Portscan Intrusion?


Prevent this computer from having access to yours: Open Norton > N.I.S. tab > Settings > N.AV Options (?) > Firewall > Program Control > Trust > Add > Enter computer "192.168.0.1" > "Ok" > Click on Computer > Restrict > "Yes".

 

I would also Block Ports 8 and 53: After you have done the above, click on Advanced > Configure > Add > Block > Connections to and from other computers > Any computer > Click the second one and select U.D.P. and then click on Add > Filter by: Click the middle one and enter the Ports; click on Local > "Ok" > Add Rule: Enter the Rule Name you want > That's you done!

 

Not sure what options N.AV has, so if someone knows, then you can correct where I am wrong; it should be something roughly like that anyway; just treat this as a Guide.

 

I would also Update your Virus Definitions and then do a Full System Scan in Safe Mode.

Message Edited by Floating_Red on 08-09-2008 12:20 AM
Message Edited by Floating_Red on 08-09-2008 12:24 AM

This is a false positive intrusion detection. Frequently when browsing the web, some pages will have many links to many different sites. Looking up all of these addresses can make it look like your router (192.168.0.1) is attacking your machine. The inbound UDP later the next morning was probably some other background application going out and looking for more updates. You probably will see some connection entries in your logs occurring at or very shortly after that same time.
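One way to check the explanation above against your own firewall log, as an added example that is not part of the original thread: pair every inbound UDP packet from the router's port 53 with an outbound DNS query sent from the same local port a moment earlier. The `Packet` record, `triage_port53_alerts`, the 5-second window and the sample packets are all assumptions constructed for illustration, not Norton's log format.

```python
from dataclasses import dataclass

WINDOW_SECONDS = 5  # assumed maximum delay between a DNS query and its reply


@dataclass(frozen=True)
class Packet:
    ts: float         # seconds since the start of the log excerpt
    direction: str    # "out" (PC -> network) or "in" (network -> PC)
    proto: str        # "UDP" or "TCP"
    local_port: int   # port on the PC
    remote_ip: str
    remote_port: int


def triage_port53_alerts(packets, resolver_ip):
    """Label each inbound UDP packet that comes from resolver_ip port 53.

    "dns-reply":   the PC sent a query from the same local port to the
                   resolver within WINDOW_SECONDS beforehand, which is the
                   false-positive pattern described in the thread.
    "unsolicited": no matching outbound query was logged, so the packet
                   deserves a closer look.
    """
    last_query = {}  # local_port -> time of the most recent outbound query
    verdicts = []
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        if p.proto != "UDP" or p.remote_ip != resolver_ip or p.remote_port != 53:
            continue  # not DNS traffic to or from the resolver
        if p.direction == "out":
            last_query[p.local_port] = p.ts
        else:
            sent = last_query.get(p.local_port)
            matched = sent is not None and 0 <= p.ts - sent <= WINDOW_SECONDS
            verdicts.append((p.local_port, "dns-reply" if matched else "unsolicited"))
    return verdicts


# Constructed sample: a page with many links triggers a burst of lookups,
# each from a fresh local port, followed by the router's replies.
SAMPLE = [
    Packet(0.00, "out", "UDP", 52011, "192.168.0.1", 53),
    Packet(0.01, "out", "UDP", 52012, "192.168.0.1", 53),
    Packet(0.02, "out", "UDP", 52013, "192.168.0.1", 53),
    Packet(0.05, "in", "UDP", 52011, "192.168.0.1", 53),
    Packet(0.06, "in", "UDP", 52012, "192.168.0.1", 53),
    Packet(0.07, "in", "UDP", 52013, "192.168.0.1", 53),
    Packet(9.00, "in", "UDP", 50999, "192.168.0.1", 53),  # no query preceded it
]
```

A burst of replies to many different high ports is what a port-scan heuristic keys on, so the matching outbound queries are the evidence that separates ordinary name resolution from a real probe.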

Floating_Red. Thanks. But I think if I block that address I’d lose my internet access.

Reese, thank you sir. It has happened again several times since I posted this question. I notice that when I go on some of my favorite sites such as sporting news.com, the connection log shows many entries. The site has lots of sports news links and scores, etc. So that supports the idea that the site itself has many pages to link to. So false positive sounds right, eh? Plus it indicates that it is blocked when it does this, so Norton is on it either way :slight_smile:

Reese-  One last point of clarification

 

You don't think I need to block 192.168.0.1, do you? I'm thinking I need that since it is part of my DSL connection. Let me know. Thanks

Hi,

 

No, you will not want to block your gateway address.

 

Thanks,

 

/Chester 

Wow, should he have blocked his address?

We have some measures in there to prevent "shooting yourself in the foot" if you happen to restrict your own gateway.  Therefore, you should still have internet access.  However, it would be good to remove the restriction on the gateway.

 

Thanks,

 

/Chester 

Oh I meant showing his address in the post :slight_smile:

THock, a question for you, what operating system are you running on?

Glad I found this site. I looked through the questions people posted and I don’t really see an answer for my question. So here it is

 

From time to time (most recently 8/7/08 in the morning) I will get the following notice in my history (this is not the exact wording but close)

Details:

Attempted Intrusion "Portscan" against your machine was detected and blocked.
Intruder: 192.168.0.1(domain(53)).
Risk Level: Medium.
Protocol: UDP.
Attacked IP: MY-PC.
Attacked Port: 52***

 

Of course I'm happy that this is blocked.

However, later (last night) Microsoft had some updates that required the computer to shut down and restart. So it restarted around 1:30am or so on its own.

We have the two account options on our computer: Admin and User. So when I woke up this morning the computer was on, but the screen showed that we had to "log in" under one of the two accounts. After logging in as user (which we always do), I checked on updates and all, and the Norton logs. Well, the Norton Activity log showed the following in "activity" for early early this morning.

 

 

Inbound UDP packet allowed.
Local address,service is (My-PC,601**).
Remote address,service is (192.168.0.1,domain(53)).
 

So I'm concerned that somehow the Portscan intrusion now made its way on my comp.

I did a full system Norton scan and nothing showed except tracking cookies. Also used SpyBot and nothing showed.

 

Now I know in my activity logs that Port Blocking allowed 192.168.0.1(8) happens all the time, for the last year, so I know that's not a problem. Just that the Portscan blocks appear to be the same as the UDP packet that was allowed. I use Norton Antivirus 2008. I have Vista Home Premium. And of course a DSL connection (anyone still on dial up??)

I appreciate any comments and help.

If I need to post any other details, just let me know. I look forward to responses. Thanks all