ZoneLog

Discussion in 'other firewalls' started by ljc1174, Mar 16, 2004.

Thread Status:
Not open for further replies.
  1. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    I've been trying to use ZoneLog for two days. I turned it off last night because I was tired... I'm running it again now because I'm still getting the DNS/cannot find errors.
    Yesterday I had over 20 high risk attempts and today they're just medium risk, but it's still annoying not to be able to load simple pages like Yahoo and Wilders.
    A lot of the hits are coming from my ISP, but others are from phone companies and some dial-up connections that I have no clue who they are.

    Oh yeah, my problem with ZoneLog is that it's only loading logs for today. It's been running for an hour and hasn't produced any info yet, it says it's still loading... is it normal for it to take so long?

    I did read the article someone posted about Symantec's problems and saw that this is exactly what I'm going through, but I am not using the three products they have the issue with. I only have the NAV Corp Edition.

    Any thoughts or suggestions would greatly be appreciated!

    Thanks!
    ~Lori
     
  2. Shunned

    Shunned Guest

    Lori

    you may recall last night I mentioned having the same issue as you are having. Thought I had the problem resolved but today it seems to have returned.
    What has been noticed since the problem first began is that the Internet Assigned Numbers Authority is listening on ports 137, 138, 139....at the same time as the ISP....normally it's just the ISP listening on those ports.
    The firewall rules in use are very strict....in fact, after switching rules yesterday it was only the ISP on those ports.....now using the same rules but the IANA is again there.
    39% memory free and resources 80% free and it still takes forever for any website to load.
    Have had many friends tell me they are experiencing this issue. Took a look at a few other machines...and they too showed the IANA.
    About your log issue...have you tried clearing it?
     
  3. ljc1174

    Luckily I fixed the ZoneLog issue... I switched to "all entries" and now it's showing all of them, from March 10 to today. There are 3 trojans coming from my internet provider. I know this isn't where this should be posted, but I'm really puzzled as to why they're sending me a trojan... I dunno o_O
     
  4. shunned

    shunned Guest

    Does it show which ports are being used by the attempt to install the trojan?
     
  5. ljc1174

    Different ports:
    4411
    4414
    4351
    and so on... I am trying to make a screenshot but am having some trouble. I sent LWM a message hoping he can help... I even d/l'd a program called GetScreenshot and I still don't get it!

    But they are all coming from the same IP address.
     
  6. Shunned

    Shunned Guest

    Lori

    for now consider putting that one address into the restricted zone.....and make sure that in Advanced..."install on demand" is disabled....
    That address...is it your ISP's DNS server? Did you do a trace to see who it is?
     
  7. ljc1174

    Yeah, I did a lookup with DShield, but... honestly, I don't know what I'm reading. It gives me the exact same info as my IP address.
     
  8. shunned

    shunned Guest

    IMHO, this is very much a firewall concern, because here are two cases where only the firewall is preventing possible hacking....and if others are seeing the same problem perhaps together we can get to the bottom of it.
    I am no newbie...and have been hit by a lot and never had results like I am now experiencing....and sure as hell no trojan would cause my system this sort of problem...oh no, this is "streaming"...and not even the dumbest of the dumb is going to stick that long on a backdoor.
     
  9. ljc1174

    Ok... here's the screenshot, I just pray that it uploads!


    - LWM: Removed unusable image attachment.
     
  10. shunned

    shunned Guest

    Much too blurred to read.....Lori, if your ISP number is somewhere in there be sure to darken it out.......LWM may be able to instruct you on that.....just don't post any personal info.....

    I have to leave..but will return later
     
  11. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    I know you got some other tool, but the best I ever used was a free product IrfanView. It installs clean and easy. You run it. Capture your image and just Paste it in there. Save a GIF or PNG for best quality and they usually are of reasonable size. All my screen shots posted here are from using IrfanView.

    I'll clean out any bad images and unneeded posts after you get a good one posted here, so don't worry about that.
     
  12. ljc1174

    OK... I'm going to post three, because the one with the most from my ISP is on 3/10.
     

  13. ljc1174

    These are yesterday's... only a few, or only what fits on the screen... I get hit A LOT!!!
     

  14. ljc1174

    This is now.
     

  15. LowWaterMark

    Okay, those look pretty normal actually.

    The log review tool is just telling you that those particular probes are coming in to ports that are "known trojan ports". They may or may not actually be access attempts from infected machines or from trojan client users (trying to access already infected machines), but they are not dangerous to you unless you already have the trojan on your system and it is listening for the messages on those ports.

    Since the firewall blocked them, and the log review can report them, you are fine. Also, they are not really coming from your ISP or any other ISP itself. They are coming from users of your ISP and another ISP, which is a big difference. Basically, it isn't your ISP trying to infect anyone, it's just an infected user (most likely) or a really dumb script-kiddie who happens to use the same ISP as you.

    A lot of firewall software (and log view products) will identify the "probable" purpose and type of traffic associated with probes - just for informational purposes. Blocked incoming firewall alerts that happen to say the traffic is most likely related to XYZ trojan does not mean that the trojan is on the system. It's just a probe from outside that is trying to see if that port is available. That's all.
     
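    The two checks LowWaterMark's post describes, and that Shunned's earlier question about who is "listening" on ports 137-139 also needs, can be written down so they run over a log instead of being eyeballed: the port label a viewer attaches is just a table lookup, and what actually matters is (a) whether the firewall blocked the packet and (b) whether anything on this host listens on the probed port. The script below is an added example, not ZoneLog's, ZoneAlarm's or any poster's code. It assumes a constructed, simplified log line format, a constructed set of local listening ports (on a real host you would take them from `netstat -an`), and uses RFC 5737 documentation addresses as sample sources so they belong to nobody; the trojan port table holds only well-known historical defaults (Back Orifice, NetBus, SubSeven).

```python
"""Triage inbound-probe log lines the way a log viewer annotates them,
then add the two checks that decide whether a probe actually matters:
did the firewall let it through, and does anything here listen on that port?"""
import ipaddress
import re
from dataclasses import dataclass

# Default ports of historical Windows backdoors. A log viewer's
# "known trojan port" label comes from a table like this and nothing else.
KNOWN_TROJAN_PORTS = {31337: "Back Orifice", 12345: "NetBus", 27374: "SubSeven"}
NETBIOS_PORTS = {137: "NetBIOS name", 138: "NetBIOS datagram", 139: "NetBIOS session"}

# RFC 5737 documentation blocks: used for the sample addresses so they
# are guaranteed not to belong to any ISP or user.
DOCUMENTATION_NETS = [
    ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")
]

# Constructed, simplified line format (an assumption, not any real product's):
#   <BLOCK|ALLOW> <TCP|UDP> <src_ip>:<src_port> -> <dst_port>
LINE_RE = re.compile(
    r"^(?P<action>BLOCK|ALLOW)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Entry:
    action: str
    proto: str
    src: str
    sport: int
    dport: int


def parse_line(line: str) -> Entry:
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return Entry(m["action"], m["proto"], m["src"], int(m["sport"]), int(m["dport"]))


def label_port(port: int) -> str:
    """The purely informational annotation a log viewer attaches to a port."""
    if port in KNOWN_TROJAN_PORTS:
        return f"known trojan port ({KNOWN_TROJAN_PORTS[port]})"
    if port in NETBIOS_PORTS:
        return NETBIOS_PORTS[port]
    return "unlabelled"


def classify_source(ip: str) -> str:
    """Where a source address sits before you try to attribute it to an ISP."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_reserved:
        return "special/reserved"
    if any(addr in net for net in DOCUMENTATION_NETS):
        return "documentation (RFC 5737)"
    if addr.is_private:
        return "private"
    return "global"


def triage(entry: Entry, listening_ports: set) -> tuple:
    """Severity depends on firewall action and host state, not on the label."""
    trojan_port = entry.dport in KNOWN_TROJAN_PORTS
    listening = entry.dport in listening_ports
    if trojan_port and listening:
        return ("investigate", f"something local listens on trojan port {entry.dport}")
    if trojan_port and entry.action == "ALLOW":
        return ("alert", f"firewall allowed a probe to trojan port {entry.dport}")
    if entry.action == "BLOCK":
        state = "a local service" if listening else "nothing"
        return ("info", f"blocked; {state} listens on port {entry.dport}")
    return ("review", f"allowed traffic to port {entry.dport}")


def triage_log(text: str, listening_ports: set) -> list:
    """One (severity, src, src_class, port_label, reason) row per log line."""
    rows = []
    for line in text.strip().splitlines():
        e = parse_line(line)
        severity, reason = triage(e, listening_ports)
        rows.append((severity, e.src, classify_source(e.src), label_port(e.dport), reason))
    return rows


# Constructed sample log and constructed local listener set (assumptions).
SAMPLE_LOG = """
BLOCK TCP 198.51.100.23:4411 -> 27374
BLOCK TCP 198.51.100.23:4414 -> 12345
BLOCK UDP 10.0.0.5:137 -> 139
BLOCK TCP 240.1.1.1:3000 -> 31337
ALLOW TCP 198.51.100.23:4351 -> 31337
"""
LISTENING = {139, 445}

if __name__ == "__main__":
    for row in triage_log(SAMPLE_LOG, LISTENING):
        print(*row, sep=" | ")
```

    The first four lines come out as "info" even though three of them carry a trojan label: they were blocked and nothing local listens on those ports, which is exactly the reasoning in the post above. Only the last line, where the firewall allowed a packet to 31337, rates an alert, and a trojan port that is actually listening on the host rates "investigate" regardless of what the firewall did.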
  16. Shunned

    Shunned Guest

    Lori's log looks innocent enough.....although it made me chuckle to see Adelphia listed...which seems to have an unheard-of number of Napster users and "others". Say, is Napster still around?
    But no...I am not experiencing what Lori's logs are showing. I am not really concerned about it...its blocked...doing no harm..an I can be patient...
     
  17. ljc1174

    Thank you LWM and Shunned...
    I feel better knowing it's not my ISP, but now I still have the question of whether all these "attempts" are the reason why I'm getting tons of cannot find server/DNS errors.

    This was my whole point in wanting to find out who was being blocked in my firewall...
    And Shunned, I do not use Napster... never have, never will! My ISP is Adelphia...hope that wasn't revealing too much info on myself! :D

    Can I send him *puppy* to find the cause of my IE problems? He'd probably have better luck then me! hahahahahahaha
     
  18. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada