Is this a software intrusion or a normal circumstance

Is this a software intrusion or a normal circumstance

am 03.01.2006 07:12:49 von kdeb

Is this warning below normal or a software intrusion?

ZoneAlarm Security Alert
ADVANCED PROGRAM
Windows NT Logon Application is trying to use
Generic Host Process for Win32 services to act as a server.
Application: winlogon.exe
Source IP 0.0.0.0 Port 135

I googled for this error before asking but I did not find anyone else with
this error so I am forced to ask you for help. I did see that I should close
port 135 with the dcombobulator program so I will do that if you advise.

Is this a normal ZoneAlarm error or evidence of a spyware intrusion?
What would YOU do if you saw this on your WinXP machine?

Debbie

Re: Is this a software intrusion or a normal circumstance

am 03.01.2006 07:51:24 von kdeb

> Windows NT Logon Application is trying to use
> Generic Host Process for Win32 services to act as a server.
> Application: winlogon.exe
> Source IP 0.0.0.0 Port 135

Since this is the first time I've run ZoneAlarm, I'm confused
as to what this firewall program is trying to tell me when it
also reports:

ZoneAlarm Security Alert
Blocked
Windows NT Logon Application not allowed to use cssauth
to connect to 127.0.0.1 Port 6060.
Program: Windows NT Logon Application

Again, I don't find anyone with this particular error when I google.
Why would I have these alerts that nobody else has?

Are they so common that nobody else bothered to ask?
Or are they so rare that I got a bug that nobody else got?

If you saw these two alerts on your machine, what would you do?
I need your advice & help.

Debbie

Re: Is this a software intrusion or a normal circumstance

am 03.01.2006 09:35:34 von Volker Birk

Debbie Kwarta wrote:
> Is this warning below normal or a software intrusion?
> ZoneAlarm Security Alert
> ADVANCED PROGRAM
> Windows NT Logon Application is trying to use
> Generic Host Process for Win32 services to act as a server.
> Application: winlogon.exe
> Source IP 0.0.0.0 Port 135

Your Windows box is trying to offer DCE-RPC to the rest of the world
for authentication purposes. You should filter that, if your Windows
box is not a member of a domain.

> Is this a normal ZoneAlarm error or evidence of a spyware intrusion?

This is, what Zone Alarm usually does - showing useless popups. Maybe
it would be a good idea for you to remove Zone Alarm and just use the
Windows firewall.

Yours,
VB.
--
Ein vision statement ist in aller Regel planfreies Gelalle einer Horde
realitätsferner Spinner.
Dietz Pröpper in d.a.s.r

Re: Is this a software intrusion or a normal circumstance

am 03.01.2006 09:42:55 von Volker Birk

Debbie Kwarta wrote:
> Since this is the first time I've run ZoneAlarm, I'm confused
> as to what this firewall program is trying to tell me when it
> also reports:
> ZoneAlarm Security Alert
> Blocked
> Windows NT Logon Application not allowed to use cssauth
> to connect to 127.0.0.1 Port 6060.
> Program: Windows NT Logon Application

Is this an IBM/Lenovo computer? Then this is part of the client software
there.

Yours,
VB.
--
Ein vision statement ist in aller Regel planfreies Gelalle einer Horde
realitätsferner Spinner.
Dietz Pröpper in d.a.s.r

Re: Is this a software intrusion or a normal circumstance

am 03.01.2006 10:08:47 von John Hyde

On 1/3/2006 12:35 AM, Volker Birk wrote:
> Debbie Kwarta wrote:
>
>>Is this warning below normal or a software intrusion?
>>ZoneAlarm Security Alert
>>ADVANCED PROGRAM
>>Windows NT Logon Application is trying to use
>>Generic Host Process for Win32 services to act as a server.
>>Application: winlogon.exe
>>Source IP 0.0.0.0 Port 135
>
>
> Your Windows box is trying to offer DCE-RPC to the rest of the world
> for authentication purposes. You should filter that, if your Windows
> box is not a member of a domain.

Would the windows firewall filter this? Without an annoying popup?

But agree that the general rule is don't offer services you don't need
to offer.

>
>
>>Is this a normal ZoneAlarm error or evidence of a spyware intrusion?
>
>
> This is, what Zone Alarm usually does - showing useless popups. Maybe
> it would be a good idea for you to remove Zone Alarm and just use the
> Windows firewall.
>
> Yours,
> VB.

Debbie, you might want to wait for other replies before you chuck Z.A.
Volker's opinion on it is not universally accepted.

John

Re: Is this a software intrusion or a normal circumstance

am 03.01.2006 19:00:29 von Volker Birk

John Hyde wrote:
> >>Is this warning below normal or a software intrusion?
> >>ZoneAlarm Security Alert
> >>ADVANCED PROGRAM
> >>Windows NT Logon Application is trying to use
> >>Generic Host Process for Win32 services to act as a server.
> >>Application: winlogon.exe
> >>Source IP 0.0.0.0 Port 135
> > Your Windows box is trying to offer DCE-RPC to the rest of the world
> > for authentication purposes. You should filter that, if your Windows
> > box is not a member of a domain.
> Would the windows firewall filter this?

Yes.

> Without an annoying popup?

Yes.

Yours,
VB.
--
Ein vision statement ist in aller Regel planfreies Gelalle einer Horde
realitätsferner Spinner.
Dietz Pröpper in d.a.s.r

Re: Is this a software intrusion or a normal circumstance

am 04.01.2006 02:25:51 von John Hyde

on 1/3/2006 10:00 AM Volker Birk said the following:
> John Hyde wrote:
>
>>>>Is this warning below normal or a software intrusion?
>>>>ZoneAlarm Security Alert
>>>>ADVANCED PROGRAM
>>>>Windows NT Logon Application is trying to use
>>>>Generic Host Process for Win32 services to act as a server.
>>>>Application: winlogon.exe
>>>>Source IP 0.0.0.0 Port 135
>>>
>>>Your Windows box is trying to offer DCE-RPC to the rest of the world
>>>for authentication purposes. You should filter that, if your Windows
>>>box is not a member of a domain.
>>
>>Would the windows firewall filter this?
>
>
> Yes.
>
>
>>Without an annoying popup?
>
>
> Yes.
>
> Yours,
> VB.

So wouldn't it also filter it if you did need to "offer DCE-RPC to the
rest of the world . . ."? And without an "annoying popup", you would
need to track down the reason why something did not work. What am I
missing here?

JH

Re: Is this a software intrusion or a normal circumstance

am 10.01.2006 13:27:39 von Volker Birk

John Hyde wrote:
> >>>>Is this warning below normal or a software intrusion?
> >>>>ZoneAlarm Security Alert
> >>>>ADVANCED PROGRAM
> >>>>Windows NT Logon Application is trying to use
> >>>>Generic Host Process for Win32 services to act as a server.
> >>>>Application: winlogon.exe
> >>>>Source IP 0.0.0.0 Port 135
> >>>Your Windows box is trying to offer DCE-RPC to the rest of the world
> >>>for authentication purposes. You should filter that, if your Windows
> >>>box is not a member of a domain.
> >>Would the windows firewall filter this?
> > Yes.
> >>Without an annoying popup?
> > Yes.
> So wouldn't it also filter it if you did need to "offer DCE-RPC to the
> rest of the world . . ."?

No-one needs this. It's not a good idea at all.

Yours,
VB.
--
Ein vision statement ist in aller Regel planfreies Gelalle einer Horde
realitätsferner Spinner.
Dietz Pröpper in d.a.s.r