help to diagnose possible attack

Discussion in 'other firewalls' started by anybody, Jul 4, 2004.

Thread Status:
Not open for further replies.
  1. anybody

    anybody Guest

    Please help if there is anything wrong....

    7/4/2004 11:56:20 PM SYSTEM TCP 81.50.50.171 1485 Packet to closed port
    7/4/2004 11:56:18 PM SYSTEM TCP 82.67.209.180 3313 Packet to closed port
    7/4/2004 11:56:13 PM SYSTEM TCP 168.103.225.38 3177 Packet to closed port
    7/4/2004 11:56:11 PM SYSTEM TCP 217.84.58.137 62244 Packet to closed port
    7/4/2004 11:56:05 PM SYSTEM TCP 81.225.181.182 2996 Packet to closed port
    7/4/2004 11:56:05 PM SYSTEM TCP 67.71.12.224 3394 Packet to closed port
    7/4/2004 11:55:58 PM SYSTEM TCP 83.27.162.151 64991 Packet to closed port
    7/4/2004 11:55:54 PM SYSTEM TCP 81.109.156.64 3141 Packet to closed port
    7/4/2004 11:55:44 PM SYSTEM TCP 67.71.12.224 3394 Packet to closed port
    7/4/2004 11:55:42 PM SYSTEM TCP 80.143.117.152 3561 Packet to closed port
    7/4/2004 11:55:35 PM SYSTEM TCP 68.41.74.245 3404 Packet to closed port
    7/4/2004 11:55:33 PM SYSTEM TCP 202.156.102.174 3934 Packet to closed port
    7/4/2004 11:55:31 PM SYSTEM TCP 81.225.141.109 32878 Packet to closed port
    7/4/2004 11:55:31 PM SYSTEM TCP 81.249.50.10 1255 Packet to closed port
    7/4/2004 11:55:25 PM SYSTEM TCP 65.6.150.125 50546 Packet to closed port
    7/4/2004 11:55:21 PM SYSTEM TCP 217.84.58.137 62244 Packet to closed port
    7/4/2004 11:55:21 PM SYSTEM TCP 200.193.225.251 50290 Packet to closed port
    7/4/2004 11:55:16 PM SYSTEM TCP 65.65.96.124 60383 Packet to closed port
    7/4/2004 11:55:12 PM SYSTEM TCP 65.65.96.124 60373 Packet to closed port
    7/4/2004 11:55:11 PM SYSTEM TCP 65.65.96.124 60369 Packet to closed port
    7/4/2004 11:55:10 PM SYSTEM TCP 220.255.57.202 3394 Packet to closed port
    7/4/2004 11:55:06 PM SYSTEM TCP 68.106.240.178 2145 Packet to closed port
    7/4/2004 11:55:05 PM SYSTEM TCP 69.163.3.215 8780 Packet to closed port
    7/4/2004 3:12:10 PM SYSTEM TCP 203.115.246.132 HTTPS Packet to closed port
    7/3/2004 11:57:26 AM SYSTEM TCP 142.162.174.215 1651 Packet to closed port
    7/3/2004 11:57:20 AM SYSTEM TCP 159.93.49.44 1371 Packet to closed port
    7/3/2004 11:57:01 AM SYSTEM TCP 82.135.4.230 33077 Packet to closed port
    7/3/2004 11:56:57 AM SYSTEM TCP 24.82.22.29 47457 Packet to closed port
    7/3/2004 11:56:55 AM SYSTEM TCP 24.82.22.29 47454 Packet to closed port
    7/3/2004 11:56:52 AM SYSTEM TCP 24.82.22.29 47448 Packet to closed port
    7/3/2004 11:56:48 AM SYSTEM TCP 192.168.76.36 4509 Packet to closed port
    7/3/2004 11:56:30 AM SYSTEM TCP 24.18.189.174 2614 Packet to closed port
    7/3/2004 11:56:28 AM SYSTEM TCP 217.8.129.113 51463 Packet to closed port
    7/3/2004 11:56:27 AM SYSTEM TCP 193.111.124.134 2999 Packet to closed port
    7/3/2004 11:56:18 AM SYSTEM TCP 142.161.169.58 52424 Packet to closed port
    7/3/2004 11:56:12 AM SYSTEM TCP 24.6.91.117 3759 Packet to closed port
    7/3/2004 11:56:08 AM SYSTEM TCP 62.183.157.147 4887 Packet to closed port
    7/3/2004 11:56:06 AM SYSTEM TCP 80.233.140.164 4334 Packet to closed port
    .....

    The IP seems to be random and it seems to be related to MSN Messenger.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there, could look like it.
    Are you able to sort them on port numbers and on IP addresses too, to see if there is any pattern in that?
    It's after 36 hours, so you are expecting them again at 11.55 AM?
     
  3. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Why do you feel that it's related to MSN Messenger?
     
  4. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    I just see probes and scans. There is no indication it's related to MSN Messenger at all, if anything was an attack.
     
  5. anybody

    anybody Guest

    Thanks all for replying.

    I think it is related to MSN just because it happened around the time when I started MSN messenger. That's not very convincing. :p

    Unfortunately, I accidentally deleted the log yesterday. I intended to delete the allowed log only, but the blocked log was somehow related to the allowed log. So, all I have now is the post here.

    If I remember correctly, the time is very random. Not always at 11:55 PM. Sometimes more and sometimes just one or two. But the one I posted here was a huge list right after I started my XP, and at the time I was starting MSN Messenger.

    I have XP Pro SP1, NOD32, BOClean and recently switched to Outpost (used ZAP before).

    BTW, if this is a port scan, is it outbound traffic or inbound traffic? The Outpost log does not mention this.
     
  6. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Go to the View menu in the Outpost log viewer, select Add/Remove Columns and enable Direction. Enabling all columns will provide the most info.

    Nick
     
  7. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Nick

    Thanks for the Outpost log viewer tip. Having all the details is helpful when trying to decipher log entries.

    Regards,

    CrazyM
     
  8. anybody

    anybody Guest

    oh no....

    9:24:43 AM Attack Detection Report Port Scanning has been detected from 82.192.50.85 (scanned ports:TCP (SOCKS))
     
  9. anybody

    anybody Guest

    I turned to block all mode and here is the most recent list.

    10:14:01 AM SYSTEM TCP IN REFUSED 216.134.165.155 1160 Block All Activity
    10:14:00 AM SYSTEM TCP IN REFUSED 68.55.198.28 1870 Block All Activity
    10:14:00 AM SYSTEM TCP IN REFUSED 24.4.159.149 64841 Block All Activity
    10:14:00 AM SYSTEM TCP IN REFUSED 216.134.165.155 1158 Block All Activity
    10:13:59 AM SYSTEM TCP IN REFUSED 69.23.115.17 1160 Block All Activity
    10:13:57 AM SYSTEM TCP IN REFUSED 162.40.221.93 21851 Block All Activity
    10:13:57 AM SYSTEM TCP IN REFUSED 65.100.177.184 1968 Block All Activity
    10:13:56 AM SYSTEM TCP IN REFUSED 68.69.6.132 4185 Block All Activity
    10:13:56 AM SYSTEM TCP IN REFUSED 80.43.82.49 3724 Block All Activity
    10:13:55 AM SYSTEM TCP IN REFUSED 200.78.66.188 3169 Block All Activity
    10:13:55 AM SYSTEM TCP IN REFUSED 81.228.252.237 2090 Block All Activity
    10:13:54 AM SYSTEM TCP IN REFUSED 81.174.146.86 4668 Block All Activity
    10:13:52 AM SYSTEM TCP IN REFUSED 24.71.235.87 60445 Block All Activity
    10:13:51 AM SYSTEM TCP IN REFUSED 65.95.170.76 61630 Block All Activity
    10:13:51 AM SYSTEM TCP IN REFUSED 24.196.226.84 3437 Block All Activity
    10:13:49 AM SYSTEM TCP IN REFUSED 198.37.27.81 1630 Block All Activity
    10:13:49 AM SYSTEM TCP IN REFUSED 65.95.170.76 61483 Block All Activity
    10:13:49 AM SYSTEM TCP IN REFUSED 66.124.198.139 1880 Block All Activity
    10:13:49 AM SYSTEM TCP IN REFUSED 82.197.8.96 4273 Block All Activity
    10:13:49 AM SYSTEM TCP IN REFUSED 82.197.8.96 4272 Block All Activity
    10:13:47 AM SYSTEM TCP IN REFUSED 65.95.170.76 61340 Block All Activity
    10:13:46 AM SYSTEM TCP IN REFUSED 24.71.235.87 60162 Block All Activity
    10:13:45 AM SYSTEM TCP IN REFUSED 65.95.170.76 61216 Block All Activity
    10:13:45 AM SYSTEM TCP IN REFUSED 65.95.170.76 61215 Block All Activity
    10:13:45 AM SYSTEM TCP IN REFUSED 200.56.121.254 47766 Block All Activity
    10:13:42 AM SYSTEM TCP IN REFUSED 81.213.98.200 2947 Block All Activity
    10:13:42 AM SYSTEM TCP IN REFUSED 68.50.3.96 4940 Block All Activity
    10:13:38 AM SYSTEM TCP IN REFUSED 81.10.203.25 4297 Block All Activity
    10:13:38 AM SYSTEM TCP IN REFUSED 194.30.148.203 3777 Block All Activity
    10:13:36 AM SYSTEM TCP IN REFUSED 24.107.151.158 4443 Block All Activity
    10:13:34 AM SYSTEM TCP IN REFUSED 219.74.107.237 4348 Block All Activity
    10:13:34 AM SYSTEM TCP IN REFUSED 200.78.66.188 3169 Block All Activity
    10:13:29 AM SYSTEM TCP IN REFUSED 80.59.76.159 4084 Block All Activity
    10:13:29 AM SYSTEM TCP IN REFUSED 4.41.59.74 1309 Block All Activity
    10:13:28 AM SYSTEM TCP IN REFUSED 24.58.178.216 1064 Block All Activity
    10:13:18 AM SYSTEM TCP IN REFUSED 202.160.21.14 PROXY:3128 Block Hacker IP After Attack
    10:13:17 AM SYSTEM TCP IN REFUSED 202.160.21.14 PROXY:3128 Block Hacker IP After Attack
    10:13:16 AM SYSTEM TCP IN REFUSED 202.160.21.14 PROXY:3128 Block Hacker IP After Attack
    10:13:16 AM SYSTEM TCP IN REFUSED 81.97.104.77 2405 Block All Activity
    10:13:15 AM SYSTEM TCP IN REFUSED 202.160.21.14 PROXY:3128 Block Hacker IP After Attack
    10:13:14 AM SYSTEM TCP IN REFUSED 69.139.73.233 2428 Block All Activity
    10:13:11 AM SYSTEM TCP IN REFUSED 80.53.116.218 1745 Block All Activity
    10:13:10 AM SYSTEM TCP IN REFUSED 142.179.142.108 3434 Block All Activity
    10:13:07 AM SYSTEM TCP IN REFUSED 219.74.107.237 4305 Block All Activity
    10:13:06 AM SYSTEM TCP IN REFUSED 24.196.226.84 3420 Block All Activity
    10:13:04 AM SYSTEM TCP IN REFUSED 82.197.8.96 4050 Block All Activity
    10:13:04 AM SYSTEM TCP IN REFUSED 82.197.8.96 4051 Block All Activity
    10:13:04 AM SYSTEM TCP IN REFUSED 65.95.170.76 63057 Block All Activity
    10:13:04 AM SYSTEM TCP IN REFUSED 65.95.170.76 63044 Block All Activity
    10:13:02 AM SYSTEM TCP IN REFUSED 65.95.170.76 62800 Block All Activity
    10:13:02 AM SYSTEM TCP IN REFUSED 65.95.170.76 62938 Block All Activity
    10:13:01 AM SYSTEM TCP IN REFUSED 69.10.111.210 1210 Block All Activity
    10:12:59 AM SYSTEM TCP IN REFUSED 65.95.170.76 62799 Block All Activity
    10:12:57 AM SYSTEM TCP IN REFUSED 219.122.226.144 2544 Block All Activity
    10:12:57 AM SYSTEM TCP IN REFUSED 68.232.179.219 1761 Block All Activity
    10:12:57 AM SYSTEM TCP IN REFUSED 220.150.42.184 2165 Block All Activity
    10:12:54 AM SYSTEM TCP IN REFUSED 201.128.29.234 4749 Block All Activity
    10:12:50 AM SYSTEM TCP IN REFUSED 24.9.158.178 2877 Block All Activity
    10:12:50 AM SYSTEM TCP IN REFUSED 68.54.142.96 3452 Block All Activity
    10:12:49 AM SYSTEM TCP IN REFUSED 80.1.114.87 1802 Block All Activity
    10:12:48 AM SYSTEM TCP IN REFUSED 68.237.218.50 50342 Block All Activity
    10:12:47 AM SYSTEM TCP IN REFUSED 68.235.176.37 4079 Block All Activity
    10:12:47 AM SYSTEM TCP IN REFUSED 4.41.59.74 2165 Block All Activity
    10:12:46 AM SYSTEM TCP IN REFUSED 24.43.10.78 4184 Block All Activity
    10:12:46 AM SYSTEM TCP IN REFUSED 24.4.23.156 4053 Block All Activity
    10:12:44 AM SYSTEM TCP IN REFUSED 210.187.72.179 3303 Block All Activity
    10:12:38 AM SYSTEM TCP IN REFUSED 69.170.94.168 1963 Block All Activity
    10:12:36 AM SYSTEM TCP IN REFUSED 24.18.15.118 4084 Block All Activity
    10:12:36 AM SYSTEM TCP IN REFUSED 64.231.254.190 3574 Block All Activity
    10:12:35 AM SYSTEM TCP IN REFUSED 65.8.78.78 50243 Block All Activity
    10:12:35 AM SYSTEM TCP IN REFUSED 216.106.49.152 4041 Block All Activity
    10:12:34 AM SYSTEM TCP IN REFUSED 219.74.107.237 4262 Block All Activity
    10:12:34 AM SYSTEM TCP IN REFUSED 66.36.144.129 2431 Block All Activity
    10:12:32 AM SYSTEM TCP IN REFUSED 65.96.114.108 45931 Block All Activity

    Whoever this guy is, he is so desperate to get into my laptop. Scary.
     
  10. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    You can expect to see a lot of such entries in your firewall event log. Nothing to worry about, just common scans.

    One source for info on this particular service/port being scanned (1080/Socks):
    http://isc.incidents.org/port_details.php?port=1080

    Regards,

    CrazyM
     
  11. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    It will help to enable Local Port in your column settings and post the log again.

    And CrazyM is right: it's just background noise.

    Nick
     
  12. anybody

    anybody Guest

    Here it is, the one with local port (the last column):

    10:14:01 AM SYSTEM TCP IN REFUSED 216.134.165.155 1160 Block All Activity 1364
    10:14:00 AM SYSTEM TCP IN REFUSED 68.55.198.28 1870 Block All Activity 1364
    10:14:00 AM SYSTEM TCP IN REFUSED 24.4.159.149 64841 Block All Activity 1364
    10:14:00 AM SYSTEM TCP IN REFUSED 216.134.165.155 1158 Block All Activity 1364
    10:13:59 AM SYSTEM TCP IN REFUSED 69.23.115.17 1160 Block All Activity 1364
    10:13:57 AM SYSTEM TCP IN REFUSED 162.40.221.93 21851 Block All Activity 1364
    10:13:57 AM SYSTEM TCP IN REFUSED 65.100.177.184 1968 Block All Activity 1364
    10:13:56 AM SYSTEM TCP IN REFUSED 68.69.6.132 4185 Block All Activity 1364
    10:13:56 AM SYSTEM TCP IN REFUSED 80.43.82.49 3724 Block All Activity 1364
    10:13:55 AM SYSTEM TCP IN REFUSED 200.78.66.188 3169 Block All Activity 1364
    10:13:55 AM SYSTEM TCP IN REFUSED 81.228.252.237 2090 Block All Activity 1364
    10:13:54 AM SYSTEM TCP IN REFUSED 81.174.146.86 4668 Block All Activity 1364
    10:13:52 AM SYSTEM TCP IN REFUSED 24.71.235.87 60445 Block All Activity 1364
    10:13:51 AM SYSTEM TCP IN REFUSED 65.95.170.76 61630 Block All Activity 1364
    10:13:51 AM SYSTEM TCP IN REFUSED 24.196.226.84 3437 Block All Activity 1364
    10:13:49 AM SYSTEM TCP IN REFUSED 198.37.27.81 1630 Block All Activity 1364
    10:13:49 AM SYSTEM TCP IN REFUSED 65.95.170.76 61483 Block All Activity 1364
    10:13:49 AM SYSTEM TCP IN REFUSED 66.124.198.139 1880 Block All Activity 1364
    10:13:49 AM SYSTEM TCP IN REFUSED 82.197.8.96 4273 Block All Activity 1364
    10:13:49 AM SYSTEM TCP IN REFUSED 82.197.8.96 4272 Block All Activity 1364
    10:13:47 AM SYSTEM TCP IN REFUSED 65.95.170.76 61340 Block All Activity 1364
    10:13:46 AM SYSTEM TCP IN REFUSED 24.71.235.87 60162 Block All Activity 1364
    10:13:45 AM SYSTEM TCP IN REFUSED 65.95.170.76 61216 Block All Activity 1364
    10:13:45 AM SYSTEM TCP IN REFUSED 65.95.170.76 61215 Block All Activity 1364
    10:13:45 AM SYSTEM TCP IN REFUSED 200.56.121.254 47766 Block All Activity 1364
    10:13:42 AM SYSTEM TCP IN REFUSED 81.213.98.200 2947 Block All Activity 1364
    10:13:42 AM SYSTEM TCP IN REFUSED 68.50.3.96 4940 Block All Activity 1364
    10:13:38 AM SYSTEM TCP IN REFUSED 81.10.203.25 4297 Block All Activity 1364
    10:13:38 AM SYSTEM TCP IN REFUSED 194.30.148.203 3777 Block All Activity 1364
    10:13:36 AM SYSTEM TCP IN REFUSED 24.107.151.158 4443 Block All Activity 1364
    10:13:34 AM SYSTEM TCP IN REFUSED 219.74.107.237 4348 Block All Activity 1364
    10:13:34 AM SYSTEM TCP IN REFUSED 200.78.66.188 3169 Block All Activity 1364
    10:13:29 AM SYSTEM TCP IN REFUSED 80.59.76.159 4084 Block All Activity 1364
    10:13:29 AM SYSTEM TCP IN REFUSED 4.41.59.74 1309 Block All Activity 1364
    10:13:28 AM SYSTEM TCP IN REFUSED 24.58.178.216 1064 Block All Activity 1364
    10:13:18 AM SYSTEM TCP IN REFUSED 202.160.21.14 PROXY:3128 Block Hacker IP After Attack 1374
    10:13:17 AM SYSTEM TCP IN REFUSED 202.160.21.14 PROXY:3128 Block Hacker IP After Attack 1371
    10:13:16 AM SYSTEM TCP IN REFUSED 202.160.21.14 PROXY:3128 Block Hacker IP After Attack 1373
    10:13:16 AM SYSTEM TCP IN REFUSED 81.97.104.77 2405 Block All Activity 1364
    10:13:15 AM SYSTEM TCP IN REFUSED 202.160.21.14 PROXY:3128 Block Hacker IP After Attack 1370
    10:13:14 AM SYSTEM TCP IN REFUSED 69.139.73.233 2428 Block All Activity 1364
    10:13:11 AM SYSTEM TCP IN REFUSED 80.53.116.218 1745 Block All Activity 1364
    10:13:10 AM SYSTEM TCP IN REFUSED 142.179.142.108 3434 Block All Activity 1364
    10:13:07 AM SYSTEM TCP IN REFUSED 219.74.107.237 4305 Block All Activity 1364
    10:13:06 AM SYSTEM TCP IN REFUSED 24.196.226.84 3420 Block All Activity 1364
    10:13:04 AM SYSTEM TCP IN REFUSED 82.197.8.96 4051 Block All Activity 1364
    10:13:04 AM SYSTEM TCP IN REFUSED 82.197.8.96 4050 Block All Activity 1364
    10:13:04 AM SYSTEM TCP IN REFUSED 65.95.170.76 63057 Block All Activity 1364
    10:13:04 AM SYSTEM TCP IN REFUSED 65.95.170.76 63044 Block All Activity 1364
    10:13:02 AM SYSTEM TCP IN REFUSED 65.95.170.76 62800 Block All Activity 1364
    10:13:02 AM SYSTEM TCP IN REFUSED 65.95.170.76 62938 Block All Activity 1364
    10:13:01 AM SYSTEM TCP IN REFUSED 69.10.111.210 1210 Block All Activity 1364
    10:12:59 AM SYSTEM TCP IN REFUSED 65.95.170.76 62799 Block All Activity 1364
    10:12:57 AM SYSTEM TCP IN REFUSED 219.122.226.144 2544 Block All Activity 1364
    10:12:57 AM SYSTEM TCP IN REFUSED 68.232.179.219 1761 Block All Activity 1364
    10:12:57 AM SYSTEM TCP IN REFUSED 220.150.42.184 2165 Block All Activity 1364
    10:12:54 AM SYSTEM TCP IN REFUSED 201.128.29.234 4749 Block All Activity 1364
    10:12:50 AM SYSTEM TCP IN REFUSED 24.9.158.178 2877 Block All Activity 1364
    10:12:50 AM SYSTEM TCP IN REFUSED 68.54.142.96 3452 Block All Activity 1364
    10:12:49 AM SYSTEM TCP IN REFUSED 80.1.114.87 1802 Block All Activity 1364
    10:12:48 AM SYSTEM TCP IN REFUSED 68.237.218.50 50342 Block All Activity 1364
    10:12:47 AM SYSTEM TCP IN REFUSED 68.235.176.37 4079 Block All Activity 1364
    10:12:47 AM SYSTEM TCP IN REFUSED 4.41.59.74 2165 Block All Activity 1364
    10:12:46 AM SYSTEM TCP IN REFUSED 24.43.10.78 4184 Block All Activity 1364
    10:12:46 AM SYSTEM TCP IN REFUSED 24.4.23.156 4053 Block All Activity 1364
    10:12:44 AM SYSTEM TCP IN REFUSED 210.187.72.179 3303 Block All Activity 1364
    10:12:38 AM SYSTEM TCP IN REFUSED 69.170.94.168 1963 Block All Activity 1364
    10:12:36 AM SYSTEM TCP IN REFUSED 24.18.15.118 4084 Block All Activity 1364
    10:12:36 AM SYSTEM TCP IN REFUSED 64.231.254.190 3574 Block All Activity 1364
    10:12:35 AM SYSTEM TCP IN REFUSED 65.8.78.78 50243 Block All Activity 1364
    10:12:35 AM SYSTEM TCP IN REFUSED 216.106.49.152 4041 Block All Activity 1364
    10:12:34 AM SYSTEM TCP IN REFUSED 219.74.107.237 4262 Block All Activity 1364
    10:12:34 AM SYSTEM TCP IN REFUSED 66.36.144.129 2431 Block All Activity 1364
    10:12:32 AM SYSTEM TCP IN REFUSED 65.96.114.108 45931 Block All Activity 1364
     
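The sorting Jooske asked for in post 2 (by port number and by IP address) and the local-port column nick s asked for in post 11 can both be done on the pasted text itself. The script below is an added example written for this thread; it is not part of Outpost or any poster's reply. It assumes the field layout visible in the pasted logs (optional date, time, SYSTEM, protocol, optional direction and verdict, remote IP, remote port, reason text, optional local port), handles both the first post's format and the later one, and counts hits per source IP, remote port and local port so a repeated source or a single targeted port stands out from the background noise the replies describe. The sample lines are re-typed from posts 1 and 12.

```python
"""Aggregate Outpost-style firewall log lines by source IP and port.

Added example for this thread, not Outpost's own tooling. The field layout
is assumed from the logs pasted in posts 1 and 12.
"""
import re
from collections import Counter

# Assumed layout: [date] time SYSTEM proto [direction verdict] ip rport reason [lport]
LINE_RE = re.compile(
    r"^(?:(?P<date>\d{1,2}/\d{1,2}/\d{4}) )?"
    r"(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) SYSTEM (?P<proto>\w+) "
    r"(?:(?P<direction>IN|OUT) (?P<verdict>\w+) )?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<rport>\S+) "
    r"(?P<reason>.+?)(?: (?P<lport>\d+))?$"
)


def parse_port(token):
    """Outpost labels known ports ('PROXY:3128', 'HTTPS'); keep the number when given."""
    if ":" in token:
        token = token.rsplit(":", 1)[1]
    return int(token) if token.isdigit() else token


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rport"] = parse_port(rec["rport"])
    rec["lport"] = int(rec["lport"]) if rec["lport"] else None
    return rec


def summarize(log_text):
    """Parse every line and count hits per source IP, remote port and local port."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return {
        "records": records,
        "by_source": Counter(r["ip"] for r in records),
        "by_remote_port": Counter(r["rport"] for r in records),
        "by_local_port": Counter(r["lport"] for r in records if r["lport"] is not None),
    }


def repeat_sources(summary, threshold=2):
    """Sources seen at least `threshold` times, most frequent first."""
    return [(ip, n) for ip, n in summary["by_source"].most_common() if n >= threshold]


def sorted_by_ip_and_port(summary):
    """The view Jooske suggested: rows ordered by remote IP, then remote port."""
    return sorted(summary["records"], key=lambda r: (r["ip"], str(r["rport"])))


# Constructed sample: a handful of lines re-typed from post 12 of the thread.
SAMPLE_LOG = """\
10:14:01 AM SYSTEM TCP IN REFUSED 216.134.165.155 1160 Block All Activity 1364
10:14:00 AM SYSTEM TCP IN REFUSED 68.55.198.28 1870 Block All Activity 1364
10:13:51 AM SYSTEM TCP IN REFUSED 65.95.170.76 61630 Block All Activity 1364
10:13:49 AM SYSTEM TCP IN REFUSED 65.95.170.76 61483 Block All Activity 1364
10:13:47 AM SYSTEM TCP IN REFUSED 65.95.170.76 61340 Block All Activity 1364
10:13:18 AM SYSTEM TCP IN REFUSED 202.160.21.14 PROXY:3128 Block Hacker IP After Attack 1374
10:13:17 AM SYSTEM TCP IN REFUSED 202.160.21.14 PROXY:3128 Block Hacker IP After Attack 1371
10:12:57 AM SYSTEM TCP IN REFUSED 219.122.226.144 2544 Block All Activity 1364
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("repeat sources:", repeat_sources(s))
    print("remote ports:", s["by_remote_port"].most_common(5))
    print("local ports:", s["by_local_port"].most_common(5))
    for r in sorted_by_ip_and_port(s):
        print(r["ip"], r["rport"], "->", r["lport"], r["reason"])
```

Run on the full pasted log, the per-source counter separates the one address that keeps coming back from the many that appear once, and the local-port counter shows whether everything lands on the same port (one service being probed) or is spread out (a scan of the host).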
  13. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430