ZoneAlarm - Port number?

on 24.04.2007 01:06:47 by Jeremy

Hi all,
I've noticed in ZoneAlarm several entries from a source IP in a
port range I don't recognize. The range goes anywhere from
49000-49600. For example, one entry would look like such:
192.x.x.x:49435.

What program/application is it that is most likely scanning from that
port? I've looked online and seen really ambiguous results like "RPC"
related events. Could it be a keylogger or something along those
lines?


Thanks,
J

Re: ZoneAlarm - Port number?

on 24.04.2007 01:32:28 by MR. Arnold

"Jeremy" wrote in message
news:1177369607.741432.327090@n59g2000hsh.googlegroups.com...
> Hi all,
> I've noticed in ZoneAlarm several entries from a source IP in a
> port range I don't recognize. The range goes anywhere from
> 49000-49600. For example, one entry would look like such:
> 192.x.x.x:49435.
>
> What program/application is it that is most likely scanning from that
> port? I've looked online and seen really ambiguous results like "RPC"
> related events. Could it be a keylogger or something along those
> lines?
>
>
> Thanks,
> J
>

That 192.x.x.x looks to be a LAN IP on a router. Is the machine behind a
router and what is the full 192.x.x.x as no one cares and is going to use
a LAN IP against you?

Re: ZoneAlarm - Port number?

on 24.04.2007 19:35:00 by Jeremy

On Apr 23, 4:32 pm, "Mr. Arnold" wrote:
> "Jeremy" wrote in message
>
> news:1177369607.741432.327090@n59g2000hsh.googlegroups.com...
>
> > Hi all,
> > I've noticed in ZoneAlarm several entries from a source IP in a
> > port range I don't recognize. The range goes anywhere from
> > 49000-49600. For example, one entry would look like such:
> > 192.x.x.x:49435.
>
> > What program/application is it that is most likely scanning from that
> > port? I've looked online and seen really ambiguous results like "RPC"
> > related events. Could it be a keylogger or something along those
> > lines?
>
> > Thanks,
> > J
>
> That 192.x.x.x looks to be a LAN IP on a router. Is the machine behind a
> router and what is the full 192.x.x.x as no one cares and is going to use
> a LAN IP against you?


The machine is on the same network as mine - I guess I was more
interested in finding out about the port that machine was blocked
using. For instance, could they have been scanning my machine or
trying to access something with a program that uses that port, and was
blocked by ZoneAlarm? The reason I ask is because I see tons of "1026"
or "1027" errors, which I know to be based on Windows messaging, and
that is normal ("false-positive" in most cases). But the range here
(49000-49600) seems to make me wonder what kind of program or
application is being used...

Re: ZoneAlarm - Port number?

on 25.04.2007 00:12:54 by MR. Arnold

"Jeremy" wrote in message
news:1177436099.980522.223300@t38g2000prd.googlegroups.com...
> On Apr 23, 4:32 pm, "Mr. Arnold" wrote:
>> "Jeremy" wrote in message
>>
>> news:1177369607.741432.327090@n59g2000hsh.googlegroups.com...
>>
>> > Hi all,
>> > I've noticed in ZoneAlarm several entries from a source IP in a
>> > port range I don't recognize. The range goes anywhere from
>> > 49000-49600. For example, one entry would look like such:
>> > 192.x.x.x:49435.
>>
>> > What program/application is it that is most likely scanning from that
>> > port? I've looked online and seen really ambiguous results like "RPC"
>> > related events. Could it be a keylogger or something along those
>> > lines?
>>
>> > Thanks,
>> > J
>>
>> That 192.x.x.x looks to be a LAN IP on a router. Is the machine behind a
>> router and what is the full 192.x.x.x as no one cares and is going to
>> use a LAN IP against you?
>
>
> The machine is on the same network as mine - I guess I was more
> interested in finding out about the port that machine was blocked
> using. For instance, could they have been scanning my machine or
> trying to access something with a program that uses that port, and was
> blocked by ZoneAlarm? The reason I ask is because I see tons of "1026"
> or "1027" errors, which I know to be based on Windows messaging, and
> that is normal ("false-positive" in most cases). But the range here
> (49000-49600) seems to make me wonder what kind of program or
> application is being used...
>

Why do you even care? ZA is doing its job as a personal FW/personal packet
filter, which is to block unsolicited inbound traffic to the machine, which
is everyday noise on an ISP's LAN or the WAN/Internet.

The only problem here is ZA seems to be doing some unnecessary whining about
it, which most PFW(s) do. It has got you paranoid.

Re: ZoneAlarm - Port number?

on 26.04.2007 18:09:47 by RedForeman

On Apr 23, 7:06 pm, Jeremy wrote:
> Hi all,
> I've noticed in ZoneAlarm several entries from a source IP in a
> port range I don't recognize. The range goes anywhere from
> 49000-49600. For example, one entry would look like such:
> 192.x.x.x:49435.
>
> What program/application is it that is most likely scanning from that
> port? I've looked online and seen really ambiguous results like "RPC"
> related events. Could it be a keylogger or something along those
> lines?
>
> Thanks,
> J

1. http://www.iana.org/assignments/port-numbers - Gives you a list
of ports that are being used and what programs 'typically' use them.
2. The IP of 192.x.x.x - is a private, internal only IP, that is not
reachable from outside your LAN

ZA is giving you popups about inside traffic, either your machines
have spyware, malware or trojans or a combination of things...

Good luck...

RedForeman

Re: ZoneAlarm - Port number?

on 26.04.2007 18:22:32 by MR. Arnold

"RedForeman" wrote in message
news:1177603787.111893.122330@n15g2000prd.googlegroups.com...
> On Apr 23, 7:06 pm, Jeremy wrote:
>> Hi all,
>> I've noticed in ZoneAlarm several entries from a source IP in a
>> port range I don't recognize. The range goes anywhere from
>> 49000-49600. For example, one entry would look like such:
>> 192.x.x.x:49435.
>>
>> What program/application is it that is most likely scanning from that
>> port? I've looked online and seen really ambiguous results like "RPC"
>> related events. Could it be a keylogger or something along those
>> lines?
>>
>> Thanks,
>> J
>
> 1. http://www.iana.org/assignments/port-numbers - Gives you a list
> of ports that are being used and what programs 'typically' use them.
> 2. The IP of 192.x.x.x - is a private, internal only IP, that is not
> reachable from outside your LAN
>
> ZA is giving you popups about inside traffic, either your machines
> have spyware, malware or trojans or a combination of things...
>
> Good luck...


The OP has indicated that the ISP has assigned that 192.x.x.x IP, which some
ISPs can do.

Therefore, the traffic is coming from other machines on the ISP network and
not any machines on the OP's LAN. The OP has no LAN of his own.

Re: ZoneAlarm - Port number?

on 27.04.2007 09:52:38 by Wolfgang Kueter

Mr. Arnold wrote:


> The OP has indicated that the ISP has assigned that 192.x.x.x IP, which
> some ISPs can do.
>
> Therefore, the traffic is coming from other machines on the ISP network
> and not any machines on the OP's LAN. The OP has no LAN of his own.

192.0.0.0/8 are public routable addresses except 192.168.0.0/16 which are
private addresses as defined in RFC 1918.

Please read: http://www.faqs.org/rfcs/rfc1918.html

Wolfgang
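
An added example, not part of any post in this thread: it classifies `addr:port` entries of the form quoted above (`192.x.x.x:49435`) by RFC 1918 membership and by IANA port range, and reports a masked address as undetermined when the visible octets cannot settle the question. The function names and all sample entries other than `192.x.x.x:49435` are constructed for illustration.

```python
import ipaddress

# The three private blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def address_class(addr):
    """'rfc1918', 'not-rfc1918' or 'undetermined' for a dotted quad whose
    octets may be masked with 'x', as in the thread's 192.x.x.x."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    # Lowest and highest address the (possibly masked) string could stand for.
    lo = ipaddress.ip_address(".".join("0" if o == "x" else o for o in octets))
    hi = ipaddress.ip_address(".".join("255" if o == "x" else o for o in octets))
    for net in RFC1918:
        first, last = net.network_address, net.broadcast_address
        if first <= lo and hi <= last:
            return "rfc1918"            # every candidate address is private
        if first <= hi and lo <= last:
            return "undetermined"       # candidate range overlaps a private block
    return "not-rfc1918"

def port_class(port):
    """IANA range a port number falls in."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"

def classify(entry):
    """Split an 'addr:port' log entry and classify both halves."""
    addr, _, port = entry.rpartition(":")
    return address_class(addr), port_class(int(port))

if __name__ == "__main__":
    # Constructed entries; only the first form appears in the thread.
    for e in ("192.x.x.x:49435", "192.168.1.20:49100",
              "192.0.2.7:1026", "10.x.x.x:80"):
        print(e, classify(e))
```
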

Re: ZoneAlarm - Port number?

on 27.04.2007 13:02:47 by MR. Arnold

"Wolfgang Kueter" wrote in message
news:f0sa46$6m3$1@news.shlink.de...
> Mr. Arnold wrote:
>
>
>> The OP has indicated that the ISP has assigned that 192.x.x.x IP, which
>> some ISPs can do.
>>
>> Therefore, the traffic is coming from other machines on the ISP network
>> and not any machines on the OP's LAN. The OP has no LAN of his own.
>
> 192.0.0.0/8 are public routable addresses except 192.168.0.0/16 which are
> private addresses as defined in RFC 1918.
>
> Please read: http://www.faqs.org/rfcs/rfc1918.html
>
>

I read it, thanks.