Should a computer user be worried about every port scan? My firewall
for example, has been blocking what it calls "attacks" from three
different IP addresses that all belong to an ISP called Chinanet. My
firewall blocks UDP packets sent from Chinanet through my netbios port
and other ports like port 8000. I also notice that when I
turn on my computer that my computer tries to send UDP packets to the
same IPs from Chinanet, through the netbios -ns port. Is that weird? I
always run virus scans regularly and my computer has nothing. My
computer seems to be fine and has not been acting strangely lately. I
don't know whether or not it's a port scan. Are things like port scans
normal? Is every port scan always someone intentionally trying to
access your computer? With all the things hackers can be capable of,
what are the chances of a casual user being targeted? People say that
if something like hacking occurs, to contact your ISP, but is there
really anything to be done? Hacking might not be as common as a
computer being infected with a virus, but how common is it?
Port scans happen all the time. And I do mean all the time. Steve
Gibson of grc.com coined the term "internet background radiation" for
all the random traffic that's continually happening on the internet due
to unpatched and infected machines, and machines that are continually
scanning the internet for other machines to infect.
And that's exactly why everyone needs a firewall.
However, there is one aspect of what you describe that is
troubling.
Certain types of vulnerabilities in Windows - mostly long since patched - allow a remote computer to connect directly to your computer and essentially take control.
In the past "taking control" typically meant just causing problems; deleting data, deliberately crashing your machine and the like - things that you would notice immediately. Today things are much more stealthy. A compromised computer may often show no outward signs of being infected, but may be ready to send spam or continually scan the internet for other machines to be infected.
These machines, along with others purposely set up to do this, go out and scan the internet looking for other machines to infect. They pick an IP address, and try to connect to the machine that might be at that address. They try connecting to different ports on that machine, particularly those known to have exposed vulnerabilities in the past, and see if the machine responds. This "port scan" is nothing more than a remote machine poking at your machine to see if it has any weak spots that can be exploited for infection.
That's why a firewall is so critical. A firewall, particularly a hardware firewall like a router, prevents these probes from ever even reaching your machine.
So as long as you're protected by a firewall and you're keeping Windows up to date, then you're probably in pretty good shape. Given that there are lots of port scans and other vulnerability probes happening all the time, you can still rest easy if you're behind a firewall.
Now, as we know, these types of infections certainly aren't the only way your computer can be compromised. Infected attachments and phishing attempts via email, for example, aren't something that a firewall will stop, so a firewall certainly isn't enough by itself, but it's an important part of the mix.
But something you said has me a tad concerned that perhaps you still have an issue:
I also notice that when I turn on my computer that my computer tries to send UDP packets to the same IPs from Chinanet ...
That's not good.
Make sure that's what your firewall is really telling you (it's often easy to misinterpret), but if your computer is sending out to an IP address in China that you don't expect, know or want - well, that's not good. It's not a port scan (those are incoming only), but it does seem like it's an infection of some sort trying to "phone home" and let some computer over there know that your system has been compromised and is ready to receive instructions remotely.
Yes, even though your anti-virus scan is showing nothing, I'd be more likely to believe that it missed something and that your system has been compromised.
Like I said, though, make sure your firewall is telling you what you think it is. An incoming connection attempt that's blocked is nothing to really worry about. An outgoing attempt, however, is a concern.
In your shoes, I would immediately back up (if you haven't been doing so already) and then run additional anti-virus and anti-spyware scans from different vendors than whatever you're already running. I'll point out that anti-spyware scans are necessary in addition to anti-virus, as they are different things, and the scanners for each operate differently.
Hopefully those will catch and eradicate the problem.
If not - well, as long as your firewall is blocking the outbound connection attempt you're technically safe, but I wouldn't be particularly comfortable, particularly not knowing exactly how you came to be infected.
I'd definitely be sure to review the steps to stay safe on the internet.
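The inbound-versus-outbound distinction drawn above, as an added example that is not part of the original answer: a short Python triage over firewall log lines that counts blocked inbound probes and flags outbound attempts leaving the LAN, including any aimed at an address that also probed you. It assumes the Windows Firewall `pfirewall.log` field layout; the log lines, the local address 192.168.1.20 and the LAN range are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample (not from the page); 203.0.113.x and 198.51.100.x
# are documentation-only addresses standing in for the remote hosts.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-03-01 08:00:02 DROP UDP 203.0.113.7 192.168.1.20 4021 137 78 - - - - - - - RECEIVE
2009-03-01 08:00:05 DROP UDP 203.0.113.7 192.168.1.20 4022 8000 60 - - - - - - - RECEIVE
2009-03-01 08:00:09 DROP UDP 198.51.100.9 192.168.1.20 5150 137 78 - - - - - - - RECEIVE
2009-03-01 08:01:30 DROP UDP 192.168.1.20 203.0.113.7 137 137 78 - - - - - - - SEND
2009-03-01 08:01:31 DROP UDP 192.168.1.20 192.168.1.255 137 137 78 - - - - - - - SEND
"""

def triage(log_text, local_ip, lan_cidr):
    """Return (blocked inbound probes per source, outbound attempts leaving the LAN)."""
    lan = ipaddress.ip_network(lan_cidr)
    fields, inbound, outbound = [], Counter(), []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names come from the log header
        elif line.strip() and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            if rec["dst-ip"] == local_ip and rec["action"] == "DROP":
                inbound[rec["src-ip"]] += 1    # background noise the firewall stopped
            elif rec["src-ip"] == local_ip:
                # LAN traffic (e.g. broadcast name lookups) is expected; anything
                # addressed outside the LAN is what deserves a closer look.
                if ipaddress.ip_address(rec["dst-ip"]) not in lan:
                    outbound.append((rec["dst-ip"], rec["protocol"],
                                     int(rec["dst-port"]), rec["action"]))
    return inbound, outbound

def outbound_to_probers(inbound, outbound):
    """Remote addresses that both probed this machine and were contacted by it."""
    return sorted({dst for dst, *_ in outbound if dst in inbound})

if __name__ == "__main__":
    probes, leaving = triage(SAMPLE_LOG, "192.168.1.20", "192.168.1.0/24")
    print("blocked inbound probes:", dict(probes))
    print("outbound attempts leaving the LAN:", leaving)
    print("contacted an address that probed us:", outbound_to_probers(probes, leaving))
```
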
For those who might want to run a couple of free scans, I'd recommend Housecall from Trend Micro (housecall .trendmicro .com) and Microsoft's Windows Live OneCare safety scanner (onecare .live .com/scan). Both products perform deep scans that often uncover malware missed by antivirus and antispyware products. Depending on hard disk size, total number of files (including temp files), etc., each scan could take from just a few minutes to a few hours.
This is something I, too, have been worried about a lot. Although everything's alright with my PC at the moment, I have been looking for a long time for a software or utility that continuously monitors my Internet connection and displays the IP addresses (and associated names) with which any kind of data is exchanged. Does anyone know of anything like it?
My computers are connected through a router to the Internet. How do I see the attacks against open ports that may be coming in to my system? How do I see any outgoing signals that may be occurring without my knowledge?
Is there a specific program to do this for me?
Thanks
When I ran Win98, I used PC Signal 9 firewall which was the best in the universe; until they sold out and it won't run on XP. Using PeerGuardian2, I get hundreds of malicious attempts to get into my PC. Some sites try every port [ all 65,000 of them ] to try and get in. Some sites have virus embedded in their front page and about this time I had, had enough. Savvis URL's in particular [ rogue users ] really cheesed me off. I got "THUNDERFLOOD.EXE" and started giving back to these lowlifes, what they were sending me. Didn't take too long before the rogue URL's got the message. One Savvis URL in particular kept hitting my ports for days [ hundreds / min ] so I set Thunderflood to run 24/7 in the background aimed at this site. What I like about this program is
1. It sniffs every port on the target and Sync floods all of them.
2. You can open up multiple copies of the program and hit other criminal sites simultaneously
3. It uses Jack **** overhead in resources so even with 6 to 10 windows running, there is no slow down - in fact there is a SPEED UP in accessing sites because my PC now does not have to spend resources blocking these rogue URL's.
Ethical ??? maybe not, but it does the job and then some
The latest version of Avast (free) Antivirus scans all incoming and outgoing connections/ports. And, I think most other popular antivirus software have also incorporated this facility (of monitoring ports for suspicious activity).