
Port Scanning Attacks


25 replies to this topic

#1 james1000

  • Members
  • 45 posts

Posted 27 November 2010 - 02:43 PM

Hello,

I have a Sony VAIO laptop running XP with 1GB RAM. I have recently had a data backup and reinstallation of Windows after my laptop failed to boot up. This was suspected to be due to malware. I had previously been running AVG 2010 Free as well as Spybot and Malware Bytes. None of these had picked up the malware in question, which was picked up by Norton at the computer shop where it was fixed.

Since then I have been trying to work out which Antivirus program will be the best for me and in the meantime have been using the 3 month trial version of Norton 2006 which came with the laptop. This version includes a firewall and intrusion prevention, which AVG Free did not have.
Recently, however, I have been informed by Norton that my computer has been subject to about 5 attacks within the last few days. These had port scanning attempts before them, followed by the attack attempt which Norton apparently blocked. The attacks were all from two addresses which, according to some Google sources, come from China.

I don't understand how this all works and would really appreciate any help or insight into how I stop this current lot from happening and also prevent future ones as well.

Would my previous set up, consisting of AVG Free 2010, Spybot, Malware Bytes and Windows Firewall, have stopped these kinds of attacks? Or, is it likely that this setup may have been why I originally received the malware which shut down my laptop.

Any help greatly appreciated,
Thanks,
James


#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,399 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 27 November 2010 - 04:16 PM

A firewall controls network traffic and serves two basic purposes:
  • Prevent incoming communications that you did not request from entering your computer;
  • Monitor what programs on your computer are allowed to communicate out.
The firewall does this by enforcing an access control policy to permit or block (allow or deny) inbound and outbound traffic. Thus, the firewall acts as a central gateway for such traffic by denying illegitimate transfers and facilitating access which is deemed legitimate. The goal of the firewall is to prevent remote computers from accessing yours and provide notification of any unrequested traffic that was blocked along with the IP address. Keep in mind, however, that a firewall is not a panacea to solve all of your security problems. If you open ports through your firewall to allow access to an infected machine, then the firewall is no longer relevant.

A port (TCP/UDP) is an address associated with a particular process on a computer. Ports have a unique number in the header of a data packet that is used to map this data to that process. Port numbers are divided into three ranges: Well Known Ports, Registered Ports, and Dynamic/Private Ports. Default port values for commonly used TCP/IP services have values lower than 255 and Well Known Ports have numbers that range from 0 to 1023. Registered Ports range from 1024 to 49151 and Dynamic/Private Ports range from 49152 to 65535. An "open port" is a TCP/IP port number that is configured to accept packets while a "closed port" is one that is set to deny all packets with that port number.
Hackers use "port scanning" to search for vulnerable computers with open ports, using IP addresses or a group of random IP address ranges, so they can break in and install malicious programs (viruses, Trojans). Botnets and zombie computers scour the net, randomly scanning blocks of IP addresses, searching for vulnerable (commonly probed) ports, and make repeated attempts to access them. If your computer is sending out large amounts of data, that can indicate that your system may have a virus or a Trojan.

If your firewall provides an alert which indicates it has blocked access to a port that does not necessarily mean your system has been compromised. These alert messages are a response to unrequested traffic from remote computers (an external host) to access a port on your computer. Alerts are often classified by the network port they arrive on, and they allow the firewall to notify you in various ways about possible penetration and intrusion attempts on your computer. It is not unusual for a firewall to provide numerous alerts regarding such attempted access. However, not all unrequested traffic is malevolent. Even your ISP will send out regular checks to see if your computer is still there, so you may need to investigate an attempted intrusion.

You can use netstat, a command-line tool that displays incoming and outgoing network connections, from a command prompt to obtain Local/Foreign Addresses, PID and listening state.
  • netstat /? lists all available parameters that can be used.
  • netstat -a lists all active TCP connections and the TCP and UDP ports on which the computer is listening.
  • netstat -b lists all active TCP connections, Foreign Address, State and process ID (PID) for each connection.
  • netstat -n lists active TCP connections. Addresses and port numbers are expressed numerically; no attempt is made to determine names.
  • netstat -o lists active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p (example: netstat -ano).
-- If the port in question is listed as "Listening" there is a possibility that it is in use by a Trojan server but your firewall, if properly configured, should have blocked any attempt to access it.

You can use Microsoft Network Monitor to capture, view and analyze network traffic, SmartSniff, Wireshark, PRTG - Free Network Monitor or various other network traffic monitoring tools for troubleshooting and malware investigation.

Online Port Scan allows you to scan individual TCP ports to determine if the device is listening on that port. Shields Up is an online port scanning service used to alert the users of any ports that have been opened through firewalls or NAT routers. There are third party utilities that will allow you to manage, block, and view detailed listings of all TCP and UDP endpoints on your system, including local/remote addresses, state of TCP connections and the process that opened the port.
Caution: If you're going to start blocking ports, be careful which ones you block or you may lose Internet connectivity.

For a list of TCP/UDP ports and notes about them, please refer to:
You can investigate IP addresses and gather additional information at:
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
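The post above describes port scanning from the defender's side (a firewall alert that a port was probed). As an added example, not code from any participant in this thread, the following Python script runs a minimal TCP "connect" scan against a throwaway listener on 127.0.0.1 so it works offline. It shows the three things a remote scanner can learn about a port: "open" (a process is in the LISTENING state and the handshake completes), "closed" (nothing is listening and the OS answers with a reset) and "filtered" (no answer at all, which is what a firewall that silently drops the probe produces; Shields Up calls this "stealth"). The listener, the ports and the timeout are constructed here for the demonstration.

```python
import socket

# Added example: a connect scan against a local listener. Everything here
# (the listener, the ports, the timeout) is constructed for the demo.


def start_listener(port=0):
    """Open a TCP socket in the LISTENING state on 127.0.0.1 (port 0 lets the OS pick)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def probe_port(host, port, timeout=1.0):
    """Attempt a full TCP handshake with one port and classify the outcome."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))       # SYN -> SYN/ACK -> ACK completed: a process is listening
        return "open"
    except ConnectionRefusedError:    # SYN answered with RST: nothing listening, nothing filtering
        return "closed"
    except socket.timeout:            # neither SYN/ACK nor RST arrived: probe was dropped
        return "filtered"
    except OSError:                   # e.g. network unreachable: cannot be scanned from here
        return "unreachable"
    finally:
        s.close()


def scan(host, ports, timeout=1.0):
    """Connect-scan a list of ports; returns {port: status}."""
    return {p: probe_port(host, p, timeout) for p in ports}


def demo():
    """Scan one listening loopback port and one that was just freed (so it is closed)."""
    srv, open_port = start_listener()
    tmp, closed_port = start_listener()
    tmp.close()                        # port is free again, so a probe should get a RST
    try:
        results = scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return {"open_port": open_port, "closed_port": closed_port, "results": results}


if __name__ == "__main__":
    for port, status in demo()["results"].items():
        print(f"127.0.0.1:{port} {status}")
```

A scanner on the Internet sees exactly this against a machine with a public address: every port in the LISTENING state that is bound to a non-loopback address and not shielded by the firewall reports "open". Run the scan against a real host only with permission; against your own machine from outside, the Shields Up service mentioned above does the same probe for you.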

#3 Didier Stevens

  • BC Advisor
  • 2,685 posts
  • Gender:Male

Posted 28 November 2010 - 07:04 AM

These had port scanning attempts before them followed by the attack attempt which Norton apparently blocked.


If your machine was the target of a port scan, I guess your machine has a public IP address.
Is this your choice, or is it the default way of working of your ISP?

If you don't need a public IP address for your machine, I recommend you use a NAT-router. This way, your machine will have a private IP address instead of a public IP address, and it won't be the target of port scans anymore. Your NAT-router will have a public IP address, and it will issue a private IP address to your machine.
Of course, your NAT-router will be port scanned, but it has a much smaller attack surface than your Windows machine.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#4 james1000

  • Topic Starter
  • Members
  • 45 posts

Posted 28 November 2010 - 09:35 AM

Thanks for both of your help.

Regarding the IP address, I am not 100% sure how to tell what the status of my IP is. I am using a mobile broadband dongle. Does that mean that it would be a public address? Are private addresses only available with a router, or have I misunderstood this?

Regarding the netstat. For some reason when I type the netstat terms in the command line they just flash up for an instant but do not stay. The firewall seemed to say that it registered it. Do you have any idea why it might be doing this and how I can access it.

I am still slightly confused about the vulnerability issue. Is the idea that I look in netstat to determine the number of ports which are open and if any are listening? Then should I check the nature of each port and close all the ones which would not disable the internet connection?

Should this reduce/ eliminate the current and future attacks or will I have to do some other stuff?

Thanks,
James

#5 Romeo29

    Learning To Bleep

  • Members
  • 3,194 posts
  • Gender:Not Telling
  • Location:127.0.0.1

Posted 28 November 2010 - 11:01 AM

You can click Start Menu->Run in XP. In Vista and 7, just click on Start Menu. Type cmd and press Enter.
In the command prompt window, type ipconfig and press Enter. Note down the IP Address.
Private IP addresses look like 192.168.x.x, 10.0.x.x, 172.16.x.x etc.
You can also visit http://www.whatismyip.com/ and check your IP. See if the machine IP shown by ipconfig matches it; if it matches, then your machine has a public IP.

You can also use netstat command in this command prompt window. But instead of netstat, you can also use TCPView to see present open ports and connections.

Edited by Romeo29, 28 November 2010 - 11:03 AM.
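Romeo29's check above (read ipconfig, compare against the private ranges) can be scripted. The following Python is an added example, not code from anyone in this thread: it parses the per-adapter output of ipconfig (which, as noted later in the thread, lists every adapter, not just the dongle) and classifies each address. The sample output is constructed; the adapter name "Mobile Broadband" is invented, while 92.40.169.175 is the address James later posted. The ranges are the exact RFC 1918 blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), which are wider than the "10.0.x.x" and "172.16.x.x" shorthand, plus 100.64.0.0/10, the shared address space (RFC 6598) that mobile carriers commonly use for carrier-grade NAT, which is one form of the "isolated subnet" mentioned further down.

```python
import re

# Added example: classify the addresses ipconfig reports. Sample output is
# constructed in the Windows XP format; the adapter names are made up.
SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . : home
        IP Address. . . . . . . . . . . . : 192.168.1.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

PPP adapter Mobile Broadband:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 92.40.169.175
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 92.40.169.175
"""

ADAPTER_RE = re.compile(r"^(\S.* adapter .+?):\s*$")
FIELD_RE = re.compile(
    r"^\s+(IP Address|IPv4 Address|Subnet Mask|Default Gateway)[ .]*:\s*"
    r"(\d{1,3}(?:\.\d{1,3}){3})")

# (network, prefix length, label). Exact blocks, not the x.x shorthand.
SPECIAL_RANGES = [
    ("10.0.0.0", 8, "private (RFC 1918)"),
    ("172.16.0.0", 12, "private (RFC 1918)"),
    ("192.168.0.0", 16, "private (RFC 1918)"),
    ("100.64.0.0", 10, "carrier-grade NAT (RFC 6598)"),
    ("169.254.0.0", 16, "link-local / APIPA"),
    ("127.0.0.0", 8, "loopback"),
]


def to_int(addr):
    """Dotted quad -> 32-bit integer."""
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def classify(addr):
    """Return the label of the first special range containing addr, else 'public'."""
    ip = to_int(addr)
    for net, prefix, label in SPECIAL_RANGES:
        mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
        if (ip & mask) == (to_int(net) & mask):
            return label
    return "public"


def parse_ipconfig(text):
    """Return {adapter name: {field: value}} for the IPv4 fields we care about."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key = "IP Address" if m.group(1) == "IPv4 Address" else m.group(1)
            adapters[current][key] = m.group(2)
    return adapters


def report(text):
    """Per adapter with an address: its kind and whether a remote scanner can reach it directly."""
    out = {}
    for name, f in parse_ipconfig(text).items():
        if "IP Address" not in f:
            continue                      # disconnected adapter, nothing to classify
        kind = classify(f["IP Address"])
        out[name] = {
            "ip": f["IP Address"],
            "kind": kind,
            "gateway": f.get("Default Gateway"),
            # /32 with gateway == own address is the usual point-to-point PPP dongle link
            "point_to_point": f.get("Subnet Mask") == "255.255.255.255",
            "directly_scannable": kind == "public",
        }
    return out


if __name__ == "__main__":
    for name, info in report(SAMPLE_IPCONFIG).items():
        print(f"{name}: {info['ip']} is {info['kind']}")
```

On a live machine, feed it the real output with `ipconfig | python thisfile.py`-style piping or by reading `subprocess.check_output(["ipconfig"])`; only adapters reported as "public" are reachable by the scans the thread is about.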


#6 Didier Stevens

  • BC Advisor
  • 2,685 posts
  • Gender:Male

Posted 28 November 2010 - 11:26 AM

I am using a mobile broadband dongle. Does that mean that it would be a public address?

Ah, I see, yes, you probably have a public IP address. You can check this like Romeo29 explains.
Using a router is not an option in your case.

But I seem to remember that some mobile broadband providers give you an IP address in a subnet that is somehow isolated from the Internet. Don't have more details.



#7 Didier Stevens

  • BC Advisor
  • 2,685 posts
  • Gender:Male

Posted 28 November 2010 - 11:31 AM

One more thing: it's very likely that the command ipconfig will report several IP addresses, as you've several network adapters on your laptop: ethernet, wifi, broadband dongle.
You'll have to find the IP address associated with your broadband dongle in the output of the ipconfig command.



#8 james1000

  • Topic Starter
  • Members
  • 45 posts

Posted 28 November 2010 - 12:16 PM

In ipconfig the information was as follows:

IP Address 92.40.169.175
Subnet Mask 255.255.255.255
Default Gateway 92.40.169.175

It appears to be public as, like you say, it is the same address in the whatsmyip link that you gave.
Also, the last six numbers changed when I did it a second time. It was 92.40.209.82.

I don't quite understand how to see for sure which listings may be suspicious. I have attached a screen grab of netstats as I couldn't seem to copy and paste or output the text. There are about 8 which are down as Listening.

http://www.jamesbakerdesign.co.uk/netstats1.jpg

James

#9 Didier Stevens

  • BC Advisor
  • 2,685 posts
  • Gender:Male

Posted 28 November 2010 - 01:01 PM

IP Address 92.40.169.175
Subnet Mask 255.255.255.255
Default Gateway 92.40.169.175


Looked the IP address up, it is assigned to three.co.uk, that's your mobile broadband provider?
And I can ping you, so it's really a public IP address.



#10 Blathnat

  • Members
  • 224 posts
  • Gender:Female
  • Location:Canada

Posted 28 November 2010 - 02:07 PM

Norton 2006 is inadequate to properly protect you from modern malware. The antivirus engine is quite outdated. Should you decide to stay with Norton and purchase a subscription, you will be able to update the program, free of charge, to the latest 2011 version.

#11 james1000

  • Topic Starter
  • Members
  • 45 posts

Posted 30 November 2010 - 07:52 AM

Thanks, I have upgraded to the trial version of Norton Internet Security 2011. No malware has come up in the full scan.

Yes, three is my mobile broadband provider.

Regarding checking the ports and closing any which may be vulnerable, I have looked at the links that were provided in one of the previous posts, however am not 100% sure how this works or how to find out the nature of the ports, particularly those marked as 'listening'.

If I use the service in the Shields Up website will that give a clear idea of this? I have read the info on the site. Is it definitely safe to use this? Are there any potential issues with this that I should be aware of?

Is there any way of telling the nature of the ports just by looking at the following list?

http://www.jamesbakerdesign.co.uk/netstats1.jpg

Thanks,
James

#12 Didier Stevens

  • BC Advisor
  • 2,685 posts
  • Gender:Male

Posted 30 November 2010 - 12:08 PM

Regarding checking the ports and closing any which may be vulnerable, I have looked at the links that were provided in one of the previous posts, however am not 100% sure how this works or how to find out the nature of the ports, particularly those marked as 'listening'.


You can view which executables are listening on a port with option -b, this will help you identify the programs or services involved.

Sysinternals' tool tcpview is maybe easier to use, it has a GUI.



#13 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,399 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 30 November 2010 - 12:32 PM

A "listening" state is essentially when a program on a computer listens and waits on a port number for another computer to establish a connection to it. See "What is the difference between Established/Listening Ports?".

Didier Stevens is right that TCPView is probably the easiest to use.

#14 james1000

  • Topic Starter
  • Members
  • 45 posts

Posted 01 December 2010 - 08:22 AM

I have looked at the TCPView results and also the site http://www.iana.org/assignments/port-numbers , however I am not sure which terms are supposed to relate to which. Which numbers or terms should I be checking? I have looked through various ones but can't seem to see any which fit. Is it reliable to google terms in order to check the validity of an item?

Should I be looking at PID, Local Address, Local Port, Remote Address or Remote Port? I don't understand which of these relates to the decimal number in iana.org .

Also in a previous post it was mentioned that listening ports could be malware related. Is it possible that established ones could also be?

I have attached a screen grab of the results if that is of help:

http://www.jamesbakerdesign.co.uk/tcp1.jpg

Thanks,
James

#15 Didier Stevens

  • BC Advisor
  • 2,685 posts
  • Gender:Male

Posted 01 December 2010 - 03:23 PM

Your last screenshot shows that you've no connections with other machines. Look in the column Remote Address, only your machine is listed (localhost & your-...).
The Local Port is the port used on your machine, and those marked as Listening are the ports that are open to accept connections.
For well-known ports, TCPView will display the name of the service instead of the port number, so you don't have to look it up in the IANA list.
For example, in your screenshot, ntp is the network time protocol, it uses port 123.

Edited by Didier Stevens, 01 December 2010 - 03:23 PM.

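The netstat switches listed in quietman7's first post, and the TCPView columns Didier Stevens explains just above (Local Port is the port on your machine, Listening means it accepts connections, well-known ports map to a service name), come together in the following Python script. It is an added example, not code from any participant, and the `netstat -ano` output it parses is a constructed sample in the Windows XP format (the PIDs and remote addresses are made up; 92.40.169.175 is the address James posted). The WELL_KNOWN table is a small hand-picked subset of the IANA assignments so the script runs offline; anything not in it is looked up with the standard library's socket.getservbyport. The point it adds to the thread: a listener bound to 0.0.0.0 is reachable on every adapter, including the public dongle, while one bound to 127.0.0.1 can never be hit by a remote port scan.

```python
import re
import socket

# Added example: parse `netstat -ano`, keep the listening sockets, and say which
# of them a remote scanner could reach. The sample is constructed, not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       988
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       1860
  TCP    92.40.169.175:1054     198.51.100.20:80       ESTABLISHED     2312
  TCP    92.40.169.175:1061     203.0.113.7:443        ESTABLISHED     2312
  UDP    0.0.0.0:123            *:*                                    1080
  UDP    0.0.0.0:500            *:*                                    720
  UDP    127.0.0.1:1900         *:*                                    1204
"""

# proto, local addr:port, foreign addr:port, optional state (UDP has none), PID
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

# Hand-picked subset of IANA assignments (assumption: enough for this sample).
WELL_KNOWN = {80: "http", 123: "ntp", 135: "epmap", 139: "netbios-ssn",
              443: "https", 445: "microsoft-ds", 500: "isakmp", 1900: "ssdp",
              3389: "ms-wbt-server"}


def port_class(port):
    """IANA range the port number falls in."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def service_name(port, proto="tcp"):
    """Service name for a port, or None if neither our table nor the OS knows it."""
    if port in WELL_KNOWN:
        return WELL_KNOWN[port]
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return None


def parse_netstat(text):
    """One dict per socket line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state, pid = m.groups()
        rows.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                     "faddr": faddr, "fport": fport, "state": state, "pid": int(pid)})
    return rows


def is_listener(row):
    """TCP sockets in LISTENING, plus every bound UDP socket (UDP has no state column)."""
    return (row["proto"] == "TCP" and row["state"] == "LISTENING") or row["proto"] == "UDP"


def scope(laddr):
    """Which interfaces a bound address covers."""
    if laddr in ("0.0.0.0", "[::]"):
        return "all interfaces"
    if laddr.startswith("127.") or laddr == "[::1]":
        return "loopback only"
    return "one interface"


def summarize(text):
    """One record per listening socket: binding, port range, service name, owning PID."""
    out = []
    for row in parse_netstat(text):
        if not is_listener(row):
            continue
        out.append({"proto": row["proto"], "port": row["lport"], "addr": row["laddr"],
                    "scope": scope(row["laddr"]), "class": port_class(row["lport"]),
                    "service": service_name(row["lport"], row["proto"].lower()),
                    "pid": row["pid"]})
    return out


def remotely_reachable(text):
    """Listeners a port scan from another host could hit (before the firewall's say)."""
    return [s for s in summarize(text) if s["scope"] != "loopback only"]


if __name__ == "__main__":
    for s in summarize(SAMPLE_NETSTAT):
        print(f"{s['proto']:3} {s['addr']}:{s['port']:<5} {s['scope']:14} "
              f"{s['class']:15} {s['service'] or '?':14} PID {s['pid']}")
```

Match each PID against the Processes tab in Task Manager (or use `netstat -anb`, which prints the executable) to answer the question in the thread: a LISTENING port is only a concern if you cannot account for the program behind it. Established connections deserve the same check; the remote address tells you where the process is talking to.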




