Constant "attacks" using the Gnutella port

Terry C.

New member
Every time I start my computer ZoneAlarm starts immediately to receive "attacks" from four
different IP-Addresses all using the Gnutella port 6346. I have installed LimeWire and Morpheus
but these aren't running when those "attacks" appear. Those attacks go on all the time when my
computer is running, appearing about 2 times in a minute. Any ideas what might be causing this?
 

I think you closed Limewire or Morpheus a short time ago... your IP is still in the hostcaches and so some other clients try to connect but your firewall blocks them, because your client isn
 
Morgwen: Good guess but I think that's not the issue here because I haven't been using any Gnutella applications in the past 5 days and I have a dynamic IP-Address.
 
You should be happy, you must live in an area where everyone uses Gnutella, all IPs of your ISP have been using Gnutella lately.
Or it's more like your "dynamic" IP isn't - you should write it down and see if it really changes.
Ignore the hits, change zonealarm's settings to ignore it, or get a real firewall that doesn't pester you to get you to BUY the "pro" version.
Why do you think it pesters you so much? People have been complaining about this program for months now.
 
Hi all, I've recently installed XoloX version 112 with the 115 update. I have been using a program called COMMVIEW to see what resources have been used where and when, when running client software. My findings are very disturbing. If you would like to see what I mean, then please take a look at the IP status readout 5 minutes after switching Xolox on, and 5 minutes after switching Xolox off. (Both pages were made when nothing was being downloaded by Xolox.)
You can find them here:
http://www.mjholdings.com/xolox.HTM (5 mins after on)
http://www.mjholdings.com/xolox turned off.HTM (5 mins after off)

We also performed these tests on Kazaa, and again, you can follow the link below to see the stats we got.
http://www.mjholdings.com/kazaa_5seconds_after_start.HTM

So what have I learned? Well firstly, no client software should have access to Port 137, which is used by netbios. And when I don't have any files in my shared folder, why are these people trying to connect to my computer through Xolox??
1ST IP ADDY = WARSZAWA
2ND IP ADDY = NORTH DAKOTA STATE UNIVERSITY
3RD IP ADDY = WARSZAWA
4TH IP ADDY = USA / MEXICO BORDER
5TH IP ADDY = SOMEWHERE NEAR DES MOINES USA
6TH IP ADDY = SOMEWHERE NEAR AYLESBURY VALE ENGLAND
7TH IP ADDY = SANTO DOMINGO
8TH IP ADDY = BALTIMORE USA
The above details are from the Xolox 5 minutes after off page, but still people are trying to connect to our PC. The IP addresses have been traced back to the people that are connecting to me here, and sending me data packets, also this is where they reside. Bouncy bouncy, hmmmmm. Thanks Xolox, but no thanks.
 
When you connect to the network your client passes your IP to other clients so they can connect to your client. When the other clients receive your IP they store it. When they need another connection they attempt to connect to one of the IPs they have stored. They have no way of knowing if you have shut off your client until they try to connect. That is why you see people connecting to your computer after you have shut down your client.

As for the connection on port 137, I am guessing that may just be an error with your monitoring software.


Corrected link from above: http://www.mjholdings.com/xolox turned off.HTM (5 mins after off)
 
Hi,
but my worry is the fact that I do not have any kind of files in my stored folder as I have not d/l'ed anything. And my network status is going like the clappers, my modem lights are going 10 to the dozen, as if I am downloading something at 150kbps. I really advise you do the same check with Commview software, I think you'll be rather surprised. As for the port 137, it isn't an error in my monitoring software at all, what a stab in the dark! I have had six other people try this on their systems with a range of different software, each and every one of them receiving some kind of a hit against port 137, and I forgot to mention that I have had several bounces from kiddy porn servers whilst this software was running, and NO, that is not normal at all. I shall be finding out from our ISP what exactly is going on with the porn bounces, and shall post as soon as I know myself. Keep ur eyes open people.
PS: thnx for the corrected link :-)
 
This is normal behavior for a client. It sends/receives MANY small packets. This is how the network keeps running. Since you say you are not sharing any files and are not downloading any files, they are just basic connection packets ( pings pongs ) and packets related to searches.



These are just queries. As long as you do not share and/or download any child porn, you should just ignore it. No files are actually transferred THROUGH clients. If someone wants to download a file they must go directly to the source.
 
Basic connection packets???? I have over 240mb of my monthly bandwidth used up by Xolox in less than 1 day of installing. Are you saying that several 10's of pings can add up to this many MB?? Basically no. That's impossible. I smell a cydoor scenario coming on....network highwaymen at their best, that's what I say.
 
If you doubt that the connections you are receiving are from queries then capture some of the packets with a packet sniffer and check them out. Many MB of data could be just queries. The reason why is that most Gnutella clients allow you to be a super or ultrapeer which means you handle queries and file indexes for slower connections to shield them from the query storm. The file indexes and queries can add up to a lot of data.

As for the Netbios stuff ... some clients use random ports so unless you get a lot of hits on those ports I'd guess it's just random. On the other hand there are a lot of modified clients out there that collect and scan IPs for known weaknesses like filesharing being enabled by default over netbios. Then they can take your machine for use in DoS attacks etc. Lots of modified clients return fake results to get you to download bad programs too.

Use a good firewall like Zonealarm or Tiny Personal Firewall.
Use a good script control tool.
Use a registry protection tool.
Use a spyware detection tool.
Use anti-virus protection.

Get a packet sniffer and look closer before you freak out. Could be good .... could be bad.

-Peace-
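One way to "look closer" at a capture, shown here as an added example that is not part of the original post: the sketch walks a reassembled Gnutella TCP stream and totals the bytes carried by each descriptor type, which shows whether the traffic is pings, pongs or queries. It assumes the classic Gnutella 0.4 descriptor framing (23-byte header), an uncompressed stream that starts after the connection handshake, and hypothetical names (`tally_descriptors`, `make_descriptor`); the sample stream is constructed.

```python
import struct
from collections import Counter

# Gnutella 0.4 descriptor header (23 bytes): 16-byte GUID, payload type,
# TTL, hops, payload length as little-endian uint32.
HEADER = struct.Struct("<16sBBBI")
TYPES = {0x00: "ping", 0x01: "pong", 0x40: "push", 0x80: "query", 0x81: "query_hit"}
MAX_PAYLOAD = 64 * 1024  # sanity bound (assumption): a bigger length means framing was lost


def tally_descriptors(stream: bytes):
    """Return ({type_name: total_bytes}, unparsed_trailing_bytes) for one TCP direction."""
    totals = Counter()
    offset = 0
    while offset + HEADER.size <= len(stream):
        _guid, ptype, _ttl, _hops, length = HEADER.unpack_from(stream, offset)
        if ptype not in TYPES or length > MAX_PAYLOAD:
            break  # not a descriptor we recognise: stop instead of guessing
        end = offset + HEADER.size + length
        if end > len(stream):
            break  # capture ended in the middle of a descriptor
        totals[TYPES[ptype]] += end - offset  # header plus payload
        offset = end
    return dict(totals), len(stream) - offset


def make_descriptor(ptype: int, payload: bytes = b"", ttl: int = 7, hops: int = 0) -> bytes:
    """Build one descriptor with an all-zero GUID (only used for the constructed sample)."""
    return HEADER.pack(bytes(16), ptype, ttl, hops, len(payload)) + payload


# Constructed sample: one ping, one pong (14-byte payload), two queries
# (2-byte minimum speed + NUL-terminated search string), then a cut-off header.
SAMPLE_STREAM = (
    make_descriptor(0x00)
    + make_descriptor(0x01, bytes(14))
    + make_descriptor(0x80, b"\x00\x00linux iso\x00") * 2
    + bytes(10)
)

if __name__ == "__main__":
    per_type, leftover = tally_descriptors(SAMPLE_STREAM)
    for name, size in sorted(per_type.items(), key=lambda kv: -kv[1]):
        print(f"{name:10s} {size:6d} bytes")
    print(f"unparsed   {leftover:6d} bytes")
```

A firewall-blocked inbound attempt never gets this far: it shows up only as a TCP SYN to port 6346 with no payload to parse.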
 
I have had problems with Morpheus that started two days ago. I have been using it for months with no problems now I get the message that the program has errors and then stops working.

Has something happened to Morpheus just recently?
 