Zone Alarm

Kurt Hudson plug-discuss@lists.plug.phoenix.az.us
Fri, 12 Apr 2002 14:34:32 -0700


This log shows that your local system has been configured for an APIPA
range address 169.254.x.x and it is trying to communicate with
192.168.200.x over port 139, which is the Microsoft end-point mapper.
Read this CERT article: http://www.kb.cert.org/vuls/id/32650

ZoneAlarm Log text:
type,date,time,source,destination,transport
FWIN,2002/04/11,10:12:00 -7:00 GMT,169.254.101.152:4335,192.168.200.xxx:139,TCP (flags:S)
FWIN,2002/04/11,10:13:55 -7:00 GMT,169.254.101.152:4615,192.168.200.xxx:139,TCP (flags:S)
FWIN,2002/04/11,10:13:55 -7:00 GMT,169.254.101.152:4618,192.168.200.xxx:139,TCP (flags:S)
FWIN,2002/04/11,10:13:55 -7:00 GMT,169.254.101.152:4621,192.168.200.xxx:139,TCP (flags:S)
FWIN,2002/04/11,12:59:47 -7:00 GMT,169.254.101.152:4995,192.168.200.xxx:139,TCP (flags:S)
FWIN,2002/04/11,12:59:47 -7:00 GMT,169.254.101.152:4998,192.168.200.xxx:139,TCP (flags:S)
FWIN,2002/04/11,16:28:38 -7:00 GMT,169.254.101.152:3626,192.168.200.xxx:139,TCP (flags:S)
FWIN,2002/04/11,16:28:38 -7:00 GMT,169.254.101.152:3632,192.168.200.xxx:139,TCP (flags:S)

As for tools that you can use to monitor such activities, visit:

http://www.sysinternals.com for TCPView for your Windows boxes

Look here for security tools

http://www.cert.org/tech_tips/security_tools.html
http://216.60.197.200/Help/Sections/Security.htm
http://ciac.llnl.gov/ciac/ToolsUnixNetSec.html
http://razor.bindview.com/tools/index.shtml

For a list of Security information that I have been able to compile,
visit http://www.hudlogic.com/tips.html (security)

I haven't heard of Zone Alarm, so I obviously could use some more links
on that Security tips location. If you have suggestions, please send
them.

Kurt Hudson
kurt@hudlogic.com
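
The following Python is an added example, not part of the original message: it rejoins mail-wrapped ZoneAlarm records of the kind quoted above, parses the six columns named in the header line, and counts bare-SYN FWIN entries whose source lies in 169.254.0.0/16. The sample input is constructed from the post's format (the third record is invented for contrast), and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed sample in the wrapped form the message shows ("xxx" is the post's masking).
SAMPLE = """\
type,date,time,source,destination,transport
FWIN,2002/04/11,10:12:00 -7:00
GMT,169.254.101.152:4335,192.168.200.xxx:139,TCP (flags:S)
FWIN,2002/04/11,10:13:55 -7:00
GMT,169.254.101.152:4615,192.168.200.xxx:139,TCP (flags:S)
FWIN,2002/04/11,12:59:47 -7:00
GMT,10.0.0.5:4995,192.168.200.xxx:445,TCP (flags:SA)
"""
APIPA = ipaddress.ip_network("169.254.0.0/16")  # link-local autoconfiguration range

def unwrap(text):
    """Rejoin records that a mail client wrapped after the UTC offset."""
    lines = [l.strip() for l in text.splitlines()]
    records = []
    for line in (l for l in lines if l and not l.startswith("type,")):
        if line.startswith("GMT,") and records:
            records[-1] += " " + line  # continuation of the previous record
        else:
            records.append(line)
    return records

def parse(record):
    """Split one record into the six columns named in the header line."""
    kind, date, time, src, dst, transport = record.split(",", 5)
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    proto, _, flags = transport.partition(" (flags:")
    return {"type": kind, "date": date, "time": time, "proto": proto,
            "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
            "flags": flags.rstrip(")")}

def is_apipa(addr):
    try:
        return ipaddress.ip_address(addr) in APIPA
    except ValueError:  # masked or malformed address, e.g. "192.168.200.xxx"
        return False

def apipa_syn_summary(text):
    """Count FWIN entries with a bare SYN from an APIPA source, per (src, dst port)."""
    hits = Counter()
    for rec in map(parse, unwrap(text)):
        if rec["type"] == "FWIN" and rec["flags"] == "S" and is_apipa(rec["src_ip"]):
            hits[(rec["src_ip"], rec["dst_port"])] += 1
    return hits
```

Calling `apipa_syn_summary(SAMPLE)` returns a counter keyed by (source address, destination port), so repeated connection attempts from one self-assigned address stand out at a glance.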