Just curious - port 1133

Discussion in 'other security issues & news' started by Marianna, Jun 13, 2003.

Thread Status:
Not open for further replies.
  1. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
I can't tell your level of knowledge on networking, so please do not be offended by the question, but... the IP that you are using, is that an IP that begins with any of the following?

    192.168.

    or

    172.16.

    or

    10.

    If that is the case, this is not the public IP given by the ISP. Sorry to be pedantic about this but this is so apt a reason for the activity :'(
     
  2. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Dan,

To tell the truth, I do NOT have a lot of knowledge on networking. Hey, we are never too "old" to learn more :D

    No, my IP doesn't start with the numbers you mentioned.

    As I mentioned the "destination" port 1133 but the "source port" is different -

    I just got this:

    The firewall has blocked Internet access to your computer (TCP Port 1133) from 80.51.44.18 (TCP Port 4069) [TCP Flags: S].

    Time: 14/06/2003 2:30:20 PM

    is it still "correct" to look for port 1133 or do I have to change to 4069??

    What I also found is:

    ZoneAlarm blocked traffic to port 1133 on your machine from port 1214 on a remote computer whose IP address is 212.21.245.124. This communication attempt may have been a port scan, or simply one of the millions of unsolicited commercial or network control messages that are routinely sent out over the Internet. Such unsolicited messages are often called Internet background noise.

O.k., if I assume it is "Internet background noise", why so many hits in the last 2 days? I can't remember ever having seen so many hits on destination port 1133??

    Thanks for your help ;)
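    The two ZoneAlarm log formats quoted above can be parsed to answer both questions in this thread so far: which destination port is really being hit (the "destination" port stays 1133 while the "source" port changes per remote host), and whether any "remote" address actually falls in the private 192.168./172.16./10. ranges Dan lists. The following is an added example, not code from the thread or from ZoneAlarm; the sample log text is constructed from the two entries above plus one made-up line with a private source, and the regular expressions are assumptions about the log wording shown here.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the two ZoneAlarm entries quoted in the thread plus a
# made-up third line whose "remote" address is a private (RFC 1918) one.
SAMPLE_LOG = """\
The firewall has blocked Internet access to your computer (TCP Port 1133) from 80.51.44.18 (TCP Port 4069) [TCP Flags: S].
ZoneAlarm blocked traffic to port 1133 on your machine from port 1214 on a remote computer whose IP address is 212.21.245.124.
The firewall has blocked Internet access to your computer (UDP Port 1133) from 192.168.1.20 (UDP Port 1214).
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Format 1 (assumed from the wording above): "(TCP Port 1133) from 80.51.44.18 (TCP Port 4069)"
FMT_BLOCKED = re.compile(
    r"\((?P<proto>TCP|UDP) Port (?P<dport>\d+)\) from (?P<src>" + IPV4 + r") "
    r"\((?:TCP|UDP) Port (?P<sport>\d+)\)"
)
# Format 2 (assumed): "to port 1133 on your machine from port 1214 on a remote computer whose IP address is 212.21.245.124"
FMT_TRAFFIC = re.compile(
    r"to port (?P<dport>\d+) on your machine from port (?P<sport>\d+) "
    r"on a remote computer whose IP address is (?P<src>" + IPV4 + r")"
)

# The three private ranges Dan asks about.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Return {src, sport, dport, proto} for a recognised log line, else None.
    proto is None for the second format, which does not name the protocol."""
    m = FMT_BLOCKED.search(line)
    if m:
        return {"src": m["src"], "sport": int(m["sport"]), "dport": int(m["dport"]), "proto": m["proto"]}
    m = FMT_TRAFFIC.search(line)
    if m:
        return {"src": m["src"], "sport": int(m["sport"]), "dport": int(m["dport"]), "proto": None}
    return None


def is_private_source(ip):
    """True if the address lies in 10/8, 172.16/12 or 192.168/16: such a 'remote'
    host is on the local network, not the public Internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def summarise(log_text):
    """Count hits per destination and per source port and list private sources."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return {
        "events": events,
        "by_dport": Counter(e["dport"] for e in events),
        "by_sport": Counter(e["sport"] for e in events),
        "private_sources": sorted({e["src"] for e in events if is_private_source(e["src"])}),
    }


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print("hits per destination port:", dict(s["by_dport"]))
    print("hits per source port:", dict(s["by_sport"]))
    print("private 'remote' sources:", s["private_sources"])
```

    Counting by destination port is what matters for the listener question: every line lands on 1133, while the source ports differ per remote host, so 1133 is the port to watch. The source port 1214 recurring across different remote addresses is the kind of pattern the later posts pick up on.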
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    Marianna, you want Port Peeker to listen on 1133 because that's what the packets are hitting on your system. Port Peeker can be run twice, bringing up two separate instances of it, so you can listen on 1133/UDP and 1133/TCP. (Your above log entry was indeed TCP, but, on the first page of this thread your log showed a lot of hits on UDP 1133.)

    If this is file sharing, then you will be able to tell that by looking at packets it captures. Please note, Port Peeker will need to "act as a server" from the Zone Alarm perspective - that's how it will be able to see that traffic. If you block all server access, Port Peeker won't see anything.

    When you run it, hit the [configure] button and enter 1133 as shown. Run it a second time and select 1133 and flag UDP instead. Then sit back and wait for it to capture the traffic.
     

    Attached Files:

  4. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Thanks LWM :)

Good that you told me PortPeeker needs to act as a server! Well, now it is several hours later and Port Peeker is listening ........... guess what??

    Have a look:

    http://members.shaw.ca/schmudlach/PortPeeker9pm.jpg

Not ONE entry for port 1133. What I show here is a partial log after I allowed it to run as a server.

    The rest you can't see here also has not ONE entry with port 1133 - is the devil playing with me o_O

    Thanks to ALL for your help - I have learned again something new PortPeeker !

    Have a great Father's Day!
     
  5. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hey,

Your setting ZoneAlarm to allow PortPeeker as a service will allow those connections to evade ZoneAlarm's logging since, as far as IT'S concerned, it is legitimate. You SHOULD be getting packets in the PortPeeker logs however. :)
     
  6. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    Of course, I don't have anything coming in on UDP port 1133 to show, but, here is what Port Peeker shows when I capture packets on UDP 137 for those constant scans we all get now thanks to the recent viruses out there.
     

    Attached Files:

  8. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
Then what am I doing wrong?? I also have at the bottom "UDP listening on port 1133" and there is nothing / zero - all blank. Am I missing something?
     
  9. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    Hmm, so your firewall no longer logs attempts of 1133 when PortPeeker is running, (that makes sense, as Dan said, now that something is listening on that port and it's allowed to act as server in ZA, your firewall is no longer blocking the packets), and yet, nothing is actually being logged in Port Peeker, either... :doubt: ::err:: I'm sorry, I can't hazard a guess as to where the packets are going now.
     
  10. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Curiouser and curiouser...

One test you can make (assuming you have a PortPeeker app listening on TCP 1133) is: open up a web browser and for a URL type in

    http://127.0.0.1:1133

    be sure to put in the colon before 1133

    You should get stuff in that portpeeker window (you can't use a web browser to test the UDP port)
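    Dan's loopback test can be scripted, which also covers the UDP case a browser cannot exercise. The block below is an added example, not code from the thread or from Port Peeker: it binds a listener on 127.0.0.1 (port 0 lets the OS pick a free port, so it runs anywhere; pass 1133 to mirror the thread), sends it the request a browser would send to http://127.0.0.1:<port>/, and returns what the listener received. Empty bytes back means the listener never saw the probe, which is exactly the symptom being debugged. The probe payload is a constructed minimal HTTP request.

```python
import socket
import threading

# Constructed: the minimal request a browser sends for http://127.0.0.1:<port>/
PROBE = b"GET / HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"


def start_listener(proto, port=0, timeout=5.0):
    """Bind 127.0.0.1:<port> for 'tcp' or 'udp' and receive one connection/datagram
    in a background thread. Returns (bound_port, thread, result dict)."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    sock = socket.socket(socket.AF_INET, kind)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("127.0.0.1", port))
    sock.settimeout(timeout)
    if proto == "tcp":
        sock.listen(1)            # queue the connection even before the thread runs
    bound_port = sock.getsockname()[1]
    result = {"data": b"", "peer": None}

    def serve():
        try:
            if proto == "tcp":
                conn, peer = sock.accept()
                with conn:
                    conn.settimeout(timeout)
                    result["data"], result["peer"] = conn.recv(4096), peer
            else:
                result["data"], result["peer"] = sock.recvfrom(4096)
        except socket.timeout:
            pass                  # nothing arrived within the timeout: data stays empty
        finally:
            sock.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return bound_port, thread, result


def probe(proto, port, payload=PROBE):
    """Play the browser's role: send one message to 127.0.0.1:<port> over TCP or UDP."""
    if proto == "tcp":
        with socket.create_connection(("127.0.0.1", port), timeout=5.0) as c:
            c.sendall(payload)
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as c:
            c.sendto(payload, ("127.0.0.1", port))


def loopback_check(proto, port=0):
    """Return (port, bytes the listener saw). b'' means the probe never reached the listener."""
    bound_port, thread, result = start_listener(proto, port)
    probe(proto, bound_port)
    thread.join(6.0)
    return bound_port, result["data"]


if __name__ == "__main__":
    for p in ("tcp", "udp"):
        port, seen = loopback_check(p)
        print(f"{p.upper()} listener on 127.0.0.1:{port} received {len(seen)} bytes: {seen!r}")
```

    Because the probe goes over loopback, a host firewall that only filters the external interface normally does not interfere; if this check passes but traffic from the Internet still never shows up, the listener itself is fine and the problem sits between the firewall rule and the port, which is where the later posts end up looking.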
     
  11. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Well, I was digging in my logs from MyNetWatchman and I also found port 1133 this way under Port\Issue Description:

    AnalogX Proxy Server

    Does this tell you something??
     
  12. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Do you have that program listed in your Add/Remove programs? Also, do you have multiple machines that access the Internet?
     
  13. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
  14. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    LOL,

This was just to test if PortPeeker was working okay on your system. I don't know why it is not catching the stuff that ZoneAlarm was catching before you let it through.

    Which version ZoneAlarm are you using?
     
  15. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    I have the "old" ZA free version as the newer one didn't work well for my winME computer, didn't get restore points anymore.

    No, I don't have that program on my computer and I have 2 computers on the internet - only one is running today.

    Dan, I guess I have to close for today, as I am getting really tired.

Thanks so much for your help! I really appreciate it!
     
  16. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Glad to help. Go Rest!
     
  17. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    HI, I'm back :D

    I'm still getting "hammered" on the one computer with destination port 1133 - the other computer I have, which also runs on cable has NO hits on port 1133 at all - isn't that "weird" ??

    Well, in the meantime I have again 929 hits :'(

    One in particular was "interesting":

    http://members.shaw.ca/schmudlach/uniweb.jpg

    Any clues??
     
  18. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hey :D ,

    Given all we have gone through I must admit I am a bit mystified. The only two alternatives I see are that

    1. The impacted system has a kazaa type application on that port (not necessarily running all the time but often enough to generate this volume of return traffic)

    2. That another PC used by someone else was using Kazaa and that IP was recently assumed by your system via DHCP lease acquisition.

    Arguing against the first possibility is your assertion that you have not used Kazaa type apps before. Arguing against the second is that you have been using the same public IP on that system for a considerable period of time.

If you do not have DiamondCS's PortExplorer, I would recommend you download their demo version at

    http://www.diamondcs.com.au/portexplorer/index.php?page=download

Once you have this installed, change to the UDP tab and look to see if anything is on that port. Definitely something is up if you find something there, but keep in mind it may be something that runs only sporadically, so you should check periodically.

Also, I take it that you were never able to get any data logged by PortPeeker. When we first started discussing this I started full packet logging of all port 1214 (TCP and UDP) and in that interval have captured only one packet. Now this is probably part of a Kazaa-specific scan and not regular Kazaa activity, but in case anyone wants to have the packet payload, it was as follows:

    2700 0000 2980 4b61 5a61 4100 2483 ec19 0000

    Which contains an ASCII string of "KaZaA" (minus quotes)

    HTH,

    Dan
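    A short way to check a captured payload like the one Dan posted for a readable marker is to decode the hex dump and pull out runs of printable ASCII, the same thing the `strings` utility does. The block below is an added example, not code from the thread; it embeds the 18-byte payload quoted above as its sample input and confirms that "KaZaA" is the only printable run of four or more characters in it.

```python
# The payload Dan captured on port 1214, copied from his post (hex, space-separated 16-bit groups).
PAYLOAD_HEX = "2700 0000 2980 4b61 5a61 4100 2483 ec19 0000"


def hex_dump_to_bytes(dump):
    """Turn a space-separated hex dump into bytes."""
    return bytes.fromhex(dump.replace(" ", ""))


def printable_runs(data, min_len=4):
    """Return every run of at least min_len printable ASCII bytes (0x20..0x7e),
    which is what the `strings` tool reports."""
    runs, current = [], []
    for b in data:
        if 0x20 <= b <= 0x7E:
            current.append(chr(b))
            continue
        if len(current) >= min_len:
            runs.append("".join(current))
        current = []
    if len(current) >= min_len:
        runs.append("".join(current))
    return runs


def contains_marker(data, marker=b"KaZaA"):
    """True if the byte string marker occurs anywhere in the payload."""
    return marker in data


def hexdump(data, width=8):
    """Classic offset / hex / ASCII rendering, one line per `width` bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart}  {asc}")
    return "\n".join(lines)


if __name__ == "__main__":
    payload = hex_dump_to_bytes(PAYLOAD_HEX)
    print(hexdump(payload))
    print("printable runs:", printable_runs(payload))
    print("KaZaA marker present:", contains_marker(payload))
```

    The same two helpers apply to anything Port Peeker or a packet capture hands back: decode, then look for printable runs and known markers before trying to interpret the binary fields around them.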
     
  19. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    Yes, the traffic certainly looks like it's related to file sharing alright. Too bad we haven't been able to capture any packets to confirm it. :doubt:

    The thing I hate about some file sharing apps is that they don't clean up their host lists very well or very quickly. They keep trying on an IP address for what seems like an enormous amount of time. If the host is running stealth, I'm guessing they just keep trying pretty much endlessly in hopes that the system is just offline and will be coming back sooner or later.

    Obviously, the best solution is usually to force a change of IP address, but, given the ISP service involved, that doesn't seem possible. Another option might be to drop stealth, and let the system return closed responses for a day or two. This might trigger the remotes to stop trying.

    Not being overly concerned about stealth myself, I have ZAP set up to allow closed responses on all normal file sharing ports all the time.
     
  20. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Hi :D

No, my PortPeeker doesn't show anything - nothing. I can write it down again - I NEVER had filesharing. As you saw in the reply of my cable company, they hardly change the IPs. As far as I know I still have the "old" IP. I'm now more curious as the source ports are different - the screenprint I showed you in the above post doesn't give a "clue" o_O

    I'll have a look at the Port Explorer - anything "special" I have to do??

    Thanks :cool:
     
  21. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
Regarding PortExplorer, it's really easy to use. You will be prompted to do a reboot after the install. Once it comes back up, your primary area of interest will be the UDP tab to look for 1133.

    Regarding the ISP's response, Cable ISPs ALWAYS say that they change IPs infrequently (and to some extent that is usually true) but the necessary point is that they DO change. If PortExplorer does not bring anything to the surface, my recommendation would be to call your ISP's support number and explain the recent surge of this activity and ask them if your IP has changed recently (forget for a moment that you are unaware of any change, there are perfectly valid reasons why the IP of your computer would not change but the IP provided by the ISP would). You might also want to see if they are amenable to LWM's recommendation on forcing a change of your current IP to see if the activity goes away (as I am pretty sure it will).

    Let us know if you have any questions with PE
     
  22. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Dan,

    Thanks again !
     
  23. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    To clarify things:

    You run 2 computers?
    One of them acts like a gateway to the internet and the other one connects to the internet via the gateway?
Your gateway is running Analogx Proxy in order for the second one to be able to connect to the internet?

    If this is the case, could it be that this is local network traffic from Analogx Proxy, that's configured to listen to 1133 instead of 3128 (default port)?
     
  24. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Hi meneer,

    nope, both are connected via a hub. There is also NOTHING shared between the 2 computers.

    Dan, I have to laugh, sorry ..... as soon as I enabled PortExplorer - I had to give it permission......right? Well, after that - as it was listening, I got nothing anymore! As soon as I closed it, the "hammering" started again.

    I guess, I either have to ignore all this stuff or I have to have a "friendly word" with my cable company? :D
     
  25. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
Marianna, yes, that is a bit funny but oddly consistent with the situation we found with PortPeeker. I believe that either there is a problem with Zone Alarm in allowing permitted traffic or you are not permitting the traffic correctly (I mean here "permitting" in the sense of allowing for the purpose of handling by PortPeeker or PortExplorer). I have had ZA Pro from the first version through 3.x but I haven't used it in a while. In addition to allowing application access through the firewall you can also specify specific inbound (or outbound) ports to pass through, but I don't recall the interface well enough to walk you through it. I would recommend (in addition to your well-anticipated discussion with the cable company) that you go through the Help File for ZoneAlarm and see if it has a troubleshooting section that talks about allowing or denying specific ports. Alternatively, you can use the help's find function to search for "ports".

    Meneer, yes it is rather hard to clarify things, we have gone through so many ! Keep in mind though that even if she had a proxy setup, the great majority of traffic destined for local UDP 1133 is sourced from the main kazaa/grokster/etc port and this had not been happening previously. ;)
     