Port 1025 is getting lotsa traffic

Thread starter: Fox

Hi,

Windows 2000 Server w/ZoneAlarm Pro
All of a sudden port 1025 is getting
a lot of traffic. I've done a lot of searching
and have not found anything of consequence
to lead me to know why this is happening.
I am concerned that my system was breached.
Port Detective says it's active, but cannot name
a program listening there. If I telnet I get a black
screen and no announcement. As a rule, the IPs
that hit that port do not end up accessing anything
else. I tried tracert on many of them and only
one so far was at all identifiable, no others will
resolve. I cannot shut the port down and I cannot
block out the IPs that are hitting it. This has never
been a problem with ZoneAlarm before, it always
seems to do what I ask it to do.

The port is identified as Back Jack ICQ as I am
sure many already have heard about. But I have
found no solutions and no reason for the constant
activity. Even when there is no one else on my WebServer
there are still 10 or 12 IPs accessing port 1025.
My CPU is running normal and my RAM is normal.
What are they doing?

I want to shut this down before my head explodes !!!!!

Can anyone give me any idea why this could be
happening?

Thanks,
Fox.
 
1) Zone Alarm is reporting traffic on Port 1025 or reporting access
attempts?

2) Don't open the port if you don't want access on it. (You
naturally have everything blocked except for what you need, correct?)

Jeff
 
ZoneAlarm is ineffective at blocking port 1025 access.
I am told this is because these dynamic ports were added
after the rest of the port structure was written and is different.
But for me this is just hearsay, I do not know anything!

I have only seen one or two times that 1025 showed up blocked
in ZoneAlarm and this was probably blocked by a different rule
since it was the exception.

Meanwhile what I did was reset my ports via the OS
to start at 1026. So far no problems with anything that
I run. Although it stopped media services from being able
to login to start up. I don't use this so it did not matter.
Note that at first I eliminated both 1025 and 1026.
This had a bad result in that it affected access to the
master browser and killed some network comps from
being able to see the network. With all the confusion,
I am not sure I remember correctly, but this might have
involved the RPC. I am sure someone who knows more
would know much better how to handle this. But this
was a starter and is working decently for me.

Regards,
Fox
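Jeff's first question (is the firewall reporting allowed traffic or blocked access attempts?) is the one to answer before touching the dynamic port range. The script below is an added example, not from the thread or from ZoneAlarm: it parses a small constructed firewall log (the line format is an assumption, not ZoneAlarm's real format), counts distinct remote sources per local port split by allow/block, and flags ports at or above 1025, where Windows 2000 starts handing out dynamic ports to RPC services.

```python
from collections import defaultdict
import re

# Constructed firewall log lines (not real ZoneAlarm output; the format is
# an assumption made for this example): action, protocol, source, destination.
SAMPLE_LOG = """\
2003-05-12 10:01:02 FWIN TCP 203.0.113.7:4412 -> 192.0.2.10:1025 BLOCK
2003-05-12 10:01:05 FWIN TCP 198.51.100.3:3391 -> 192.0.2.10:1025 ALLOW
2003-05-12 10:01:09 FWIN TCP 203.0.113.7:4413 -> 192.0.2.10:1025 ALLOW
2003-05-12 10:02:11 FWIN TCP 198.51.100.44:1030 -> 192.0.2.10:80 ALLOW
2003-05-12 10:02:40 FWIN TCP 203.0.113.99:2201 -> 192.0.2.10:1025 ALLOW
2003-05-12 10:03:01 FWIN UDP 198.51.100.3:137 -> 192.0.2.10:137 BLOCK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) FWIN (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>ALLOW|BLOCK)$"
)

# Windows 2000 allocates dynamic (ephemeral) ports starting at 1025,
# so 1025 is usually the first port an RPC service grabs at boot.
DYNAMIC_PORT_START = 1025

def summarize(log_text):
    """Return {port: {"allowed": set(src), "blocked": set(src), "dynamic": bool}}."""
    summary = defaultdict(lambda: {"allowed": set(), "blocked": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        port = int(m.group("dport"))
        bucket = "allowed" if m.group("action") == "ALLOW" else "blocked"
        summary[port][bucket].add(m.group("src"))
    for port, info in summary.items():
        info["dynamic"] = port >= DYNAMIC_PORT_START
    return dict(summary)

def report(log_text):
    """One human-readable line per local port, dynamic-range ports flagged."""
    lines = []
    for port, info in sorted(summarize(log_text).items()):
        flag = " [dynamic-range port: identify the listening service]" if info["dynamic"] else ""
        lines.append(f"port {port}: {len(info['allowed'])} source(s) allowed, "
                     f"{len(info['blocked'])} blocked{flag}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

A port that shows allowed connections from many distinct sources with no known listener is the case worth chasing down; blocked-only entries are just the firewall doing its job.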
 