Port Scan

Malware detection, cleaning and prevention

Port Scan

Post by kirkc » Fri Nov 27, 2009 12:15 am

This isn't specifically Exetel related so I hope I'm not breaking the rules...

I'm reasonably computer savvy but a noob when it comes to networking stuff. Recently decided to be a little less complacent about security and set my Netgear DG834GV modem/router thingy to alert me to any "known DDOS attacks or port scans".

Tonight it alerted me to the following: "UDP Packet - Source:203.206.181.99 Destination:115.xx.xxx.xx - [PORT SCAN]"

Whois.net says the source IP belongs to iiNet and that is about the extent of my expertise!

Is it a problem? Googling it was a bit confusing. I also noticed the light flashing to indicate traffic on my router. I had nothing running and even unplugged the network cables, but it kept on flashing, so I unplugged the power for a bit. It is still going but not as fast now.

I use Windows XP Pro with all updates. Windows firewall is on with utorrent as the only exception. Utorrent may have been running at the time the router sent the alert, but not when the light kept flashing...

Any advice would be much appreciated. Thanks in advance.


Re: Port Scan

Post by CoreyPlover » Fri Nov 27, 2009 12:22 am

I don't think it is a problem.

What it is saying is that your modem is being probed by another computer, but that the modem's firewall is doing its job and blocking the attempt. Happens pretty frequently as compromised computers often send out these probes to see if they can find other unprotected computers to infect.


Re: Port Scan

Post by kirkc » Fri Nov 27, 2009 12:44 am

Hehe, it was easier to find an app and do a port scan of my own on the source IP than to make sense of the Wikipedia article. I'm still none the wiser but I figure if it was intentional on the part of the person who owns that IP then they'd know I know lol. The port scan I did gave me the source's name as "dangerous.homeip.net". Googling that wasn't too helpful.

Thank you for your reply.


Re: Port Scan

Post by JasonM » Fri Nov 27, 2009 8:04 am

I'd ignore it, your modem is doing its job against the irresponsible iiNet user.
dangerous.homeip.net is the dynamic host name they've set for the iiNet IP in the log.


Re: Port Scan

Post by kirkc » Tue Apr 20, 2010 5:40 pm

My Netgear modem/router was killed recently by a lightning strike so I have replaced it with a Billion 7404VNPX http://www.billion.com/product/voip/BiP ... -PSTN.html

I've been messing with settings and trying to get familiar with it and noticed lots of items in the firewall log, some of which I haven't been able to make sense of. If anyone could enlighten me it would be much appreciated.

One is an Exetel IP address which continually reoccurs:
Apr 20 14:53:36 home.gateway:firewall:info: 2571.327 Blocked Prot=88, 58.96.1.204 > 224.0.0.10 -Default Defense
Is that perhaps something to do with my usage meter?

There have been a few other ones including this:
Apr 20 14:53:32 home.gateway:firewall:info: 2567.244 Blocked Prot=6, 58.251.129.143:6000 > 115.70.xxx.xxx:1433, S Seq=1280376832, Ack=0 -Disallowed Destination IP
A whois says this is a Chinese IP?! I don't have any torrents running or anything else that I can think of. I changed my IP yesterday and wonder if maybe I have inherited a "used" one.

Whilst I am asking silly questions, I've noticed that with both this new modem and the old, the internet light often flashes despite the fact that there is nothing running to cause this. I've even disconnected the LAN (wifi off) yet the light seems to have a mind of its own. I also have a VOIP service with Engin and wonder if that is the cause...?

Thanks in advance.
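
Added example (not part of any poster's message and not vendor code): a small Python parser for the two Billion firewall log lines quoted in the post above, labelling the IP protocol number, the destination port and multicast destinations. The regular expression is inferred only from those two lines, and reading "S" as the TCP SYN flag is an assumption about this router's log format.

```python
import ipaddress
import re

# The two log lines quoted in the post above (destination already masked by the poster).
SAMPLE_LOG = """\
Apr 20 14:53:36 home.gateway:firewall:info: 2571.327 Blocked Prot=88, 58.96.1.204 > 224.0.0.10 -Default Defense
Apr 20 14:53:32 home.gateway:firewall:info: 2567.244 Blocked Prot=6, 58.251.129.143:6000 > 115.70.xxx.xxx:1433, S Seq=1280376832, Ack=0 -Disallowed Destination IP
"""

# Small subset of IANA IP protocol numbers and well-known ports.
IP_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 88: "EIGRP"}
KNOWN_PORTS = {22: "SSH", 23: "Telnet", 80: "HTTP", 445: "SMB",
               1433: "MS SQL Server", 3389: "RDP"}

# Pattern inferred from the two sample lines only (assumption, not a vendor specification).
LINE_RE = re.compile(
    r"Blocked Prot=(?P<proto>\d+), "
    r"(?P<src>[\w.]+?)(?::(?P<sport>\d+))? > (?P<dst>[\w.]+?)(?::(?P<dport>\d+))?"
    r"(?:, (?P<flags>[A-Z]+) Seq=\d+, Ack=\d+)? -(?P<rule>.+)$"
)


def describe(line):
    """Return a dict explaining one 'Blocked' log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    proto = int(m["proto"])
    info = {"protocol": IP_PROTOCOLS.get(proto, f"IP protocol {proto}"),
            "src": m["src"], "dst": m["dst"], "rule": m["rule"], "notes": []}
    try:
        if ipaddress.ip_address(m["dst"]).is_multicast:
            info["notes"].append("multicast destination: routing-protocol traffic, "
                                 "not addressed to this host")
    except ValueError:
        pass  # masked address such as 115.70.xxx.xxx cannot be parsed
    if m["dport"]:
        port = int(m["dport"])
        info["service"] = KNOWN_PORTS.get(port, f"port {port}")
    # Assumption: "S" is how this router prints the TCP SYN flag.
    if proto == 6 and m["flags"] == "S":
        info["notes"].append("unsolicited SYN: inbound connection attempt, dropped")
    return info


if __name__ == "__main__":
    for entry in SAMPLE_LOG.splitlines():
        print(describe(entry))
```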


Re: Port Scan

Post by Dazzled » Tue Apr 20, 2010 5:50 pm

As JasonM says, your modem is doing its job. Mine gets many probes pretty well every hour from some very exotic places. Sometimes it feels as though the east Asian national hobby is router probing. It doesn't reply (the built-in firewall just drops the packet), and the pests move on.

A lot of software is devoted to penetration testing. Needless to say it can be used to penetrate also. See for example, http://www.backtrack-linux.org/faq/ I don't think they list the tools on the current version, so here's an old version list http://backtrack.offensive-security.com/index.php/Tools. Plenty of choice.
