Should a computer user be worried about every port scan? My firewall
for example, has been blocking what it calls ‘attacks’ from three
different IP addresses that all belong to an ISP called Chinanet. My
firewall blocks UDP packets sent from Chinanet through my netbios port
and other ports like port 8000. I also notice that when I
turn on my computer that my computer tries to send UDP packets to the
same IPs from Chinanet, through the netbios-ns port. Is that weird? I
always run virus scans regularly and my computer has nothing. My
computer seems to be fine and has not been acting strangely lately. I
don’t know whether or not it’s a port scan. Are things like port scans
normal? Is every port scan always someone intentionally trying to
access your computer? With all the things hackers can be capable of,
what are the chances of a casual user being targeted? People say that
if something like hacking occurs, to contact your ISP, but is there
really anything to be done? Hacking might not be as common as a
computer being infected with a virus, but how common is it?
Port scans happen all the time. And I do mean all the time. Steve
Gibson of grc.com coined the term “internet background radiation” for
all the random traffic that’s continually happening on the internet due
to unpatched and infected machines, and machines that are continually
scanning the internet for other machines to infect.
And that’s exactly why everyone needs a firewall.
However, there is one aspect of what you describe that is
Certain types of vulnerabilities in Windows – mostly long since patched – allow a remote computer to connect directly to your computer and essentially take control.
In the past “taking control” typically meant just causing problems; deleting data, deliberately crashing your machine and the like – things that you would notice immediately. Today things are much more stealthy. A compromised computer may often show no outward signs of being infected, but may be ready to send spam or continually scan the internet for other machines to be infected.
These machines, along with others purposely set up to do this, go out and scan the internet looking for other machines to infect. They pick an IP address, and try to connect to the machine that might be at that address. They try connecting to different ports on that machine, particularly those known to have exposed vulnerabilities in the past, and see if the machine responds. This “port scan” is nothing more than a remote machine poking at your machine to see if it has any weak spots that can be exploited for infection.
That’s why a firewall is so critical. A firewall, particularly a hardware firewall like a router, prevents these probes from ever even reaching your machine.
So as long as you’re protected by a firewall and you’re keeping Windows up to date, then you’re probably in pretty good shape. Given that there are lots of port scans and other vulnerability probes happening all the time, you can still rest easy if you’re behind a firewall.
Now, as we know, these types of infections certainly aren’t the only way your computer can be compromised. Infected attachments and phishing attempts via email, for example, aren’t something that a firewall will stop, so a firewall certainly isn’t enough by itself, but it’s an important part of the mix.
But something you said has me a tad concerned that perhaps you still have an issue:
I also notice that when I turn on my computer that my computer tries to send UDP packets to the same IPs from Chinanet …
That’s not good.
Make sure that’s what your firewall is really telling you (it’s often easy to misinterpret), but if your computer is sending out to an IP address in China that you don’t expect, know or want – well, that’s not good. It’s not a port scan (those are incoming only), but it does seem like it’s an infection of some sort trying to “phone home” and let some computer over there know that your system has been compromised and is ready to receive instructions remotely.
Yes, even though your anti-virus scan is showing nothing, I’d be more likely to believe that it missed something and that your system has been compromised.
Like I said, though, make sure your firewall is telling you what you think it is. An incoming connection attempt that’s blocked is nothing to really worry about. An outgoing attempt, however, is a concern.
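The two points above, that a scan is a remote host poking at many ports and that a blocked inbound attempt means something different from an outbound one, are easy to check against a firewall log rather than guessing from a pop-up. The script below is an added example, not part of the original column. It parses a handful of constructed log lines in the layout the Windows Firewall log (pfirewall.log) uses, where the last field is RECEIVE for inbound and SEND for outbound traffic; the addresses, timestamps and the 192.168.1.0/24 local network are placeholders, and the threshold of four distinct ports is an assumed heuristic.

```python
"""Triage firewall log lines: blocked inbound probes vs outbound attempts.

Sample lines are constructed to imitate the Windows Firewall log layout:
date time action protocol src-ip dst-ip src-port dst-port size ... path
where path is RECEIVE (inbound) or SEND (outbound).
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample log; remote addresses are documentation (TEST-NET) ranges.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-01 08:00:01 DROP UDP 203.0.113.10 192.168.1.20 137 137 78 - - - - - - - RECEIVE
2024-03-01 08:00:02 DROP TCP 203.0.113.10 192.168.1.20 40001 8000 48 S 0 0 0 - - - RECEIVE
2024-03-01 08:00:02 DROP TCP 203.0.113.10 192.168.1.20 40002 445 48 S 0 0 0 - - - RECEIVE
2024-03-01 08:00:03 DROP TCP 203.0.113.10 192.168.1.20 40003 3389 48 S 0 0 0 - - - RECEIVE
2024-03-01 08:00:03 DROP TCP 203.0.113.10 192.168.1.20 40004 22 48 S 0 0 0 - - - RECEIVE
2024-03-01 08:00:05 DROP UDP 198.51.100.7 192.168.1.20 137 137 78 - - - - - - - RECEIVE
2024-03-01 08:01:10 DROP UDP 192.168.1.20 203.0.113.10 137 137 78 - - - - - - - SEND
2024-03-01 08:01:11 ALLOW TCP 192.168.1.20 192.168.1.1 50000 53 52 - - - - - - - SEND
2024-03-01 08:01:12 ALLOW UDP 192.168.1.20 192.168.1.255 137 137 78 - - - - - - - SEND
"""

# Assumed local network; NetBIOS name-service chatter inside it is normal.
LOCAL_NETS = [ip_network("192.168.1.0/24")]
SCAN_PORT_THRESHOLD = 4  # assumed: this many distinct ports from one source looks like a scan


@dataclass
class Record:
    action: str   # ALLOW or DROP
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    path: str     # RECEIVE (inbound) or SEND (outbound)


def parse_log(text):
    """Turn log text into Record objects, skipping comments and short lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 17:
            continue
        records.append(Record(f[2], f[3], f[4], f[5], int(f[6]), int(f[7]), f[16]))
    return records


def is_local(ip):
    return any(ip_address(ip) in net for net in LOCAL_NETS)


def triage(records):
    """Summarise blocked inbound probes per source and outbound traffic to non-local hosts."""
    drops = defaultdict(int)
    ports = defaultdict(set)
    outbound = defaultdict(list)
    for r in records:
        if r.path == "RECEIVE" and r.action == "DROP":
            drops[r.src] += 1
            ports[r.src].add(r.dport)
        elif r.path == "SEND" and not is_local(r.dst):
            outbound[r.dst].append((r.action, r.proto, r.dport))
    blocked_inbound = {
        ip: {
            "drops": drops[ip],
            "distinct_ports": sorted(ports[ip]),
            "looks_like_scan": len(ports[ip]) >= SCAN_PORT_THRESHOLD,
        }
        for ip in drops
    }
    return {"blocked_inbound": blocked_inbound, "outbound_to_remote": dict(outbound)}


def phone_home_suspects(summary):
    """Remote hosts that both probed us and received outbound traffic from us."""
    return sorted(ip for ip in summary["outbound_to_remote"] if ip in summary["blocked_inbound"])


if __name__ == "__main__":
    summary = triage(parse_log(SAMPLE_LOG))
    for ip, info in summary["blocked_inbound"].items():
        print(f"inbound from {ip}: {info['drops']} drops on ports {info['distinct_ports']}"
              f"{' (scan-like)' if info['looks_like_scan'] else ''}")
    for ip, attempts in summary["outbound_to_remote"].items():
        print(f"OUTBOUND to {ip}: {attempts}  <- investigate")
    print("phone-home suspects:", phone_home_suspects(summary))
```

The filter on local destinations matters for the netbios-ns case in the question: a Windows machine broadcasting on port 137 to its own subnet at startup is routine, while a unicast attempt to a remote address that also appeared as an inbound prober is the pattern the column flags as worth investigating.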
In your shoes, I would immediately back up (if you haven’t been doing so already) and then run additional anti-virus and anti-spyware scans from different vendors than whatever you’re already running. I’ll point out that anti-spyware scans are necessary in addition to anti-virus, as they are different things, and the scanners for each operate differently.
Hopefully those will catch and eradicate the problem.
If not – well, as long as your firewall is blocking the outbound connection attempt you’re technically safe, but I wouldn’t be particularly comfortable, particularly not knowing exactly how you came to be infected.
I’d definitely be sure to review the steps to stay safe on the internet.