Port scanning, or not?

Discussion in 'ESET Smart Security' started by notnoname, Apr 7, 2012.

Thread Status:
Not open for further replies.
  1. notnoname

    notnoname Registered Member

    Joined:
    Apr 7, 2012
    Posts:
    2
    Hi!

    After installing the latest version of Skype, the firewall of ESS has reported that it has blocked multiple port scans from various IP addresses (not Skype's corporate IPs). The targeted ports are all used for Skype: 80, 443, and the port for incoming traffic that was originally generated at setup. The port scan attacks are reported when Skype is not running. I am not sure if these are malicious port scans, or if they are initiated by Skype on other users' machines. As far as I understand, Skype uses P2P technology, so the reported port scans may just be normal Skype behaviour? The thing that puzzles me is that I would expect the P2P network that Skype operates on to be informed whether I am connected or not. If so, then nobody should be trying to reach my computer whenever I am not running Skype...?

    Is there anyone who has experienced the same problem and/or knows if these reported port scans can be safely ignored?
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Do you have a router? Can you post a few lines from the log?
     
  3. notnoname

    notnoname Registered Member

    Joined:
    Apr 7, 2012
    Posts:
    2
    Hi!

    Yes, I have a router. Below is an excerpt from the log for one particular attempted connection. (I have anonymized the ip addresses.)

    2012-04-07 19:54:16 The address has been blocked temporarily by active protection (IDS) XX.XXX.XXX.XXX:2888 YY.YY.YYY.YY:80 TCP
    2012-04-07 19:54:10 The address has been blocked temporarily by active protection (IDS) XX.XXX.XXX.XXX:2886 TCP YY.YY.YYY.YY:443
    2012-04-07 19:54:10 The address has been blocked temporarily by active protection (IDS) XX.XXX.XXX.XXX:2888 YY.YY.YYY.YY:80 TCP
    2012-04-07 19:54:09 The address has been blocked temporarily by active protection (IDS) YY.YY.YYY.YY:56616 XX.XXX.XXX.XXX:2885 TCP
    2012-04-07 19:54:08 A port scan attack was identified XX.XXX.XXX.XXX:2884 YY.YY.YYY.YY:56616 TCP
    2012-04-07 19:54:07 No application listening on port XX.XXX.XXX.XXX:2888 YY.YY.YYY.YY:80 TCP
    2012-04-07 19:54:07 No application listening on port TCP XX.XXX.XXX.XXX:2886 YY.YY.YYY.YY:443
    2012-04-07 19:54:06 No application listening on port XX.XXX.XXX.XXX:2885 YY.YY.YYY.YY:56616 TCP
    2012-04-07 19:54:05 No application listening on port XX.XXX.XXX.XXX:2884 YY.YY.YYY.YY:56616 TCP
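
One way to triage an excerpt like the one above, as an added example that is not part of the original post: it groups the firewall events by remote address and reports which local ports that peer touched and over what time span. It assumes the line layout seen in the excerpt and that the YY address is the local machine; the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the excerpt above (placeholder addresses kept).
SAMPLE = """\
2012-04-07 19:54:09 The address has been blocked temporarily by active protection (IDS) YY.YY.YYY.YY:56616 XX.XXX.XXX.XXX:2885 TCP
2012-04-07 19:54:08 A port scan attack was identified XX.XXX.XXX.XXX:2884 YY.YY.YYY.YY:56616 TCP
2012-04-07 19:54:07 No application listening on port XX.XXX.XXX.XXX:2888 YY.YY.YYY.YY:80 TCP
2012-04-07 19:54:07 No application listening on port TCP XX.XXX.XXX.XXX:2886 YY.YY.YYY.YY:443
2012-04-07 19:54:05 No application listening on port XX.XXX.XXX.XXX:2884 YY.YY.YYY.YY:56616 TCP
"""

ENDPOINT = re.compile(r"^(\S+):(\d{1,5})$")

def parse_line(line):
    """Return (timestamp, [(addr, port), (addr, port)]) or None if unparseable."""
    parts = line.split()
    try:
        ts = datetime.strptime(" ".join(parts[:2]), "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    # The protocol token is not at a fixed position, so pick endpoints by shape.
    endpoints = [(m.group(1), int(m.group(2)))
                 for m in map(ENDPOINT.match, parts[2:]) if m]
    return (ts, endpoints) if len(endpoints) == 2 else None

def summarise(log_text, local_addr):
    """Per remote address: local ports touched, event count, time span in seconds."""
    peers = defaultdict(lambda: {"ports": set(), "times": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, endpoints = rec
        local = [e for e in endpoints if e[0] == local_addr]
        remote = [e for e in endpoints if e[0] != local_addr]
        if len(local) != 1 or len(remote) != 1:
            continue  # cannot tell which side is ours
        peers[remote[0][0]]["ports"].add(local[0][1])
        peers[remote[0][0]]["times"].append(ts)
    return {addr: {"local_ports": sorted(p["ports"]),
                   "events": len(p["times"]),
                   "span_seconds": (max(p["times"]) - min(p["times"])).total_seconds()}
            for addr, p in peers.items()}

if __name__ == "__main__":
    for addr, info in summarise(SAMPLE, "YY.YY.YYY.YY").items():
        print(addr, info)
```

A single peer touching only a handful of specific local ports within a few seconds reads differently from a sweep across many ports, which is the distinction worth checking before deciding how to treat the alerts.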
     