
Zone Alarm stats. Can I help you?

N/A


I'm looking through my alerts and logs on Zone Alarm.
Scrolling down the list, the following users (amongst others) are high rated attempts to gain entry to my computer which ZA blocked:

mattbarnes.plus.com
rsveg.plus.com
shiver.plus.com
csdnet.plus.com
nicklettin.plus.com
skhagram.plus.com

Are they plusnet employees?
Can I help you people?
Are you looking for something?
Why are you trying to get into my computer without asking?

I can provide screenshots of the ZA alert log.
18 REPLIES
N/A


I think people are generally just checking if you have a website.

username.plus.com when put into a browser will point to either a website or your router/computer.

For example:
http://www.username.plus.com/ is your website
http://username.plus.com/ is your computer/router

I wouldn't consider them attacks.

The funny thing is if you go down your list and check if the users themselves have a website, most do.

http://www.rsveg.plus.com/
http://www.shiver.plus.com/
http://www.csdnet.plus.com/

So I guess it is possible that they typed "username.plus.com" without the "www." and this caused the zonealarm alert.

If I hosted a website on my computer, generally by default it would use port ":80" and "username.plus.com" would point to it, whereas my Plusnet hosted website would be "www.username.plus.com". If you can recheck your log, maybe look and see if they were trying to gain access to port 80, this meaning they are looking to see if you have a website. Nothing malicious.
ady
Grafter
Posts: 289
Registered: 25-09-2007


Ahh nice, that was a question I hadn't got round to asking ;p
N/A


Do you know what port they were trying to connect to?
carrot63
Grafter
Posts: 599
Registered: 12-07-2007


I frequently make this mistake; I see a fellow PN user in my site logs and look out of curiosity to see if they have a site, but forget to add the www and so obviously hit their router.
N/A


I thought there could be an explanation, that's why I didn't start screaming.

shiver, mattbarnes, rsveg and csdnet is port 139
skhagram is port 135
nicklettin is port 445

What concerned me was the actual number of times they appear on my ZA list, maybe 20-30 except for skhagram who is just once. If they are "generally just checking if I have a website" then 20-30 times is a bit strange.
N/A


139/TCP,UDP NetBIOS NetBIOS Session Service
445/TCP Microsoft-DS (Active Directory, Windows shares, Sasser-worm, Agobot, Zobotworm)
445/UDP Microsoft-DS SMB file sharing

A quick google brought this up:
TCP Port 135
Common Use
Microsoft Remote Procedure Call (RPC) service.

Inbound Scan
Currently inbound scans are likely the Nachi or MSBlast worms.

Outbound Scan
Outbound scans if occurring in volume should be considered an indication of a possible worm infection on the source computer and should be investigated
N/A


If your internet is connected directly to your computer instead of via NAT, then it could just be Windows on similarly configured machines trying to look for shares to add to its collection in the My Network Places folder. Ports 139 & 445 are the common ports for this.

If you're worried about them, then purchase a router with NAT capability, then your PC will not be accessible from the internet (username.plus.com will point to the router instead).
Cat
Dabbler
Posts: 18
Registered: 30-07-2007


I also have the same on my Zone Alarm log,
showing up many times,
and all the same addresses as above. Most are port 139
but there are others: port 445, 135, 137, and more.
Mattbarnes and csdnet sure have been busy :shock:
Are you sure there is nothing to worry about?
N/A


I will also ask that...
Are you *sure* there is nothing to worry about?
If those PN ones were "generally just checking if I have a website" then why do they appear more than any on my list and why is their ZA rating "HIGH"?

PN can we have an assurance or investigation here please?
carrot63
Grafter
Posts: 599
Registered: 12-07-2007


The ones you are referring to, lostboyuk, are more likely than not worm infections or perhaps viruses scanning for other computers to infect. During the big spate of worm attacks in 2003 I was overseas and I saw massive numbers of probes to port 135 from those on the same network and ISP as me. It seemed as if the infected machines simply scanned IP numbers within a similar "local" range to themselves.

I think there is/was a known vulnerability with Windows and port 135 for which patches have been issued, but if infected machines aren't patched (and a lot of people don't bother doing it) they will keep scanning for more victims. So the PN users you mention are probably just sloppy with patching and may well be unaware of any infection.
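
The triage discussed in the replies above (a single port 80 hit as a mistyped website check versus repeated hits on 135/137/139/445 as worm-like scanning), as an added example that is not part of any original post: it tallies blocked inbound entries per source and destination port. The log line layout, the sample entries and the repeat threshold of 10 are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Ports discussed in the thread; 80 is the "checking for a website" case.
WINDOWS_PORTS = {135, 137, 139, 445}  # RPC, NetBIOS name/session, Microsoft-DS/SMB

# Assumed layout: FWIN,date,time,src_ip:src_port,dst_ip:dst_port,protocol
LINE_RE = re.compile(
    r"^FWIN,[\d/]+,[^,]+,(?P<src>[\d.]+):\d+,[\d.]+:(?P<dport>\d+),\w+"
)

# Constructed sample data (documentation IP ranges), not taken from any real log.
_FMT = "FWIN,2007/10/01,20:{:02d}:00 +1:00 GMT,{}:3301,203.0.113.5:{},TCP (flags:S)"
SAMPLE_LOG = "\n".join(
    [_FMT.format(i, "192.0.2.10", 139) for i in range(25)]  # 25 hits on port 139
    + [_FMT.format(30, "192.0.2.20", 135)]                  # one hit on port 135
    + [_FMT.format(31, "192.0.2.30", 80)]                   # one hit on port 80
    + ["FWOUT,not an inbound entry, ignored"]
)

def summarise(log_text):
    """Return {source_ip: Counter({dest_port: blocked_count})}."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip headers, outbound entries and malformed lines
            hits[m["src"]][int(m["dport"])] += 1
    return hits

def classify(ports, repeat_threshold=10):
    """Label one source from its per-port counts (threshold is an assumption)."""
    win = sum(n for p, n in ports.items() if p in WINDOWS_PORTS)
    if win >= repeat_threshold:
        return "repeated Windows-port probing (worm-like scanning)"
    if win:
        return "isolated Windows-port probe"
    if set(ports) == {80}:
        return "web check only"
    return "other"

if __name__ == "__main__":
    for src, ports in sorted(summarise(SAMPLE_LOG).items()):
        detail = ", ".join(f"port {p} x{n}" for p, n in sorted(ports.items()))
        print(f"{src}: {detail} -> {classify(ports)}")
```
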
N/A


Good explanation, that's possible. Thanks.
It is also possible these users are using illegal port scanners which is why I have now raised a ticket with the abuse team asking them to investigate.

Is it also a coincidence that today I have been disconnected 6 times, every time it has frozen my PC, when I press reset, I have to re-install my modem each time. I rarely get disconnections, I'm not on LLU.
I am also getting 'no socket error' when I try to send email. I can receive them but they won't send today.
Something is not right here PN.
Cat
Dabbler
Posts: 18
Registered: 30-07-2007


lostboyuk ..as well as the same zone alarm queries it's
funny you should mention constant disconnections.
I have an ongoing question to plusnet to sort out
why I am being disconnected 20 times a night
and each time takes 6 tries before I get
connected again, first it tells me no dial tone,
although there plainly is!
then my password is not recognised on the domain
and my PPP protocols are ungodly..or something like that :shock:
then it finally lets me back on.
I am not on LLU either and although I was maxed a
while ago (gone from 1.1Mbps to 2.2Mbps..big deal) :(
this problem had started weeks before that!
It doesn't freeze my PC though, and I never use
PN for emails so I can't comment on that.
Anyone else having any mysteries like this happening
to them I wonder
N/A


I get the full spectrum of error messages every time I try to connect. On average I click redial 6 times, EVERY time.

This is my third attempt to reply now, got disconnected yet again. This is unusual for me, rare disconnections happen. Also email still won't send. By the time I have connected to hotmail page I will have been disconnected again!

The service tonight is a bigger joke than usual.

Now, I have just got this pop-up box, never seen this before. Screenshot:

http://www.lostboyuk.plus.com/Secscr.jpg

Can you investigate the subject of this thread please PN?
N/A


Article from Dec 2005

Phishing schemes are all about deception, and recently some clever phishers have added a new layer of subterfuge called the secure phish. It uses the padlock icon indicating that your browser has established a secure connection to a Web site to lull you into a false sense of security. According to Internet security company SurfControl, phishers have begun to outfit their counterfeit sites with self-generated Secure Sockets Layer certificates. To distinguish an imposter from the genuine article, you should carefully scan the security certificate prompt for a reference to either "a self-issued certificate" or "an unknown certificate authority."

Original found here:-
http://www.schneier.com/blog/archives/2005/12/new_phishing_tr.html