lorwynd 0 Posted November 13, 2023 Share Posted November 13, 2023 Hello, Hoping someone out there will be able to help provide additional information to help track down if these reports are malicious or false positives. Recently we've been getting this notification (TCP Port Scan attack Win32/Botnet.generic). TCP port scan detected; Blocked; 192.168.0.45:62067; 192.168.0.112:23; TCP; Win32/Botnet.generic A TCP port scan was detected and blocked. The source IP addresses and ports scanned were 192.168.0.45:62067 and 192.168.0.112:23. The malware detected was Win32/Botnet.generic. Duplicate IP addresses detected in network; Blocked; 192.168.1.1 [b0:95:75:12:03:5d]; 192.168.1.1 [b0:95:75:12:16:13]; ARP How to track and remove a threat. For any information that may be able to help us identify this would be greatly appreciated! Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted November 13, 2023 Administrators Share Posted November 13, 2023 Couldn't it be that you have Windows Defernder APT installed or a penetration test was being performed when the detection occurred? Are you able to reproduce the detection? Link to comment Share on other sites More sharing options...
itman 1,659 Posted November 13, 2023 Share Posted November 13, 2023 (edited) First,Win32/Botnet.generic is an Eset detection id. 7 hours ago, Marcos said: penetration test was being performed when the detection occurred? "My money" is on this event. Port 23 is used by Telnet which is not installed by default on Win 10/11. However, it can be installed by one of the methods listed in this article: https://www.makeuseof.com/enable-telnet-windows/ . External scan attempts against port 23 are a common occurrence by hackers. Normally, such activity should be blocked by an external firewall; either on the router/gateway firewall, or by firewall appliance at network perimeter. Edited November 13, 2023 by itman Link to comment Share on other sites More sharing options...
Recommended Posts