Port scans penetrating router?

I checked out my comodo logs this morning and was surprised to see this entry.

Date/Time: 2007-07-27 09:40:52
Severity: High
Reporter: Network Monitor
Description: TCP Port Scan
Attacker: 75.126.230.210
Ports: 28683, 17163, 16907, 17931, 18187, 18443, 19211, 19723, 20235, 20747, 21515, 21771, 22283, 22795, 23307, 23563, 24331, 24843, 25355, 25867, 26379, 26891, 27403, 28171, 28427, 67, 49, 0, 80, 67, 73, 92, 86, 69, 78, 95, 56, 48, 56, 54, 38, 67, 67, 95, 48, 49, 48, 54, 48, 49
The attacker has been temporarily blocked

My linksys router logs are empty.

I’m grateful that Comodo blocked the port scans but the problem is that I’m behind a router that shares an internet connection with two other computers.

Unfortunately, I’m not good at interpreting the source. This isn’t one of the 192.168.xxx.xxx addresses on my LAN. So, is this outside activity that was able to penetrate my router?

When I initiate a port scan at GRC or DSL Reports, all activity is apparently blocked at the router because I don’t ever see any alerts in my Comodo logs. That’s why I’m concerned…I’ve never seen this happen the whole 3+ years I’ve been behind a router.

I would like to note that about the same time of this log entry, I got a Dr Watson message that said “Comodo updater has encountered a problem and needs to close.” Comodo itself still seems to be operating ok.

Could be a coincidence…I dunno. Any help would be appreciated.

Mike

It may not be a port scan… CFP 2.4 has been known to interpret high volume returning packets (such as… 50+ DNS requests) as an attack (port scan), when they are not. In these cases, the attacker’s IP is typically a DNS (Domain Name Server) or your router. If you’re seeing LAN based IPs, it is probably not an attack… but a bit of “blue on blue” by CFP. ;D Increase the rate/duration settings of CFP’s attack detection to resolve.
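An added illustration of the false positive described in the reply above (not code from this thread or from CFP): a plain "many distinct local ports from one remote IP inside a window" heuristic fires on a server that is merely answering connections the host opened, while a version that remembers which connections the host itself initiated does not, yet still catches unsolicited probes. All traffic, addresses, ports and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)   # detection window (the "duration" knob)
THRESHOLD = 20                   # distinct local ports per remote IP per WINDOW (the "rate" knob)

# Constructed sample traffic, not taken from the thread.
# Packet tuple: (timestamp, direction, remote_ip, remote_port, local_port)
def sample_browsing():
    """Local host opens 40 HTTP connections to one server; the server answers each."""
    base, pkts = datetime(2007, 7, 27, 9, 40, 52), []
    for i in range(40):
        t, lport = base + timedelta(milliseconds=100 * i), 16907 + 256 * i
        pkts.append((t, "out", "203.0.113.10", 80, lport))                              # our SYN
        pkts.append((t + timedelta(milliseconds=40), "in", "203.0.113.10", 80, lport))  # reply
    return pkts

def sample_scan():
    """Unsolicited probes from one host to 25 low ports, nothing opened by us."""
    base = datetime(2007, 7, 27, 10, 0, 0)
    return [(base + timedelta(milliseconds=50 * p), "in", "198.51.100.7", 40000 + p, p)
            for p in range(1, 26)]

def _record(hits, alerts, rip, t, lport):
    """Count one inbound hit; alert when distinct local ports in the window reach THRESHOLD."""
    hits[rip].append((t, lport))
    recent = {p for ts, p in hits[rip] if t - ts <= WINDOW}
    if len(recent) >= THRESHOLD:
        alerts.add(rip)

def naive_alerts(packets):
    """Every inbound packet counts, so a busy but legitimate server trips the alarm."""
    hits, alerts = defaultdict(list), set()
    for t, direction, rip, rport, lport in packets:
        if direction == "in":
            _record(hits, alerts, rip, t, lport)
    return alerts

def stateful_alerts(packets):
    """An inbound packet that answers a connection this host opened is not a hit."""
    opened, hits, alerts = set(), defaultdict(list), set()
    for t, direction, rip, rport, lport in packets:
        if direction == "out":
            opened.add((rip, rport, lport))
        elif (rip, rport, lport) not in opened:
            _record(hits, alerts, rip, t, lport)
    return alerts
```

The naive detector flags 203.0.113.10 on the browsing sample because 40 replies land on 40 different local (ephemeral) ports within the window; the stateful one flags only the probing host in the scan sample.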

I think it’s not a port scan, more likely it’s your DNS server. I mailed my DNS company and asked them why they port scan me, and I got an answer about something, can’t remember what tho. But if you get several ‘port scans’ from the same IP, it’s most likely your DNS company.

EDIT: Curse you kail, I was just going post my answer :frowning:

Sorry about that Ragwing… that can be annoying. I’ll leave any subsequent questions in your capable hands. :slight_smile:

It’s not the DNS server, unless that is “TheSuperficial.com”… (based on the IP showing in the log entry).

LM

PS: Gotta hurry; Ragwing may try to post again… :wink:

Ok, my tracking skills are weak at best. I typed in the address at ip whois and it returned something along the lines of “Software Layer Technologies Inc.” Being that I trust your results better than my own, I did a google on “thesuperficial.com” and it appears to be a celebrity site of some sorts. Don’t think I’ll be paying them a visit though.

I thought I was confused before, now I’m at a total loss. For one, I don’t know this site and never been there. Two, I didn’t even have a web browser open at the time of the alert. I was eating breakfast and returned to see the Dr Watson warning about the Comodo Updater. That’s what prompted me to check the logs. The Updater incident turned out to be nothing. It was due to one of the application rules blocking an instance of svchost and that has been straightened out.

I ran RKR, Rootkit Hook Analyzer, and BlackLight. Ran AV and antispy and everything seems normal on the surface.

So, I don’t know. Don’t think my computer is compromised, but this is awfully strange. Don’t ya think?

Mike

You’re not that far off, really… If you ‘whois’ the IP it will give the SLTI (in Dallas) result, which is who holds the block from 75.126.0.0 - 75.126.255.255 (and probably web-hosts the site). A reverse DNS on the IP gives the exact site info, which is registered by GoDaddy to TheSuperficial.

And yeah, it seems to be a celeb site. Hmm, are you actually Lindsay Lohan, “Mike_P”? ;D

As to what happened, do you have any kids/wife/pet/other that might’ve accessed the computer whilst you were scarfing down your biscuits and gravy?

LM