1. Provided the destination ports on which the events are occurring are closed (your machine answers with a reset) or stealthed (your firewall silently drops the packet), nobody is getting into your computer through them.
Repeated activity from one source IP address against closed or stealthed ports usually indicates a worm, a virus, or a script kiddie using a simple trojan kit.
Beware of attackers who try dozens of ports on your machine looking for one that is open and has an unpatched vulnerability behind it.
2. Determine how long you have had your current IP address. You can do this by examining your firewall log: the destination address of inbound events is your own address, so look for the point at which it last changed.
Most surges in events are caused by inheriting an IP address that was formerly used by a busy server. In this case the events commonly taper off over a period of 1 to 72 hours.
These are not probes; they are legitimate attempts to contact the server that formerly held that IP address.
3. Gather information on the ports concerned and their common uses here:
Enter a port number in the "Port Look" box on the left, and click the "details" button.
Scroll down to read the well-known uses and vulnerabilities of the port.
Using ports 6667 and 6668 as examples:
- 6667 is used by a variety of trojans, and
- 6668 is used by IRC and IRCU.
Keep in mind that many software packages can be configured to use ports other than their standard ones, and port usage lists do not cover ports used by uncommon software or by malware. Neohapsis and other port usage lists merely suggest the common software and malware that use a port.
If none of your software uses the port described and you do not have a trojan using it, or if the events are being blocked by your firewall, you have no immediate concern.
4. To see what ports are open on your computer, use the Security Scan in the Tools section of BBR, "Shields Up" at grc.com, or the port scan at security.symantec.com.
5. If you are concerned about events occurring on ports on your system, you can use the free services of myNetWatchman (MNW) and DShield. Both of these organizations collect, anonymize and analyze firewall logs submitted by users.
MNW focuses on filtering out false alarms and reporting infected machines and hacking attempts to the ISP responsible for the source IP address.
DShield focuses on gathering statistics on abnormal Internet activity. DShield feeds the Internet Storm Center.
6. If you are still concerned about what is going on, feel free to post a question in a new topic in the BBR Security Forum.
Please include these details in your post:
a) Have you had your current IP address for less than 72 hours (3 days)? If less, roughly how long?
b) What are the first two parts of your IP address? (e.g. 123.123.xxx.xxx)
c) What source and destination ports (number and TCP/UDP) are involved?
d) Do the events occur in clusters or one at a time? Roughly how many do you get in an hour (a few, dozens, hundreds)?
e) Is it just one source IP address or many? List some of the source IPs (they aren't secret).
f) An extract of your firewall logs would be very useful. (It is okay to obscure the last 2 parts of your IP address, but do not obscure anything else.)
7. If you are a business, organization or professional that depends on the security of your computer system, we strongly urge you to consider using the services of an IT security professional to review the security of your system.
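The triage in steps 1, 2 and 6 above can be done mechanically before you post. What follows is an added example, not code from the FAQ or from BBR, myNetWatchman or DShield: it parses a constructed, generic firewall log (the line layout, the RFC 5737 documentation addresses and the five-port sweep threshold are all assumptions; real firewalls each have their own log format, so adapt LINE_RE to yours), works out how long you have held your current address from the change in destination address, classifies each source by how the firewall answered (DROP = stealthed, REJECT = closed, ACCEPT = reached an open port) and by whether it swept many ports or hammered one, and counts events per hour.

```python
"""Added example (not from the BBR FAQ): triage inbound firewall-log events."""
import re
from collections import Counter, defaultdict, namedtuple
from datetime import datetime

# Constructed sample log in a made-up "date time ACTION PROTO src:sport -> dst:dport"
# layout.  Part way through, the ISP hands us a new address (198.51.100.7 -> 203.0.113.9).
SAMPLE_LOG = """\
2004-03-01 22:14:03 DROP TCP 203.0.113.45:3201 -> 198.51.100.7:80
2004-03-01 22:14:09 DROP TCP 203.0.113.45:3202 -> 198.51.100.7:80
2004-03-01 23:40:11 DROP TCP 192.0.2.88:1044 -> 198.51.100.7:80
2004-03-02 01:02:30 DROP UDP 192.0.2.17:1026 -> 198.51.100.7:1026
2004-03-02 01:02:31 DROP UDP 192.0.2.17:1026 -> 198.51.100.7:1027
2004-03-02 09:00:00 DROP TCP 198.51.100.200:4000 -> 203.0.113.9:21
2004-03-02 09:00:01 DROP TCP 198.51.100.200:4001 -> 203.0.113.9:23
2004-03-02 09:00:02 DROP TCP 198.51.100.200:4002 -> 203.0.113.9:135
2004-03-02 09:00:03 DROP TCP 198.51.100.200:4003 -> 203.0.113.9:139
2004-03-02 09:00:04 DROP TCP 198.51.100.200:4004 -> 203.0.113.9:445
2004-03-02 09:00:05 DROP TCP 198.51.100.200:4005 -> 203.0.113.9:6667
2004-03-02 09:05:00 REJECT TCP 192.0.2.5:55000 -> 203.0.113.9:135
2004-03-02 09:30:00 ACCEPT TCP 192.0.2.60:51000 -> 203.0.113.9:22
"""

LINE_RE = re.compile(  # assumed layout; adjust for your firewall's log format
    r"(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)
Event = namedtuple("Event", "ts action proto src sport dst dport")

# How the firewall answered is the port state an outsider sees (step 1):
# DROP = stealthed (no reply), REJECT = closed (reset sent), ACCEPT = open service.
STATE = {"DROP": "stealthed", "REJECT": "closed", "ACCEPT": "open"}
SWEEP_PORTS = 5  # assumed threshold: this many distinct ports from one source = sweep


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines, outbound or unrelated entries
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(Event(ts, m["action"], m["proto"], m["src"],
                            int(m["sport"]), m["dst"], int(m["dport"])))
    return sorted(events, key=lambda e: e.ts)


def address_history(events):
    """Step 2: each run of events with the same destination address is one
    period on one IP; a change means the ISP gave you a new address."""
    runs = []
    for e in events:
        if runs and runs[-1]["ip"] == e.dst:
            runs[-1]["last"] = e.ts
        else:
            runs.append({"ip": e.dst, "first": e.ts, "last": e.ts})
    return runs


def triage(events):
    """Per-source summary: event count, distinct ports, port states seen, and
    a verdict (port sweep, repeated hits on a blocked port, open port reached)."""
    per_src = defaultdict(list)
    for e in events:
        per_src[e.src].append(e)
    report = {}
    for src, evs in per_src.items():
        ports = sorted({(e.proto, e.dport) for e in evs})
        states = Counter(STATE[e.action] for e in evs)
        if states.get("open"):
            verdict = "reached an open port: check what is listening there"
        elif len(ports) >= SWEEP_PORTS:
            verdict = "port sweep: attacker looking for an open port"
        elif len(evs) > 1:
            verdict = "repeated hits on a blocked port: worm/bot noise"
        else:
            verdict = "single blocked event: ignore"
        report[src] = {"events": len(evs), "ports": ports,
                       "states": dict(states), "verdict": verdict}
    return report


def per_hour(events):
    """Step 6(d): clustered or spread out, and roughly how many per hour."""
    return Counter(e.ts.strftime("%Y-%m-%d %H:00") for e in events)


def summarize(text):
    """The facts step 6 asks for, ready to paste into a forum post."""
    events = parse_log(text)
    runs = address_history(events)
    held = (events[-1].ts - runs[-1]["first"]).total_seconds() / 3600
    return {"current_ip": runs[-1]["ip"], "hours_on_current_ip": round(held, 2),
            "address_changes": len(runs) - 1, "sources": triage(events),
            "per_hour": per_hour(events)}


if __name__ == "__main__":
    import pprint
    pprint.pprint(summarize(SAMPLE_LOG))
```

On the constructed log this flags 198.51.100.200 as a sweep across six ports, 203.0.113.45 as a worm-style repeat on a stealthed port 80, and the single ACCEPT to port 22 as the only event worth following up, since it reached a listening service. Because the destination address changed at 09:00, the tool also reports that the current IP has been held for only half an hour, which is exactly the "inherited a busy server's address" situation step 2 describes.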
Additional places to look up ports:
Third Party Firewall Log Collection and Analysis Tools (these work with NAT routers):
Other useful links:
The advice given here is general in nature and not adequate for high-value or highly attractive targets.
Added section for "Third Party Firewall Log Collection and Analysis Tools." IM keith2468 with suggestions of other safe and inexpensive tools.
Inserted item 6, suggestions on what to include in a forum post if still concerned.