interesting alerts on Zonealarm recently - what do I do?

on 28.11.2006 01:26:10 by Paul

My son came home from college using his laptop on my network with a Netgear
router. Now I regularly get this alert:

"ZoneAlarm blocked traffic to port 2869 on your machine from port 1077 on a
remote computer whose IP address is 192.168.1.1. This communication attempt
may have been a port scan, or simply one of the millions of unsolicited
commercial or network control messages that are routinely sent out over the
Internet. Such unsolicited messages are often called Internet background
noise."

It's being stopped which is good but 192.168.1.1 is my router's address.

What do I do?

Re: interesting alerts on Zonealarm recently - what do I do?

on 28.11.2006 01:40:02 by Jon

Paul wrote:

>What do I do?

Turn off alerts.

Re: interesting alerts on Zonealarm recently - what do I do?

on 28.11.2006 01:41:58 by Slarty

On Mon, 27 Nov 2006 19:26:10 -0500, Paul wrote:

> My son came home from college using his laptop on my network with a Netgear
> router. Now I regularly get this alert:
>
> "ZoneAlarm blocked traffic to port 2869 on your machine from port 1077 on a
> remote computer whose IP address is 192.168.1.1. This communication attempt
> may have been a port scan, or simply one of the millions of unsolicited
> commercial or network control messages that are routinely sent out over the
> Internet. Such unsolicited messages are often called Internet background
> noise."
>
> It's being stopped which is good but 192.168.1.1 is my router's address.
>
> What do I do?

Remove ZoneAlarm, of course.

Re: interesting alerts on Zonealarm recently - what do I do?

on 28.11.2006 01:49:16 by Ansgar -59cobalt- Wiechers

Paul wrote:
> My son came home from college using his laptop on my network with a
> Netgear router. Now I regularly get this alert:
>
> "ZoneAlarm blocked traffic to port 2869 on your machine from port 1077
> on a remote computer whose IP address is 192.168.1.1. This
> communication attempt may have been a port scan, or simply one of the
> millions of unsolicited commercial or network control messages that
> are routinely sent out over the Internet. Such unsolicited messages
> are often called Internet background noise."
>
> It's being stopped which is good but 192.168.1.1 is my router's
> address.
>
> What do I do?

Inspect the traffic with a sniffer (e.g. Wireshark [1]) to find out
what the payload of these packets is. It should suffice if you install
the sniffer on the same machine ZA is installed on, but in case it
doesn't, you have to tap the wire.

Also check the configuration of your router. Any port-forwardings? Is
the firmware up-to-date? Run a portscan against the router (from the
outside) to check if there are any ports open on the external interface.
Netgear routers have become infamous for being vulnerable.

[1] http://www.wireshark.org/

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: interesting alerts on Zonealarm recently - what do I do?

on 28.11.2006 07:17:48 by TheDog

Paul wrote:
> My son came home from college using his laptop on my network with a Netgear
> router. Now I regularly get this alert:
>
> "ZoneAlarm blocked traffic to port 2869 on your machine from port 1077 on a
> remote computer whose IP address is 192.168.1.1. This communication attempt
> may have been a port scan, or simply one of the millions of unsolicited
> commercial or network control messages that are routinely sent out over the
> Internet. Such unsolicited messages are often called Internet background
> noise."
>
> It's being stopped which is good but 192.168.1.1 is my router's address.
>
> What do I do?
>
>

You tell ZA to trust the Device IP of the router. The router is doing
the scanning, which is harmless. It's either that or remove ZA from the
machine.

Duane :)

Re: interesting alerts on Zonealarm recently - what do I do?

on 28.11.2006 12:19:12 by alf

Paul wrote:
> My son came home from college using his laptop on my network with a Netgear
> router. Now I regularly get this alert:
>
> "ZoneAlarm blocked traffic to port 2869 on your machine from port 1077 on a
> remote computer whose IP address is 192.168.1.1. This communication attempt
> may have been a port scan, or simply one of the millions of unsolicited
> commercial or network control messages that are routinely sent out over the
> Internet. Such unsolicited messages are often called Internet background
> noise."
>
> It's being stopped which is good but 192.168.1.1 is my router's address.
>
> What do I do?

Set your router address range, e.g. 192.168.1.0/255.255.255.0, to the
trusted zone in ZA.

TCP 2869 is used for the UPnP framework.
TCP 1077 is the IMGames port (instant messenger games).

Did you use some IM software and try to play a game?

I think you should take Ansgar's advice and inspect this with Wireshark
more carefully. Maybe the router is just announcing itself to the UPnP
framework interface, maybe you and/or your son tried to play an IM game,
maybe this is something else. There are too many maybes. Inspect this.
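The triage that Ansgar and alf describe above (classify where the blocked packet came from, identify the port, and check whether UPnP traffic from the gateway amounts to a forwarded port) can be scripted. The block below is an added example written for this thread; it is not code from any of the posters. It assumes the LAN layout stated in the thread (a single 192.168.1.0/24 segment with the router at 192.168.1.1), the ZoneAlarm alert wording quoted by Paul, and a constructed UPnP IGD AddPortMapping SOAP body of the kind Wireshark would show if a device asked the router to open a port; the 1900/UDP SSDP entry in the port table is a standard value added here, not something from the thread.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Port table for triage. The 2869 and 1077 entries restate what the thread
# says; 1900 (SSDP discovery) is the standard UPnP discovery port, added here.
KNOWN_PORTS = {
    2869: "UPnP eventing / SSDP (Windows)",
    1077: "IMGames (IANA-registered name)",
    1900: "SSDP discovery (UPnP)",
}
UPNP_PORTS = {2869, 1900}

# Matches the ZoneAlarm alert wording quoted in the thread.
ALERT_RE = re.compile(
    r"blocked traffic to port (\d+) on your machine from port (\d+) on a\s+"
    r"remote computer whose IP address is (\d+\.\d+\.\d+\.\d+)"
)

# Alert text from the original post (line breaks as quoted there).
SAMPLE_ALERT = (
    "ZoneAlarm blocked traffic to port 2869 on your machine from port 1077 on a\n"
    "remote computer whose IP address is 192.168.1.1. This communication attempt\n"
    "may have been a port scan, or simply one of the millions of unsolicited\n"
    "commercial or network control messages that are routinely sent out over the\n"
    "Internet."
)


def triage_alert(text, lan="192.168.1.0/24", gateway="192.168.1.1"):
    """Classify one ZoneAlarm alert: where it came from and what to do next.

    `lan` and `gateway` are assumptions taken from the thread (one
    192.168.1.0/24 segment behind a router at 192.168.1.1).
    """
    m = ALERT_RE.search(text)
    if m is None:
        return None
    dst_port, src_port = int(m.group(1)), int(m.group(2))
    source = ipaddress.ip_address(m.group(3))
    if source == ipaddress.ip_address(gateway):
        origin = "gateway"
    elif source in ipaddress.ip_network(lan):
        origin = "lan"
    else:
        origin = "external"

    if origin == "external":
        action = "investigate: inbound from outside; check the router's port forwards"
    elif dst_port in UPNP_PORTS:
        action = "inspect payload: UPnP traffic from the gateway can carry port mappings"
    else:
        action = "inspect payload before adding the source to the trusted zone"
    return {
        "source": str(source), "origin": origin,
        "src_port": src_port, "dst_port": dst_port,
        "service": KNOWN_PORTS.get(dst_port, "unknown"),
        "action": action,
    }


# Constructed example of a UPnP IGD AddPortMapping request as it would appear
# in a capture (SOAP over HTTP); the ports and internal host are made up.
SAMPLE_ADD_PORT_MAPPING = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
            s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>6881</NewExternalPort>
      <NewProtocol>TCP</NewProtocol>
      <NewInternalPort>6881</NewInternalPort>
      <NewInternalClient>192.168.1.23</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription>example-app</NewPortMappingDescription>
      <NewLeaseDuration>0</NewLeaseDuration>
    </u:AddPortMapping>
  </s:Body>
</s:Envelope>"""


def extract_port_mappings(soap_xml):
    """Return every AddPortMapping request found in a captured SOAP body.

    A non-empty result means a LAN device asked the router to open a port
    from the Internet to an internal host: the "forwarded port" outcome that
    should be checked against the router's own configuration page.
    """
    root = ET.fromstring(soap_xml)
    mappings = []
    for el in root.iter():
        if el.tag.split("}")[-1] != "AddPortMapping":
            continue
        f = {c.tag.split("}")[-1]: (c.text or "").strip() for c in el}
        lease = int(f.get("NewLeaseDuration") or 0)
        mappings.append({
            "external_port": int(f["NewExternalPort"]),
            "protocol": f["NewProtocol"],
            "internal_client": f["NewInternalClient"],
            "internal_port": int(f["NewInternalPort"]),
            "lease_seconds": lease,
            "permanent": lease == 0,  # lease 0 = stays until explicitly removed
        })
    return mappings


if __name__ == "__main__":
    print(triage_alert(SAMPLE_ALERT))
    for mapping in extract_port_mappings(SAMPLE_ADD_PORT_MAPPING):
        print("port mapping requested:", mapping)
```

Run on the thread's alert, the triage reports a gateway-originated packet to the UPnP port and recommends inspecting the payload rather than blanket-trusting the subnet; a capture containing an AddPortMapping body then shows exactly which internal host and port would become reachable from the outside, which is the thing to compare with the router's port-forwarding page.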

Re: interesting alerts on Zonealarm recently - what do I do?

on 29.11.2006 01:06:09 by Paul

"@lf" wrote in message news:ekh5vd$b74$1@ss408.t-com.hr...
> Paul wrote:
>> My son came home from college using his laptop on my network with a
>> Netgear router. Now I regularly get this alert:
>>
>> "ZoneAlarm blocked traffic to port 2869 on your machine from port 1077 on
>> a remote computer whose IP address is 192.168.1.1. This communication
>> attempt may have been a port scan, or simply one of the millions of
>> unsolicited commercial or network control messages that are routinely
>> sent out over the Internet. Such unsolicited messages are often called
>> Internet background noise."
>>
>> It's being stopped which is good but 192.168.1.1 is my router's address.
>>
>> What do I do?
>
> Set your router address range, e.g. 192.168.1.0/255.255.255.0, to the
> trusted zone in ZA.
>
> TCP 2869 is used for the UPnP framework.
> TCP 1077 is the IMGames port (instant messenger games).
>
> Did you use some IM software and try to play a game?
>
> I think you should take Ansgar's advice and inspect this with Wireshark more
> carefully. Maybe the router is just announcing itself to the UPnP framework
> interface, maybe you and/or your son tried to play an IM game, maybe this is
> something else. There are too many maybes. Inspect this.

Great advice - many thanks to all. It happened when my son came home and
plugged in to the network. But he has left and it is still happening.

Maybe one of MS's "updates" is now doing this.

Re: interesting alerts on Zonealarm recently - what do I do?

on 29.11.2006 02:08:05 by TheDog

Paul wrote:
> "@lf" wrote in message news:ekh5vd$b74$1@ss408.t-com.hr...
>
>>Paul wrote:
>>
>>>My son came home from college using his laptop on my network with a
>>>Netgear router. Now I regularly get this alert:
>>>
>>>"ZoneAlarm blocked traffic to port 2869 on your machine from port 1077 on
>>>a remote computer whose IP address is 192.168.1.1. This communication
>>>attempt may have been a port scan, or simply one of the millions of
>>>unsolicited commercial or network control messages that are routinely
>>>sent out over the Internet. Such unsolicited messages are often called
>>>Internet background noise."
>>>
>>>It's being stopped which is good but 192.168.1.1 is my router's address.
>>>
>>>What do I do?
>>
>>Set your router address range, e.g. 192.168.1.0/255.255.255.0, to the
>>trusted zone in ZA.
>>
>>TCP 2869 is used for the UPnP framework.
>>TCP 1077 is the IMGames port (instant messenger games).
>>
>>Did you use some IM software and try to play a game?
>>
>>I think you should take Ansgar's advice and inspect this with Wireshark more
>>carefully. Maybe the router is just announcing itself to the UPnP framework
>>interface, maybe you and/or your son tried to play an IM game, maybe this is
>>something else. There are too many maybes. Inspect this.
>
>
> Great advice - many thanks to all. It happened when my son came home and
> plugged in to the network. But he has left and it is still happening.
>
> Maybe one of MS's "updates" is now doing this.
>
>
MS updates have nothing to do with the Device IP of the router making
contact with the machines that are connected to it. ZA has no business
even reporting it.

Duane :)

Re: interesting alerts on Zonealarm recently - what do I do?

on 29.11.2006 10:40:17 by alf

Paul wrote:
> Great advice - many thanks to all. It happened when my son came home and
> plugged in to the network. But he has left and it is still happening.

Just follow Ansgar's procedure. If you don't have IM software running, and
this is still happening, and it never happened before, you should really
do what Ansgar told you to do.
BTW, check, or ask your son, whether he changed anything in your router or
your computer configuration.

> Maybe one of MS's "updates" is now doing this.

No

Re: interesting alerts on Zonealarm recently - what do I do?

on 29.11.2006 11:02:47 by alf

Mr. Arnold6 wrote:
> ZA has no business even reporting it.

That is true, ZA shouldn't block that. But the question is why did that
start to happen? If that communication existed before, ZA would probably
have blocked it before as well as now. Why did it start after his son
connected with his laptop?
IMHO I believe everything is OK; his son probably reconfigured something,
and now ZA has to be reconfigured as well. But a little inspection
before that conclusion would be a nice thing to do. Why? He has "UPnP
communication"; what is a possible result of that communication? A forwarded
port. I believe that a sudden possible attempt to forward a port, no matter
how small the possibility of port forwarding is, requires a little attention.

Re: interesting alerts on Zonealarm recently - what do I do?

on 29.11.2006 16:14:18 by Ulf Leichsenring

> You tell ZA to trust the Device IP of the router. The router is doing
> the scanning, which is harmless. It's either that or remove ZA from the
> machine.

How do you know that nobody captured the router from the outside and is
doing nasty things to the inside?

--
Ulf Leichsenring
ulf@leichsenring.net

Re: interesting alerts on Zonealarm recently - what do I do?

on 30.11.2006 01:17:08 by TheDog

Ulf Leichsenring wrote:
>>You tell ZA to trust the Device IP of the router. The router is doing
>>the scanning, which is harmless. It's either that or remove ZA from the
>>machine.
>
>
> How do you know that nobody captured the router from the outside and is
> doing nasty things to the inside?
>

Someone from the outside captured the Device IP of the router to do
what, which they cannot do? Someone from the outside has captured the
router, installed firmware on the router, and that firmware is now using
the Device IP of the router to attack, mind you, attack the machines
connected to the router.

You want to explain your thoughts and opinions as to how someone can
capture the router and the Device IP of the router to attack the
machines connected to the router. I would love to hear this, but I am
probably going to regret it.

Re: interesting alerts on Zonealarm recently - what do I do?

on 30.11.2006 14:55:27 by Ulf Leichsenring

> Someone from the outside captured the Device IP of the router to do
> what, which they cannot do? Someone from the outside has captured the
> router, installed firmware on the router, and that firmware is now using
> the Device IP of the router to attack, mind you, attack the machines
> connected to the router.
>
> You want to explain your thoughts and opinions as to how someone can
> capture the router and the Device IP of the router to attack the
> machines connected to the router. I would love to hear this, but I am
> probably going to regret it.

You know that many home (DSL) routers run some kind of embedded OS
like Linux. Some of them even have management ports (HTTP, SSH or else)
running on the WAN side to help the ISP manage the device (firmware
updates etc.). If you get access to these routers you are able to connect
to the inside using your favorite tools.


--
Ulf Leichsenring
ulf@leichsenring.net

Re: interesting alerts on Zonealarm recently - what do I do?

on 30.11.2006 15:18:33 by TheDog

Ulf Leichsenring wrote:
>> Someone from the outside captured the Device IP of the router to do
>> what, which they cannot do? Someone from the outside has captured the
>> router, installed firmware on the router, and that firmware is now using
>> the Device IP of the router to attack, mind you, attack the machines
>> connected to the router.
>>
>> You want to explain your thoughts and opinions as to how someone can
>> capture the router and the Device IP of the router to attack the
>> machines connected to the router. I would love to hear this, but I am
>> probably going to regret it.
>
>
> You know that many home (DSL) routers run some kind of embedded OS
> like Linux. Some of them even have management ports (HTTP, SSH or else)
> running on the WAN side to help the ISP manage the device (firmware
> updates etc.). If you get access to these routers you are able to connect
> to the inside using your favorite tools.
>
>

I know this, but I would say that it's not happening in the OP's case.
No one is going out of their way to do this on his home user network.