbound (or outbound) ports to pass through but I don't recall the interface well enough to walk you through it. I would recommend (in addition to your well-anticipated discussion with the cable company) that you go through the Help File for ZoneAlarm, and see if it has a troubleshooting section that talks about allowing or denying specific ports. Alternatively, you can use the help's find function to search for "ports".

    Meneer, yes it is rather hard to clarify things, we have gone through so many ! Keep in mind though that even if she had a proxy setup, the great majority of traffic destined for local UDP 1133 is sourced from the main kazaa/grokster/etc port and this had not been happening previously. ;)
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.