
Win32/Botnet.generic TCP Port Scan attack local network



Hello,

Hoping someone out there will be able to help provide additional information to help track down if these reports are malicious or false positives. Recently we've been getting this notification (TCP Port Scan attack Win32/Botnet.generic). 
 

TCP port scan detected; Blocked; 192.168.0.45:62067; 192.168.0.112:23; TCP; Win32/Botnet.generic

A TCP port scan was detected and blocked. The source IP addresses and ports scanned were 192.168.0.45:62067 and 192.168.0.112:23. The malware detected was Win32/Botnet.generic.

Duplicate IP addresses detected in network; Blocked; 192.168.1.1 [b0:95:75:12:03:5d]; 192.168.1.1 [b0:95:75:12:16:13]; ARP

 

How to track and remove a threat.

Any information that may be able to help us identify this would be greatly appreciated!


  • Administrators

Couldn't it be that you have Windows Defender ATP installed or a penetration test was being performed when the detection occurred? Are you able to reproduce the detection?


First, Win32/Botnet.generic is an ESET detection ID.

7 hours ago, Marcos said:

penetration test was being performed when the detection occurred?

"My money" is on this event. Port 23 is used by Telnet which is not installed by default on Win 10/11. However, it can be installed by one of the methods listed in this article: https://www.makeuseof.com/enable-telnet-windows/ .

External scan attempts against port 23 are a common occurrence by hackers. Normally, such activity should be blocked by an external firewall, either on the router/gateway firewall or by a firewall appliance at the network perimeter.

Edited by itman
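
Added example, not part of any post in this thread and not ESET code: a small Python triage helper that parses the two log lines quoted in the first post and extracts what a responder would check first (whether the scan source is a private address, which service the target port maps to, and whether the ARP entry shows one IP claimed by two MACs). The field order and the `SERVICES` table are assumptions inferred from the two lines shown on this page.

```python
import ipaddress
import re

# Log lines copied from the first post in this thread.
SAMPLE_LOG = [
    "TCP port scan detected; Blocked; 192.168.0.45:62067; 192.168.0.112:23; TCP; Win32/Botnet.generic",
    "Duplicate IP addresses detected in network; Blocked; 192.168.1.1 [b0:95:75:12:03:5d]; 192.168.1.1 [b0:95:75:12:16:13]; ARP",
]

# Assumption: a minimal port-to-service table, only for labelling the result.
SERVICES = {22: "ssh", 23: "telnet", 445: "smb", 3389: "rdp"}

ENDPOINT = re.compile(r"^(\d+\.\d+\.\d+\.\d+):(\d+)$")
ARP_HOST = re.compile(r"^(\d+\.\d+\.\d+\.\d+) \[([0-9a-fA-F:]{17})\]$")

def triage(line):
    """Classify one semicolon-separated log line (assumed layout) into a dict."""
    fields = [f.strip() for f in line.split(";")]
    if len(fields) < 4:
        return {"kind": "unparsed", "raw": line}
    action, a, b = fields[1], fields[2], fields[3]
    src, dst = ENDPOINT.match(a), ENDPOINT.match(b)
    if src and dst:
        src_ip = ipaddress.ip_address(src.group(1))
        port = int(dst.group(2))
        return {
            "kind": "port_scan",
            "action": action,
            "source": str(src_ip),
            # True means the scanning host sits in private (RFC 1918) space.
            "source_is_internal": src_ip.is_private,
            "target": dst.group(1),
            "target_port": port,
            "service": SERVICES.get(port, "unknown"),
            "detection": fields[5] if len(fields) > 5 else None,
        }
    h1, h2 = ARP_HOST.match(a), ARP_HOST.match(b)
    if h1 and h2:
        mac1, mac2 = h1.group(2).lower(), h2.group(2).lower()
        return {
            "kind": "duplicate_ip",
            "action": action,
            "ip": h1.group(1),
            "macs": sorted({mac1, mac2}),
            # Same IP announced by two different hardware addresses.
            "conflict": h1.group(1) == h2.group(1) and mac1 != mac2,
            # First three octets equal: both adapters share a vendor prefix.
            "same_oui": mac1[:8] == mac2[:8],
        }
    return {"kind": "unparsed", "raw": line}

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(triage(entry))
```

For the quoted port-scan line the helper reports a private source address, so the next check is which machine holds 192.168.0.45 (DHCP leases or the switch/router ARP table).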