Zone Alarm Weirdness

on 26.09.2006 11:12:39 by Markvr

Recently my computer would lose all outgoing internet access on ONLY
port 80 exactly 10 min after rebooting.

After doing a full virus scan which was clean I plugged it into a linux
firewall and sniffed all outgoing traffic to see if anything was going out.

It had outgoing traffic to 209.87.208.60:8083 which reverses to
lockup.zonelabs.com.

Reading the page at http://lockup.zonelabs.com/8083.html (which has a
stuffed up mime type cause it displays the raw html code) and finding
the instructions at http://lockup.zonelabs.com/downloads/SafeMode.doc
seems to have fixed it.

Zone Alarm seemed to think it was broken and so was blocking all
outgoing traffic after 10 min.

The only thing is, I have NEVER EVER installed ZoneAlarm on this
machine. It is behind a hardware firewall. I have installed NO
firewall products. I managed to get this working by being fairly IT
savvy and having a proxy server I could use to browse the net, hence
bypassing the port 80 restriction but how on earth could Zone Alarm have
got onto my machine? The only thing I have installed recently is the
Win32 version of Apache/PHP.

Has anyone seen this before?

cheers

Mark

Re: Zone Alarm Weirdness

on 21.11.2006 17:46:32 by macdaddy

Mark,

I too just had this happen to me. Most of my HTTP requests were being
sent to 209.87.208.60:8083. Oddly enough I had a few that were not
such as my brokerage accounts (which BTW will have new passwords in a
few minutes). Googling for the IP above I found this very thread as
well as this other thread with useful info:

'SWI Forums > Hijack; sp.html; Spybot affected'
(http://forums.spywareinfo.com/lofiversion/index.php/t9447.html)

I'm working on following the steps in that thread right now. I had
ZoneAlarm on this laptop before dropping it during a maintenance
window. That killed my HD. So now I can honestly say that I've never
had ZoneAlarm installed on this hard drive. The link above alludes to a
toolbar. I'm wondering if it's something more sinister. I had to sit
on the public Internet yesterday afternoon with no FW. I wonder if
that did it. I am fully patched but what does that mean nowadays.

J


--
macdaddy
------------------------------------------------------------------------
macdaddy's Profile: http://unixadmintalk.com/512
View this thread: http://unixadmintalk.com/showthread.php?t=176230
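Both posters found the problem the same way: capturing outbound traffic and noticing that web requests for many unrelated sites were all landing on one IP and port (209.87.208.60:8083) instead of the sites' own servers. The script below is an added example, not code from either poster, that automates that check over a capture summary. The capture format and the sample lines are constructed for the example (only the 209.87.208.60:8083 endpoint comes from the thread; the other addresses are documentation ranges), and the two heuristics are my own: one IP:port receiving requests addressed to several different Host names, and HTTP requests leaving on a port other than 80 or 443.

```python
"""Spot outbound HTTP requests that are being funnelled to an unexpected
endpoint, the symptom described in the thread above."""
import re
from collections import defaultdict

# Constructed sample of an outbound capture summary (not from the thread):
# one line per HTTP request seen leaving the machine, giving the TCP
# destination and the Host header the request was actually addressed to.
SAMPLE_CAPTURE = """\
10:12:01 192.168.1.20 -> 209.87.208.60:8083 Host: www.example.com
10:12:02 192.168.1.20 -> 209.87.208.60:8083 Host: news.example.net
10:12:05 192.168.1.20 -> 203.0.113.10:80 Host: intranet.example.com
10:12:07 192.168.1.20 -> 209.87.208.60:8083 Host: shop.example.org
10:12:09 192.168.1.20 -> 198.51.100.7:443 Host: broker.example.com
"""

# Assumed line layout: "<time> <src> -> <dst_ip>:<dst_port> Host: <name>"
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<src>\S+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<port>\d+)\s+Host:\s+(?P<host>\S+)"
)


def parse_capture(text):
    """Yield (dst_ip, dst_port, host) for every well-formed capture line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["dst"], int(m["port"]), m["host"].lower()


def find_redirect_endpoints(text, min_hosts=2):
    """Return {(ip, port): sorted hosts} for destinations that receive
    requests addressed to at least `min_hosts` different Host names.

    A normal web server answers only for its own names; a single IP:port
    collecting requests meant for unrelated sites looks like a transparent
    proxy or a hijacked route, which is what the thread describes."""
    hosts_by_endpoint = defaultdict(set)
    for ip, port, host in parse_capture(text):
        hosts_by_endpoint[(ip, port)].add(host)
    return {
        endpoint: sorted(hosts)
        for endpoint, hosts in hosts_by_endpoint.items()
        if len(hosts) >= min_hosts
    }


def nonstandard_web_ports(text, standard=(80, 443)):
    """Return sorted endpoints carrying HTTP requests on ports other than
    the usual web ports; the thread's port 8083 is exactly this pattern."""
    return sorted(
        {(ip, port) for ip, port, _ in parse_capture(text) if port not in standard}
    )


def report(text):
    """Human-readable summary of both heuristics over a capture."""
    lines = []
    for (ip, port), hosts in find_redirect_endpoints(text).items():
        lines.append(f"{ip}:{port} receives requests for {len(hosts)} hosts: "
                     + ", ".join(hosts))
    for ip, port in nonstandard_web_ports(text):
        lines.append(f"HTTP seen on non-standard port {ip}:{port}")
    return "\n".join(lines) or "nothing suspicious"


if __name__ == "__main__":
    print(report(SAMPLE_CAPTURE))
```

On the sample above the first heuristic singles out 209.87.208.60:8083 as the only endpoint receiving requests for several unrelated hosts, and the second flags the same endpoint for carrying HTTP on port 8083. Either result on a real capture is the cue to find out what on the host is rewriting the traffic before trusting any session that passed through it, which is why the second poster's instinct to rotate the passwords used over that connection was the right one.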