«

Sygate Personal Firewall is giving me occasional warnings of port attacks.
can I find out where these are coming from?

r

Roger Dewhurst wrote:
>
> Sygate Personal Firewall is giving me occasional
> warnings of port attacks. can I find out where
> these are coming from?
>
Should be in the logs. What do they show?

Cheers,

Cliff

--

Barzoomian the Martian - http://barzoomian.blogspot.com

"Enkidu" <> wrote in message
news:433dfbed$...
> Roger Dewhurst wrote:
> >
> > Sygate Personal Firewall is giving me occasional
> > warnings of port attacks. can I find out where
> > these are coming from?
> >
> Should be in the logs. What do they show?


This:-

Somebody is scanning your computer.
Your computer's TCP ports:
135, 445, 80, and 139 have been scanned from 203.173.223.25..

and

Somebody is scanning your computer.
Your computer's TCP ports:
135, 445, 80, and 139 have been scanned from 203.96.212.23..

and

Somebody is scanning your computer.
Your computer's TCP ports:
135, 445, 80, and 139 have been scanned from 203.96.146.55..

Who is this bastard, or these as the case may be?

R

"Roger Dewhurst" <> wrote in news:dhmmv6$joc$1
@lust.ihug.co.nz:

> Who is this bastard, or these as the case may be?

They may not be a malicious user(s). That is normal internet background
noise.

See http://www.dshield.org for more info

http://www.dshield.org/primer.php
This introduction is intended to provide a basic understanding of how the
Internet works and how this applies to firewalls. Thick books have been
written about this, and you are encouraged to read one of them if you
would like to know more. This page will just provide a brief definition
of many of the terms used on this site.

http://www.dshield.org/reports.php
Reports and Database Summaries

Top 10 Most Wanted Top 10 offenders according to the DShield database.
Top 10 Ports Top 10 most probed ports.
Port Report Provides a thirty day history of a user selected port.
IP Info Provides information about an IP address.
Subnet Report Get a summary of recent activity from a Subnet
Block List List of IP address ranges that you might want to block.


--
Ciao, Dave

Roger Dewhurst wrote:
> "Enkidu" <> wrote in message
> news:433dfbed$...
>
>>Roger Dewhurst wrote:
>> >
>>
>>>Sygate Personal Firewall is giving me occasional
>>
>> > warnings of port attacks. can I find out where
>> > these are coming from?
>>
>>Should be in the logs. What do they show?
>
>
>
> This:-
>
> Somebody is scanning your computer.
> Your computer's TCP ports:
> 135, 445, 80, and 139 have been scanned from 203.173.223.25..
>
25.223.173.203.in-addr.arpa. 43200 IN PTR
p279-tga-cameron-nas2.ihug.co.nz

> and
>
> Somebody is scanning your computer.
> Your computer's TCP ports:
> 135, 445, 80, and 139 have been scanned from 203.96.212.23..
>
23.212.96.203.in-addr.arpa. 25541 IN PTR
203-96-212-23.ihug.net
>
> and
>
> Somebody is scanning your computer.
> Your computer's TCP ports:
> 135, 445, 80, and 139 have been scanned from 203.96.146.55..
>
55.146.96.203.in-addr.arpa. 172800 IN PTR
203-96-146-55.apx1.paradise.net.nz

> Who is this bastard, or these as the case may be?
>
The ports are related SMB (file sharing, 135, 139, 445) http
(80). I wouldn't worry too much, since Sygate is doing its
job. Probably users with a virus.

Cheers,

Cliff

--

Barzoomian the Martian - http://barzoomian.blogspot.com

Dave Taylor wrote:
> "Roger Dewhurst" <> wrote in news:dhmmv6$joc$1
> @lust.ihug.co.nz:
>
>>Who is this bastard, or these as the case may be?
>
> They may not be a malicious user(s). That is normal internet
> background noise.
>
maybe not malicious, but prossibly infected.

Cheers,

Cliff

--

Barzoomian the Martian - http://barzoomian.blogspot.com

On Sun, 02 Oct 2005 17:44:25 +1300, Enkidu wrote:

> Dave Taylor wrote:
>> "Roger Dewhurst" <> wrote in news:dhmmv6$joc$1
>> @lust.ihug.co.nz:
>>
>>>Who is this bastard, or these as the case may be?
>>
>> They may not be a malicious user(s). That is normal internet
> > background noise.
>>
> maybe not malicious, but prossibly infected.
>
> Cheers,
>
> Cliff

Or poorly setup home networks advertising themselves on the intarweb
(well.. except for the port 80 scan)
--
Hardware, n.: The parts of a computer system that can be kicked

The best way to get the right answer on usenet is to post the wrong one.

In article <433f65aa$>,
says...
>
> maybe not malicious, but prossibly infected.
>
> Cheers,
>
> Cliff

Someone scanning 135 and 139 I would suspect of be chasing vulnerable
Windows machines and trying to get in via dcom or netbios attacks.

Most likely malicious, I'd say.

-P.

--
=========================================
firstname dot lastname at gmail fullstop com

Peter Huebner wrote:
> In article <433f65aa$>,
> says...
>
>>maybe not malicious, but prossibly infected.
>>
> Someone scanning 135 and 139 I would suspect of be chasing
> vulnerable Windows machines and trying to get in via dcom
> or netbios attacks.
>
> Most likely malicious, I'd say.
>
Well, I meant that the machines may be 'owned' but the user
could be unaware of the fact.

Cheers,

Cliff

--

Barzoomian the Martian - http://barzoomian.blogspot.com