Find what program can cause constant port scans?

Discussion in 'other firewalls' started by mango, Jul 7, 2006.

Thread Status:
Not open for further replies.
  1. mango

    mango Registered Member

    Joined:
    Sep 9, 2004
    Posts:
    82
    I have Outpost firewall. The other day I was getting constant port scans from 1 IP to TCP ports (4536, 4752, 2597, 4804, 1795, 1733).

    The IP isn't Chinese etc., but from Zuerich of all places.

    I looked it up in the firewall, but the process name was not available.

    This happens several times an hour, and each time the IP is blocked for 5 min as in the Outpost rules.

    The only solution I can think of is to exclude programs from startup one by one to see what happens.
     
  2. faterider

    faterider Registered Member

    Joined:
    Nov 6, 2004
    Posts:
    64
    If someone from outside scans you, you don't need to check installed programs. They have nothing to do with him.

    Just ban his IP forever and you are done ;)
     
  3. mango

    mango Registered Member

    Joined:
    Sep 9, 2004
    Posts:
    82
    Well, I've checked the logs and it seems to be TCP 4662 that's noted in the Outpost logs.

    I've changed the external IP, and it's still ongoing.

    But the attack warnings seem to stop when I connect straight to the modem, and not through the router.

    But the router settings haven't been changed for a while, and this just started some days ago. Also, the Outpost rules haven't been changed too much.

    So to sum up: connected straight to modem -> no warnings in Outpost

    PC -> router -> modem = attack warnings every time.
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Do you use P2P software (eMule?)

    Reset your router. All inbound should be stopped/blocked at this layer, unless you have set port_forward (some P2P/torrent clients can open ports in your router via UPnP).
     
  5. mango

    mango Registered Member

    Joined:
    Sep 9, 2004
    Posts:
    82
    eMule was on, for a rare occasion, but TCP port 4662 is not used.

    The attack notices also come when eMule is not running.

    I'll save the config and reset the router to see if that helps.
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    When you run eMule, the settings within eMule (the inbound you set/allow for TCP/UDP) will be passed to the servers/other eMule users. While eMule is running, these inbound connections will be allowed. But when you close eMule, the servers/other users will still be trying to connect in. This is when the firewall will block/show alerts/log the blocked packets. (Port 4662 is the default TCP inbound for eMule. If you are not wanting/allowing the inbound (for inbound server/other user connection/high ID), then disable this in eMule network settings.)
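
One way to tell the two situations in this thread apart from blocked-packet logs, as an added example that is not part of the original posts: a real port scan is one source probing many destination ports, while leftover eMule traffic is many sources hitting the one advertised port (4662). The log layout, the sample lines, and the `p2p_ports` and `scan_threshold` parameters are assumptions of this example, not Outpost's actual format or settings.

```python
import re
from collections import defaultdict

# Constructed sample in a made-up log layout (not Outpost's real format).
SAMPLE_LOG = """\
2006-07-07 10:00:01 BLOCK IN TCP 198.51.100.7:51234 -> 192.168.1.10:4662
2006-07-07 10:00:09 BLOCK IN TCP 203.0.113.20:40211 -> 192.168.1.10:4662
2006-07-07 10:00:15 BLOCK IN TCP 203.0.113.99:3312 -> 192.168.1.10:4662
2006-07-07 10:00:31 BLOCK IN TCP 198.51.100.7:51240 -> 192.168.1.10:4662
2006-07-07 10:01:02 BLOCK IN TCP 192.0.2.55:2000 -> 192.168.1.10:21
2006-07-07 10:01:02 BLOCK IN TCP 192.0.2.55:2001 -> 192.168.1.10:22
2006-07-07 10:01:03 BLOCK IN TCP 192.0.2.55:2002 -> 192.168.1.10:23
2006-07-07 10:01:03 BLOCK IN TCP 192.0.2.55:2003 -> 192.168.1.10:80
2006-07-07 10:02:40 BLOCK IN TCP 198.51.100.200:4000 -> 192.168.1.10:3389
"""

LINE_RE = re.compile(r"BLOCK IN TCP (\S+):(\d+) -> (\S+):(\d+)")

def parse(log_text):
    """Yield (source IP, destination port) for each blocked inbound TCP line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), int(m.group(4))

def classify(log_text, p2p_ports=(4662,), scan_threshold=4):
    """Label each source and count distinct sources per destination port.

    p2p_ports and scan_threshold are assumptions of this example: the ports a
    P2P client on this host has advertised, and how many distinct ports one
    source must probe before it is called scan-like.
    """
    ports_by_src = defaultdict(set)
    srcs_by_port = defaultdict(set)
    for src, dport in parse(log_text):
        ports_by_src[src].add(dport)
        srcs_by_port[dport].add(src)
    labels = {}
    for src, ports in ports_by_src.items():
        if len(ports) >= scan_threshold:
            labels[src] = "scan-like"        # one source, many ports
        elif ports <= set(p2p_ports):
            labels[src] = "p2p-residual"     # only the advertised P2P port
        else:
            labels[src] = "other"
    return labels, {port: len(s) for port, s in srcs_by_port.items()}

if __name__ == "__main__":
    labels, fan_in = classify(SAMPLE_LOG)
    print(labels, fan_in)
```

A high count of distinct sources on port 4662 with no other ports touched matches the explanation above; a single source walking through several ports does not.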
     
  7. mango

    mango Registered Member

    Joined:
    Sep 9, 2004
    Posts:
    82
    Ah, thanks.

    Rarely use eMule, combined with new router and Outpost firewall would probably do this...
     