
Repeated TCP port scanning attacks


Recommended Posts

I have ESET Smart Security v.9 home version on a Windows XP computer connected by blue ethernet cable directly to the NBN. I am getting ESET alerts for repeated TCP port scanning attacks. As I understand it, this means that ESET is doing its job correctly in protecting me, but I am increasingly annoyed at these attempted attacks. They are more frequent at weekends and now, in school holidays, happening several times a day, and even within the hour. I was told on a Whirlpool forum not to worry, as it was just "script kiddies" playing around, but I'd love to put a stop to them. Any suggestions? I am not at all computer literate, so simple language, please.


  • Administrators

If the attacks are coming from a trusted device, you can exclude the device's IP address from port scan detection in IDS exceptions.


I've no idea where the attacks are coming from, so I assume they are potentially malicious, and I certainly don't want to make an exception for them.


What router do you have, and have you ever run Emsisoft over it? Are you in a network?

Edited by galaxy

8 hours ago, ClareG said:

I've no idea where the attacks are coming from, so I assume they are potentially malicious, and I certainly don't want to make an exception for them.

Do you have the IP address? If so you can narrow it down. In the past, I also had some port scanning attacks. ESET was quick to block them, but I was able to look up the address and contact that service provider via their "abuse" e-mail address. After I referred the attacks to them (the provider) the attacks stopped (it was 3 or 4 of the same IPs over and over and over). 

Whois Lookup is pretty good. It's run by DomainTools. http://whois.domaintools.com/ When you look up the IP (if it's not yours or a trusted IP) in the readout there should be an "abuse" e-mail address.

Edited by TomFace

3 hours ago, galaxy said:

What router do you have, and have you ever run Emsisoft over it? Are you in a network?

galaxy, as the main forum is an English forum, please post in English so we can all understand.

Edited by TomFace

Thanks TomFace, that's a useful idea. But all I have is the pop-up alert from ESET each time it happens, and I don't know how I would find the IP address from that.


  • Most Valued Members
7 minutes ago, ClareG said:

Thanks TomFace, that's a useful idea. But all I have is the pop-up alert from ESET each time it happens, and I don't know how I would find the IP address from that.

Have you tried the latest version of ESET to see if it is any different? I think it will work on XP.


  • ESET Moderators

Hello,

You mentioned that your computer is connected directly to NBN via a blue Ethernet cable.  I'm guessing that NBN means Australia's National Broadband Network.  Is that correct?  I have seen it mentioned in the news here in the U.S., but am not tremendously familiar with it.  

There may be some ways to resolve this, but without having a better understanding of how things are wired together it is difficult to say for certain.  So, my first question to you in order to figure out how this works is as follows: 

What's the blue ethernet cable plugged into at the opposite end from your Windows XP computer's Ethernet port?  Does it go into some sort of device like a modem, or is just a receptacle in the wall similar to a power outlet?

Regards,

Aryeh Goretsky


1 hour ago, ClareG said:

Thanks TomFace, that's a useful idea. But all I have is the pop-up alert from ESET each time it happens, and I don't know how I would find the IP address from that.

Aryeh is the expert here so respond to his inquiry.

As far as getting the IP address, unless I am mistaken, there should be a record in log files. Go to (from main gui)>tools>more tools (bottom right hand corner)> log files>and I'm thinking it "should" be under firewall. If not, just look at your other choices (maybe events?). If memory serves me correctly, you should see a list of blocked items which should include the IP addresses.

 


To answer Aryeh first: the blue ethernet cable from my Windows XP computer's Ethernet port goes into a socket on a receptacle in the wall similar to a power outlet, supplied and installed by the National Broadband Network here in Melbourne, Australia.

TomFace: I found the list of Detected Port Scanning attacks under the Personal Firewall tab - 60 of them between 7 October and 14 December. Several have the same beginning number, e.g. 222.186.138.64:0000 and 222.186.58.131:6000

I've tried entering those into whois.domaintools but it says they are 'malformed'. There are other similar clusters, which I haven't looked up.

peteyt: My ESET is v. 9.0.408.0, and no I haven't tried another version. Prefer not to at this stage, as this one seems to be working as it should re these attacks.


Why do you not have a modem/router between you and the wall outlet?  Surely it is highly dubious to be directly connected to the outside without some extra form of wall to protect any connected system?


  • Most Valued Members
6 hours ago, ClareG said:

To answer Aryeh first: the blue ethernet cable from my Windows XP computer's Ethernet port goes into a socket on a receptacle in the wall similar to a power outlet, supplied and installed by the National Broadband Network here in Melbourne, Australia.

TomFace: I found the list of Detected Port Scanning attacks under the Personal Firewall tab - 60 of them between 7 October and 14 December. Several have the same beginning number, e.g. 222.186.138.64:0000 and 222.186.58.131:6000

I've tried entering those into whois.domaintools but it says they are 'malformed'. There are other similar clusters, which I haven't looked up.

peteyt: My ESET is v. 9.0.408.0, and no I haven't tried another version. Prefer not to at this stage, as this one seems to be working as it should re these attacks.

It may work but newer versions often introduce newer technologies and improvements and also fix bugs. There is always a risk when using older versions


6 hours ago, ClareG said:

TomFace: I found the list of Detected Port Scanning attacks under the Personal Firewall tab - 60 of them between 7 October and 14 December. Several have the same beginning number, e.g. 222.186.138.64:0000 and 222.186.58.131:6000

I've tried entering those into whois.domaintools but it says they are 'malformed'. There are other similar clusters, which I haven't looked up.

 

You must have entered too many numbers. Only enter 222.186.138.64 and/or 222.186.58.131. Both appear to be coming from Chinese hackers (China Zhenjiang Chinanet Jiangsu Province Network).

http://www.whatsmyip.org/ip-geo-location/?ip=222.186.58.131

Here are the links to the IP description.

http://whois.domaintools.com/222.186.138.64   http://whois.domaintools.com/222.186.58.131

There appears to be an abuse e-mail address but I am not sure how cooperative they will be (it may be state sponsored... don't know).

Edited by TomFace
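The two practical steps in this exchange, pulling the source addresses out of the firewall log (TomFace's earlier instructions) and feeding them to whois without the ":0000" port suffix that made the DomainTools form report "malformed", can be done with a short script. The following is an added example written for this page; it is not ESET's code and was not posted by anyone in the thread. The log lines in it are constructed to resemble the entries ClareG quoted, the column layout of an ESET firewall log export is an assumption (only the address:port token is parsed), and 203.0.113.9 is an RFC 5737 documentation address standing in for an unrelated source.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log: five "Detected Port Scanning attack" entries in the
# shape ClareG quoted (source address followed by ':port'). The column layout
# of a real ESET firewall log export is an assumption; only the address token
# is parsed. 203.0.113.9 is an RFC 5737 documentation address.
SAMPLE_LOG = """\
14/12 09:12:03  Detected Port Scanning attack  222.186.138.64:0000  Blocked
14/12 09:40:51  Detected Port Scanning attack  222.186.58.131:6000  Blocked
14/12 11:02:17  Detected Port Scanning attack  222.186.138.64:0000  Blocked
13/12 22:15:09  Detected Port Scanning attack  222.186.138.77:22    Blocked
13/12 23:44:40  Detected Port Scanning attack  203.0.113.9:3389     Blocked
"""

# IPv4 dotted quad, optionally followed by ':port'.
ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?")


def strip_port(token: str):
    """Return the bare address from 'a.b.c.d:port' or 'a.b.c.d', or None if
    the token is not a valid IPv4 address. Whitespace inside the token is
    dropped so a hand-copied '222.186.138. 64:0000' still parses."""
    m = ADDR_RE.fullmatch(re.sub(r"\s+", "", token))
    if m is None:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(1)))
    except ipaddress.AddressValueError:
        return None


def extract_sources(log_text: str):
    """Every valid source address found in the log, in order of appearance."""
    sources = []
    for line in log_text.splitlines():
        for m in ADDR_RE.finditer(line):
            addr = strip_port(m.group(0))
            if addr is not None:
                sources.append(addr)
    return sources


def summarize(log_text: str, prefix_len: int = 24):
    """Count hits per source address and per /prefix_len block, so the
    'same beginning number' clusters the poster noticed become visible."""
    sources = extract_sources(log_text)
    per_ip = Counter(sources)
    per_block = Counter(
        str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
        for ip in sources
    )
    return per_ip, per_block


def whois_lookup_urls(log_text: str):
    """Unique bare addresses in the form the DomainTools whois page accepts:
    one address per URL, no port suffix, sorted numerically."""
    unique = sorted(set(extract_sources(log_text)), key=ipaddress.IPv4Address)
    return [f"http://whois.domaintools.com/{ip}" for ip in unique]


if __name__ == "__main__":
    per_ip, per_block = summarize(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{n:3d}  {ip}")
    print("by /24:", dict(per_block))
    print("\n".join(whois_lookup_urls(SAMPLE_LOG)))
```

The per-/24 count is what turns "several have the same beginning number" into a concrete figure: a handful of sources in one block is typical of a single scanning host or small range, and the abuse contact for the whole block is the one to use if you do decide to report it.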

Many thanks for checking those numbers for me, TomFace. Chinese hackers sounds far more potentially malicious than local school kids playing around.

But I'm inclined not to report abuse because it would show they are getting through to a real person and that could give them more ammunition in some way.

To Hypoonis: ESET is doing a good job of being my personal firewall. I wouldn't know what sort of modem/router would do any better nor would I have any idea how to install it. I'm of the 'if it works, don't fix it' generation and mind-set.

To peteyt: when the time comes to renew my ESET subscription I shall no doubt be offered the latest version. But this version updates itself daily if not more often.


  • Most Valued Members
18 minutes ago, ClareG said:

Many thanks for checking those numbers for me, TomFace. Chinese hackers sounds far more potentially malicious than local school kids playing around.

But I'm inclined not to report abuse because it would show they are getting through to a real person and that could give them more ammunition in some way.

To Hypoonis: ESET is doing a good job of being my personal firewall. I wouldn't know what sort of modem/router would do any better nor would I have any idea how to install it. I'm of the 'if it works, don't fix it' generation and mind-set.

To peteyt: when the time comes to renew my ESET subscription I shall no doubt be offered the latest version. But this version updates itself daily if not more often.

Just in case you didn't know, your license works for all versions of the product you have purchased, e.g. if you buy a license for Internet Security and 10 is out when you purchased, you can use that license for 11 when it comes out - they license per product rather than per version.


31 minutes ago, ClareG said:

I wouldn't know what sort of modem/router would do any better nor would I have any idea how to install it

Most major ISP providers in the U.S. will provide a combo router/modem as part of their service offering package. These are set up and configured by ISP personnel when the service is installed and activated. This is especially true if your network connection is via DSL. Almost all the routers have a built-in firewall with all rules pre-configured. The router firewall will prevent TCP port scanning and most denial-of-service (DoS) attacks. They will not prevent distributed, i.e. multi-point, denial of service attacks (DDoS). Most of the routers have NAT and are stateful. NAT, i.e. network address translation, will hide the actual outbound port you are using by redirecting it to another unused router port. Stateful means that the router will only respond to and allow inbound a network packet for which one was previously transmitted outbound. This capability also means that no unnecessary ports are open on the Internet-facing side of the router, yielding what is effectively known as "stealth" capability. An attacker can scan the router's inbound ports until "hell freezes over" but will never succeed since he cannot find an open port on the router to access.

Bottom line - your security software firewall becomes a backup facility to these routers and is rarely if ever used for inbound network traffic monitoring. The software firewall in this configuration is used primarily for monitoring outbound and local network based traffic.

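To make the contrast in itman's reply concrete, a stateful router that silently drops every unsolicited inbound packet versus a directly connected host whose IDS has to watch each probe arrive and decide when to call it a scan, here is a small model. It is an added example written for this page, not ESET's code and not any router vendor's implementation. The detector's threshold and window are assumptions chosen for the example, not ESET's actual IDS parameters, and the addresses come from the RFC 5737 documentation ranges.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFilter:
    """Connection-tracking inbound filter, the router behaviour described
    above: an inbound packet is accepted only if it belongs to a flow the
    inside host opened first. Unsolicited packets are dropped with no reply,
    so a scanner sees neither an open nor a closed port."""

    def __init__(self):
        self._flows = set()   # (inside_ip, inside_port, remote_ip, remote_port)

    def outbound(self, pkt: Packet) -> None:
        self._flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))

    def inbound(self, pkt: Packet) -> bool:
        # A legitimate reply arrives with source and destination swapped.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self._flows


class PortScanDetector:
    """Sliding-window heuristic of the kind a host IDS uses to raise a
    'port scanning attack' alert: one source touching at least `threshold`
    distinct destination ports within `window` seconds. The numbers are
    assumptions for this example, not ESET's detection parameters."""

    def __init__(self, threshold: int = 10, window: float = 60.0):
        self.threshold = threshold
        self.window = window
        self._hits = defaultdict(deque)   # src_ip -> deque of (time, dst_port)

    def observe(self, now: float, pkt: Packet) -> bool:
        hits = self._hits[pkt.src_ip]
        hits.append((now, pkt.dst_port))
        while hits and now - hits[0][0] >= self.window:
            hits.popleft()                     # expire probes outside the window
        distinct_ports = {port for _, port in hits}
        return len(distinct_ports) >= self.threshold


def simulate(scan_ports, threshold: int = 10):
    """Run one legitimate outbound connection plus one scan against both
    models and report what each one lets through or flags. Addresses are
    from the RFC 5737 documentation ranges (constructed, not real hosts)."""
    host, scanner, web = "192.0.2.10", "198.51.100.7", "203.0.113.80"
    fw = StatefulFilter()
    ids = PortScanDetector(threshold=threshold, window=60.0)

    # The host opens a connection; the reply matches the tracked flow.
    fw.outbound(Packet(host, 49152, web, 443))
    reply_accepted = fw.inbound(Packet(web, 443, host, 49152))

    probes_passed = 0
    alerts = 0
    first_alert = None
    for i, port in enumerate(scan_ports):
        probe = Packet(scanner, 40000 + i, host, port)
        if fw.inbound(probe):                  # behind the stateful router
            probes_passed += 1
        if ids.observe(float(i), probe):       # directly connected host, 1 s apart
            alerts += 1
            if first_alert is None:
                first_alert = i
    return {"reply_accepted": reply_accepted, "probes_passed": probes_passed,
            "alerts": alerts, "first_alert_probe": first_alert}


if __name__ == "__main__":
    print("scan of ports 1-100:", simulate(range(1, 101)))
    print("50 retries to one port:", simulate([80] * 50))
```

The two runs at the bottom show the point of each design: behind the router no probe reaches the host and nothing needs to alert, while on a directly connected host the IDS fires from the tenth distinct port onwards. Counting distinct ports rather than raw packets is what keeps a client that retries one port fifty times from being reported as a scan.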

That's all very interesting, itman, and I think I understand what you are saying. But I'm not in the USA and my ISP did not offer a 'combo router/modem' when they signed me up to the NBN. They are in another state and not in the business of selling or installing hardware. Also I assume such a device would require its own power point, and I have none to spare anywhere near the computer; I live in a very small flat (apartment) built in the 1970s when one power socket per room was the norm; I'm already using all the spare slots on a powerboard for the NBN device, the printer and heaters.

I've discovered that I can set ESET not to send these pop-ups of these threats it is detecting, and just let it go on with its job in the background. Maybe I'll do that.

No peteyt, I didn't know that but unless someone tells me otherwise I don't see that upgrading to a more recent version of ESET would make a difference re this particular issue. 


  • ESET Moderators

Hello,

You mentioned that the blue Ethernet cable goes into what sounds like a wall-mounted Ethernet jack, but also that it has a connection to a powerboard.  Does the jack in the wall have a second cable coming out of it to get power from the powerboard?  

Regards,

Aryeh Goretsky

 


Aryeh: it looks like this

I don't have Foxtel but it was the best illustration I could find. It is sometimes installed with a Battery Backup Unit, but I rarely experience electric power drop-outs so I chose not to have that. Besides the blue ethernet cable, I have a line to a power point and a connection to a UNI-V voice port for my telephone, so that I can make or receive phone calls at any time, even when my computer is switched off.


14 hours ago, ClareG said:

Many thanks for checking those numbers for me, TomFace. Chinese hackers sounds far more potentially malicious than local school kids playing around.

But I'm inclined not to report abuse because it would show they are getting through to a real person and that could give them more ammunition in some way.

ClareG, I understand completely. Again, if it's Gov't sponsored hacking you would not get any response/cooperation anyway. I used to get port scans from China a few years ago (from time to time) and they just abruptly stopped on their own. With attacks these days it's hard to judge what they're after or the "size" of their desired target.

The only time I used the abuse e-mail was another scanning attack from a domestic location here in the US.

Keep your defenses strong (and up). I wish you luck with your issue. :)

Edited by TomFace

10 hours ago, ClareG said:

That's all very interesting, itman, and I think I understand what you are saying. But I'm not in the USA and my ISP did not offer a 'combo router/modem' when they signed me up to the NBN. They are in another state and not in the business of selling or installing hardware. Also I assume such a device would require its own power point, and I have none to spare anywhere near the computer; I live in a very small flat (apartment) built in the 1970s when one power socket per room was the norm; I'm already using all the spare slots on a powerboard for the NBN device, the printer and heaters.

If using a Wi-Fi router, it doesn't have to be located in the same room as where the NBN/computer is located. It could reside in another room as long as you have an NBN patch panel in another room. Here's a guide on how to connect a Wi-Fi router to the NBN: https://iihelp.iinet.net.au/General_NBN_FTTP_router_setup_advice. This setup also has the advantage of allowing you to locate your computer in any room, and multiple computers if you wish. The only downside to a Wi-Fi router is the internal network adapter connection speed your PC supports. Most older PCs limit that to 100 Mbps.

Perhaps you can find an I.T. friend that can help you purchase a suitable router with all the features I previously mentioned and help set it up for you.

Edited by itman

  • Most Valued Members
16 hours ago, ClareG said:

That's all very interesting, itman, and I think I understand what you are saying. But I'm not in the USA and my ISP did not offer a 'combo router/modem' when they signed me up to the NBN. They are in another state and not in the business of selling or installing hardware. Also I assume such a device would require its own power point, and I have none to spare anywhere near the computer; I live in a very small flat (apartment) built in the 1970s when one power socket per room was the norm; I'm already using all the spare slots on a powerboard for the NBN device, the printer and heaters.

I've discovered that I can set ESET not to send these pop-ups of these threats it is detecting, and just let it go on with its job in the background. Maybe I'll do that.

No peteyt, I didn't know that but unless someone tells me otherwise I don't see that upgrading to a more recent version of ESET would make a difference re this particular issue. 

I don't know if it would make any difference, but I have noticed people on here not wanting to pay for the newer version, like you, not realising that it doesn't cost anything. It may not fix this particular issue, I'd be lying if I said I knew about this issue, but as newer versions contain multiple fixes and new features/improvements you never know. Some people prefer to stick to older versions, but for me when it comes to ESET I always upgrade, as the newer versions generally offer better protection than previous versions.


This topic is now closed to further replies.