At 12:11 AM 4/29/01 -0400, Jeff Dougherty wrote the following:

>I am still trying to figure the info Zonealarm sends me.
>Below is a site that tried to access my computer. Could someone tell me why
>this place is trying to access my computer?
>Massachusetts Institute of Technology (NET-MIT-TEMP)
[snip]

What port and protocol from this IP address? How many attempts?

Just because ZoneAlarm shows an alert means nothing at all. The combination
of the number of alerts, the port and protocol of the attempt means more. In
fact, the number of attempts is really the key factor.

An example: Earthlink has the block of IP addresses (netblock) 207.217.0.0 -
207.217.255.255. Any address of a virtual domain hosted by Earthlink or DSL
connection (like me) will be covered by this range of addresses. So if you
use a network tool like ping, dig, traceroute, nslookup, etc. or you use a
protocol like http, ftp, etc. then you could conceivably hit my IP address
and I would see the alert. Why? Because my DSL connection is within the
range of IP addresses (netblock). Also, every business or home site that
Earthlink hosts (called virtual domains, like my site expita.com) will
have an IP address that is in this same range.

Another example: Let's say I want to contact my geocities.com site via ftp
so I can upload a web page. I initiate ftp and open a connection to
ftp.geocites.com (NOTE: the misspelled site name). FTP will obligingly open
the connection. If this site was your virtual domain and you were running
ZoneAlarm then you would see an alert and wonder who the heck at Earthlink
was contacting you via ftp. It turns out that Earthlink is NOT contacting
you but somebody with a DSL connection provided by Earthlink (me) is
contacting you and it is by accident.

C:\WINDOWS> ftp
ftp> open ftp.geocites.com
Connected to geocites.com.
220 ProFTPD 1.2.0pre9 Server () [216.149.86.218]
User (geocites.com:(none)): anonymous
[snip]

C:\WINDOWS> ftp
ftp> open ftp.geocities.com
Connected to ftp.geocities.com.
220-Welcome to the Yahoo! GeoCities FTP server.
220-Need help? Get all details at:
220-http://help.yahoo.com/help/us/geo/gftp/
220-
220-No anonymous logins accepted.
220 Yahoo!
User (ftp.geocities.com:(none)):
[snip]

And another example: I wish to ping a site to see if it is up and working. I
want to ping club.com but I ping chub.com instead -- typical typo that many
users make.

C:\WINDOWS> ping chub.com

Pinging chub.com [207.155.252.14] with 32 bytes of data:

Reply from 207.155.252.14: bytes=32 time=39ms TTL=243
Reply from 207.155.252.14: bytes=32 time=33ms TTL=243
Reply from 207.155.252.14: bytes=32 time=34ms TTL=243
Reply from 207.155.252.14: bytes=32 time=31ms TTL=243

Ping statistics for 207.155.252.14:
     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
     Minimum = 31ms, Maximum =  39ms, Average =  34ms

C:\WINDOWS> ping club.com

Pinging club.com [209.208.200.120] with 32 bytes of data:

Reply from 209.208.200.120: bytes=32 time=89ms TTL=238
Reply from 209.208.200.120: bytes=32 time=90ms TTL=238
Reply from 209.208.200.120: bytes=32 time=91ms TTL=238
Reply from 209.208.200.120: bytes=32 time=89ms TTL=238

Ping statistics for 209.208.200.120:
     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
     Minimum = 89ms, Maximum =  91ms, Average =  89ms

Now if either or both of these sites are running ZoneAlarm, they might
wonder who the heck from Earthlink is pinging their site. In this case,
it is some person with a DSL connection to Earthlink generating pings to
make a point in reply to a posting on a mailing list.

So, any user at MIT for any reason under the sun might have generated the
alert that ZoneAlarm picked up and that you see.
--
Gerry Boyd -- [EMAIL PROTECTED]
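As an added illustration of the triage advice in the reply above (example code written here, not from the post or from ZoneAlarm): a small Python script that groups firewall-alert lines by source address, destination port and protocol, checks the source against the Earthlink netblock the post quotes, and rates each group by its attempt count. The alert line format, the 10-attempt threshold and the sample addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Netblock -> owner. Earthlink's range is the one the post gives (207.217.0.0 - 207.217.255.255).
KNOWN_NETBLOCKS = {
    "Earthlink (DSL users and virtual domains)": ipaddress.ip_network("207.217.0.0/16"),
}
# Assumed threshold (my choice, not from the post): a mistyped ftp host gives
# one alert and a mistyped ping gives four, so neither should reach it.
SUSPICIOUS_ATTEMPTS = 10

def parse_alert(line):
    """Parse a constructed line 'date time src_ip:port -> dst_ip:port proto'."""
    _date, _time, src, _arrow, dst, proto = line.split()
    src_ip, _src_port = src.rsplit(":", 1)
    _dst_ip, dst_port = dst.rsplit(":", 1)
    return {"src": src_ip, "dport": int(dst_port), "proto": proto}

def owner_of(ip):
    """Name the netblock owner for an address, or 'unknown' if not listed."""
    addr = ipaddress.ip_address(ip)
    for name, net in KNOWN_NETBLOCKS.items():
        if addr in net:
            return name
    return "unknown"

def triage(lines):
    """Group alerts by (source IP, destination port, protocol) and rate each
    group by its attempt count, the factor the post singles out."""
    counts = defaultdict(int)
    for line in lines:
        a = parse_alert(line)
        counts[(a["src"], a["dport"], a["proto"])] += 1
    report = {}
    for key, n in counts.items():
        verdict = ("repeated, look closer" if n >= SUSPICIOUS_ATTEMPTS
                   else "few attempts, likely accidental")
        report[key] = {"attempts": n, "owner": owner_of(key[0]), "verdict": verdict}
    return report

# Constructed sample alerts: one mistyped ftp connect and a 4-packet ping from an
# Earthlink address, then a dozen hits on TCP/139 from an address not in the table.
SAMPLE_ALERTS = (
    ["2001/04/29 00:11:02 207.217.5.9:1031 -> 192.168.1.5:21 TCP"]
    + [f"2001/04/29 00:14:1{i} 207.217.5.9:0 -> 192.168.1.5:0 ICMP" for i in range(4)]
    + [f"2001/04/29 01:03:{i:02d} 198.51.100.40:{4000 + i} -> 192.168.1.5:139 TCP"
       for i in range(12)]
)
```

Running `triage(SAMPLE_ALERTS)` puts the ftp and ping alerts in the "likely accidental" bucket with their owner named, while the repeated TCP/139 hits are the only group flagged for a closer look.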
============= PCWorks Mailing List =================