TechSpot

Firewall detecting intrusions

By bolun
Mar 23, 2008
  1. Hi,

    My computer was having a lot of problems lately, viruses, spyware all that gunk. So, I decided to format my computer today. I installed ZA security suite right after I installed my OS, and within the first 10 minutes (of connecting to internet), the firewall detected 23 intrusions which it blocked. I did not have any browsers open, or using any programs accessing the internet. I was installing some drivers from the installation CD.

    Should I be concerned about these intrusions? I plan on doing some online banking, is it safe?


    Thanks,
     
  2. Starcruiser322

    Starcruiser322 TS Rookie

    That's the internet for you. At least the spyware was blocked. As long as your computer doesn't have a keylogger or other active invaders, you're safe for banking. Of course, a firewall can't block everything, so try to get and keep an antivirus up-to-date. I'd say run frequent anti-malicious software checks and scans at least once a week in your case.
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    This is not correct:
    "the firewall detected 23 intrusions which it blocked."

    Scanning is a part of the internet. It goes on minute by minute. If your firewall blocks it, it is NOT an intrusion. Instead it is an attempt to access, AKA a scan. The firewall is doing its job.

    ZoneAlarm listens at both incoming AND outgoing ports. Look at the ZA log- if you see 'FWOUT' that means something in your system is attempting to access the internet. IF you do have any spyware on the system, hopefully ZA will block it.

    Get at least one more spyware/adware program, scan with AV and the spyware programs, updating each right before the scans.
     
  4. raybay

    raybay TS Evangelist Posts: 7,241   +9

    This is what Zone Alarm does... But you get reports on intrusions and high risk intrusions... there is a big difference. With the cookies and software security that are about necessary nowadays, the intrusions are always going to be there. Zone Alarm just lets you know. If they are known as "bad" they are blocked, and if they are "normal" intrusions, at least you know about them.
    I suspect some of it is marketing. Zone Alarm is just reminding you it is doing its job, and might be worth getting one of the paid versions.
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    "Zone Alarm is just reminding you it is doing its job, and might be worth getting one of the paid versions."

    The Zone Alarm Security Suite IS the paid version. I would also like to-again-direct you to a meaning of "intrusion":
    "an illegal act of entering, seizing, or taking possession of another's property."

    It is NOT an intrusion if the firewall stops it!
     
  6. bolun

    bolun TS Rookie Topic Starter Posts: 18

    Hi, thanks everyone for your help

    I've been getting a ton more access attempts which the firewall has blocked. The source DNS from these attempts was recorded in the firewall's log. Here's some of them:

    d5153C3DD.access.telenet.be
    208-59-135-23.c3-0.43d-ubr4.qens-43d.ny.cable.rcn.com
    staticline18826.toya.net.pl

    Also, in the last hour, I've gotten 6 high-rated attempts, and the source IP is from another computer on my router. That computer is turned on right now, but no one is using it. Does that mean there are viruses on that computer and it is trying to attack my computer?


    ps. sorry for using 'intrusion' improperly. Thanks for correcting me.
     
  7. jobeard

    jobeard TS Ambassador Posts: 9,351   +622

    all depends; the log should contain the IP address and Port of the 'attack or intrusion attempt'.

    post some of those and I can help you there.
     
  8. bolun

    bolun TS Rookie Topic Starter Posts: 18

    Source IP: 192.168.1.101: (1063, 1061, 1057, 1055, 1053, 1051) There are 6 of them
    Destination IP: 192.168.1.100: 139 (same for all 6)

    101 is the other computer, and 100 is my computer.
     
  9. jobeard

    jobeard TS Ambassador Posts: 9,351   +622

    SUPER -- Well done.

    Port 139 is a file/print sharing port. You may also see 445

    the Source ports from 101 don't tell you anything, it's the destination ports that matter.

    If you would like to avoid these entries in the log, just add
    allow in/out udp source-ip 192.168.1.100-192.168.1.101 dest port 139 nolog

    it would appear that there is some rule that is allowing ANY connection with LOGGING;
    ie without the rule above, all access should have been DENIED.
    Find the bad rule and delete it. If not found, then add
    DENY ALL FROM ALL nolog
    and move it to the bottom of the rule list
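
An added example, not part of any post in this thread: a small triage script for the kind of log entries discussed above, grouping them by direction, source address and destination port so the six entries from 192.168.1.101 collapse into one finding. The one-line-per-entry layout is a constructed simplification and not ZoneAlarm's exact log format; the non-LAN addresses are documentation placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in a simplified "direction,source,destination" layout.
# NOT ZoneAlarm's exact log format. The LAN entries reuse the addresses and
# ports quoted in the thread; the other addresses are placeholders.
SAMPLE_LOG = """\
FWIN,192.168.1.101:1063,192.168.1.100:139
FWIN,192.168.1.101:1061,192.168.1.100:139
FWIN,192.168.1.101:1057,192.168.1.100:139
FWIN,192.168.1.101:1055,192.168.1.100:139
FWIN,192.168.1.101:1053,192.168.1.100:139
FWIN,192.168.1.101:1051,192.168.1.100:139
FWIN,203.0.113.7:4021,192.168.1.100:445
FWOUT,192.168.1.100:1100,198.51.100.9:80
"""

# Destination ports named in the thread as file/print sharing.
SHARING_PORTS = {139, 445}
# RFC 1918 ranges, checked explicitly: ipaddress.is_private also flags
# documentation ranges, which would mislabel the placeholder addresses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def split_endpoint(endpoint):
    """Split 'ip:port' into (IPv4Address, int)."""
    host, port = endpoint.rsplit(":", 1)
    return ipaddress.ip_address(host), int(port)


def triage(log_text):
    """Group entries by (direction, source IP, destination port).

    Source ports are ephemeral, so they are collected but never used as a key.
    """
    groups = defaultdict(lambda: {"count": 0, "src_ports": set()})
    for line in log_text.split():
        direction, src, dst = line.split(",")
        src_ip, src_port = split_endpoint(src)
        _, dst_port = split_endpoint(dst)
        g = groups[(direction, str(src_ip), dst_port)]
        g["count"] += 1
        g["src_ports"].add(src_port)
        g["origin"] = "LAN" if any(src_ip in n for n in RFC1918) else "internet"
        g["service"] = ("file/print sharing" if dst_port in SHARING_PORTS
                        else "other")
    return dict(groups)


if __name__ == "__main__":
    for key, g in sorted(triage(SAMPLE_LOG).items()):
        print(key, g["count"], g["origin"], g["service"])
```
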
     
  10. raybay

    raybay TS Evangelist Posts: 7,241   +9

    Gimme a break. Go to the Zone Alarm site. Go to your Zone Alarm list of intrusions. That is not the way they define it. Or do a Gurgle search for the errors in "intrusions" that Zone Alarm has made over time.
     
  11. jobeard

    jobeard TS Ambassador Posts: 9,351   +622

    I can't possibly have every known firewall installed nor all user's guides.

    the rule is the generic form for any firewall; the specifics are determined by the
    product itself.

    sorry; I haven't learned to walk on water quite yet.
     
Topic Status:
Not open for further replies.
