
Port Scan Trouble


10 replies to this topic

#1 TulShulty

TulShulty

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:18 AM

Posted 29 August 2008 - 02:33 PM

Hello, I have a problem with my firewall. Whenever I go to a web site or open mail or open Yahoo, the firewall flashes red and then I get the message that the server can't be found and the firewall pops up a log.
1.
Time 08/15/2008 1:52:07 PM
Security Type Port Scan detected
Severity Major
Direction Inbound
Protocol UDP
Local IP 192.168.1.64
Remote Host 192.168.1.254
Application Involved SYSTEM
Count 1

When I open the firewall log or click exit, then everything works fine. It blocks the 192.168.1.254.
I ran ipconfig and this is what I got.

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : domain.invalid
IP Address. . . . . . . . . . . . : 192.168.1.64
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254

Any thoughts on how to fix this?
Thanks for any help :-)


 


#2 Galadriel

Galadriel

    Bleepin Elf


  • Malware Response Team
  • 2,753 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Missouri, USA
  • Local time:12:18 PM

Posted 29 August 2008 - 03:10 PM

Which firewall are you using? And do you have it set to allow normal network traffic to and from your router?

That IP/IP range is Internal. Seems like the "port scan" is coming from your router.
I cemna prestar aen. Han mathon ne nen. Han mathon ne chae. A han noston ne 'wilith. - Galadriel
'The avatar is changed; I can feel it in the water, I can feel it in the earth, I can smell it in the air.'

Phear teh ceiling cat, for he is roofkittehd! - Basement Cat

I'm a Bleeping Folder, are you? - Join BC in the fight against diseases - Click here
Become a BleepingComputer fan: Facebook

#3 TulShulty


Posted 29 August 2008 - 03:44 PM

SystemSuite 8. Yes, both the PC and the laptop are set on trusted network. The PC is wired and the laptop is wireless, if that helps any.

#4 Galadriel


Posted 29 August 2008 - 04:01 PM

SystemSuite 8. Yes, both the PC and the laptop are set on trusted network. The PC is wired and the laptop is wireless, if that helps any.


Doesn't change a thing re wired vs wireless. They are both going through the same router, no? It looks as though your firewall thinks that the router is not part of the trusted network for some reason. I wonder why. There's a lot of normal traffic to and from a router, and it looks like your firewall is confused about what's what.

Time 08/15/2008 1:52:07 PM
Security Type Port Scan detected
Severity Major
Direction Inbound
Protocol UDP
Local IP 192.168.1.64
Remote Host 192.168.1.254
Application Involved SYSTEM
Count 1


That doesn't give much info actually. All it says is that your internal IP is being contacted by the router, and that it's the SYSTEM account privilege calling for it. No other info as to which ports are actually involved and in what way? I mean any IP that starts with 192.168.x.x is part of your LAN. No firewall should think that there's an attack coming from within under normal circumstances. Do check your firewall settings to ensure you aren't blocking normal traffic.

Is this the one?

#5 TulShulty


Posted 29 August 2008 - 04:10 PM

Yes, that is the one. I just double checked and both are set on trusted network. I wonder if I didn't set up my network right, but they both can see each other and share files and things without trouble. It was all working fine till Aug 14. I wonder if they updated the firewall and some setting didn't get updated.

#6 TulShulty


Posted 29 August 2008 - 04:13 PM

Connection-specific DNS Suffix . : domain.invalid
IP Address. . . . . . . . . . . . : 192.168.1.64
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254

What is the default gateway? Is that the Siemens router?
Thank you again :-)

#7 Galadriel


Posted 29 August 2008 - 04:21 PM

What is the default gateway? Is that the Siemens router?
Thank you again :-)


Yes. The default gateway is the router normally. That's how the computer knows where to get its information from to be able to access the internet outside of your network. The router is the one that is actually talking to the rest of the net, you're just patched into the router. But the firewall should see remote IPs when you make a connection, and not just the router's and vice versa. If the incoming traffic were from the outside of your LAN (i.e. not the router), then the IP should be a valid one.

#8 TulShulty


Posted 29 August 2008 - 04:29 PM

Subnet Mask . . . . . . . . . . . : 255.255.255.0
What is that?

Should these 2 IP addresses be the same?
IP Address. . . . . . . . . . . . : 192.168.1.64
Default Gateway . . . . . . . . . : 192.168.1.254

Edited by TulShulty, 29 August 2008 - 04:56 PM.


#9 Galadriel


Posted 29 August 2008 - 08:35 PM

Subnet Mask . . . . . . . . . . . : 255.255.255.0
What is that?


Here's a good explanation of what a subnet is.

Should these 2 IP addresses be the same?
IP Address. . . . . . . . . . . . : 192.168.1.64
Default Gateway . . . . . . . . . : 192.168.1.254


No. They are different machines, with different addresses. The IP Address one is the current machine (in other words, yours). The Default Gateway is explained at the below link.
What is a Default Gateway

#10 TulShulty


Posted 29 August 2008 - 08:58 PM

Thank You Galadriel :-)

Someone suggested that I open the firewall and add 192.168.1.254 to its allow list so it will see it and stop blocking it. Do you think that would be safe?

#11 Galadriel


Posted 29 August 2008 - 11:42 PM

Thank You Galadriel :-)

Someone suggested that I open the firewall and add 192.168.1.254 to its allow list so it will see it and stop blocking it. Do you think that would be safe?


Well yes. I would think so. Unless the firewall can't make a difference between the traffic coming from the router vs. traffic coming from the outside of the network (i.e. the internet).
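
Added example, not part of the original thread and not written by any of its posters: a small Python triage of the alert discussed above, checking whether the flagged remote host is the default gateway and sits on the local subnet. The sample inputs are copied from the values posted in the thread; the parsing patterns and the function names are assumptions made for this illustration.

```python
import ipaddress
import re

# Constructed sample input: the alert and ipconfig values quoted in the thread.
FIREWALL_ALERT = """\
Time 08/15/2008 1:52:07 PM
Security Type Port Scan detected
Severity Major
Direction Inbound
Protocol UDP
Local IP 192.168.1.64
Remote Host 192.168.1.254
Application Involved SYSTEM
Count 1
"""
IPCONFIG = """\
Connection-specific DNS Suffix . : domain.invalid
IP Address. . . . . . . . . . . . : 192.168.1.64
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254
"""

# Field names as they appear in the posted alert (layout assumed from the thread).
FIELD = re.compile(r"^(Time|Security Type|Severity|Direction|Protocol|Local IP|"
                   r"Remote Host|Application Involved|Count) (.+)$", re.M)
# ipconfig lines look like "Label . . . : value"; strip the dot leader.
IPCFG = re.compile(r"^[ \t]*(.+?)[ .]*: *(\S+)[ \t]*$", re.M)

def parse_alert(text):
    return {name: value.strip() for name, value in FIELD.findall(text)}

def parse_ipconfig(text):
    return dict(IPCFG.findall(text))

def triage(alert_text, ipconfig_text):
    alert, cfg = parse_alert(alert_text), parse_ipconfig(ipconfig_text)
    remote = ipaddress.ip_address(alert["Remote Host"])
    # The local subnet is derived from this machine's address and mask.
    lan = ipaddress.ip_network(f'{cfg["IP Address"]}/{cfg["Subnet Mask"]}', strict=False)
    return {
        "lan": str(lan),
        "protocol": alert["Protocol"],
        "remote_is_private": remote.is_private,
        "remote_on_local_subnet": remote in lan,
        "remote_is_default_gateway": str(remote) == cfg["Default Gateway"],
    }

if __name__ == "__main__":
    print(triage(FIREWALL_ALERT, IPCONFIG))
```

For the values in this thread the remote host is both on the local /24 and equal to the default gateway, which matches the reading that the alert was triggered by the router's own traffic.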



