Port scans? Halp!

Discussion in 'Off Topic' started by dumpster_fox, Feb 6, 2007.

  1. dumpster_fox

    dumpster_fox Member

    So I get home from class today and boot up my computer. A bit later, my brother tells me that on his computer, Symantec detected that a worm attack was coming from 192.168.0.4, which is my computer. I checked out the message, and apparently my computer was running a port scan on 26904 UDP, target 255.255.255.255. I ran two different virus scans and Spybot, and found nothing. Checking out his logs, this has happened a few times over the past few days (earlier on it was scanning 2410 UDP). I closed all the ports on my computer on the router, and can't figure out what else to do.

    The different attacks were:

    From 192.168.0.4.1277, target 255.255.255.255, port 26904 UDP
    From 192.168.0.4.1416, target 255.255.255.255, port 26904 UDP
    From 192.168.0.4.2304, target 255.255.255.255, port 2410 UDP

    Any ideas?
     
  2. Ganks

    Ganks Banned

    #start>run "cmd"
    #"netstat -r"
    #printscreen

    show me

    btw 192.168.0.x is your router, not your pc. It's a local IP (LAN). Your pc is assigned a router # to port thru, but your IP is configured through your modem, if I know my jargon correctly.

    route goes modem to the router which splits the connection to other PCs.

    255.255.255.255 is your netmask

    youre probably just running something stupid...

    btw get rid of symantec, they suck asshair. If you want to spend some $$ for a good security system, check out VCOM's System Suite, or uhh Kaspersky is another good one. I think it's called Kaspersky... You can find a "private" copy somewhere probably...
     
    Last edited: Feb 6, 2007
  3. Jcw87

    Jcw87 Member

    I'm pretty sure dumpster_fox already knows about private 192.168 networks.
    And please tell me why symantec sucks. I have no problems with it.

    Also, what good would a client machine's route table do? I think "netstat -b" is more informative. You can also do "netstat -a -b" which will also list applications that are listening for connections.
     
    Last edited: Feb 6, 2007
  4. grayclay88

    grayclay88 Banned

    Kaspersky made my old computer blue screen when I tried to run it. I use AntiVir; it's free.
     
  5. MrBojangl3s

    MrBojangl3s Member

    AntiVir is not internet protection, lol.

    In any sense, your bro probably has malware on HIS pc. Just cut off the connection between his PC and yours, and see if the problem persists.
     
  6. L3TUC3

    L3TUC3 Member

    Last edited: Feb 7, 2007
  7. dumpster_fox

    dumpster_fox Member

    Well, his virus protection is the only indicator I have to go by, and no other computers on the network have anything that would detect if I were portscanning them. No dice.

    For Talus:
    [screenshot]

    For L3TUC3: After the computer has settled down, nothing looks too out of the ordinary. However, as it is settling down (from just being booted up) it looked like this. Aaack.
     
  8. Jcw87

    Jcw87 Member

    Why is Xfire using so many UDP ports?

    Also, it looks like a remote machine (69.28.150.240) is trying to probe your 192.168.0.4 machine, using port 80 because that probably fools many firewalls and allows the traffic. It first tries to probe 139, which is your NetBIOS shares. Then it does a port scan.

    Go here and educate yourself a little about how hackers get in your computer, and things you can do to stop it. You will also learn more about TCP/IP than you ever cared to know.
     
  9. L3TUC3

    L3TUC3 Member

    Um, not sure what to say. I guess you're a bot. Maybe you were part of this. Are you running a firewall by any chance? If so, check the logs to see if there's anything in there.

    Maybe time for a fresh install?
     
    Last edited: Feb 7, 2007
  10. dumpster_fox

    dumpster_fox Member

    My computer was off at the time of the attacks. I don't leave this computer on when I'm not using it.

    Code:
    Sun, 01/01/1900 00:00:00 - Netgear Activated.
    Sun, 01/01/1900 00:00:00 - UDP packet dropped - Source:68.142.64.165, 27014, WAN - Destination:69.62.190.27, 19016, LAN - 'Possible Port Scan'
    Sun, 01/01/1900 00:00:00 - TCP connection dropped - Source:63.241.255.8, 3724, WAN - Destination:69.62.190.27, 17928, LAN - 'Suspicious TCP Data'
    Tues, 02/06/2007 22:37:51 - Get NTP Time: Tues, 02/06/2007 22:37:51
    Tues, 02/06/2007 22:38:31 - UDP packet dropped - Source:204.71.190.133, 9856, WAN - Destination:69.62.190.27, 18428, LAN - 'Suspicious UDP Data'
    Tues, 02/06/2007 22:38:47 - UDP packet dropped - Source:216.182.177.123, 4003, WAN - Destination:69.62.190.27, 18415, LAN - 'Suspicious UDP Data'
    Tues, 02/06/2007 22:46:07 - TCP connection dropped - Source:68.142.233.150, 5061, WAN - Destination:69.62.190.27, 18031, LAN - 'Suspicious TCP Data'
    Tues, 02/06/2007 22:51:39 - UDP packet dropped - Source:71.81.235.220, 1672, WAN - Destination:69.62.190.27, 18415, LAN - 'Suspicious UDP Data'
    Tues, 02/06/2007 22:51:39 - UDP packet dropped - Source:75.46.137.252, 3277, WAN - Destination:69.62.190.27, 18415, LAN - 'Suspicious UDP Data'
    Tues, 02/06/2007 22:51:41 - UDP packet dropped - Source:84.61.62.9, 2786, WAN - Destination:69.62.190.27, 18415, LAN - 'Suspicious UDP Data'
    Tues, 02/06/2007 22:51:45 - UDP packet dropped - Source:68.109.49.211, 1551, WAN - Destination:69.62.190.27, 18415, LAN - 'Suspicious UDP Data'
    Tues, 02/06/2007 22:51:45 - UDP packet dropped - Source:208.63.196.33, 50975, WAN - Destination:69.62.190.27, 18415, LAN - 'Suspicious UDP Data'
    Tues, 02/06/2007 22:51:45 - UDP packet dropped - Source:68.218.180.15, 50069, WAN - Destination:69.62.190.27, 18415, LAN - 'Suspicious UDP Data'
    Tues, 02/06/2007 22:51:45 - UDP packet dropped - Source:220.237.171.245, 62015, WAN - Destination:69.62.190.27, 18415, LAN - 'Suspicious UDP Data'
    Tues, 02/06/2007 23:00:19 - TCP connection dropped - Source:69.62.233.184, 2605, WAN - Destination:69.62.190.27, 2967, LAN - 'Suspicious TCP Data'
    Tues, 02/06/2007 23:25:25 - TCP connection dropped - Source:58.215.76.199, 80, WAN - Destination:69.62.190.27, 24137, LAN - 'Suspicious TCP Data'
    Tues, 02/06/2007 23:58:41 - UDP packet dropped - Source:83.226.75.217, 25777, WAN - Destination:69.62.190.27, 17771, LAN - 'Suspicious UDP Data'
    Tues, 02/06/2007 23:58:41 - UDP packet dropped - Source:202.10.82.154, 12215, WAN - Destination:69.62.190.27, 17771, LAN - 'Suspicious UDP Data'
    Tues, 02/06/2007 23:58:43 - UDP packet dropped - Source:82.131.247.192, 34948, WAN - Destination:69.62.190.27, 17771, LAN - 'Suspicious UDP Data'
    Tues, 02/06/2007 23:58:57 - UDP packet dropped - Source:71.193.5.69, 25108, WAN - Destination:69.62.190.27, 17771, LAN - 'Suspicious UDP Data'
    Tues, 02/06/2007 23:58:59 - UDP packet dropped - Source:219.90.191.132, 1069, WAN - Destination:69.62.190.27, 17771, LAN - 'Suspicious UDP Data'
    Tues, 02/06/2007 23:58:59 - UDP packet dropped - Source:88.240.74.51, 1123, WAN - Destination:69.62.190.27, 17771, LAN - 'Suspicious UDP Data'
    Tues, 02/06/2007 23:59:03 - UDP packet dropped - Source:71.198.144.124, 29671, WAN - Destination:69.62.190.27, 17771, LAN - 'Suspicious UDP Data'
    Tues, 02/06/2007 23:59:03 - UDP packet dropped - Source:69.254.129.87, 25777, WAN - Destination:69.62.190.27, 17771, LAN - 'Suspicious UDP Data'
    Wed, 02/07/2007 00:58:17 - TCP connection dropped - Source:84.113.243.31, 4089, WAN - Destination:69.62.190.27, 4899, LAN - 'Suspicious TCP Data'
    Wed, 02/07/2007 01:04:53 - TCP connection dropped - Source:222.109.64.11, 4180, WAN - Destination:69.62.190.27, 4899, LAN - 'Suspicious TCP Data'
    Wed, 02/07/2007 01:11:33 - TCP connection dropped - Source:69.210.107.179, 2310, WAN - Destination:69.62.190.27, 5900, LAN - 'Suspicious TCP Data'
    Wed, 02/07/2007 01:20:39 - TCP connection dropped - Source:82.77.49.134, 4268, WAN - Destination:69.62.190.27, 5900, LAN - 'Suspicious TCP Data'
    Wed, 02/07/2007 01:25:39 - TCP connection dropped - Source:69.39.17.14, 2169, WAN - Destination:69.62.190.27, 5900, LAN - 'Suspicious TCP Data'
    Wed, 02/07/2007 01:32:37 - TCP connection dropped - Source:86.122.118.134, 21353, WAN - Destination:69.62.190.27, 5900, LAN - 'Suspicious TCP Data'
    Wed, 02/07/2007 01:54:19 - UDP packet dropped - Source:24.64.240.79, 24358, WAN - Destination:69.62.190.27, 1026, LAN - 'Suspicious UDP Data'
    Wed, 02/07/2007 01:58:13 - TCP connection dropped - Source:203.136.180.35, 1787, WAN - Destination:69.62.190.27, 4899, LAN - 'Suspicious TCP Data'
    Wed, 02/07/2007 02:08:53 - UDP packet dropped - Source:24.64.15.27, 23100, WAN - Destination:69.62.190.27, 1026, LAN - 'Suspicious UDP Data'
    Wed, 02/07/2007 02:14:33 - TCP connection dropped - Source:69.60.230.182, 3230, WAN - Destination:69.62.190.27, 5900, LAN - 'Suspicious TCP Data'
    Wed, 02/07/2007 02:37:56 - Get NTP Time: Wed, 02/07/2007 02:37:56
    Wed, 02/07/2007 02:43:34 - TCP connection dropped - Source:58.20.109.29, 41611, WAN - Destination:69.62.190.27, 1080, LAN - 'socks proxy'
    Wed, 02/07/2007 02:50:00 - UDP packet dropped - Source:24.64.249.229, 30319, WAN - Destination:69.62.190.27, 1026, LAN - 'Suspicious UDP Data'
    Wed, 02/07/2007 03:35:24 - UDP packet dropped - Source:24.64.63.194, 15585, WAN - Destination:69.62.190.27, 1026, LAN - 'Suspicious UDP Data'
    Wed, 02/07/2007 03:48:36 - TCP connection dropped - Source:219.148.147.207, 6000, WAN - Destination:69.62.190.27, 7212, LAN - 'Suspicious TCP Data'
    Wed, 02/07/2007 04:08:02 - TCP connection dropped - Source:69.119.105.63, 1135, WAN - Destination:69.62.190.27, 2968, LAN - 'Suspicious TCP Data'
    Wed, 02/07/2007 04:48:50 - UDP packet dropped - Source:24.64.140.137, 31953, WAN - Destination:69.62.190.27, 1028, LAN - 'Suspicious UDP Data'
    Wed, 02/07/2007 05:05:30 - TCP connection dropped - Source:69.66.155.156, 1831, WAN - Destination:69.62.190.27, 5900, LAN - 'Suspicious TCP Data'
    Wed, 02/07/2007 05:14:22 - TCP connection dropped - Source:88.161.116.110, 2487, WAN - Destination:69.62.190.27, 5900, LAN - 'Suspicious TCP Data'
    Wed, 02/07/2007 05:20:48 - TCP connection dropped - Source:69.28.232.137, 2852, WAN - Destination:69.62.190.27, 2967, LAN - 'Suspicious TCP Data'
    Wed, 02/07/2007 05:21:04 - TCP connection dropped - Source:222.215.119.221, 7000, WAN - Destination:69.62.190.27, 42561, LAN - 'Suspicious TCP Data'
    Wed, 02/07/2007 05:30:00 - TCP connection dropped - Source:67.103.145.2, 50550, WAN - Destination:69.62.190.27, 5900, LAN - 'Suspicious TCP Data'
    Wed, 02/07/2007 06:27:00 - TCP connection dropped - Source:24.168.156.164, 25194, WAN - Destination:69.62.190.27, 5900, LAN - 'Suspicious TCP Data'
    Wed, 02/07/2007 06:31:54 - TCP connection dropped - Source:24.168.156.164, 23455, WAN - Destination:69.62.190.27, 5900, LAN - 'Suspicious TCP Data'
    Wed, 02/07/2007 06:38:00 - Get NTP Time: Wed, 02/07/2007 06:38:00
    Wed, 02/07/2007 ...
    You can see the exact moment I locked down all my ports. Also, checking my Empires server, I have an abundance of "bad challenges" from one IP on many different ports. Fortunately, the only ports I have open on my server rig are Steam ones and a Half-Life one.

    Fresh install isn't an option.

    So I can check what's incoming with the Router Security logs, but how can I check what's outgoing? Furthermore, how can I find this damn thing and nail it?
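A small parser for the Netgear log format pasted above, added here as an example (it is not part of the thread or of any Netgear tooling): it groups the dropped packets by destination port and by source, so that background scanning of one well-known port can be told apart from a single host sweeping many ports. The sample entries are copied from the log in this post.

```python
import re
from collections import defaultdict

# Regex for the Netgear "packet dropped" entries pasted in this thread. Other
# entries (NTP sync, "Netgear Activated") do not match and are skipped.
LOG_RE = re.compile(
    r"^(?P<day>\w+), (?P<date>\d\d/\d\d/\d{4}) (?P<time>\d\d:\d\d:\d\d) - "
    r"(?P<proto>TCP|UDP) (?:packet|connection) dropped - "
    r"Source:(?P<src>[\d.]+), (?P<sport>\d+), WAN - "
    r"Destination:(?P<dst>[\d.]+), (?P<dport>\d+), LAN - '(?P<reason>[^']*)'$"
)

def parse_line(line):
    """Return a dict for one dropped-packet entry, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"], entry["dport"] = int(entry["sport"]), int(entry["dport"])
    return entry

def summarize(lines):
    """Group drops two ways. Many distinct sources hitting one low port (5900/VNC,
    4899/Radmin in the log) is the background scanning every public IP sees; a burst
    of sources to one high port within seconds is usually late replies to traffic the
    LAN host itself sent earlier. One source touching many ports is a real sweep."""
    sources_per_port = defaultdict(set)
    ports_per_source = defaultdict(set)
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        sources_per_port[(e["proto"], e["dport"])].add(e["src"])
        ports_per_source[e["src"]].add(e["dport"])
    return ({k: len(v) for k, v in sources_per_port.items()},
            {k: len(v) for k, v in ports_per_source.items()})

# Entries copied from the router log in this post (page values, not constructed).
SAMPLE = """\
Tues, 02/06/2007 22:51:39 - UDP packet dropped - Source:71.81.235.220, 1672, WAN - Destination:69.62.190.27, 18415, LAN - 'Suspicious UDP Data'
Tues, 02/06/2007 22:51:39 - UDP packet dropped - Source:75.46.137.252, 3277, WAN - Destination:69.62.190.27, 18415, LAN - 'Suspicious UDP Data'
Tues, 02/06/2007 22:51:41 - UDP packet dropped - Source:84.61.62.9, 2786, WAN - Destination:69.62.190.27, 18415, LAN - 'Suspicious UDP Data'
Wed, 02/07/2007 06:27:00 - TCP connection dropped - Source:24.168.156.164, 25194, WAN - Destination:69.62.190.27, 5900, LAN - 'Suspicious TCP Data'
Wed, 02/07/2007 06:31:54 - TCP connection dropped - Source:24.168.156.164, 23455, WAN - Destination:69.62.190.27, 5900, LAN - 'Suspicious TCP Data'
Wed, 02/07/2007 06:38:00 - Get NTP Time: Wed, 02/07/2007 06:38:00
""".splitlines()
```

Feed it the full log and a source whose distinct-port count is high is the one worth looking at; a port whose source count is high but whose sources each touched only that port is just noise.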
     
  11. Niarbeht

    Niarbeht Member

    Have you tried netstat -a -b?

    Might be a damn shitty one that shows itself easily...

    EDIT:
    I am ze 100% stealth on ze first ~1000whatever ports. I'm sure something up in the thousands is open, but hey, I'm on 56k, if it's open there won't really be enough bandwidth to do anything with it...
     
    Last edited: Feb 8, 2007
  12. dumpster_fox

    dumpster_fox Member

    Niarbeht: page one, page two, and page three. The parts below the red lines are on the next image as well.

    I don't think that this is particularly helpful, though, because a bunch of connections pop up right when I log in, then quickly disappear. Use of the -a -b switches seems to slow netstat down a lot, and I doubt I could catch them in time.
     
  13. Niarbeht

    Niarbeht Member

  14. dumpster_fox

    dumpster_fox Member

  15. L3TUC3

    L3TUC3 Member

    Well, it's safe to assume something is having fun with your internet connection. Maybe contact your virus scan supplier? It might be something they haven't caught yet.
     
  16. Razorbud

    Razorbud Coder

  17. Jcw87

    Jcw87 Member

    I've never seen anything like this before... First of all, what kind of dumbass program tries to connect to the same server on 1,000 different ports? Normally it works the other way, where a remote computer tries to find open ports on your computer. Maybe to make you believe you're being port scanned and nothing else? It sure as hell looks like you're being port scanned, but connections are actually being established on every port, which implies that your computer made those connection requests... Even more strange, it's coming from your System PID. Either you have some wonky windows service running, or some new type of virus found its way into the core of your OS. If that is the case, re-format is the only option till a virus scanner can pick it out and remove it.

    Maybe you are (unwillingly) participating in some kind of DDoS attack?
     
    Last edited: Feb 9, 2007
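For the "how can I check what's outgoing" question earlier in the thread and the fan-out pattern Jcw87 describes here, an added example (not from the thread, not a Windows tool): it parses the text of `netstat -ano` on Windows and flags a PID that holds established connections to one remote host on many distinct ports, which is the signature of the local side initiating them. The sample rows and the 203.0.113.x addresses are constructed.

```python
import re
from collections import defaultdict

# One row of `netstat -ano` output on Windows: proto, local, remote, [state], pid.
# UDP rows have no state column, so the state group is optional.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\S+)\s+(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)

def parse_netstat(text):
    """Parse the rows of `netstat -ano`; header and blank lines simply do not match."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows

def fan_out_by_pid(rows, min_ports=3):
    """(pid, remote host) pairs with established connections to many distinct remote
    ports. Inbound scans look the opposite way: the remote port stays fixed and the
    local port varies, so many remote ports from one PID means the PID connected out."""
    ports = defaultdict(set)
    for r in rows:
        if r["proto"] == "TCP" and r["state"] == "ESTABLISHED":
            ports[(r["pid"], r["raddr"])].add(int(r["rport"]))
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}

def udp_sockets_by_pid(rows):
    """UDP sockets open per PID (the 'why so many UDP ports' question above)."""
    counts = defaultdict(int)
    for r in rows:
        if r["proto"] == "UDP":
            counts[r["pid"]] += 1
    return dict(counts)

# Constructed sample in netstat -ano layout; on Windows XP and later PID 4 is the
# System process, 203.0.113.0/24 is a documentation range, PIDs 1832/2916 are made up.
SAMPLE = """\
  TCP    192.168.0.4:1277    203.0.113.10:1024    ESTABLISHED   4
  TCP    192.168.0.4:1278    203.0.113.10:1025    ESTABLISHED   4
  TCP    192.168.0.4:1279    203.0.113.10:1026    ESTABLISHED   4
  TCP    192.168.0.4:1280    203.0.113.10:1027    ESTABLISHED   4
  TCP    192.168.0.4:139     0.0.0.0:0            LISTENING     4
  TCP    192.168.0.4:2304    203.0.113.55:80      ESTABLISHED   1832
  UDP    192.168.0.4:26904   *:*                                 2916
  UDP    192.168.0.4:26905   *:*                                 2916
  UDP    0.0.0.0:2410        *:*                                 2916
"""
```

Because short-lived connections vanish before one `netstat` run finishes, capture repeatedly (for example `netstat -ano` in a loop redirected to a file) and run the parser over the accumulated output; the PID can then be matched to a process with Task Manager or `tasklist`.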
  18. Niarbeht

    Niarbeht Member

    If it's establishing an outbound connection like that, it's probably "dialing home". It also achieves the opening of the port, should "home" decide it wants to do something in return.

    I'm sorry, man, but I'm going to have to recommend you re-install. Or, install every anti-virus/anti-malware known to man, reboot in safe mode, and scan like mad.

    EDIT:
    Ever tried running peerguardian and manually adding the IP addy's being opened?
     
  19. katana9000

    katana9000 Member

    Wow... That is quite a problem you've got there. Depending on the complexity and make of the worm/virus, these can usually be fixed with something as simple as Norton Internet Security. Simply install it. Unplug your connection. And set it to catch all incoming and outgoing commands. Reconnect and enable ONLY the ones you know to be safe. This also tells you which program is sending them. This will work as long as it isn't a super virus or one that also disables anti-viruses. Wish you luck.
     
  20. dumpster_fox

    dumpster_fox Member

    I installed ZoneAlarm, and all of those unidentifiable connections when I start up have just disappeared. Let's see if it stays that way, I guess.

    UPDATE: Nup, they're still there. However, I put a little more footwork into researching my issue, and came up with this: someone else had my problem. Turns out that yeah, all of the IPs and domains resolve to Limelight Networks, who told that guy that they weren't malicious. Should I habeeb this? Could it be that I had no worm after all, and that it was just some company failing at the internets ("These are either broken connections or errors coming from the servers instead of the load balancer.")? I certainly haven't noticed any malicious behavior whatsoever on my computer, which is what really had me baffled.
     
    Last edited: Feb 11, 2007