An intrusion attempt by localhost was blocked

fisher · ‎05-20-2012

Recently I just restored my computer and installed this norton anti virus 60 day free trial. However, everytime I start my computer it pop up a message, which had never happened before, saying "An intrusion attempt by localhost was blocked". Therefore, I want to see if anyone has ever had this kind of message before, or what it means by that.. Is my computer being attacked or what? Thanks in advanced.

SendOfJive · ‎02-07-2009

Hi fisher,

Can you provide the complete contents of the alert showing the name of the threat detected, etc.?

fisher · ‎05-20-2012

Thanks for your response, SendOfJive

I am not with my computer right now. Therefore, I am not able to provide you the complete info.

It is similar to the following, which I googled:

Risk level: medium
Default action: Block
Attacking computer: localhost (127.0.0.1, 48000)
Destination address: localhost (127.0.0.1, 48009)
Traffic Description: UDP, 48000

No path is given, so I have no idea what caused it. It only pops up at the beginning every time I start or restart my computer. Norton only suggests to leave it blocked or stop notifying me.

I can upload a screenshot of it later.

SendOfJive · ‎02-07-2009

If you could just get the name of the attack signature that Norton is alerting to, that would be helpful. IPS detects outbound connections as well as inbound, so knowing what the threat is would shed some light on things.

fisher · ‎05-20-2012

In the security history, it does not mention what attack signature it is. It only says:

"Network traffic from localhost matches the signature of a known attack. To stop being notified for this type of traffic, in the Actions drop-down, click Stop notifying me, and then click Apply".

Risk Name: PortScan

Risk Level: Medium

Default Action: Block

Action Taken: Block

Attacking Computer: localhost

Destination Address: localhost

Traffic Description: UDP, 48000

SendOfJive · ‎02-07-2009

Is the traffic always on port 48000? Nimbus Controller uses that port. A portscan is not necessarily an attack - it is traffic that is blocked because it was not requested. Is your Norton Firewall set to its defaults, or have you created any custom rules? A program like TCPView, free from Microsoft, might allow you to see what is going on.

http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

fisher · ‎05-20-2012

It is not always 48000. Another one is 60757.

Attacking computer and destination address sometimes are different as well.

MagnusLindh · ‎05-09-2011

Hey

A Question, do you experiencing any other problems with your computer that can be related to the problem you are having right now?

Are you using a router, DSL modem to connect to the internet, is your router, DSL Modem secure, meaning that, is it password protected, have you activated wpa/wpa2 on the devices?

Thanks

Sweman

Bombastus · ‎11-16-2009

Do you have a web server or something similar installed? Such programs register themselves on a certain port when you boot, scan it to see if it is free, and this process is detected, falsely, by the firewall as an intrusion attempt.