Firewall Wizards mailing list archives

UDP Routed traffic on port 5500


From: "Don Harris" <Don.H () uwkern org>
Date: Sun, 4 Mar 2001 17:56:29 -0800

Aside from my external Firewall on my LAN I have installed ZoneAlarm Pro on
my personal internal client PC running Win98.  I have a small LAN running NT
Servers and several Windows clients, and a permanent internet connection.

I have started getting this message on my personal client PC with ZoneAlarm
Pro running:

The firewall has blocked routed traffic from a restricted address
(***.***.100.33) (UDP Port 5500) to a restricted address (***.***.100.17)
(UDP Port 5500).

The IPs above are consistent with my internal structure.  But...

No PCs are using those IPs ending with .33 or .17.

I have tracked down the one Client PC that I believe is causing the message
on my PC running ZoneAlarm.  Disconnecting that PC from the network stops
any messages and reconnecting it starts it back up.

I since reinstalled all software on that client PC thinking if it had some
undesirable software or Trojan Horse that it would solve the problem, but it
did not.

I then took that PC and connected it to a switch with no other PC connected
except for my personal PC running ZoneAlarm.  I did this test to confirm
that it was indeed that PC and sure enough, it did just what I expected, I
got the same message, and disconnecting it... no messages.

I also tried to track down the IPs ending with .17 or .33 on my network
just in case some software or hardware was set up and using those IPs. I had
no luck pinging or using other tools to track down, scan, traceroute,
telnet, those IPs ending with .17 or .33. I even scanned for port 5500.

Is this some fluke?... nothing makes sense to me!  Could a BIOS chip be
infected with something on that PC?  I used a BIOS flash with an upgrade,
but it did not change anything.

This is out of my realm.

Please Help... anyone...  any ideas?


Don



_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

