Ok, and what is it?

Scanning a random port again. It is very interesting who and what for.

By the way, TCP and UDP at the same time

[attachment deleted by admin]

Are you using a p2p client such as uTorrent, if so is the port allocated to this 53311?

The 55555 entry could simply be messenger spam, although there is a known trojan that uses this port, that is called Shadow Phyre.

Are you using a p2p client such as uTorrent, if so is the port allocated to this 53311?
The most interesting thing is that it (53311) [b]IS NOT[/b] my p2p port.

Why is the computer infected by this trojan scanning my port?

Very strange. The source addresses and ports are totally random. The connection attempts are using both TCP and UDP and the destination address is identical. Very reminiscent of p2p activities.

You could try running netstat -ano from a command prompt and see if anything is listening on that port. The ‘o’ option gives you the process id, so you could use task manager to find the application.

The 55555 port may not be a trojan, as I said, it’s probably messenger spam. The only way to tell is to look at the traffic with a protocol analyser. You could simply disable the messenger service as it’s totally unnecessary on home PCs.
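One way to automate the netstat -ano / task manager check suggested above, as an added example that is not code from the thread: it parses netstat output for sockets bound to a given port and maps the PID to an image name through tasklist's CSV output. The sample netstat and tasklist text (including the process names) is constructed; the script uses it only when the real commands are not available.

```python
import csv, io, re, subprocess

# Constructed sample of `netstat -ano` output (not taken from the thread's screenshots).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:6969           0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.5:49211      77.0.0.2:1723          ESTABLISHED     4
  UDP    0.0.0.0:6969           *:*                                    3120
  UDP    0.0.0.0:53311          *:*                                    4488
"""
# Constructed sample of `tasklist /FO CSV /NH` output.
SAMPLE_TASKLIST = (
    '"utorrent.exe","3120","Console","1","31,004 K"\n'
    '"ApexDC.exe","4488","Console","1","22,776 K"\n'
)

# proto, local addr, local port, foreign addr, optional state (UDP rows have none), pid
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")

def find_listeners(netstat_text, port):
    """Sockets bound locally to `port`: TCP only if LISTENING, any bound UDP socket."""
    hits = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m.group(3)) != port:
            continue
        proto, laddr, lport, _faddr, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        hits.append({"proto": proto, "local": f"{laddr}:{lport}", "pid": int(pid)})
    return hits

def process_name(tasklist_csv, pid):
    """Map a PID to its image name using tasklist's CSV output; None if not found."""
    for row in csv.reader(io.StringIO(tasklist_csv)):
        if len(row) >= 2 and row[1] == str(pid):
            return row[0]
    return None

def capture(cmd):
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None  # command missing or failed: caller falls back to sample text

if __name__ == "__main__":
    netstat = capture(["netstat", "-ano"]) or SAMPLE_NETSTAT
    tasklist = capture(["tasklist", "/FO", "CSV", "/NH"]) or SAMPLE_TASKLIST
    for h in find_listeners(netstat, 53311):
        print(h["proto"], h["local"], "pid", h["pid"], "->", process_name(tasklist, h["pid"]))
```

An empty result for the port, as in the original poster's case, means nothing is currently bound there, which is exactly the situation Quill describes next: peers still contacting a port whose application is no longer running.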

Nothing is listening on this port! See below. Only uTorrent and ApexDC could listen on their ports on my system.

[attachment deleted by admin]

Nothing will be listening, if the application that uses this port is inactive. What you’re seeing in your logs is totally consistent with p2p behaviour, if the application is closed, whilst others are still trying to download from you.

Curious that you seem to have two different IP addresses from your ISP. I assume you use a VPN, which would explain the 1723 connection and the 77.x.x.x address. I assume the 109.x.x.x address is your internet address.

I assume you use a VPN, which would explain the 1723 connection and the 77.x.x.x address. I assume the 109.x.x.x address is your internet address.
This is obvious
Nothing will be listening, if the application that uses this port is inactive. What you're seeing in your logs is totally consistent with p2p behaviour, if the application is closed, whilst others are still trying to download from you.
I know. My p2p port is [b]6969[/b] for bittorrent (and 6970 for DC) but not a random port.

There is “DHT network” enabled in uTorrent options. What is it? I don't know. Peer exchange is also enabled… I mean maybe this can be caused by p2p technology or torrent-tracker activity?

Peer Exchange and Distributed Hash Table (DHT) use the defined port in uTorrent, in your case that would be 6969. (As an aside, it’s recommended you use a port in the range 49152 through 65535.)

If you continue to receive these inbound connection requests and you are totally sure you do not have or have not used an application that was listening on port 53311, then you will need to try and investigate, by using more complicated means, the reason these requests continue.

So, the question is, if you clear your logs and reboot your PC, do these inbound connection attempts start immediately or was it only on one occasion these entries were generated?

So, the question is, if you clear your logs and reboot your PC, do these inbound connection attempts start immediately or was it only on one occasion these entries were generated?
It is permanent activity. Look at present activity. This is the Russian unique way of building networks :)

This is kinda sorta madness

[attachment deleted by admin]

Ok, I go back to my first post where I suggested it was probably messenger spam. The two screen shots above are different from the earlier post, where the destination port was primarily 53311. In these latest screen shots the destination port is more or less random.

Essentially, this is just ‘noise’ and we can turn it off. Two things to do:

  1. Open start menu/run and enter services.msc. Scroll down until you find the messenger service and disable it.

  2. Open CIS and go to Firewall/Network security Policy/Global Rules. Add the following rules:

Block TCP or UDP IN (don’t log)
Source Address = ANY
Destination Address = ANY
Source Port = ANY
Destination Port = 1024 - 49151

Block TCP or UDP IN (don’t log)
Source Address = ANY
Destination Address = ANY
Source Port = ANY
Destination Port = 49152 - 65535

I split these ranges as the first set is Registered ports and the second Dynamic ports and splitting the rules makes troubleshooting easier.

One thing before you do this, please post a screen shot of your Global Rules.
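An added example, not code from the thread, of the distinction Quill draws above: inbound-block records either cluster on one destination port (as 53311 did in the earlier screenshots, the signature of peers still contacting a port an application once used) or scatter across ports (background noise), and each destination port falls into one of the two ranges the suggested Global Rules split on. The log records, addresses and the 80% threshold are constructed for illustration.

```python
from collections import Counter

# Constructed inbound-block records (proto, source IP, source port, destination port);
# not the thread's screenshots. First set: one destination port dominates.
STALE_PEER_LOG = [
    ("TCP", "198.51.100.7", 51872, 53311), ("UDP", "203.0.113.9", 40021, 53311),
    ("TCP", "192.0.2.44", 62001, 53311), ("UDP", "203.0.113.2", 12100, 53311),
    ("TCP", "198.51.100.7", 51873, 53311),
]
# Second set: destination ports are scattered, the pattern Quill reads as noise.
NOISE_LOG = [
    ("UDP", "192.0.2.1", 1026, 1027), ("UDP", "198.51.100.3", 3001, 55555),
    ("TCP", "203.0.113.4", 44010, 49200), ("UDP", "192.0.2.9", 1026, 1028),
    ("TCP", "198.51.100.5", 33000, 61234),
]

def port_class(port):
    """IANA ranges behind the two suggested Global Rules: registered 1024-49151, dynamic 49152-65535."""
    if port < 1024:
        return "well-known"
    return "registered" if port <= 49151 else "dynamic"

def summarise(records, fixed_share=0.8):
    """Decide whether inbound attempts target one port (an application that used to
    listen there, peers still trying) or scatter across ports (noise)."""
    dst = Counter(r[3] for r in records)
    top_port, top_count = dst.most_common(1)[0]
    share = top_count / len(records)
    return {
        "distinct_dst_ports": len(dst),
        "distinct_sources": len({r[1] for r in records}),
        "top_port": top_port,
        "top_share": share,
        "classes": dict(Counter(port_class(r[3]) for r in records)),
        "verdict": "fixed-port" if share >= fixed_share else "scattered",
    }

if __name__ == "__main__":
    for name, log in (("stale peers", STALE_PEER_LOG), ("noise", NOISE_LOG)):
        print(name, summarise(log))
```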

Quill, I'm blocking UDP (with the exception of 53 out) by means of a global rule. And I use “Custom Policy Mode”. My rules for applications are very detailed. I have no problems with blocking these requests by means of CIS. I'm just curious about their origin.

Three things:

  1. You use Application Rules to block Outbound connections, not Global Rules.
  2. These are Inbound connections, for which you use Global Rules as a control.
  3. As already stated, it is extremely likely these are just ‘noise’ and are not malicious intrusion attempts.

It could be flood and there could be malicious attempts in this noise.

Actually I do not need global rules, because I have rules for W.O.S. and system and all other apps and groups of apps.

If you want to find out what these are, use Wireshark and do some Protocol analysis.

Actually I do not need global rules, because I have rules for W.O.S. and system and all other apps and groups of apps.

It would seem these rules are insufficient.

If these are INBOUND and there is no corresponding application listening, then the first thing CIS will do, without exception, is evaluate them against the Global Rules.

The primary purpose of Global Rules is to filter unsolicited inbound connection attempts.

Ewen :slight_smile: