Dodgy or just paranoia?


~Lazarus~

Guest
Guys,

Was playing CS last night and it was unbearable for me, although others on the server reported no issues.

Examined my PC to try and find out why my connection was so bad. After finding the initial culprit (the fact I have a 56k modem installed :( ) I started looking on the PC.

I had no other programs running in the b/ground that should affect the connection.
I scanned for virii.
I downloaded 2 virii fixes (just in case) but they reported no problems.

At this point I was lost until I noticed z/a flickering in the corner. Opening this up and examining the logs I found that during the course of ALL of last night, Zonealarm had blocked 349 "attacks" on my pc.

I have NEVER known this figure to be so high.

Below is an extract from the Z/A log :


type , date, time, source, destination,transport
FWIN,2003/08/25,21:57:24 +1:00 GMT,62.253.13.60:3172,62.253.8.167:135,TCP (flags:S)
FWIN,2003/08/25,21:57:38 +1:00 GMT,62.253.4.232:2445,62.253.8.167:135,TCP (flags:S)
FWIN,2003/08/25,21:57:40 +1:00 GMT,62.252.37.153:3345,62.253.8.167:135,TCP (flags:S)
FWIN,2003/08/25,21:57:44 +1:00 GMT,62.255.136.59:4429,62.253.8.167:135,TCP (flags:S)
FWIN,2003/08/25,21:58:10 +1:00 GMT,62.251.3.251:5000,62.253.8.167:135,TCP (flags:S)
FWIN,2003/08/25,21:58:26 +1:00 GMT,62.252.176.165:4151,62.253.8.167:135,TCP (flags:S)
FWIN,2003/08/25,21:58:40 +1:00 GMT,62.253.4.87:1094,62.253.8.167:135,TCP (flags:S)
FWIN,2003/08/25,21:58:50 +1:00 GMT,62.253.133.51:1419,62.253.8.167:135,TCP (flags:S)
FWIN,2003/08/25,21:58:56 +1:00 GMT,62.253.130.9:1501,62.253.8.167:135,TCP (flags:S)
FWIN,2003/08/25,21:59:20 +1:00 GMT,62.252.206.90:3880,62.253.8.167:135,TCP (flags:S)
FWIN,2003/08/25,21:59:42 +1:00 GMT,62.252.53.130:3833,62.253.8.167:135,TCP (flags:S)
FWIN,2003/08/25,22:00:46 +1:00 GMT,62.252.248.135:1429,62.253.8.167:135,TCP (flags:S)
FWIN,2003/08/25,22:09:26 +1:00 GMT,62.253.52.10:3410,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:09:32 +1:00 GMT,62.253.37.215:3381,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:09:34 +1:00 GMT,62.253.37.215:3381,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:09:40 +1:00 GMT,62.255.13.5:1709,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:09:40 +1:00 GMT,62.253.109.220:3687,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:09:40 +1:00 GMT,62.253.9.147:4085,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:09:40 +1:00 GMT,62.255.13.5:1709,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:09:40 +1:00 GMT,62.253.109.220:3687,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:10:50 +1:00 GMT,62.253.116.41:2672,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:11:12 +1:00 GMT,62.252.40.33:3016,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:11:40 +1:00 GMT,62.253.8.195:4567,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:12:04 +1:00 GMT,62.253.40.10:4134,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:12:06 +1:00 GMT,62.252.204.24:1519,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:12:08 +1:00 GMT,62.253.12.27:1200,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:12:56 +1:00 GMT,62.255.68.88:3807,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:13:08 +1:00 GMT,62.255.224.36:3530,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:14:54 +1:00 GMT,62.255.188.34:4729,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:15:24 +1:00 GMT,62.253.116.41:1571,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:15:36 +1:00 GMT,62.253.4.196:3551,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:15:40 +1:00 GMT,62.255.12.167:3890,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:16:16 +1:00 GMT,62.252.4.145:4636,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:16:18 +1:00 GMT,62.253.111.185:3491,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:16:20 +1:00 GMT,62.253.133.51:1602,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:16:56 +1:00 GMT,62.253.194.227:3033,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:17:12 +1:00 GMT,62.252.8.174:4922,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:19:10 +1:00 GMT,62.253.116.41:1541,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:23:50 +1:00 GMT,62.252.242.205:4673,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:26:54 +1:00 GMT,62.252.180.131:4304,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:26:58 +1:00 GMT,62.252.208.168:4968,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:28:20 +1:00 GMT,62.252.200.250:4749,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:31:38 +1:00 GMT,62.252.202.67:3162,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:32:52 +1:00 GMT,62.253.12.120:3182,62.253.12.134:135,TCP (flags:S)
FWIN,2003/08/25,22:34:02 +1:00 GMT,216.133.140.2:29342,62.253.12.134:135,TCP (flags:S)


Any ideas from anyone?
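One way to read a ZoneAlarm extract like the one above is to count, per destination port, how many distinct source hosts were blocked: many unrelated sources knocking on one port is the pattern of an automated sweep rather than a single host probing you. This is an added example, not code from the thread; the log lines are constructed in the same FWIN format with documentation-range addresses.

```python
import csv
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the ZoneAlarm FWIN format quoted in the thread
# (type,date,time,source,destination,transport). Addresses come from the
# RFC 5737 documentation ranges, not from the original post.
SAMPLE_LOG = """type , date, time, source, destination,transport
FWIN,2003/08/25,21:57:24 +1:00 GMT,192.0.2.10:3172,198.51.100.7:135,TCP (flags:S)
FWIN,2003/08/25,21:57:38 +1:00 GMT,192.0.2.44:2445,198.51.100.7:135,TCP (flags:S)
FWIN,2003/08/25,21:57:40 +1:00 GMT,192.0.2.91:3345,198.51.100.7:135,TCP (flags:S)
FWIN,2003/08/25,21:58:10 +1:00 GMT,192.0.2.10:5000,198.51.100.7:135,TCP (flags:S)
FWIN,2003/08/25,21:59:20 +1:00 GMT,203.0.113.5:1419,198.51.100.7:137,UDP
FWIN,2003/08/25,22:34:02 +1:00 GMT,203.0.113.66:29342,198.51.100.7:445,TCP (flags:S)
"""

def parse_fwin(text):
    """Yield (timestamp, src_ip, dst_port, transport) for each FWIN record."""
    rows = csv.reader(line for line in text.splitlines() if line.strip())
    next(rows)  # skip the header line
    for row in rows:
        kind, date, time, src, dst, transport = (f.strip() for f in row)
        if kind != "FWIN":
            continue
        # the time field carries a UTC offset after a space; keep the clock part
        ts = datetime.strptime(f"{date} {time.split()[0]}", "%Y/%m/%d %H:%M:%S")
        src_ip = src.rsplit(":", 1)[0]
        dst_port = int(dst.rsplit(":", 1)[1])
        yield ts, src_ip, dst_port, transport.split()[0]

def port_summary(text):
    """Per destination port: (blocked hits, number of distinct source hosts)."""
    hits = Counter()
    sources = defaultdict(set)
    for _, src_ip, dst_port, _ in parse_fwin(text):
        hits[dst_port] += 1
        sources[dst_port].add(src_ip)
    return {p: (hits[p], len(sources[p])) for p in hits}

def worm_scan_candidates(text, min_sources=3):
    """Ports hit by at least `min_sources` distinct hosts: the signature of a
    network-wide sweep, as opposed to one host walking through your ports."""
    return sorted(p for p, (_, n) in port_summary(text).items() if n >= min_sources)

if __name__ == "__main__":
    for port, (count, n) in sorted(port_summary(SAMPLE_LOG).items()):
        print(f"port {port}: {count} blocked, {n} distinct sources")
    print("sweep candidates:", worm_scan_candidates(SAMPLE_LOG))
```

Run against a real extract, a port that shows up with dozens of distinct sources is background worm noise aimed at the whole address range, not something aimed at you specifically.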
 

Testin da Cable

Guest
There are several different source IPs there, and they're all trying to access port 135 on your computer. Port 135, as per IANA, is something called "epmap" for both TCP and UDP. To hazard a guess, there may be a DNS mistake somewhere causing computers to wrongly connect to your dialup IP.
Keep an eye on it to see if it comes back in a periodic fashion. My guess is it will go away. Pity it messed up your game mate :/
 

vofflujarnid

Guest
Port 135 TCP: DCE endpoint resolution. Port 135 is also used for attacks by that Microsoft Remote Procedure Call (MSRPC) virus. Block port 135 both TCP and UDP with your ZoneAlarm.
 

Xavier

Guest
Actually it would be a good idea if you didn't block port 135 like that but instead installed the MSBlaster patch - you'll need port 135 working for all manner of apps which use RPC. Blocking it won't free your line up as the traffic still has to pass down your connection to be bounced by your firewall; in essence you'd be addressing the symptoms rather than the problem itself.
 

~Lazarus~

Guest
Thanks guys.

Not really keen on BLOCKING the port - afaik the "port" is blocked through ZoneAlarm. Logically, blocking the port won't remove the problem (I think).

I have applied the Blaster patch already, so this should not be a problem.
 

Testin da Cable

Guest
A handy way to have a quick look at what ports are listening and which have established connections is to type netstat -a |more into a DOS box.
 

vofflujarnid

Guest
I've blocked ports 1434, 445, 139, 137 and 135, both TCP/UDP, and I haven't had a single problem. So it should be OK to block the ports.
 

doh_boy

Guest
OK, I did that td :)

But there are a load of connections at the end with *:* in the foreign address field.


should I go around closing these ports?

UDP doh:microsoft-ds *:*
UDP doh:1154 *:*
UDP doh:1305 *:*
UDP doh:ntp *:*
UDP doh:1041 *:*
UDP doh:1515 *:*
UDP doh:1541 *:*
UDP doh:1608 *:*
UDP doh:1698 *:*
UDP doh:1900 *:*
UDP doh:discard *:*
UDP doh:ntp *:*
UDP doh:netbios-ns *:*
UDP doh:netbios-dgm *:*
UDP doh:1900 *:*
UDP doh:2579 *:*
UDP doh:7224 *:*
 

Testin da Cable

Guest
Originally posted by doh_boy
OK, I did that td :)

But there are a load of connections at the end with *:* in the foreign address field.


should I go around closing these ports?

UDP doh:microsoft-ds *:*
UDP doh:1154 *:*
UDP doh:1305 *:*
UDP doh:ntp *:*
UDP doh:1041 *:*
UDP doh:1515 *:*
UDP doh:1541 *:*
UDP doh:1608 *:*
UDP doh:1698 *:*
UDP doh:1900 *:*
UDP doh:discard *:*
UDP doh:ntp *:*
UDP doh:netbios-ns *:*
UDP doh:netbios-dgm *:*
UDP doh:1900 *:*
UDP doh:2579 *:*
UDP doh:7224 *:*

Good lad :) Those little bang/star/asterisk signs mean that the whatever-it-is is listening for packets from wherever. TdC follows the school of -brace for it Windows users- lock down and/or uninstall everything that you're not using, and open/reinstall it only if you ever find a need. You *may* want to keep ntp - that's what your computer is using to keep its time adjusted properly - and perhaps the netbios nameservice and datagram ports, but only if you're on a network that uses such things. No doubt some well-adjusted Windows user can help you out more than I can. Good luck!
 

xane

Guest
My firewalls are filling up with 135 attacks; if you check DShield you'll see it's been the number one port for a few weeks now.
 