Members
  • Total Members: 14176
  • Latest: toxxxa
Stats
  • Total Posts: 42869
  • Total Topics: 16078
  • Online Today: 3869
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)









Author Topic: Why am I being pinged, probed or attacked on this port?  (Read 5256 times)

0 Members and 1 Guest are viewing this topic.

Amker

  • SCF Global Moderator
  • *****
  • Posts: 1076
  • KARMA: 22
  • Gender: Male
    • SCforum.info
 Your firewall is recording "events," not "probes." Events can really only be called probes after an investigation shows an intent to enter computers without proper authorization.

1. Provided the destination ports the events are occurring on are closed or stealthed, nobody is getting into your computer.

Repeated activity from a source IP address on closed or stealthed ports usually indicates a worm or virus or a script kiddie using a simple trojan kit.

Beware of attackers who try dozens of ports looking for an open port with an unpatched vulnerability.

2. Determine how long you have had your IP address. You can do this by examining your firewall log for the destination address of inbound events.

Most surges in events are caused by inheriting an IP address that was formerly used by a busy server. In this case, the events commonly taper off over a period of 1 to 72 hours.

These are not probes; these are legitimate attempts to contact the server that formerly held that IP address.

3. Gather information on the ports concerned and their common uses here:

http://isc.incidents.org/

Enter a port number in the "Port Look" box on the left, and click the "details" button.

Using ports 6667 and 6668 as examples you get:

isc.incidents.org/port_details.html?port=6667

isc.incidents.org/port_details.html?port=6668

Scroll down to read the well-known uses and vulnerabilities of the port.

Using ports 6667 and 6668 as examples:
- 6667 is used by a variety of trojans, and
- 6668 is used by IRC and IRCU.

Keep in mind that many software packages can be configured to use different ports than the standard. Port usage lists do not include ports used by uncommon software and malware. Neophasis and other port usage lists merely suggest the common software and malware that use a port.

If your software isn't using the ports described, and you don't have a trojan using the port described, or if the events are blocked by a firewall, you have no immediate concern.

4. You can use the Security Scan in the Tools section of BBR, "Shields Up" at grc.com or the port scan at »security.symantec.com to see what ports are open on your computer.

5. If you are concerned about events occurring on ports on your system, you can use the free services of myNetWatchman and DShield. Both of these organizations collect, anonymize and analyze firewall logs.

http://www.mynetwatchman.com
MNW focuses on filtering out false alarms and reporting infected machines and hacking attempts to the ISP responsible for the IP address they originate from.

http://www.dshield.org
DShield focuses on gathering statistics on abnormal Internet activity. DShield feeds the Internet Storm Center.

6. If you are still concerned about what is going on, feel free to post a question in a new topic in the BBR Security Forum.

Please include these details in your post:

a) Have you had your current IP address for less than 72 hours (3 days)? If less, roughly how long?

b) What are the first two parts of your IP address? (e.g. 123.123.xxx.xxx)

c) What source and destination ports (number and TCP/UDP) are involved?

d) Do the events occur in clusters or one at a time? Roughly how many do you get in an hour (a few, dozens, hundreds)?

e) Is it just one source IP address or many? List some of the source IPs (they aren't secret).

f) An extract of your firewall logs would be very useful. (It is okay to obscure the last 2 parts of your IP address, but do not obscure anything else.)

7. If you are a business, organization or professional that depends on the security of your computer system, we strongly urge you to consider using the services of an IT security professional to review the security of your system.
# Online Anti-Malware Scanners: http://scforum.info/index.php/topic,734.0.html

Samker's Computer Forum - SCforum.info


 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising