CastleCops, Internet Crime Fighters
Firewall constantly blocking shaw communications
jjimbo
Trooper
Joined: Feb 23, 2008
Posts: 18
Location: Uk

Posted: Mon Mar 10, 2008 9:39 pm    Post subject: Firewall constantly blocking shaw communications

My firewall blocks hundreds of hacking attempts every day, all from the same IP range beginning 24.64.***, listed as Shaw Communications in Canada.
Okay, my zass is doing its job, but that's a bit like saying someone's trying to kick my door down whilst I'm at home but it's okay because I've got good locks! Something's not right.
This company posted a reply to someone on ZA forums saying it wasn't them but someone using their IP (I'm a novice so I ain't got a clue).

If someone can tell me how to copy/paste or capture the logs I shall post them for you to look at.

The net range listed in Smart Defense Advisor is
24.64.0.0 - 24.71.255.255

I've put this range in my blocked zone in Firewall > Zones on the advice of ZA's own forum, but the attempts persist.

Just to make clear, I need assistance on how these attempts can be made to go away and stop altogether, not just blocking advice (sorry about the jargon but I ain't computer literate).


_________________
***Regret not what you have done,
but what you havent!***
jjimbo
Trooper
Joined: Feb 23, 2008
Posts: 18
Location: Uk

Posted: Mon Mar 10, 2008 9:45 pm    Post subject:

Below is the comment from another concerned user and the response she got from Shaw Communications.








I emailed Shaw abuse concerning the multiple alerts originating from internet addresses connected to their company, and received the reply below. Hopefully it will help others. Supposedly the attacks are not "intentional", but I'm unsure why Shaw is unable to stop this advertiser's activity. I'm also unsure why probing of their customers would result in alerts on our end. Oh well...

From Shaw Internet Abuse Department:

__________________________
"Hello,

Thank you for your report of abuse but in this case there are some details you should be aware of.

The “attacks” you are seeing on your system are not attacks per se. We have seen dozens of similar reports over the past few months with exactly the same symptoms.

Most of the IP addresses reported to us are not currently in use nor have they even been assigned to any device in the past 90+ days. You are likely also seeing probes from many other random IPs within the 24.64.X.X range. All of these probes will be UDP. All of the probes will be directed at ports 1026, 1027 & 1028 on your computer. All of them are spoofing their origin.

This traffic is NOT originating from Shaw's network.

What is actually happening is that there is an unscrupulous advertiser which is spoofing Shaw IP addresses in the 24.64.0.0/16 range and is trying to send messenger pop-ups to computers in order to dupe people into buying a product. It has been quite a thorn in our side because it is falsely indicating Shaw customers are at fault for the traffic.

Your security software is smart enough to deflect these probes but not smart enough to know what is really going on. Each probe it sees is interpreted as an attack on your system and you are notified accordingly. Understandably, this can be quite alarming but, in this case, is actually nothing to be concerned with. In the future, any UDP probes you see from 24.64.X.X IPs on ports 1026, 1027 & 1028 can be ignored. Please do keep us apprised of ANY other attacks you may see from Shaw IP addresses.

If you have any further questions or comments please do not hesitate to contact us.

Regards,

Acceptable Use Policy Management Team
Shaw High-Speed Internet Service
Shaw Cablesystems G.P.
2400 - 32nd Avenue N.E.
Calgary , Alberta , T2E 9A7
Telephone: (403)750-7420
Facsimile: (403)539-6831
____________________________


jjimbo
Trooper
Joined: Feb 23, 2008
Posts: 18
Location: Uk

Posted: Mon Mar 10, 2008 10:58 pm    Post subject:

Me again.
I think I found some of the alerts I mentioned. I found them in Windows > Internet Logs > zalog.txt. Hope it helps.

ZoneAlarm Logging Client v7.0.462.000
Windows XP-5.1.2600-Service Pack 2-SP
type,date,time,source,destination,transport (Security)
type,date,time,virus name,file name,mode,e-mail id (Anti-Virus)
type,date,time,source,destination,action,service (IM Security)
type,date,time,source,destination,program,action (Malicious Code Protection)
type,date,time,action,product,file,event,subevent,class,data,data,... (OSFirewall)
type,date,time,name,type,mode (Anti-Spyware)
FWIN,2008/03/10,18:26:32 +0:00 GMT,24.64.205.145:15602,86.11.168.147:1026,UDP
FWIN,2008/03/10,18:26:32 +0:00 GMT,24.64.205.145:15602,86.11.168.147:1027,UDP
FWIN,2008/03/10,18:26:32 +0:00 GMT,24.64.205.145:15602,86.11.168.147:1028,UDP
FWIN,2008/03/10,18:26:42 +0:00 GMT,24.64.64.182:17701,86.11.168.147:1028,UDP
FWIN,2008/03/10,18:26:42 +0:00 GMT,24.64.64.182:17701,86.11.168.147:1026,UDP
FWIN,2008/03/10,18:26:42 +0:00 GMT,24.64.64.182:17701,86.11.168.147:1027,UDP
ZLUpdate,2008/03/10,18:27:16 +0:00 GMT,,,Manual
AV/update,2008/03/10,18:30:26 +0:00 GMT,,Update Install Completed,Manual
ZLUpdate,2008/03/10,18:31:50 +0:00 GMT,,,Manual


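Added example, not part of any post in this thread: a short Python triage of zalog.txt rows that separates the pattern described in the Shaw reply (UDP, destination ports 1026 to 1028, claimed source inside 24.64.0.0 - 24.71.255.255) from every other blocked inbound row. The sample log is constructed (documentation addresses for the destination and the out-of-range source), and the `TCP (flags:S)` transport suffix is an assumption about how non-UDP rows look.

```python
import csv
import ipaddress
from collections import defaultdict

# Range and ports as stated in the thread; the CIDR block is derived from the range.
SHAW_NETS = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("24.64.0.0"), ipaddress.ip_address("24.71.255.255")))
POPUP_PORTS = {1026, 1027, 1028}

# Constructed sample in the zalog.txt layout; destination and last two rows are made up.
SAMPLE_LOG = """\
type,date,time,source,destination,transport (Security)
FWIN,2008/03/10,18:26:32 +0:00 GMT,24.64.205.145:15602,198.51.100.20:1026,UDP
FWIN,2008/03/10,18:26:32 +0:00 GMT,24.64.205.145:15602,198.51.100.20:1027,UDP
FWIN,2008/03/10,18:26:32 +0:00 GMT,24.64.205.145:15602,198.51.100.20:1028,UDP
FWIN,2008/03/10,18:26:42 +0:00 GMT,24.64.64.182:17701,198.51.100.20:1027,UDP
FWIN,2008/03/10,18:27:01 +0:00 GMT,24.66.10.10:4021,198.51.100.20:445,TCP (flags:S)
FWIN,2008/03/10,18:27:05 +0:00 GMT,203.0.113.9:5060,198.51.100.20:1026,UDP
"""

def parse_fwin(line):
    """Return (src_ip, dst_port, transport) for a blocked-inbound row, else None."""
    fields = next(csv.reader([line]), [])
    if len(fields) != 6 or fields[0] != "FWIN":
        return None  # column headers, ZLUpdate, AV/update and other record types
    try:
        src_ip = ipaddress.ip_address(fields[3].rsplit(":", 1)[0])
        dst_port = int(fields[4].rsplit(":", 1)[1])
    except (ValueError, IndexError):
        return None  # rows without a usable ip:port pair
    return src_ip, dst_port, fields[5]

def triage(log_text):
    """Separate rows matching the described pop-up pattern from all other blocks."""
    popup = defaultdict(set)  # claimed (possibly spoofed) source -> ports probed
    other = []                # anything else is not covered by that explanation
    for line in log_text.splitlines():
        if (row := parse_fwin(line)) is None:
            continue
        src, dport, transport = row
        in_range = any(src in net for net in SHAW_NETS)
        if in_range and transport.startswith("UDP") and dport in POPUP_PORTS:
            popup[str(src)].add(dport)
        else:
            other.append(line)
    return dict(popup), other

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Because UDP source addresses can be forged, the keys of the first result are only the addresses the packets claimed to come from; the second list is what is left to review or report.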
Hoov
Zone Alarm Host
PIRT Handler
Joined: Jun 21, 2002
Posts: 4613
Location: USA

Posted: Tue Mar 11, 2008 3:43 pm    Post subject:

Unfortunately there isn't a whole lot you can do about incoming requests. If you don't have a static IP address from your ISP, you can turn off your internet connection, and then turn it back on again. This will give you a new IP address. This may get you out of their sights, but probably not. The next thing you can do is to file a complaint with your ISP about this traffic, and see if they can do anything. You can also keep complaining to Shaw, and eventually they may get off their high horse and figure out who is doing this. Also sending your logs to http://www.dshield.org will help in the long run, but not short term. They collect logs from folks all over, and file huge reports with offending organizations.

The only other thing you can do is try to get your ISP to shut down those ports. But in my opinion in the long run that is a bad idea. ISPs continue to block more and more ports, which just causes the bad guys to change ports.

Sorry I couldn't give you better news.

By the way, if you need it
Shaw Communications Inc.
Suite 900
630–3rd Avenue S.W.
Calgary, Alberta
Canada T2P4L4


_________________
For ZoneAlarm help http://www.donhoover.net
jjimbo
Trooper
Joined: Feb 23, 2008
Posts: 18
Location: Uk

Posted: Tue Mar 11, 2008 7:55 pm    Post subject:

Thanks for taking the time to reply and your advice, Hoov.
I will just make sure my zass is always up to date and I will certainly ook into some of your suggestions in the near future. Goodbye.


jjimbo
Trooper
Joined: Feb 23, 2008
Posts: 18
Location: Uk

Posted: Tue Mar 11, 2008 7:58 pm    Post subject:

(correction) * look .
lol


mavacpjm
Guest
IP: 66.235.*.*

Posted: Sun Jul 06, 2008 9:51 pm    Post subject: The 24.64 IP Pool at Shaw Communications is the NSA IPs

Check Cryptome to find out...these are NSA Affiliated IP Addresses and the NSA in the USA is using them to do their business from abroad.

Cryptome broke this news almost 2 years ago, that's why Shaw responds that these IPs are not assigned, or they respond someone is using them, but it's not us.

BLOCK THE ENTIRE IP RANGE....

TheSparrow
Cadet
Joined: Jul 28, 2008
Posts: 7
Location: USA

Posted: Mon Jul 28, 2008 6:37 pm    Post subject: I get thousands of these

Hello,

I just found this discussion by doing a Google search and registered to the forum.

I've had this same problem with Shaw Communication alerts and it's been going on for years. It's constant. I always get 3 at a time and they start immediately when I boot up. I sent them an email and am still awaiting a response. I imagine that I'll get a similar one as to what's been posted above.

It seems to me that if it's someone using their servers that they're responsible for alleviating the problem regardless of whether or not it's one of their customers or anyone else who may be doing it. As far as the response you got about ignoring it, I don't know about you all, but I prefer to see the alerts that come through on my firewall. It's just a personal preference. As I said, these alerts from Shaw Communications are constant so that makes it a little bit tough to ignore. I hope this thread is still active because I would like to get some feedback on this.

Hoov
Zone Alarm Host
PIRT Handler
Joined: Jun 21, 2002
Posts: 4613
Location: USA

Posted: Mon Jul 28, 2008 7:28 pm    Post subject:

Are they from the same IP as the post above?


TheSparrow
Cadet
Joined: Jul 28, 2008
Posts: 7
Location: USA

Posted: Mon Jul 28, 2008 7:53 pm    Post subject: I.P. Range

Thanks Hoov for your quick response. Yes the I.P.'s from Shaw are in the same range, 24.64.0.0 - 24.71.255.255.

Hoov
Zone Alarm Host
PIRT Handler
Joined: Jun 21, 2002
Posts: 4613
Location: USA

Posted: Mon Jul 28, 2008 8:58 pm    Post subject:

Can you post up some of these entries? I need some new data, so that I can run this by some folks I know that know much more about this kind of thing.


TheSparrow
Cadet
Joined: Jul 28, 2008
Posts: 7
Location: USA

Posted: Mon Jul 28, 2008 9:20 pm    Post subject: Data

Thank you. I went to Alerts/Logs on ZA and from there to Log Viewer, but the copy/paste function doesn't work. Is this what you need to see and if so do you know how I can copy them to post?

Hoov
Zone Alarm Host
PIRT Handler
Joined: Jun 21, 2002
Posts: 4613
Location: USA

Posted: Mon Jul 28, 2008 9:42 pm    Post subject:

Go to c:\windows\internet logs and open the file named zalog.txt. That is where you can do a copy and paste.

