TechSpot

Lots of UDP ZoneAlarm firewall blocks

By vecnaa
Apr 15, 2009
Topic Status:
Not open for further replies.
  1. Good Evening,

    I experienced constant popup windows and ran a scan with Spybot Search and Destroy which ended with issues removing virtumonde. I followed all of the steps in the 8-step Viruses/Spyware/Malware Preliminary Removal Instructions post and attached the following 3 logs:
    • Malwarebytes Anti Malware log
    • SuperAntiSpyware log
    • Hijackthis log

    I'm experiencing a lot of UDP Zone Alarm firewall blocks from random IPs which I am worried about. The popup windows have stopped appearing though and now virtumonde is not detected. Please can someone review my results and let me know if I need to take further action?

    Thanks for your help in advance!

    Thanks,
    Grace
     
  2. jobeard

    jobeard TS Ambassador Posts: 13,426   +317

    If you can post some of the UDP Alerts, I'll review them for you :)
     
  3. vecnaa

    vecnaa TS Rookie Topic Starter

    Thanks! Please see my Zone Alarm log attached.

    Thanks,
    Grace
     
  4. jobeard

    jobeard TS Ambassador Posts: 13,426   +317

    Code:
    FWOUT 4/14/2009 22:37:18 -4:00 GMT 192.168.2.100:1645 192.168.2.102:139 TCP (flags:S)
    This is an outbound request on port 1645 to the remote filesharing port 139.
    Usually this is FROM port 139 to 139 or a broadcast on address 192.168.2.225:139

    [edit] WRONG!
    >>> so the use of port 1645 is suspicious <<<
    see below for explanation
    [/edit]

    Look up the ZA meaning of TCP (flags:S).

    The remainder are some form of
    Code:
    FWIN 4/14/2009 22:58:08 -4:00 GMT 94.183.113.171:xxxx 192.168.2.100:34917 TCP (flags:S)
    or
    FWIN 4/14/2009 22:17:12 -4:00 GMT 222.167.4.165:18078 192.168.2.100:34917 UDP
    Looking on the Cisco site I found
    Sensor6x# show events alert | include id=5854
    evIdsAlert: eventId=1166761098236251265 severity=medium vendor=Cisco
    originator:
    hostId: R4-IPS4240a
    appName: sensorApp
    appInstanceId: 380
    time: 2007/04/11 05:15:33 2007/04/11 00:15:33 CDT
    signature: description=Cisco CUCM/CUPS Denial of Service Vulnerability
    id=5854 version=S279
    subsigId: 1
    sigDetails: SCCP Port Scan Denial of Service Vulnerability
    marsCategory: DoS/MiscServer
    interfaceGroup: vs0
    vlan: 0
    participants:
    attacker:
    addr: locality=OUT 192.168.208.63
    port: 34917
    target:
    addr: locality=OUT 192.168.132.44
    port: 2000
    os: idSource=unknown relevance=relevant type=unknown
    context:
    fromAttacker:
     
  5. jobeard

    jobeard TS Ambassador Posts: 13,426   +317

    [edit] WRONG!
    >>> so the use of port 1645 is suspicious <<<
    see below for explanation
    [/edit]
    FWOUT 4/14/2009 22:37:18 -4:00 GMT 192.168.2.100:1645 192.168.2.102:139 TCP (flags:S)
    is just fine, sorry. I misquoted the port usage:
    port 137 is to a specific lan address OR the broadcast 192.168.2.255:137

    port 139 can be from a lan port > 1024 to the target ip:139

    sorry for the confusion
     
  6. vecnaa

    vecnaa TS Rookie Topic Starter

    thanks so much!

    Thanks so much jobeard! Your analysis was very helpful. I'll remove the port forwarding for port 34917.

    Thanks,
    Grace
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Warning! Checking the ZoneAlarm firewall log can make you obsessive! Take it from one who knows from experience.

    FYI, the FWOUTs are attempts from within your system to contact the internet.
    The FWINs are incoming attempts to access your system.

    The most important thing you need to know is that if ZA is blocking these attempts, it's doing its job! I used to worry why I was getting so many scans. Someone finally managed to beat it into my head that thousands and millions of scans are sent every day, looking for unprotected systems. That's 'normal' internet traffic.

    I once sat at my computer watching Gnutella (music file sharing, which I don't do) try to access my system. My firewall blocked all 200 scans that came in a 10 min. period. Of course it put me in denial of service because there was so much incoming, I couldn't get out! But NONE got into my system.

    ZoneAlarm has an excellent Help section. Just go to any of the ZA program sections by opening ZA, then press F1 for each Help screen.

    But I will come back and check your logs since you attached them!
     
  8. jobeard

    jobeard TS Ambassador Posts: 13,426   +317

    YES; never port forward unless you absolutely know your application NEEDS that port :)
     