Thread: Serious security issues?

  1. #1
    Keikan | Join Date: Apr 2003 | Location: Edmonton (Not Enfield) | Age: 35 | Posts: 3,743
    I turned on my computer today and I noticed that the security log of Sygate Personal Firewall was active (Yes, I probably need a new firewall). I looked at it and I saw that there was a port scan on my computer. No big deal, right? But I kept getting port scanned once every minute by the same IP address over and over again. It's also trying to scan every port. E.g. 757, 758, 759 and then 2 hours later 2609, 2610, 2611, etc., with it still going on. I do have another computer on a network connected with a hub, not a router. When I checked that computer it was getting the same thing from the same IP address. The computers both have Windows XP.

    Should I be worried about this activity? It appears really malicious. Can I call my ISP to change my IP addresses or something?
    Ohh noo!!! I make dribbles!!!

  2. Software & Hardware   -   #2
    Quote Originally Posted by Keikan View Post
    It's also trying to scan every port. E.g. 757, 758, 759 and then 2 hours later 2609, 2610, 2611, etc., with it still going on.
    Firewalls sometimes mistake P2P connection attempts for port scanning, but this sounds like a real one, although a bit slow - newer tools can scan 500 ports in a few seconds.

    I'd say you change your IP if possible, call your ISP if that's the only way. Or if you're not able to, block the attacker with a tool like PeerGuardian/PeerBlock or P2PFire.
    Last edited by anon; 12-12-2009 at 11:39 PM.
    "I just remembered something that happened a long time ago."

  3. Software & Hardware   -   #3
    Keikan
    I don't have any P2P programs running right now.
    And yeah, it's around 4 ports/30sec according to the SPF security log...

    Any other way to change IP without calling my ISP?
    Ohh noo!!! I make dribbles!!!

  4. Software & Hardware   -   #4
    Quote Originally Posted by Keikan View Post
    Any other way to change IP without calling my ISP?
    You could try changing your network card's MAC with a program like "Mac Address Changer" or macshift. Just flip the last byte - for example, if your current MAC is:
    01 02 03 AB CD EF
    Change it to
    01 02 03 AB CD FE
    Then power-cycle your modem. With some luck you'll have a new IP.
    "I just remembered something that happened a long time ago."

  5. Software & Hardware   -   #5
    Quote Originally Posted by Keikan View Post
    Should I be worried about this activity? It appears really malicious. Can I call my ISP to change my IP addresses or something?
    usually ISPs assign temporary WAN IP addresses to residential customers from the ISP's pool of addresses. prolly both as a matter of practicality and to reduce the risk of customers being victimized by network attacks. so... unless you've specifically paid for a permanent WAN IP, rebooting your modem or router should give you a new WAN IP address and put a stop to someone who's been randomly pinging or scanning you. if you're certain that you have a permanent WAN IP, then... yeah, you might need to call your ISP and request a new WAN IP, and explain to them that you suspect a port scanning attack so perhaps they can examine the problem and give you advice if necessary.

    if the scans persist after acquisition of a new WAN IP, it might be wise for you to thoroughly inspect the computers in your home for malware infections. possibly your computers might be broadcasting your IP to an outsider without you being aware of it?

    ALSO: if you really want to put your mind at ease about the possibility of unsolicited connections being attempted by outsiders, you might want to consider using a router that has a NAT feature (network address translation), even if you're only going to use one computer at a time. it might negatively affect your P2P abilities, but it can certainly stop things like port scans from reaching your computer.
    Last edited by 3RA1N1AC; 12-13-2009 at 11:21 AM.

  6. Software & Hardware   -   #6
    karachidude | Excelsior | BT Rep: +5 | Join Date: Nov 2009 | Location: Karachi | Posts: 883
    Comodo is a good firewall option

  7. Software & Hardware   -   #7
    What? I thought Comodo sucked! I used it because Zone Alarm wouldn't work with the Win7 beta, and I hated its GUI. ZA allows me to control what gets in and what gets out with simple warning popups when I install it with the Manual option. With the Manual option set, nothing is allowed to connect to the net without my permission except ZA itself. Then from that point on I just put a check mark in always allow for system files (isass.exe), anti-virus, spyware apps and browsers and never allow for games and cracked programs.
    The one thing I leave unchecked and therefore continue to get popups for is "Windows Explorer is trying to connect to the net". The reason I leave it unchecked is many programs use it to try and trick you into allowing the connection by hiding the fact it's them and not Explorer trying to connect. Some programs that do this I want to connect (for activation or updates) and others I do not, so making a check mark choice in this case can cause issues down the road depending on which choice I make. Some things I want to connect will not be able to, or things I do not want to connect will. Having the option to choose each time Windows Explorer tries to connect is very handy in this circumstance.
    Last edited by Appzalien; 12-13-2009 at 03:35 PM.

  8. Software & Hardware   -   #8
    Quote Originally Posted by 3RA1N1AC View Post
    it might negatively affect your P2P abilities
    Not if you forward your ports
    "I just remembered something that happened a long time ago."

  9. Software & Hardware   -   #9
    Quote Originally Posted by anon-sbi View Post
    Quote Originally Posted by 3RA1N1AC View Post
    it might negatively affect your P2P abilities
    Not if you forward your ports
    of course.

  10. Software & Hardware   -   #10
    Keikan
    OK. So I've changed my MAC address and power-cycled the cable modem and I got a new IP address, still getting the port scans. It's been 24 hours and it's now at 215xx.

    I called my ISP (Shaw) and their response was basically "Meh."
    Perhaps I have malware? I swapped to an Ubuntu live CD and used Firestarter and it reported the same activity from the same IP too.

    I got no more ideas.
    Ohh noo!!! I make dribbles!!!
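
The thread's question of whether this is a real scan or P2P noise can be answered from the firewall log itself. The following is an added example, not code from any poster: it flags one source walking many consecutive ports, however slowly, and ignores many sources hitting a single port. The log format, addresses and thresholds are assumptions; the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample (assumed format: date time src_ip dst_port).
# 203.0.113.7 walks ports slowly; the 198.51.100.x hosts hit one port like stale P2P peers.
SAMPLE_LOG = """\
2009-12-12 10:00:00 203.0.113.7 757
2009-12-12 10:00:08 203.0.113.7 758
2009-12-12 10:00:15 198.51.100.21 6881
2009-12-12 10:00:16 203.0.113.7 759
2009-12-12 10:00:23 203.0.113.7 760
2009-12-12 10:00:40 198.51.100.22 6881
2009-12-12 10:01:02 198.51.100.21 6881
2009-12-12 12:00:00 203.0.113.7 2609
2009-12-12 12:00:08 203.0.113.7 2610
2009-12-12 12:00:16 203.0.113.7 2611
"""

def parse(log):
    """Yield (datetime, src_ip, dst_port) from whitespace-separated lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines instead of failing
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        yield ts, parts[2], int(parts[3])

def classify(log, min_ports=5, min_sequential=0.5):
    """Per source: distinct ports, share of +1 port steps, duration, verdict."""
    hits = defaultdict(list)
    for ts, src, port in parse(log):
        hits[src].append((ts, port))
    report = {}
    for src, events in hits.items():
        events.sort()
        ports = [p for _, p in events]
        distinct = len(set(ports))
        steps = sum(1 for a, b in zip(ports, ports[1:]) if b == a + 1)
        sequential = steps / (len(ports) - 1) if len(ports) > 1 else 0.0
        hours = (events[-1][0] - events[0][0]).total_seconds() / 3600
        # No per-minute rate threshold: a slow scan would never trip one.
        scan = distinct >= min_ports and sequential >= min_sequential
        report[src] = {"distinct_ports": distinct, "sequential": round(sequential, 2),
                       "hours": round(hours, 2), "verdict": "port scan" if scan else "noise"}
    return report

if __name__ == "__main__":
    for src, info in classify(SAMPLE_LOG).items():
        print(src, info)
```

Running the same check on logs from both machines, and again after an IP change, shows whether the same source keeps following the connection.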
