Lots of UDP ZoneAlarm firewall blocks

By vecnaa · 7 replies
Apr 15, 2009
  1. Good Evening,

    I experienced constant popup windows and ran a scan with Spybot Search and Destroy which ended with issues removing virtumonde. I followed all of the steps in the 8-step Viruses/Spyware/Malware Preliminary Removal Instructions post and attached the following 3 logs:
    • Malwarebytes Anti Malware log
    • SuperAntiSpyware log
    • Hijackthis log

    I'm experiencing a lot of UDP Zone Alarm firewall blocks from random IP's which I am worried about. The popup windows have stopped appearing though and now virtumonde is not detected. Please can someone review my results and let me know if I need to take further action?

    Thanks for your help in advance!

  2. jobeard

    jobeard TS Ambassador Posts: 11,128   +982

    If you can post some of the UDP Alerts, I'll review them for you :)
  3. vecnaa

    vecnaa TS Rookie Topic Starter

    Thanks! Please see my Zone Alarm log attached.

  4. jobeard

    jobeard TS Ambassador Posts: 11,128   +982

    FWOUT 4/14/2009 22:37:18 -4:00 GMT 1645 139 TCP (flags:S)
    this is an outbound request on port 1645 to the remote filesharing port 139
    Usually this is FROM port 139 to 139 or a broadcast on address

    [edit] WRONG!
    >>> so the use of port 1645 is suspicious <<<
    see below for explanation

    lookup the ZA meaning of TCP (flags:S)

    the remainder are some form of
    FWIN 4/14/2009 22:58:08 -4:00 GMT xxxx 34917 TCP (flags:S)
    FWIN 4/14/2009 22:17:12 -4:00 GMT 34917 UDP
    Looking on the Cisco site I found
    Sensor6x# show events alert | include id=5854
    evIdsAlert: eventId=1166761098236251265 severity=medium vendor=Cisco
    hostId: R4-IPS4240a
    appName: sensorApp
    appInstanceId: 380
    time: 2007/04/11 05:15:33 2007/04/11 00:15:33 CDT
    signature: description=Cisco CUCM/CUPS Denial of Service Vulnerability
    id=5854 version=S279
    subsigId: 1
    sigDetails: SCCP Port Scan Denial of Service Vulnerability
    marsCategory: DoS/MiscServer
    interfaceGroup: vs0
    vlan: 0
    addr: locality=OUT
    port: 34917
    addr: locality=OUT
    port: 2000
    os: idSource=unknown relevance=relevant type=unknown
  5. jobeard

    jobeard TS Ambassador Posts: 11,128   +982

    [edit] WRONG!
    >>> so the use of port 1645 is suspicious <<<
    see below for explanation
    FWOUT 4/14/2009 22:37:18 -4:00 GMT TCP (flags:S)
    is just fine, sorry. I misquoted the port usage:
    port 137 is to a specific lan address OR the broadcast

    port 139 can be from a lan port > 1024 to the target ip:139

    sorry for the confusion
  6. vecnaa

    vecnaa TS Rookie Topic Starter

    thanks so much!

    Thanks so much jobeard! Your analysis was very helpful. I'll remove the port forwarding for port 34917.

  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Warning! Checking the ZoneAlarm firewall log can make you obsessive! Take it from one who knows from experience.

    FYI, The FWOUTS are attempts from within your system to contact the internet.
    The FWINS are incoming attempts to access your system.

    The most important thing you need to know is that if ZA is blocking these attempts, it's doing its job! I used to worry why I was getting so many scans. Someone finally managed to beat it into my head that thousands and millions of scans are sent every day, looking for unprotected systems. That's 'normal' internet traffic.

    I once sat at my computer watching Gnutella (music file sharing, which I don't do) try to access my system. My firewall blocked all 200 scans that came in a 10 min. period. Of course it put me in denial of service because there was so much incoming, I couldn't get out! But NONE got into my system.

    ZoneAlarm has an excellent Help section. Just go to any of the ZA program sections by opening ZA, then press F1 for each Help screen.

    But I will come back and check your logs since you attached them!
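The rules stated in this thread (FWOUT is outbound, FWIN is inbound; an outbound NetBIOS session to port 139 normally comes from a LAN port above 1024, while port 137 goes to a specific LAN address or the broadcast; repeated blocked inbound hits only matter if the target port is forwarded or listening) can be turned into a small log triage script. The following Python is an added example written for this page, not code from any of the posters or from ZoneAlarm. The log lines it parses are constructed to mirror the entries quoted above, with made-up source and destination addresses filled in where the thread shows none, and the field layout is an assumption of this example rather than ZoneAlarm's real export format. The LAN range 192.168.1.0/24 is likewise assumed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log modelled on the lines quoted in the thread; the
# addresses are documentation/private ranges and the layout is this example's own.
SAMPLE_LOG = """\
FWOUT 4/14/2009 22:37:18 -4:00 GMT 192.168.1.10:1645 192.168.1.20:139 TCP (flags:S)
FWOUT 4/14/2009 22:37:20 -4:00 GMT 192.168.1.10:137 192.168.1.255:137 UDP
FWOUT 4/14/2009 22:37:25 -4:00 GMT 192.168.1.10:139 192.168.1.20:139 TCP (flags:S)
FWIN 4/14/2009 22:58:08 -4:00 GMT 198.51.100.7:4112 192.168.1.10:34917 TCP (flags:S)
FWIN 4/14/2009 22:17:12 -4:00 GMT 203.0.113.9:53431 192.168.1.10:34917 UDP
FWIN 4/14/2009 22:19:40 -4:00 GMT 203.0.113.44:60002 192.168.1.10:34917 UDP
FWIN 4/14/2009 22:21:03 -4:00 GMT 198.51.100.200:1024 192.168.1.10:445 TCP (flags:S)
"""

# direction, date, time, "-4:00 GMT", src:port, dst:port, protocol, optional flags
LINE_RE = re.compile(
    r"^(?P<dir>FWIN|FWOUT) (?P<date>\S+) (?P<time>\S+) (?P<tz>\S+ GMT) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>TCP|UDP)(?P<extra>.*)$"
)

LAN_PREFIX = "192.168.1."  # assumed LAN; 192.168.1.255 is its broadcast


@dataclass
class Entry:
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_line(line):
    """Return an Entry for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["dir"], m["src"], int(m["sport"]),
                 m["dst"], int(m["dport"]), m["proto"])


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def is_lan_target(addr):
    return addr.startswith(LAN_PREFIX)


def classify(e):
    """Apply the thread's rules of thumb to a single blocked entry."""
    if e.direction == "FWOUT":
        # jobeard's correction: LAN port > 1024 to target:139 is the normal pattern
        if e.proto == "TCP" and e.dport == 139 and e.sport > 1024 and is_lan_target(e.dst):
            return "expected: NetBIOS session request from an ephemeral port to a LAN host"
        # port 137 goes to a specific LAN address or the broadcast
        if e.proto == "UDP" and e.dport == 137 and is_lan_target(e.dst):
            return "expected: NetBIOS name service to a LAN address or the broadcast"
        return "review: outbound connection outside the usual NetBIOS pattern"
    # Bobbye's point: blocked FWIN entries are background scanning noise
    return "blocked inbound: background scanning unless the port is forwarded or listening"


def inbound_summary(entries, forwarded_ports=frozenset()):
    """Per inbound destination port: hit count, distinct sources, forwarded flag."""
    hits = defaultdict(int)
    sources = defaultdict(set)
    for e in entries:
        if e.direction == "FWIN":
            hits[e.dport] += 1
            sources[e.dport].add(e.src)
    return {
        port: {"hits": hits[port], "sources": len(sources[port]),
               "forwarded": port in forwarded_ports}
        for port in hits
    }


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print(f"{e.direction:5} {e.src}:{e.sport} -> {e.dst}:{e.dport} {e.proto}: {classify(e)}")
    # The original poster had 34917 forwarded; that is the port worth acting on.
    for port, info in inbound_summary(entries, forwarded_ports={34917}).items():
        flag = "  <-- forwarded: remove the rule unless an application needs it" if info["forwarded"] else ""
        print(f"inbound to {port}: {info['hits']} hits from {info['sources']} sources{flag}")
```

The useful output is the inbound summary: many hits on one port from many distinct sources is the everyday scanning Bobbye describes, and only becomes actionable when that port appears in the router's forwarding table, which is exactly the step the original poster took for 34917.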
  8. jobeard

    jobeard TS Ambassador Posts: 11,128   +982

    YES; never port forward unless you absolutely know your application NEEDS that port :)
Topic Status:
Not open for further replies.
