Lots of UDP ZoneAlarm firewall blocks

Status
Not open for further replies.

vecnaa

Good Evening,

I experienced constant popup windows and ran a scan with Spybot Search and Destroy which ended with issues removing virtumonde. I followed all of the steps in the 8-step Viruses/Spyware/Malware Preliminary Removal Instructions post and attached the following 3 logs:
  • Malwarebytes Anti Malware log
  • SuperAntiSpyware log
  • Hijackthis log

I'm experiencing a lot of UDP Zone Alarm firewall blocks from random IP's which I am worried about. The popup windows have stopped appearing though and now virtumonde is not detected. Please can someone review my results and let me know if I need to take further action?

Thanks for your help in advance!

Thanks,
Grace
 
I'm experiencing a lot of UDP Zone Alarm firewall blocks from random IP's which I am worried about. The popup windows have stopped appearing though and now virtumonde is not detected. Please can someone review my results and let me know if I need to take further action?
If you can post some of the UDP Alerts, I'll review them for you :)
 
Code:
FWOUT 4/14/2009 22:37:18 -4:00 GMT 192.168.2.100:1645 192.168.2.102:139 TCP (flags:S)
this is an outbound request on port 1645 to the remote filesharing port 139
Usually this is FROM port 139 to 139 or a broadcast on address 192.168.2.225:139

[edit] WRONG!
>>> so the use of port 1645 is suspicious <<<
see below for explanation
[/edit]

lookup the ZA meaning of TCP (flags:S)

the remainder are some form of
Code:
FWIN 4/14/2009 22:58:08 -4:00 GMT 94.183.113.171:xxxx 192.168.2.100:34917 TCP (flags:S)
or
FWIN 4/14/2009 22:17:12 -4:00 GMT 222.167.4.165:18078 192.168.2.100:34917 UDP

Looking on the Cisco site I found
Sensor6x# show events alert | include id=5854
evIdsAlert: eventId=1166761098236251265 severity=medium vendor=Cisco
originator:
hostId: R4-IPS4240a
appName: sensorApp
appInstanceId: 380
time: 2007/04/11 05:15:33 2007/04/11 00:15:33 CDT
signature: description=Cisco CUCM/CUPS Denial of Service Vulnerability
id=5854 version=S279
subsigId: 1
sigDetails: SCCP Port Scan Denial of Service Vulnerability
marsCategory: DoS/MiscServer
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: locality=OUT 192.168.208.63
port: 34917
target:
addr: locality=OUT 192.168.132.44
port: 2000
os: idSource=unknown relevance=relevant type=unknown
context:
fromAttacker:
 
[edit] WRONG!
>>> so the use of port 1645 is suspicious <<<
see below for explanation
[/edit]
FWOUT 4/14/2009 22:37:18 -4:00 GMT 192.168.2.100:1645 192.168.2.102:139 TCP (flags:S)
is just fine, sorry. I misquoted the port usage:
port 137 is to a specific lan address OR the broadcast 192.168.2.255:137

port 139 can be from a lan port > 1024 to the target ip:139

sorry for the confusion
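Added example, not code from this thread or from ZoneAlarm: a small Python parser for the text-log layout quoted above that applies the port rules joebeard describes (137 host-to-host or to the 192.168.2.255 broadcast, 139 from a LAN port above 1024, and unsolicited FWIN entries from non-LAN addresses counted per target port). The sample lines and the 192.168.2.0/24 LAN range are assumptions based on the addresses in the thread; the redacted "xxxx" port is handled as unknown.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the ZoneAlarm log layout seen in this thread (addresses/ports made up).
SAMPLE_LOG = """\
FWOUT 4/14/2009 22:37:18 -4:00 GMT 192.168.2.100:1645 192.168.2.102:139 TCP (flags:S)
FWIN 4/14/2009 22:58:08 -4:00 GMT 94.183.113.171:4431 192.168.2.100:34917 TCP (flags:S)
FWIN 4/14/2009 22:17:12 -4:00 GMT 222.167.4.165:18078 192.168.2.100:34917 UDP
FWIN 4/14/2009 22:19:40 -4:00 GMT 192.168.2.102:137 192.168.2.255:137 UDP
FWIN 4/14/2009 22:21:03 -4:00 GMT 61.12.8.9:53 192.168.2.100:34917 UDP
"""

LAN = ipaddress.ip_network("192.168.2.0/24")  # assumed home LAN, per the thread's addresses

LINE_RE = re.compile(
    r"^(?P<dir>FWIN|FWOUT)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<tz>\S+ GMT)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\S+)\s+(?P<dst>[\d.]+):(?P<dport>\S+)\s+"
    r"(?P<proto>TCP|UDP)(?:\s+\((?P<flags>[^)]*)\))?\s*$"
)

def parse_line(line):
    """Return a dict for one FWIN/FWOUT line, or None if it is not a log entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport"):  # a redacted port such as 'xxxx' becomes None
        rec[key] = int(rec[key]) if rec[key].isdigit() else None
    return rec

def classify(rec):
    """Label an entry using the LAN NetBIOS rules from the thread."""
    src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
    if rec["dir"] == "FWOUT" and dst in LAN and rec["dport"] in (137, 139):
        # 137: peer-to-peer or broadcast; 139: client side uses an ephemeral port > 1024
        ok = rec["dport"] == 137 or (rec["sport"] or 0) > 1024
        return "lan-netbios" if ok else "review"
    if rec["dir"] == "FWIN" and src not in LAN:
        return "unsolicited-inbound"  # internet host knocking on a local port
    if rec["dir"] == "FWIN" and dst == LAN.broadcast_address:
        return "lan-broadcast"
    return "review"

def summarize(log_text):
    """Return (label counts, target-port counts for unsolicited inbound entries)."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    labels = Counter(classify(r) for r in recs)
    ports = Counter(r["dport"] for r in recs if classify(r) == "unsolicited-inbound")
    return labels, ports

if __name__ == "__main__":
    print(*summarize(SAMPLE_LOG))  # one port taking all the inbound hits suggests a forward
```

A single local port collecting most of the unsolicited FWIN entries, as 34917 does here, is the pattern that pointed at the port forward in this thread.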
 
thanks so much!

Thanks so much joebeard! Your analysis was very helpful. I'll remove the port forwarding for port 34917.

Thanks,
Grace
 
Warning! Checking the ZoneAlarm firewall log can make you obsessive! Take it from one who knows from experience.

FYI, The FWOUTS are attempts from within your system to contact the internet.
The FWINS are incoming attempts to access your system.

The most important thing you need to know is that if ZA is blocking these attempts, it's doing its job! I used to worry why I was getting so many scans. Someone finally managed to beat it into my head that thousands and millions of scans are sent every day, looking for unprotected systems. That's 'normal' internet traffic.

I once sat at my computer watching Gnutella (music file sharing, which I don't do) try to access my system. My firewall blocked all 200 scans that came in a 10 min. period. Of course it put me in denial of service because there was so much incoming, I couldn't get out! But NONE got into my system.

ZoneAlarm has an excellent Help section. Just go to any of the ZA program sections by opening ZA, then press F1 for each Help screen.

But I will come back and check your logs since you attached them!
 
Thanks so much joebeard! Your analysis was very helpful. I'll remove the port forwarding for port 34917.

Thanks,
Grace
YES; never port forward unless you absolutely know your application NEEDS that port :)
 