Thanks for the explanation Art. Charles From: dolphin213 <dolphin213@cox.net> Reply-To: GEN-COMP-TIPS-L@rootsweb.com To: GEN-COMP-TIPS-L@rootsweb.com Subject: Re: [Gen-Comp-Tips] Firewall Date: Fri, 13 Aug 2004 00:34:56 -0700 Charles, >I have recently installed Zone Alarm as my firewall. It is very efficient >at letting me know that it has blocked access to my computer. > >A typical message is as follows. > >The firewall has blocked Internet Access to your computer (TCP Port 445) >from 213.78.60.143 (TCP Port 4097)(TCP Flags:S) 1st of 9 alerts. > >It would appear that there is a need, apart from a mischevious one, for the >access. > >Where can I find out what program, if any, does the Source IP address >relate to? What does TCP Flags: S mean? The IP address relates to where the connection was coming from or going to. A program (such as IE or others) would connect to this address. I did lookup the IP address and it is in London, England. The TCP Flags: S means the following: S : SYN - Synchronize; indicates request to start session You didn't say if the port it was trying to access was in incoming or outgoing request for the connection. I did a search for the port 445 and below is what I found. TCP Port 445 Common Use Microsoft-DS Service is used for resource sharing on Windows 2000, XP, 2003, and other samba based connections. This is the port that is used to connect file shares for example. Inbound Traffic Inbound scans are typically systems which are trying to connect to file shares that might be available on your system and hence these should be blocked. While most of this traffic is the result of worms or viruses which can use open file shares to propagate, they also can be the result of malicious users attempt to connect to your computer. Once connected they can download, upload or even delete or edit files on the connected file share. If you use open file shares (including sharing of printers, etc) on your local network (LAN), then you should be using a firewall such that your local file shares are not accessible from the internet. Connecting to open file shares is likely the easiest and most common hack on the internet and yet one of the most effective for malicious activities like identity theft or installing RATs (Remote Access Trojans) to take control of systems remotely for example. Lately TCP Port 445 has become the target of LSASS exploiting worms like Sasser and Korgo. Outbound Traffic Outbound scans if occurring in volume should be considered an indication of a possible worm infection on the source computer and should be investigated. If there are systems to which you remotely connect to, then those systems should be marked as trusted IPs so that future authorized events will be logged as normal traffic. Hope this is of some help? Art ==== GEN-COMP-TIPS Mailing List ==== DO NOT open unexpected file attachments from people, even if you know them. Verify with the sender first. This may be your only line of defence, other than AV Software, against mail "viruses" ============================== Gain access to over two billion names including the new Immigration Collection with an Ancestry.com free trial. Click to learn more. http://www.ancestry.com/rd/redir.asp?targetid=4930&sourceid=1237 _________________________________________________________________ Want to block unwanted pop-ups? Download the free MSN Toolbar now! http://toolbar.msn.co.uk/