Thread: What is scanning my ports?

  1. #1
    toobad Guest

    Default What is scanning my ports?

    I recently found a Trojan in the registry. Panda online scanner found it. I have noticed every time I start my computer and check ZoneAlarm log viewer, I see all sequential ports being scanned for incoming accepts. Even when I am not connected to the internet. I want to add picture files of print screens I took of the viewer, but cannot find an upload anywhere.

    Thanks for any help...


    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;================================================= ================================================== ================================================== ==============================
    00590315 Rootkit/Agent.LNB HackTools No 0 Yes No C:\System Volume Information\_restore{3CD395E2-5F45-472A-9944-59109ECC59A0}\RP127\A0035725.sys
    00590315 Rootkit/Agent.LNB HackTools No 0 Yes No C:\System Volume Information\_restore{3CD395E2-5F45-472A-9944-59109ECC59A0}\RP127\A0034590.sys

  2. #2
    Join Date
    Jun 2006
    Location
    The 3rd Coast - South Central Texas
    Posts
    10,463

    Question Re: What is scanning my ports?

    Quote Originally Posted by toobad View Post
    I recently found a Trojan in the registry. Panda online scanner found it. I have noticed every time I start my computer and check ZoneAlarm log viewer, I see all sequential ports being scanned for incoming accepts. Even when I am not connected to the internet. I want to add picture files of print screens I took of the viewer, but cannot find an upload anywhere.

    Thanks for any help...


    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;================================================= ================================================== ================================================== ==============================
    00590315 Rootkit/Agent.LNB HackTools No 0 Yes No C:\System Volume Information\_restore{3CD395E2-5F45-472A-9944-59109ECC59A0}\RP127\A0035725.sys
    00590315 Rootkit/Agent.LNB HackTools No 0 Yes No C:\System Volume Information\_restore{3CD395E2-5F45-472A-9944-59109ECC59A0}\RP127\A0034590.sys

    Welcome to the ZoneAlarm User Forum..



    It is Sometimes very Difficult to Diagnose and fix a Computer from halfway across the Country, without All the Details, without the ability to sit in front of your Computer monitor and see what's going on..

    We don't even know what Version and Upgrade of ZoneAlarm you're talking about or if this is Windows XP SP3 or Vista, Desktop or Laptop Computer?


    If you would Describe your Computer Setup/OS Windows Version and Version and Type of Zone Alarm that you are having a problem with
    and what difficulty you are having, and what Previous Version of ZA and Norton, McAfee or other Security programs that you have installed,

    There are several very knowledgeable Volunteer Participants willing to help you try solving your problem with Zone Alarm..

    Please provide as much detail and error messages etc. that you see on your Computer Monitor.

    Do not run other overlapping security tools, they may block each other and let malware get in your system. If you want a second opinion run the free (Click Here MBAM) from time to time.



    GeorgeV
    ZoneAlarm® Extreme Security


    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  3. #3
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,287

    Default Re: What is scanning my ports?

    Hi!
    On top of valued input from GURU GeorgeV, you should consider that those entries are in the OS System Restore. So, most probably dead entries or false positives.

    Please see here below how to clean your system:
    http://www.zaforums-stg.com/showpost...07&postcount=2

    Cheers,
    Fax


  4. #4
    toobad Guest

    Default Re: What is scanning my ports?

    It is XP Pro SP2.
    ZoneAlarm free version 8.0.298.000
    AVG free antivirus
    Malwarebytes' Anti-Malware
    SUPERAntiSpyware Free Edition
    SpywareBlaster
    Spybot - Search & Destroy

    Earlier this week AVG found 6 trojan downloaders and it removed them. Then I tried the Panda Online scanner 2.0 and it found these, but they come back after a day or so.

    00590315 Rootkit/Agent.LNB HackTools No 0 Yes No C:\System Volume Information\_restore{3CD395E2-5F45-472A-9944-59109ECC59A0}\RP127\A0035725.sys
    00590315 Rootkit/Agent.LNB HackTools No 0 Yes No C:\System Volume Information\_restore{3CD395E2-5F45-472A-9944-59109ECC59A0}\RP127\A0034590.sys

  5. #5
    toobad Guest

    Default Re: What is scanning my ports?

    If you look at the port #'s 32, 31, 30 they go up and down in sequence and there are hundreds of them all the same way.

    Description Generic Host Process for Win32 Services was blocked from accepting a connection from the local zone (192.168.1.1:Port 1932).
    Rating Medium
    Date / Time 2009-08-11 13:20:42-5:00
    Type Program Access
    Program svchost.exe
    Source IP 192.168.1.1:1932
    Destination IP
    Direction Incoming (accept)
    Action Taken Blocked
    Count 1
    Source DNS
    Destination DNS
    Policy Personal Policy
    Description Generic Host Process for Win32 Services was blocked from accepting a connection from the local zone (192.168.1.1:Port 1931).
    Rating Medium
    Date / Time 2009-08-11 13:20:42-5:00
    Type Program Access
    Program svchost.exe
    Source IP 192.168.1.1:1931
    Destination IP
    Direction Incoming (accept)
    Action Taken Blocked
    Count 1
    Source DNS
    Destination DNS
    Policy Personal Policy
    Description Generic Host Process for Win32 Services was blocked from accepting a connection from the local zone (192.168.1.1:Port 1930).
    Rating Medium
    Date / Time 2009-08-11 13:20:42-5:00
    Type Program Access
    Program svchost.exe
    Source IP 192.168.1.1:1930
    Destination IP
    Direction Incoming (accept)
    Action Taken Blocked
    Count 1
    Source DNS
    Destination DNS
    Policy Personal Policy
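
Added example, not part of any post in this thread: a Python triage helper for log entries in the layout pasted in post #5. It groups blocked inbound events by source address and reports whether that source is a private address and whether the changing number sits on the sender's side (the `Source IP` field); the sample records are constructed from the values visible above, and the function names are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: three records in the field layout pasted in post #5.
_RECORD = """Description Generic Host Process for Win32 Services was blocked from accepting a connection from the local zone (192.168.1.1:Port {p}).
Date / Time 2009-08-11 13:20:42-5:00
Program svchost.exe
Source IP 192.168.1.1:{p}
Destination IP
Direction Incoming (accept)
Action Taken Blocked
"""
SAMPLE_LOG = "".join(_RECORD.format(p=p) for p in (1932, 1931, 1930))

FIELDS = ("Program", "Source IP", "Destination IP", "Direction", "Action Taken")

def parse_records(text):
    """Split the pasted text into one dict per 'Description ...' record."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Description "):
            records.append({})
        elif records:
            for name in FIELDS:
                if line == name or line.startswith(name + " "):
                    records[-1][name] = line[len(name):].strip()
    return records

def summarize(records):
    """Group blocked inbound events by source address."""
    groups = defaultdict(lambda: {"src_ports": [], "dst_ports": set(), "programs": set()})
    for rec in records:
        src = re.fullmatch(r"(\d+\.\d+\.\d+\.\d+):(\d+)", rec.get("Source IP", ""))
        if not src:
            continue
        g = groups[src.group(1)]
        g["src_ports"].append(int(src.group(2)))
        g["programs"].add(rec.get("Program", ""))
        dst = re.fullmatch(r"\d+\.\d+\.\d+\.\d+:(\d+)", rec.get("Destination IP", ""))
        if dst:
            g["dst_ports"].add(int(dst.group(1)))
    for ip, g in groups.items():
        ports = sorted(set(g["src_ports"]))
        g["private_source"] = ipaddress.ip_address(ip).is_private
        # Consecutive *source* ports: the sender used a new local port per attempt.
        g["consecutive_src_ports"] = len(ports) > 1 and all(b - a == 1 for a, b in zip(ports, ports[1:]))
    return dict(groups)
```

An empty `dst_ports` set together with `consecutive_src_ports` being true means the log shows only the sender's port changing, which is a different pattern from one source walking through destination ports on the PC.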

  6. #6
    toobad Guest

    Default Re: What is scanning my ports?

    Something tries to connect about 10 times every 2 minutes. It does not matter if the cable modem is turned on or off.

  7. #7
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,287

    Default Re: What is scanning my ports?

    Uuuuhm... Ok... You are not using ZA antivirus.
    Well well... you should get your system checked by a malware expert. See last point of my previous hyperlink.

    Also you need to update to SP3 with all patches and check all PC for vulnerable software: http://secunia.com/vulnerability_scanning/online/
    No security tools will protect your system if it is not up-to-date.

    Then you have to correctly set up your ZA to allow your router (192.168.1.1) to connect to your system (set it to trusted in the ZA firewall zones). It's normal and by design.

    Cheers,
    Fax


  8. #8

    Default Re: What is scanning my ports?

    00590315 Rootkit/Agent.LNB HackTools No 0 Yes No C:\System Volume Information\_restore{3CD395E2-5F45-472A-9944-59109ECC59A0}\RP127\A0035725.sys
    00590315 Rootkit/Agent.LNB HackTools No 0 Yes No C:\System Volume Information\_restore{3CD395E2-5F45-472A-9944-59109ECC59A0}\RP127\A0034590.sys
    Hi,

    Basically this means that the malware has been removed, but as you did not disable System Restore prior to the removal, some remnants still exist in your old restore points.

    Here are instructions on flushing System Restore:
    http://safecomputing.umn.edu/guides/systemrestore.html


    Let me know if you need further help on this.

  9. #9
    mahtab1966 Guest

    Default Re: What is scanning my ports?

    This paper details many of the techniques used to determine what ports (or similar protocol abstraction) of a host are listening for connections. These ports represent potential communication channels. Mapping their existence facilitates the exchange of information with the host, and thus it is quite useful for anyone wishing to explore their networked environment, including hackers. Despite what you have heard from the media, the Internet is NOT all about TCP port 80. Anyone who relies exclusively on the WWW for information gathering is likely to gain the same level of proficiency as your average AOLer, who does the same. This paper is also meant to serve as an introduction to and ancillary documentation for a coding project I have been working on. It is a full featured, robust port scanner which (I hope) solves some of the problems I have encountered when dealing with other scanners and when working to scan massive networks. The tool, nmap, supports the following:

    Vanilla TCP connect() scanning,
    TCP SYN (half open) scanning,
    TCP FIN (stealth) scanning,
    TCP ftp proxy (bounce attack) scanning,
    SYN/FIN scanning using IP fragments (bypasses packet filters),
    UDP recvfrom() scanning,
    UDP raw ICMP port unreachable scanning,
    ICMP scanning (ping-sweep), and
    Reverse-ident scanning.


    ~~ snip sorry no commercial please, see ToS
    Last edited by fax; August 17th, 2009 at 01:28 AM.
