I am running Zone Alarm on my PC and within the last hour I have received over 100 alerts that ZA has blocked someone trying to gain access to my computer through Telnet. I used NeoTrace and the stuff is coming from my own ISP!
What is Telnet? Should I be concerned? Here is the exact message:
The firewall has blocked Internet access to your computer (Telnet) from 206.191.193.7 (TCP Port 1619).
Telnet is a simple text-based protocol that allows for remote login and/or operation of a computer. Most telnet servers present a command-line interface, sort of like a DOS box, and usually provide some kind of terminal emulation. Telnet can also be used to manually drive other protocols such as POP, IMAP, and SMTP.
Your ISP (SpaceStar Communications) is probably just doing what’s called a “port scan”, basically checking certain ports on your machine to see if it can get in, sort of like a security guard testing doors in an office building. Each type of server has a standard port number – POP is 110, IMAP is 143, etc. If you’re running Windows, look for a file called services somewhere in the c:\windows or c:\winnt directory trees; that gives a list of standard ports for many different servers. Having said that, the file doesn’t contain 1619 – maybe someone else can tell you what server uses that port.
Also, many cable (and a few DSL) providers don’t allow their customers to run their own servers, and this scan may be trying to catch violators.
What do you mean it is coming from your own ISP? Does that mean it is coming from Joe Blow down the street using the same ISP as you, or does it mean that someone at the main office is doing this?
To find out, I’d guess you could compare the source to your own address to see if it is similar (and thus part of the dial-up/DSL group), then it would be Joe Blow. If it is some different address class, it could be the ISP.
Boscibo, I do not know 1% of what Geek knows (he is the geek, after all), but ZA will always give you warnings. There’s not much you can do about them. The best thing is to turn this feature off, i.e., ZA will do its job silently. You will do yours, without interruptions.
I do have the alerts turned off, but I clear them every so often and noticed instead of 8 or 9 there were 103 in the log. Since I’m not much of a geek, I didn’t even know what telnet is.
Just getting so many alerts in a short period of time piqued my curiosity. Whoever was bugging me seems to be leaving me alone now.
Probably a port scanner, like 3waygeek says. This would be supported by checking the messages to see if the port number is walking through a range, instead of always being 1619. I checked the IANA’s port number assignments to see if something common is on 1619, but it’s allocated to something called “xs-openstorage”, whatever that is.
It’s helpful to keep an eye on things like this. For example, if you see someone trying to open a connection to port 139, you can look that up in the IANA list (at http://www.isi.edu/in-notes/iana/assignments/port-numbers) and know that someone is trying to open a NETBIOS (Windows File Sharing) connection to your computer, which should raise an eyebrow.
If they keep doing it, I’d send a message to your ISP’s support staff and just say you’re curious and a little concerned that some machine is repeatedly trying to connect to yours. Provide the IP and port info and they should be able to check it out.
Out of curiosity, I poked at 206.191.193.7 a little, and it appears to be running apache and SSHD (a secure telnet-like service), so it’s most likely a unix machine. I didn’t do a portscan or anything, but I tried telnetting to 23, 22, and 80, and got success on 22 and 80.
If your ISP were deliberately fishing for servers you weren’t supposed to run, it would probably be on the expected ports for FTP, SMTP, HTTP and the like.
BTW, a note on NETBIOS and PCAnywhere pokes (139, 5632). You can worry a lot less about them if they come from your subnet, i.e. from an IP address like yours except for the last digit. They are likely inadvertent, and come from people trying to use features intended for LANs. In particular, PCAnywhere has a “network neighborhood” that pings the entire subnet on 5632 when the user opens it. I see a constant trickle of 5632’s from other tycho.net customers.
BTW, I’m running BlackIce, and they have a very good knowledge base, which you don’t have to own BlackIce to access. A lot of good material in there:
When I looked 206.191.193.7 up, it resolved specifically to “ipmeter.spacestar.net” rather than something in a block of addresses. ipmeter appears to be a metering and billing application for IP based networks used by service providers.
xs-openstorage appears to refer to an enterprise storage and operations management solution from a company called XuiS. It would make sense that an ISP would be using such a thing; it doesn’t make sense that it would try to find a server for it on your machine. Could be a hiccup because somebody misconfigured something. And it’s possible that something else uses that port number.
Best advice - if you’re curious ask your ISP support.
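To do by hand what the replies above suggest (check whether a source's port numbers walk through a range or keep hitting one port, name the port from a services table, and see whether the source sits in your own subnet), here is an added Python example; it is not code from this thread, and the alert lines, addresses and port-name table are constructed for illustration.

```python
import re
import socket
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed ZoneAlarm-style alert lines (sample data, not real log output): one source
# walks several ports, one hits a single port repeatedly, one neighbour on the same /24 pokes NetBIOS.
SAMPLE_ALERTS = """\
The firewall has blocked Internet access to your computer (NetBIOS) from 192.0.2.45 (TCP Port 139).
The firewall has blocked Internet access to your computer (Telnet) from 203.0.113.9 (TCP Port 21).
The firewall has blocked Internet access to your computer (Telnet) from 203.0.113.9 (TCP Port 23).
The firewall has blocked Internet access to your computer (Telnet) from 203.0.113.9 (TCP Port 80).
The firewall has blocked Internet access to your computer (Telnet) from 198.51.100.4 (TCP Port 1619).
The firewall has blocked Internet access to your computer (Telnet) from 198.51.100.4 (TCP Port 1619).
"""
ALERT_RE = re.compile(r"from (\d+\.\d+\.\d+\.\d+) \((TCP|UDP) Port (\d+)\)")
# Port names the thread mentions; anything else is looked up in the OS services file.
KNOWN_PORTS = {22: "ssh", 23: "telnet", 80: "http", 110: "pop3", 139: "netbios-ssn",
               143: "imap", 1619: "xs-openstorage", 5632: "pcanywhere-stat"}

def parse_alerts(text):
    """Extract (source_ip, protocol, port) from each alert line; non-matching lines are skipped."""
    matches = [ALERT_RE.search(line) for line in text.splitlines()]
    return [(m.group(1), m.group(2).lower(), int(m.group(3))) for m in matches if m]

def service_name(port, proto="tcp"):
    """Name a port from the table above, else the local services file, else mark it unknown."""
    if port in KNOWN_PORTS:
        return KNOWN_PORTS[port]
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return "unknown"

def summarize(alerts, my_ip):
    """Per source: hit count, distinct ports, scan-vs-repeat pattern, and whether it shares your /24."""
    by_src = defaultdict(list)
    for src, _proto, port in alerts:
        by_src[src].append(port)
    my_net = ip_network(f"{my_ip}/24", strict=False)
    report = {}
    for src, ports in by_src.items():
        distinct = sorted(set(ports))
        pattern = ("port walk (scan-like)" if len(distinct) > 1
                   else "repeated hits on one port" if len(ports) > 1 else "single hit")
        report[src] = {"hits": len(ports), "ports": distinct, "pattern": pattern,
                       "services": [service_name(p) for p in distinct],
                       "same_subnet": ip_address(src) in my_net}
    return report
```

Feed it your own exported alert log and your own address; a source flagged as a port walk from outside your subnet is the one worth mentioning to your ISP's support staff.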