Dismiss Notice

Psst... Ready to join TalkBass and start posting, make new friends, sell your gear, and more?  Register your free account in 30 seconds.

Anyone else having a lot of ports scans via firewall?

Discussion in 'Off Topic [BG]' started by odie, Sep 21, 2003.


  1. odie

    odie Supporting Member

    I usually average 1-5 blocked port scans via ZoneAlarm. But today I have had atleast 30!!!

    What gives?? Im a noob when it comes to this. But it seems out of ordinary for me.:eek:
     
  2. i noticed this too; the day i installed zonealarm, i had a scan *immediatly* when it was opened up!

    in the past 2 weeks, I've had 150,000 scans, and I do not have any servers, websites etc.

    hacking is really stupid :meh:
     
  3. FretNoMore

    FretNoMore * Cooking with GAS *

    Jan 25, 2002
    The frozen north
    Any PC owner that has a minimum of survival instinct should get a firewall and an email virus scanner ASAP. Properly set up the hacking turns into pathetic background noise. It is annoying though to know that there's thousands of pimply geeks attacking your computer at all times. Maybe we should bring back public caning. Would be suitable for the spammers too.

    Please note the absence of a smiley face.
     
  4. odie

    odie Supporting Member

    Do you even need an email scanner if using hotmail etc?? Ive heard the debate before. But was not sure of what to think etc.
     
  5. FretNoMore

    FretNoMore * Cooking with GAS *

    Jan 25, 2002
    The frozen north
    I guess it depends on how good the scanning is at your Internet and mail service provider, but I prefer to have my own security on top of whatever they provide. During the latest crazy virus period I got something like one hundred email daily with viruses attached, many looked like the came from hotmail addresses, even though my ISP supposedly checks for spam and viruses. The best protection is probably to be very paranoid about what mail you read, but I felt there were so many last time that I might have opened one inadvertantly. So now I have a virus check on incoming mail as well.
     
  6. Mike Money

    Mike Money Banned

    Mar 18, 2003
    Bakersfield California
    Avatar Speakers Endorsing Hooligan
    I have no anti-virus software or anything like that. The only firewall I have is built into my router. My pc is perfectly fine.
     
  7. BigTed

    BigTed

    Jul 1, 2002
    San Diego
    I get port scanned on average every 5 to 10 minutes when I have my computer on. Just as scary is all of the programs that try to acess the internet from my computer.

    If you don't already, tell ZoneAlarm to alert you everytime a program tries to access the internet. SCARY!!:eek:
     
  8. Ívar Þórólfsson

    Ívar Þórólfsson Mmmmmm... Supporting Member

    Apr 9, 2001
    Kopavogur, Iceland
    Guys, these are not hack attempts.... this is the result of two viruses... Sobig and Msblaster.

    They scan computers for port 135(and one other port) and check if the are vulnarable to that Microsoft bug. If so, they automatically transfer themselves via TFTP to your computer and start spreading themselves around the net.

    Those are my 0.02$ on the subject.
     
  9. Kazaa uses port 1214. I have 3000+ of shared files, so I get scanned (and those are blocked!) a lot on that port, when Kazaa isn't running.
     
  10. odie

    odie Supporting Member

    I always get a scan on port 27374. I have had 50+ since midnight last night!! I usually have only a few a day.

    What is this port?
     
  11. FretNoMore

    FretNoMore * Cooking with GAS *

    Jan 25, 2002
    The frozen north
    You can do an Internet search on "port xxx", where xxx=your number, you'll get lots of info on what the traffic might mean.

    27374 is used by a known trojan (downloaded program that opens a back-door to your PC) called SubSeven.
     
  12. Ívar Þórólfsson

    Ívar Þórólfsson Mmmmmm... Supporting Member

    Apr 9, 2001
    Kopavogur, Iceland
    I did a search on google. "port 2734" and basically what I came up with is this:

    SubSeven 2.1 Windows Remote Control Trojan uses that port

    Port 27374 - SubSeven

    27374 is one of the default ports of the BackDoor-G2.svr.gen trojan, more commonly known as SubSeven. It is the current (as of May 2001) trojan of choice for most DDoS attacks and clone attacks on specific services, such as IRC. Scans of this port are often accompanied by scans of port 1243, another default SubSeven port of older versions.

    For a good summary of SubSeven, see Symantec's SubSeven Page.
     
  13. Ívar Þórólfsson

    Ívar Þórólfsson Mmmmmm... Supporting Member

    Apr 9, 2001
    Kopavogur, Iceland
    Bleh, beat me to it! :)
     
  14. FretNoMore

    FretNoMore * Cooking with GAS *

    Jan 25, 2002
    The frozen north
  15. odie

    odie Supporting Member

    Cool thanx guys.

    Yes ZoneAlarm said that these are most often scans looking for origins of Trojans. So whyare they scanning mine 50 times a day??

    Should I just ignore it?? Or be concerned??
     
  16. FretNoMore

    FretNoMore * Cooking with GAS *

    Jan 25, 2002
    The frozen north
    There's endless amounts of people out there that run automated scanning of various ports to see if they can break in somewhere. You can ignore it, ZoneAlarm's log is just a sign that your firewall is working, blocking these people. Also, if your PC haven't been infected with this particular backdoor program there is nothing for them to communicate with, even if ZoneAlarm hadn't blocked the attempt.
     
  17. Ever since I had DSL w/ steady IP address installed, I get a "break-in" about every few seconds. Over 100,000 since February. Most of them are port 1214 (Kazaa), but a lot of them are "high-rated", real break-in attempts. I expect Zonealarm to only give access to programs I choose.

    Anyone knows what happens when Zonealarm locks up (after all, this is windows...) and I'm not around? Do I risk break-ins or does it block all access, like the ZA panic button?
     
  18. BigTed

    BigTed

    Jul 1, 2002
    San Diego
    If your getting scanned continuesly from the same IP adress, check the DNS name. It usually gives away who their ISP is. Send the ISP an "abuse of service email." I've done it a few times, but I'm not sure if they take those emails seriously.
     
  19. KB

    KB

    Jan 13, 2000
    Chapel Hill, NC
    I have noticed a large increase in the alert log of my Zone Alarm, but I just assume it is hackers pinging my system and ZA blocking them. Now it occurs about every 5 to 10 seconds when on-line.