Kudos0

Portscan Intrusion?

Glad I found this site. I looked through the questions people posted and I don’t really see an answer for my question. So here it is

 

From time to time (most recently 8/7/08 in the morning) I will get the following notice in my history (this is not the exact wording but close)

Details:

Attempted Intrusion "Portscan" against your machine was detected and blocked.
Intruder: 192.168.0.1(domain(53)).
Risk Level: Medium.
Protocol: UDP.
Attacked IP: MY-PC.
Attacked Port: 52***

 

Of course I'm happy that this is blocked.

However, later (last night) Microsoft had some updates that required the computer to shut down and restart. So it restarted around 1:30am or so on its own.

We have the two account options on our computer: Admin and User. So when I woke up this morning the computer was on, but the screen showed that we had to “log in” under one of the two accounts. After logging in as user (which we always do), I checked on updates and all, and the Norton logs. Well, the Norton Activity log showed the following in "activity" for early early this morning.

 

 

Inbound UDP packet allowed.
Local address,service is (My-PC,601**).
Remote address,service is (192.168.0.1,domain(53)).
 

So I'm concerned that somehow the Portscan intrusion now made its way on my comp.

I did a full system Norton scan and nothing showed except tracking cookies. Also used SpyBot and nothing showed.

 

Now I know in my activity logs that Port Blocking allowed 192.168.0.1(8) happens all the time, for the last year, so I know that's not a problem. Just that the Portscan blocks appear to be the same as the UDP packet that was allowed. I use Norton Antivirus 2008. I have Vista Home Premium. And of course a DSL connection (anyone still on dial up??)

I appreciate any comments and help.

Replies

Kudos0

Re: Portscan Intrusion?

If I need to post any other details, just let me know. I look forward to responses. Thanks all
Kudos0

Re: Portscan Intrusion?

Prevent this computer from having access to yours: Open Norton > N.I.S. tab > Settings > N.AV Options (?) > Firewall > Program Control > Trust > Add > Enter computer "192.168.0.1" > "Ok" > Click on Computer > Restrict > "Yes".

I would also Block Ports 8 and 53: After you have done the above, click on Advanced > Configure > Add > Block > Connections to and from other computers > Any computer > Click the second one and select U.D.P. and then click on Add > Filter by: Click the middle one and enter the Ports; click on Local > "Ok" > Add Rule: Enter the Rule Name you want > That's you done!

Not sure what options N.AV has, so if someone knows, then you can correct where I am wrong; it should be something roughly like that anyway; just treat this as a Guide.

I would also Update your Virus Definitions and then do a Full System Scan in Safe Mode.

Message Edited by Floating_Red on 08-09-2008 12:20 AM
Message Edited by Floating_Red on 08-09-2008 12:24 AM
Kudos0

Re: Portscan Intrusion?

This is a false positive intrusion detection. Frequently when browsing the web, some pages will have many links to many different sites. Looking up all of these addresses can make it look like your router (192.168.0.1) is attacking your machine. The inbound UDP later the next morning was probably some other background application going out and looking for more updates. You probably will see some connection entries in your logs occurring at or very shortly after that same time.
Reese Anschultz, Senior Software Quality Assurance Manager, Symantec Corporation
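
Added example, not part of any post in this thread and not Norton's detection logic: a sketch of why DNS replies from the gateway can trip a port-scan heuristic, as the reply above describes, and how matching inbound packets to recent outbound queries removes the false positive. The thresholds, the event tuple layout and the 203.0.113.9 address are constructed assumptions.

```python
from collections import defaultdict

WINDOW = 5.0         # seconds (assumed value, not Norton's threshold)
MAX_PORTS = 10       # distinct local ports per source within WINDOW (assumed)
REPLY_TIMEOUT = 3.0  # how long an outbound query keeps its local port "expected"

def flag_scanners(inbound):
    """Naive heuristic: a remote IP touching many local ports quickly is a scanner."""
    by_src = defaultdict(list)
    for t, _direction, ip, _rport, lport in inbound:
        by_src[ip].append((t, lport))
    flagged = set()
    for ip, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > WINDOW:
                start += 1
            if len({p for _, p in hits[start:end + 1]}) > MAX_PORTS:
                flagged.add(ip)
                break
    return flagged

def drop_solicited(events):
    """Keep only inbound packets that do not answer a recent outbound packet on
    the same (remote IP, remote port, local port), e.g. gateway DNS replies."""
    pending, unsolicited = {}, []
    for ev in sorted(events):
        t, direction, ip, rport, lport = ev
        key = (ip, rport, lport)
        if direction == "out":
            pending[key] = t
        elif not (key in pending and t - pending[key] <= REPLY_TIMEOUT):
            unsolicited.append(ev)
    return unsolicited

def sample_events():
    """Constructed data: (time, direction, remote_ip, remote_port, local_port)."""
    events = []
    for i in range(15):  # one page load: 15 lookups, each from a new local port
        events.append((i * 0.1, "out", "192.168.0.1", 53, 52000 + i))
        events.append((i * 0.1 + 0.02, "in", "192.168.0.1", 53, 52000 + i))
    for i in range(15):  # unsolicited UDP from a documentation-range address
        events.append((10 + i * 0.1, "in", "203.0.113.9", 40000, 1000 + i))
    return events

if __name__ == "__main__":
    ev = sample_events()
    print("naive:  ", sorted(flag_scanners([e for e in ev if e[1] == "in"])))
    print("refined:", sorted(flag_scanners(drop_solicited(ev))))
```

The naive pass flags the gateway because every reply arrives on a different local port; once replies are matched to the queries that caused them, only the unsolicited source remains.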
Kudos0

Re: Portscan Intrusion?

Floating_Red. Thanks. But I think if I block that address I'd lose my internet access.
Kudos0

Re: Portscan Intrusion?

Reese, thank you, sir. It has happened again several times since I posted this question. I notice that when I go on some of my favorite sites such as sporting news.com, the connection log shows many entries. The site has lots of sports news links and scores, etc. So that supports the idea that the site itself has many pages to link to. So false positive sounds right, eh? Plus it indicates that it is blocked when it does this, so Norton is on it either way :)
Kudos0

Re: Portscan Intrusion?

Reese-  One last point of clarification

 

You don't think I need to block 192.168.0.1, do you? I'm thinking I need that since it is part of my DSL connection. Let me know. Thanks

Kudos0

Re: Portscan Intrusion?

Hi,

No, you will not want to block your gateway address.

Thanks,

/Chester 

Kudos0

Re: Portscan Intrusion?

Wow, should he have blocked his address?
Kudos0

Re: Portscan Intrusion?

We have some measures in there to prevent "shooting yourself in the foot" if you happen to restrict your own gateway.  Therefore, you should still have internet access.  However, it would be good to remove the restriction on the gateway.

Thanks,

/Chester 

Kudos0

Re: Portscan Intrusion?

Oh I meant showing his address in the post :)
Kudos0

Re: Portscan Intrusion?

THock, a question for you, what operating system are you running on?
Reese Anschultz, Senior Software Quality Assurance Manager, Symantec Corporation
