zone alarm firewall issues.
creedrocks
04-03-2004, 04:42 PM
Hey there, this post is actually the same post I posted at zonelabs forums but nobody responded as of yet, so I thought I would try here. This post is from a couple days ago but the problem is still going on, so anyone's suggestions or tips would help. Here it is. Well, it's not me, it's my mom. OK, here's the details. Today I noticed that she was getting hit a lot with intrusions and some being high rated on zone alarm. The reason why this was odd is because her and my computer are on a network, my computer being the one with the router and DSL modem. And also I have just zone alarm on my computer, not the pro version. Another reason why this was odd is because I haven't got hit for a long time. But she was getting hit constantly for a good week or so. Today it was up around 8,000 intrusions and a good 100 or so high. Then tonight I checked it and it was up to 11,000, so we decided to upgrade to zone alarm pro. And after I did this she was still getting hit, so I checked the log viewer of all the hits. And mostly all of the hits were aimed at the TCP protocol and it said flags:S next to TCP but I don't know what that means. There were a few hits aimed at UDP but not many. And where it says Destination DNS it said OFFICE for all of them, which once again I don't know what that means. And I looked at a lot of the IPs that were the source and basically just about all of them started with the number 4. I just checked her intrusions and they were up to 182 and 17 of them were high-rated. And in the firewall settings both levels are on high. We changed this after a while. And this has never happened to her computer or mine. So what's going on here? Basically all of the intrusions happen when nobody is even at the computer. And why am I not getting hit on my computer? Is there a setting or something I need to change on her zone alarm to stop from getting hit?
Oh, and she does have my IP from my computer as a trusted IP in the firewall zone sections so it's not my computer doing this. Any ideas or suggestions?
thanks, devin
catfishjoe_1
04-03-2004, 05:32 PM
If she is behind a router and still getting hit she needs to run adaware. www.lavasoft.de, look for the free version of adaware six. Download it, update it and run it.
Also a trip to www.trendmicro.com to run housecall would be a good idea too.
cat
ambiancelover
04-03-2004, 05:50 PM
I suggest Windows Update also and make sure all the criticals cover all open ports that are vulnerable.
amb
creedrocks
04-03-2004, 08:06 PM
OK, we both are behind the router. That's the weirdest part about this, that I'm not getting hit at all and she is like crazy. I ran trend micro's scan and it didn't find anything and she is up to date with Windows Update. Ran ad aware yesterday and all it found was a few bad cookies. My brother suggested it could be my computer so I unplugged the ethernet cable from my computer and went to check her computer and she was still getting hit. And as far as the ports go I set the internet zone security to high, so basically the computer is hidden. And I also did the GRC's firewall test and it showed all the ports being stealth. I'm gonna check my settings in my firewall and compare them to hers 'cause like I said I haven't been hit in a few months.
devin
catfishjoe_1
04-03-2004, 09:27 PM
Are any of the alerts for outgoing connect attempts? What kind of sites does she visit? Any freebie sites or the like? You have zonealarm, are you using visualzone? It is a log-viewer utility that interfaces with ZA. Get it here (http://visualize.phenominet.com/vz57setup.exe). Then sign up for dshield. It is attached to the visualzone program. It has a nice IP look-up. More info than the one in ZA. If you are worried about her PC having something on it you could have it re-learn what is OK to connect by going to program control and removing everything and starting over. Anytime something on her PC wants to connect it should have to ask.
cat
creedrocks
04-03-2004, 10:54 PM
OK, all of the attempts are incoming, and all she really does is check her e-mail and research stuff about interior design for college. Now as far as that visualzone, I downloaded it but should it be on my computer or both? And I went to sign up for dshield but nothing came up so I'll try later to sign up. And I guess we could try selecting everything in the program list and removing all of them.
devin
catfishjoe_1
04-03-2004, 11:22 PM
You will want it on both computers. I am surprised nothing came up, did you click on the icon in the vizone program? It usually pops up and asks you to sign up. It is free and is a nice service. The icon you want is a green square with a red center. It is at the top on the toolbar of the program, right side.
cat
creedrocks
04-03-2004, 11:49 PM
OK, I got it now. I will put it on my mom's computer next. And should I have this visualzone running all the time? And in my last post I said that all the attempts are incoming. Would it still be a good idea to remove all the programs from my mom's list in zonealarm?
devin
catfishjoe_1
04-04-2004, 12:08 AM
Remove programs - no - if you have them set to allow connection with no alert (green check mark) you could change them to a "?" so they have to ask. Some programs will/can masquerade as others and if you have them checked you will not know if they are trying to connect or not. With the help of visualzone you will be able to track down any unknown connections your PC tries to make. If you still have any worries or wonders about spyware (adaware doesn't always get it all) you could go and check out spy sweeper (http://www.webroot.com/wb/products/spysweeper/index.php). I have used it with success when adaware would not work. I also use spybot (http://safer-networking.org/index.php?page=spybotsd). I am wondering what the reason is behind her getting so many probes/scans. What ports and protocol are the scans?
cat
I only run it when I get hit a lot. I haven't used it for quite some time. :D
creedrocks
04-04-2004, 12:13 AM
I know for sure that just about 95% of all the attacks are geared towards the TCP protocol. Not sure about the ports. Do I just let that visualzone run in the background with zonealarm? I don't have to do anything in ZA, do I? And she has ad aware and spybot on her computer. Oh, and I tried to submit the report to dshield and it couldn't connect to the hotmail SMTP. I put in outgoing.hotmail.com as the outgoing mail (SMTP). Isn't that right? Or is it something else? I'll try that link tomorrow on her computer.
devin
catfishjoe_1
04-04-2004, 12:26 AM
Hmm, I don't think hotmail is SMTP as that is web-based, not sure, I don't use hotmail. I have mine going through a POP account which does use the smtp.myisp.xxx. For now set it to run in the background as it will help you to figure out where the attacks are coming from and has more info about port and protocol, a real good whois directory, etc. Once the activity settles down you won't need it open much. The port number is also important in trying to determine what is trying to get in. Diff apps use diff ports.
cat
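Added example (not part of the thread, and not a ZoneAlarm or VisualZone tool): a Python tally of blocked inbound log entries by protocol and destination port, with a count of TCP entries carrying only the SYN flag (`flags:S`, a new connection attempt) and a grouping of sources by first octet. The comma-separated log layout and every sample line are constructed for illustration; adjust the pattern to the firewall's actual log export.

```python
import re
from collections import Counter

# Constructed sample lines. The layout (direction, date, time, source ip:port,
# destination ip:port, protocol and flags) is an assumption for illustration;
# adapt LINE_RE to the real log export.
SAMPLE_LOG = """\
FWIN,2004/04/03,16:40:01,4.10.20.30:3312,192.168.0.3:135,TCP (flags:S)
FWIN,2004/04/03,16:40:07,4.44.5.6:4120,192.168.0.3:135,TCP (flags:S)
FWIN,2004/04/03,16:41:15,4.7.88.9:2201,192.168.0.3:445,TCP (flags:S)
FWIN,2004/04/03,16:42:30,203.0.113.5:1026,192.168.0.3:1434,UDP
FWOUT,2004/04/03,16:43:00,192.168.0.3:1055,198.51.100.7:80,TCP (flags:S)
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<dir>FWIN|FWOUT),[^,]+,[^,]+,"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+,"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+),"
    r"(?P<proto>TCP|UDP)(?: \(flags:(?P<flags>[A-Z]+)\))?\s*$"
)

def summarize(log_text):
    """Tally blocked inbound entries by (protocol, destination port), count
    SYN-only TCP connection attempts, and group sources by first octet."""
    ports, first_octets = Counter(), Counter()
    syn_only = skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1            # unparseable line: count it, don't guess
            continue
        if m["dir"] != "FWIN":      # only inbound attempts are tallied here
            continue
        ports[(m["proto"], int(m["dport"]))] += 1
        first_octets[m["src"].split(".")[0]] += 1
        if m["proto"] == "TCP" and m["flags"] == "S":
            syn_only += 1           # bare SYN: a new connection attempt
    return {"ports": ports, "first_octets": first_octets,
            "syn_only": syn_only, "skipped": skipped}

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for (proto, port), n in result["ports"].most_common():
        print(f"{proto}/{port}: {n} blocked inbound")
    print("source first octets:", dict(result["first_octets"]))
    print("SYN-only TCP attempts:", result["syn_only"])
```

A tally dominated by one or two destination ports points at the service being probed, which is the information the port number gives that the raw intrusion count does not.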
creedrocks
04-04-2004, 12:36 AM
Well, it looks like hotmail doesn't support SMTP, you were right. I'll just have to monitor it and see what ports they are trying to get into. That is so weird that she is getting attacked and I'm not getting touched. It seems like it would be a setting that's different in my zonealarm from her zonealarm. Well, thanks for your help man.
devin