Thread: Port scan attempts - Need HELP/Advice....

  1. #1
    pcsafety_larry Guest

    Port scan attempts - Need HELP/Advice....

    Hello,
    Appreciate all replies for this problem.....

    I have ZA AntiSpyware/Firewall Version 7.0.483.00
    Windows Xp-Home - Service pack 2 and all current updates (have not installed sp3 yet)

    I have the ZA settings applied to display the Alert messages for port scan attempts, etc. The ZA works great for all types of attempted intrusions. I work on my PC at least 8 to 10 hours per day. Constantly (average of 10 times throughout the day) I receive the ZA Security Alert - ZA Firewall has blocked access to your PC - for an attempted Port Scan. The problem is that of the 10 to 12 messages I receive, they are from the same origin. Someone in China attempting the port scans. I am concerned that the attempts come from the same location (name and IP address). I reply to the ZA messages to inform ZA of the helpful information.

    This is one of the many links to the alerts I receive several times each day.
    http://fwalerts.zonealarm.com/fwanal...p;tab=overview

    Is it possible that my PC has been targeted or just coincidence that these are generic scans whenever I (or any internet connection is found) access the internet?

    Appreciate your reply and advice.
    Thank You, Larry

    ps -as I am writing this message post, yes - another Firewall block message for the same Port Scan attempt from the same origin !!!!!!!

    Info from Alerts:

    Details about 222.180.37.14, the IP address of the computer that caused the alert you received from ZoneAlarm Anti-Spyware, are provided in the Whois report below. The information in the Whois report comes from the Regional Internet Registry (RIR) for the region where 222.180.37.14 is located: ARIN, RIPE, LACNIC or APNIC. The name of the RIR appears in the Whois report.
    The Whois report includes the name, address and contact information for the Internet Service Provider (ISP) that administers the block of IP addresses that contains 222.180.37.14. The report probably does not list the administrator of the specific computer at IP address 222.180.37.14.
    You should not assume that individuals listed in this report are responsible for the alert you received on your computer.

    % [whois.apnic.net node-1]
    % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

    inetnum: 222.176.0.0 - 222.183.255.255
    netname: CHINANET-CQ
    descr: CHINANET Chongqing province network
    descr: China Telecom
    descr: A12,Xin-Jie-Kou-Wai Street
    descr: Beijing 100088
    country: CN
    admin-c: CH93-AP
    tech-c: CQ235-AP
    mnt-by: APNIC-HM
    mnt-lower: MAINT-CHINANET-CQ
    mnt-routes: MAINT-CHINANET-CQ
    changed: hm-changed@apnic.net 20040203
    remarks: This object can only be changed by APNIC Hostmaster
    status: ALLOCATED PORTABLE
    source: APNIC

    role: CHINANET CQ
    address: The mainstreet 3 daping ,chongqing data communication bureau
    country: CN
    phone: +862368614888
    fax-no: +862368602314
    e-mail: abuse@cta.cq.cn
    trouble: send spam reports to abuse@cta.cq.cn
    trouble: and abuse reports to abuse@cta.cq.cn
    admin-c: ZL235-AP
    tech-c: ZL235-AP
    nic-hdl: CQ235-AP
    remarks: http://www.cta.cq.cn
    notify: abuse@cta.cq.cn
    mnt-by: MAINT-CHINANET-CQ
    changed: abuse@cta.cq.cn 20030917
    source: APNIC

    person: Chinanet Hostmaster
    nic-hdl: CH93-AP
    e-mail: anti-spam@ns.chinanet.cn.net
    address: No.31 ,jingrong street,beijing
    address: 100032
    phone: +86-10-58501724
    fax-no: +86-10-58501724
    country: CN
    changed: dingsy@cndata.com 20070416
    mnt-by: MAINT-CHINANET
    source: APNIC

    Operating System:Windows XP Home Edition
    Software Version:8.0
    Product Name:ZoneAlarm Anti-Spyware

  2. #2
    pcsafety_larry Guest

    Re: Port scan attempts - Need HELP/Advice....

    I also have anti-virus software and use a cable modem for the internet connection.
    Thank you.

  3. #3
    Join Date
    Dec 2005
    Posts
    9,057

    Re: Port scan attempts - Need HELP/Advice....



    A lot of these "port scans" from other internet servers are harmless. Happens all the time and this will never stop.
    Nothing really nefarious happening here, but if you would get a router and place it in front of the computer, then there would never be port scans or unwanted connection attempts ever seen by the firewall or by the computer.

    ChinaNet has been doing a lot of this port/IP checking - more than is needed and they have been doing this for some time, with no end in sight of the extra activity.

    Your ZA has protected you and "refused" the unwanted connections. ["Refuse" is where there is no reply answer to that server to stop or cease the connection attempts whereas "drop" means there is a proper reply to stop the connection attempts. Refuse is used by stealthing firewalls such as the ZA, while drop is used by non-stealthing firewalls.]
    Since the ZA has protected you, there should be no genuine concern about the port scanning - there will be more scans seen for other ports such as the ident, msdcom, netbios, rpc, various email, telnet, ftp, ms server and so forth.

    By the way, the 1080 port in question is actually "Socks" which is used in initializing proxy and with VPN connection attempts. And this could be easily passed off as harmless as it could be easily interpreted as an internet server looking for its usual VPN connections.
    But the extra activity from ChinaNet would be properly seen as looking for all of the IPs of the internet and possibly logging these for some unusual database of their own. [The fact there was no reply back to their server from a stealthed computer/IP by a firewall such as the ZA still indicates there is in fact a valid usable IP that exists.]

    http://www.iana.org/assignments/port-numbers

    There are two things you can do to enhance security - plan to get a router to block these unwanted connection attempts and then the ZA will never see these unwanted connections as the router's hardware firewall blocks these first.

    And secondly, add in all the APNIC (whois.apnic.net) IP ranges as Blocked in the Zones of the Firewall of the ZA. This would block off Korea, Japan, down to south Asia such as China, India, Hong Kong and it would include part of Oceania and Australia/New Zealand (but not all).
    The advantage is knowing these unwanted areas of the internet world are completely blocked and never will have any access, not just blocked by connection attempts.
    The IP ranges to be blocked can be found here:

    http://www.iana.org/assignments/ipv4-address-space/


    [Also you may want to block off other regions such as LACNIC (whois.lacnic.net), which is the Latin America Caribbean region of the internet, and AfriNIC (whois.afrinic.net), which is south/middle of Africa and part of the Middle East. Northern Africa falls under the RIPE, which is Europe and includes eastern Europe (Russia for example).
    I do this myself in my ZA and also block off many other blocks such as the DoD and corporations.]

    Best regards.
    Oldsod.

    Message Edited by Oldsod on 10-08-2008 05:45 PM
    Best regards.
    oldsod
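
Added example, not part of either poster's message and not ZoneAlarm code: it converts the `inetnum` range from the Whois report in the thread into CIDR form (the shape a block rule usually needs) and tallies blocked alerts by source and destination port, which is the evidence that separates a repeated single-port sweep from a scan of many ports on one host. The alert line format and the sample lines are constructed for illustration; only the `inetnum` range, the address 222.180.37.14 and port 1080 come from the thread.

```python
import ipaddress
from collections import Counter, defaultdict

# inetnum value copied from the Whois report quoted in the thread
INETNUM = "222.176.0.0 - 222.183.255.255"

# Constructed sample alerts in a hypothetical log layout (not ZoneAlarm's real format)
SAMPLE_ALERTS = """\
2008-10-08 09:12:44 BLOCKED TCP 222.180.37.14:6000 -> local:1080
2008-10-08 10:03:10 BLOCKED TCP 222.180.37.14:6000 -> local:1080
2008-10-08 11:47:02 BLOCKED TCP 222.181.9.200:6000 -> local:1080
2008-10-08 12:15:31 BLOCKED TCP 198.51.100.23:4431 -> local:135
2008-10-08 13:20:05 BLOCKED UDP 203.0.113.77:1026 -> local:1434
2008-10-08 14:02:56 BLOCKED TCP 222.180.37.14:6000 -> local:1080
"""

def inetnum_to_cidrs(inetnum):
    """Turn a Whois 'first - last' range into the minimal list of CIDR networks."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return list(ipaddress.summarize_address_range(first, last))

def parse_alert(line):
    """Return (source address, destination port) from one constructed alert line."""
    parts = line.split()
    src_ip = parts[4].rpartition(":")[0]
    dst_port = parts[6].rpartition(":")[2]
    return ipaddress.ip_address(src_ip), int(dst_port)

def summarize(alert_text, inetnum=INETNUM):
    """Count alerts per source, ports probed per source, and hits from the netblock."""
    cidrs = inetnum_to_cidrs(inetnum)
    hits, ports, in_block = Counter(), defaultdict(set), 0
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        src, dport = parse_alert(line)
        hits[str(src)] += 1
        ports[str(src)].add(dport)
        in_block += any(src in net for net in cidrs)
    top_src, top_hits = hits.most_common(1)[0]
    return {"cidrs": [str(n) for n in cidrs], "alerts_from_block": in_block,
            "top_source": top_src, "top_source_hits": top_hits,
            "top_source_ports": sorted(ports[top_src])}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ALERTS).items():
        print(f"{key}: {value}")
```

In the sample, the busiest source only ever touches one destination port, so the repeat alerts are the same probe recurring rather than a walk across the host's ports.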

  4. #4
    pcsafety_larry Guest

    Re: Oldsod - Thank You....... Port scan attempts - Need HELP/Advice....

    Oldsod,

    THANK YOU. I greatly appreciate your time to detail the information and tutorial regarding the port scans that have been driving me crazy. I am researching several firewall-routers (to purchase this weekend). Tomorrow I will setup the IP-address ranges to block in ZA. Your information is priceless. I hope all the forum members print/save a copy.
    Sincerely, Larry

  5. #5
    Join Date
    Dec 2005
    Posts
    9,057

    Re: Oldsod - Thank You....... Port scan attempts - Need HELP/Advice....

    Thank you pcsafety_larry and you are welcome.
    Oldsod.
    Best regards.
    oldsod
