constant firewall blocks from same ip range


3 replies to this topic

#1 jjimbo

Posted 08 April 2008 - 04:41 AM

Please, please can someone help me with this problem.
I've had lots of advice but none of it rectifies the problem.
My ZoneAlarm firewall blocks access attempts from IPs always beginning 24.64....
and these happen about 3 per minute every 5 minutes. They are from a company called Shaw Communications in Canada. On the ZoneAlarm forum they posted a statement to another user saying it wasn't them who was causing the alerts but some other party.
I've been told to block the IP range, which I did, but the attempts persist. Also, can someone tell me: is it my PC specifically that is targeted, or am I being paranoid?
I'm not computer savvy so I need advice in layman's terms please.
One advisor actually said I just need to put up with it!!! But surely this is like saying "someone's trying to break down my front door whilst I'm inside but it's okay, I've got good locks!" It's not very reassuring. I've listed some of the attempts below. I hope I've posted them correctly. Any advice is much appreciated. Thank you


ZoneAlarm Logging Client v7.0.470.000
Windows XP-5.1.2600-Service Pack 2-SP
type,date,time,source,destination,transport (Security)
type,date,time,virus name,file name,mode,e-mail id (Anti-Virus)
type,date,time,source,destination,action,service (IM Security)
type,date,time,source,destination,program,action (Malicious Code Protection)
type,date,time,action,product,file,event,subevent,class,data,data,... (OSFirewall)
type,date,time,name,type,mode (Anti-Spyware)
FWOUT,2008/04/07,14:10:46 +1:00 GMT,86.11.168.147:1026,194.168.4.100:53,UDP
AV/update,2008/04/07,14:11:18 +1:00 GMT,,Update Install Completed,Auto
FWIN,2008/04/07,14:13:54 +1:00 GMT,24.64.248.88:21892,86.11.168.147:1027,UDP
FWIN,2008/04/07,14:13:54 +1:00 GMT,24.64.248.88:21892,86.11.168.147:1028,UDP
FWIN,2008/04/07,14:14:06 +1:00 GMT,24.64.32.143:14513,86.11.168.147:1028,UDP
FWIN,2008/04/07,14:14:06 +1:00 GMT,24.64.32.143:14513,86.11.168.147:1027,UDP
FWIN,2008/04/07,14:20:12 +1:00 GMT,24.64.66.17:28959,86.11.168.147:1027,UDP
FWIN,2008/04/07,14:20:12 +1:00 GMT,24.64.66.17:28959,86.11.168.147:1028,UDP
FWOUT,2008/04/07,14:28:48 +1:00 GMT,86.11.168.147:1108,194.168.4.100:53,UDP
FWIN,2008/04/07,14:33:46 +1:00 GMT,24.64.238.55:16426,86.11.168.147:1027,UDP
FWIN,2008/04/07,14:33:46 +1:00 GMT,24.64.238.55:16426,86.11.168.147:1028,UDP
FWIN,2008/04/07,14:34:22 +1:00 GMT,24.64.102.191:9749,86.11.168.147:1028,UDP
FWIN,2008/04/07,14:34:22 +1:00 GMT,24.64.102.191:9749,86.11.168.147:1027,UDP
FWIN,2008/04/07,14:35:20 +1:00 GMT,201.12.180.184:64481,86.11.168.147:5901,TCP (flags:S)
FWIN,2008/04/07,14:35:52 +1:00 GMT,24.64.121.166:33470,86.11.168.147:1028,UDP
FWIN,2008/04/07,14:35:52 +1:00 GMT,24.64.121.166:33470,86.11.168.147:1027,UDP
FWIN,2008/04/07,14:36:54 +1:00 GMT,221.208.208.99:47879,86.11.168.147:1027,UDP
FWIN,2008/04/07,14:45:36 +1:00 GMT,24.64.95.242:3577,86.11.168.147:1027,UDP
FWIN,2008/04/07,14:45:36 +1:00 GMT,24.64.95.242:3577,86.11.168.147:1028,UDP
FWIN,2008/04/07,14:45:56 +1:00 GMT,77.222.236.114:4445,86.11.168.147:5901,TCP (flags:S)
FWIN,2008/04/07,14:46:42 +1:00 GMT,24.64.22.147:9678,86.11.168.147:1027,UDP
FWIN,2008/04/07,14:46:42 +1:00 GMT,24.64.22.147:9678,86.11.168.147:1028,UDP
FWIN,2008/04/07,15:03:12 +1:00 GMT,24.64.205.240:27906,86.11.168.147:1027,UDP
FWIN,2008/04/07,15:03:12 +1:00 GMT,24.64.205.240:27906,86.11.168.147:1028,UDP
FWIN,2008/04/07,15:04:08 +1:00 GMT,78.131.80.159:3511,86.11.168.147:5901,TCP (flags:S)
FWIN,2008/04/07,15:10:18 +1:00 GMT,24.64.120.160:33932,86.11.168.147:1027,UDP
FWIN,2008/04/07,15:10:18 +1:00 GMT,24.64.120.160:33932,86.11.168.147:1028,UDP
FWIN,2008/04/07,15:12:42 +1:00 GMT,24.64.193.251:26440,86.11.168.147:1027,UDP
FWIN,2008/04/07,15:12:42 +1:00 GMT,24.64.193.251:26440,86.11.168.147:1028,UDP
FWIN,2008/04/07,15:23:24 +1:00 GMT,24.64.169.112:20710,86.11.168.147:1028,UDP
FWIN,2008/04/07,15:23:24 +1:00 GMT,24.64.169.112:20710,86.11.168.147:1027,UDP
FWIN,2008/04/07,15:25:20 +1:00 GMT,24.64.96.74:17057,86.11.168.147:1027,UDP
FWIN,2008/04/07,15:25:20 +1:00 GMT,24.64.96.74:17057,86.11.168.147:1028,UDP
FWIN,2008/04/07,15:27:20 +1:00 GMT,24.222.68.39:4553,86.11.168.147:5901,TCP (flags:S)
FWIN,2008/04/07,15:40:10 +1:00 GMT,24.64.44.12:34962,86.11.168.147:1028,UDP
FWIN,2008/04/07,15:40:10 +1:00 GMT,24.64.44.12:34962,86.11.168.147:1027,UDP
FWIN,2008/04/07,15:53:34 +1:00 GMT,24.64.17.51:26125,86.11.168.147:1027,UDP
FWIN,2008/04/07,15:53:34 +1:00 GMT,24.64.17.51:26125,86.11.168.147:1028,UDP
OSFW,2008/04/07,15:58:50 +1:00 GMT,UNKNOWN(0),Revo Uninstaller,C:\Program Files\VS Revo Group\Revo Uninstaller\revouninstaller.exe,PROCESS,SPAWNPROCESS,SRC,C:\WINDOWS\system32\cmd.exe,eeb024f2-c81f0d55-936fb825-d21a91d6,21a91d6,9aab67-f160988a
FWIN,2008/04/07,16:01:48 +1:00 GMT,24.64.144.224:16110,86.11.168.147:1027,UDP
FWIN,2008/04/07,16:01:48 +1:00 GMT,24.64.144.224:16110,86.11.168.147:1028,UDP
FWIN,2008/04/07,16:01:48 +1:00 GMT,24.64.144.224:16110,86.11.168.147:1026,UDP
FWIN,2008/04/07,16:05:20 +1:00 GMT,24.64.210.228:19703,86.11.168.147:1028,UDP
FWIN,2008/04/07,16:05:20 +1:00 GMT,24.64.210.228:19703,86.11.168.147:1027,UDP
FWIN,2008/04/07,16:10:28 +1:00 GMT,24.64.126.83:34724,86.11.168.147:1027,UDP
FWIN,2008/04/07,16:10:28 +1:00 GMT,24.64.126.83:34724,86.11.168.147:1028,UDP
FWIN,2008/04/07,16:14:44 +1:00 GMT,24.64.222.206:19461,86.11.168.147:1027,UDP
FWIN,2008/04/07,16:14:44 +1:00 GMT,24.64.222.206:19461,86.11.168.147:1028,UDP
FWIN,2008/04/07,16:15:24 +1:00 GMT,24.64.156.240:25305,86.11.168.147:1027,UDP
FWIN,2008/04/07,16:15:24 +1:00 GMT,24.64.156.240:25305,86.11.168.147:1028,UDP
FWIN,2008/04/07,16:16:34 +1:00 GMT,24.64.72.201:34518,86.11.168.147:1028,UDP
FWIN,2008/04/07,16:16:34 +1:00 GMT,24.64.72.201:34518,86.11.168.147:1027,UDP
FWIN,2008/04/07,16:18:02 +1:00 GMT,24.64.38.133:26283,86.11.168.147:1028,UDP
FWIN,2008/04/07,16:18:02 +1:00 GMT,24.64.38.133:26283,86.11.168.147:1027,UDP
FWIN,2008/04/07,16:21:34 +1:00 GMT,24.64.62.243:12073,86.11.16

----------------------------------------------

Below is the reply Shaw Communications gave to the above-mentioned user on the ZoneAlarm forum. It's over my head, so can someone tell me what's going on and, more importantly, how to get these attempts to stop?

I emailed Shaw abuse concerning the multiple alerts originating from internet addresses connected to their company, and received the reply below. Hopefully it will help others. Supposedly the attacks are not "intentional", but I'm unsure why Shaw is unable to stop this advertiser's activity. I'm also unsure why probing of their customers would result in alerts on our end. Oh well...

From Shaw Internet Abuse Department:

__________________________
"Hello,

Thank you for your report of abuse but in this case there are some details you should be aware of.

The “attacks” you are seeing on your system are not attacks per se. We have seen dozens of similar reports over the past few months with exactly the same symptoms.

Most of the IP addresses reported to us are not currently in use nor have they even been assigned to any device in the past 90+ days. You are likely also seeing probes from many other random IPs within the 24.64.X.X range. All of these probes will be UDP. All of the probes will be directed at ports 1026, 1027 & 1028 on your computer. All of them are spoofing their origin.

This traffic is NOT originating from Shaw's network.

What is actually happening is that there is an unscrupulous advertiser which is spoofing Shaw IP addresses in the 24.64.0.0/16 range and is trying to send messenger pop-ups to computers in order to dupe people into buying a product. It has been quite a thorn in our side because it is falsely indicating Shaw customers are at fault for the traffic.

Your security software is smart enough to deflect these probes but not smart enough to know what is really going on. Each probe it sees is interpreted as an attack on your system and you are notified accordingly. Understandably, this can be quite alarming but, in this case, is actually nothing to be concerned with. In the future, any UDP probes you see from 24.64.X.X IPs on ports 1026, 1027 & 1028 can be ignored. Please do keep us apprised of ANY other attacks you may see from Shaw IP addresses.

If you have any further questions or comments please do not hesitate to contact us.

Regards,

Acceptable Use Policy Management Team
Shaw High-Speed Internet Service
Shaw Cablesystems G.P.
2400 - 32nd Avenue N.E.
Calgary , Alberta , T2E 9A7
Telephone: (403)750-7420
Facsimile: (403)539-6831
____________________________
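The pattern Shaw describes can be checked against a log in the layout posted above. The following is an added example, not part of the original posts: it sorts blocked inbound rows by destination port and transport rather than by source address, since the reply states the sources are spoofed. The function names and the sample rows are constructed for illustration; only the 24.64.0.0/16 range and ports 1026-1028 come from the reply.

```python
import ipaddress
from collections import Counter

SHAW_RANGE = ipaddress.ip_network("24.64.0.0/16")  # range named in Shaw's reply
MESSENGER_PORTS = {1026, 1027, 1028}               # ports named in Shaw's reply

# Constructed sample rows in the log layout shown in the post (not real traffic).
SAMPLE_LOG = """\
FWOUT,2008/04/07,14:10:46 +1:00 GMT,192.0.2.10:1026,198.51.100.53:53,UDP
AV/update,2008/04/07,14:11:18 +1:00 GMT,,Update Install Completed,Auto
FWIN,2008/04/07,14:13:54 +1:00 GMT,24.64.10.20:21892,192.0.2.10:1027,UDP
FWIN,2008/04/07,14:13:54 +1:00 GMT,24.64.10.20:21892,192.0.2.10:1028,UDP
FWIN,2008/04/07,14:20:12 +1:00 GMT,24.64.200.7:28959,192.0.2.10:1026,UDP
FWIN,2008/04/07,14:35:20 +1:00 GMT,203.0.113.9:64481,192.0.2.10:5901,TCP (flags:S)
FWIN,2008/04/07,14:36:54 +1:00 GMT,198.51.100.77:47879,192.0.2.10:1027,UDP
FWIN,2008/04/07,16:21:34 +1:00 GMT,24.64.30.40:12073,192.0.2
"""

def parse_fwin(line):
    """Return (src_ip, dst_port, transport) for a complete FWIN row, else None."""
    fields = line.strip().split(",")
    if len(fields) != 6 or fields[0] != "FWIN":
        return None  # other log types, and rows cut off mid-line
    try:
        src_ip = ipaddress.ip_address(fields[3].rsplit(":", 1)[0])
        dst_port = int(fields[4].rsplit(":", 1)[1])
    except (ValueError, IndexError):
        return None
    return src_ip, dst_port, fields[5].split()[0]

def classify(log_text):
    """Count blocked inbound packets per category."""
    counts = Counter()
    for line in log_text.splitlines():
        row = parse_fwin(line)
        if row is None:
            continue
        src_ip, dst_port, transport = row
        if transport == "UDP" and dst_port in MESSENGER_PORTS:
            # Sources are spoofed, so match on port; the range is only a label.
            label = "shaw-range" if src_ip in SHAW_RANGE else "other-source"
            counts["messenger-spam/" + label] += 1
        else:
            counts[f"other/{transport}/{dst_port}"] += 1
    return counts

if __name__ == "__main__":
    for category, n in sorted(classify(SAMPLE_LOG).items()):
        print(f"{n:3d}  {category}")
```

Rows that land in an `other/...` bucket, such as the TCP SYN to port 5901, do not match the pattern in Shaw's reply and are worth reading separately.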

#2 cnm

Posted 08 April 2008 - 10:21 AM

You don't really have a problem, as your firewall has prevented the probes from gaining access. We all get many of those attempts every day, from various apparent IP addresses.

It is probably a nuisance to be constantly alerted. It's a long time since I used Zone Alarm, but as I remember you can configure it not to pop up with info about successful blocks.

You can get a test for open ports here: http://www.pcflank.com/test.htm
But don't be too alarmed by the results. Just ask any further questions here.
Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)

#3 jjimbo

Posted 08 April 2008 - 12:35 PM

Thanks for the reply. I have to say I do feel reassured, and I did a port scan and all ports are closed.
One last thing if I may. Will I always have these alerts or could they just stop all of a sudden? And what if my firewall was off by mistake: could these attempts, if successful, infect my PC?
Once again thank you for your time and assistance.

#4 cnm

Posted 08 April 2008 - 01:07 PM

They might temporarily stop, but such scans of the internet are an ongoing thing. Most are probably harmless, just looking to see who's out there. However there is a very real possibility of infection via ill-intentioned scans if your firewall is not running. The UDP scan itself probably couldn't do anything bad, but it might detect vulnerabilities in your software that could then be exploited to obtain your passwords or to load malware onto your PC.