Port Scans

Hello Everyone,

In the past two weeks, CPF Network monitor has logged that my ports have been scanned: first a TCP port scan just over a week ago then today just 10 minutes ago, a UDP port scan. In each instance CPF states that the attacker has been temporarily blocked.

This is the first time I’ve had these show up on my CPF logs and I am more than a bit concerned. In each instance, an IP address is logged from where the scan originated.

My questions are:

  • Are port scans (either TCP or UDP) almost always malicious?
  • When CPF says that the attacker was temporarily blocked, does that mean there is a chance they will be able to gain access to my PC if they keep trying?
  • Can I use the IP address logged by CPF to any advantage i.e. discovering who is scanning me?
  • I am using a cable modem and a voIP router; I remember that because of this setup, my real IP address isn’t revealed but what shows up instead are the “ports” and IP address of my voIP router. If that is the case, when CPF logs a port scan, does that mean the scan has actually reached my computer and or is still finding only the router?
  • This question might be redundant: CPF is supposed to stealth my computer. If that is the case, when CPF logs a port scan does that mean more ports have somehow been revealed?
  • Continuing on the topic of CPF stealthing my ports, when CPF registers a port scan and says that the attacker has been temporarily blocked, does that mean whomever scanned my ports now knows my computer exists and I am no longer stealthed?
  • Since I have had a TCP and UDP port scan in the last two weeks, what are the chances that the same person is responsible for both scanning attempts?

Any help or guidance will be greatly appreciated – I don’t want to be hacked! :frowning:

Best,
Max


- Are port scans (either TCP or UDP) almost always malicious?
No, sometimes that can be completely innocent… typically, your DNS server, web site or incoming replies for an application that you’re running that CFP has mistakenly identified as a port scan (because of the way the ports are allocated in Windows - usually, fairly, sequentially).

- When CPF says that the attacker was temporarily blocked, does that mean there is a chance they will be able to gain access to my PC if they keep trying?
No. The blocked IP is.. erm.. blocked.
- Can I use the IP address logged by CPF to any advantage i.e. discovering who is scanning me?
Yes, take it to someone like IP Tools (http://www.iptools.com/), find out who they are. Perhaps, it was caused by something you're doing.
- I am using a cable modem and a voIP router; I remember that because of this setup, my real IP address isn't revealed but what shows up instead are the "ports" and IP address of my voIP router. If that is the case, when CPF logs a port scan, does that mean the scan has actually reached my computer and or is still finding only the router?
Depends on what CFP says the Target IP was (your VOIP address or your real IP address).
- This question might be redundant: CPF is supposed to stealth my computer. If that is the case, when CPF logs a port scan does that mean more ports have somehow been revealed?
No. Typically, port scans are done blindly without a single response from your system.
- Continuing on the topic of CPF stealthing my ports, when CPF registers a port scan and says that the attacker has been temporarily blocked, does that mean whomever scanned my ports now knows my computer exists and I am no longer stealthed?
No. But, getting no response at all to a port scan would suggest that either there is nothing there or a firewall that is stealth'ing things.
- Since I have had a TCP and UDP port scan in the last two weeks, what are the chances that the same person is responsible for both scanning attempts?
Maybe, maybe not. The Source IP might reveal that information. But, a skilled hacker would use zombie systems anyway.. so, the Source IP would be an innocent, unsuspecting user.

Kail,

I can’t thank you enough for your response:

Kail wrote: No. The blocked IP is.. erm.. blocked.

I asked this question because of the word “temporary”. I figure temporary means just that so if they make repeated attempts to hack my PC, they might succeed. If I’m reading your response correctly, that isn’t the case and for that I am really glad! ;D

Kail wrote: Yes, take it to someone like IP Tools, find out who they are. Perhaps, it was caused by something you're doing.

That’s a great resource, thanks. Unfortunately, the search I chose (whois lookup) seems to only give generic information such as who owns the IP address (in this case RoadRunner) but nothing really specific. There were many choices for a search so if you had one particular search in mind, let me know I will give it a whirl.

Kail wrote: Depends on what CFP says the Target IP was (your VOIP address or your real IP address).

Forgive me if I’m missing it but CPF only seems to list the attacker's IP and not mine. Am I looking in the wrong place?

Thanks again for the info!

Best,
Max

Temporary block: Ah… OK. The suspect attacker is temporarily blocked for x minutes. So, they are blocked no matter what they do & no longer bother the user (or CFP). Once those x minutes have passed, they can try their port scan again (if they want). But, it doesn’t really matter… there is no way past CFP in any event. In short, you’re safe.

IP Tools: What sort of information were you hoping to find?

Target IP: You are quite correct, I had to search some old CFP 2.4 Log files (I’m running the CFP 3 beta) to confirm what you’ve already discovered. I was surprised, but CFP doesn’t record the target IP. But, explain to me a bit more about your 2 different IP addresses? Are they both Internet IP Addresses or is one a Private LAN IP?

What does your LAN look like? Is it something like this:

Internet ------ modem ------ router ------- computer w/CFP

Are there other computers connected to your router?

The thing is, if the router has done its job, your computer with CFP should never have seen the scan.

If you have a setup like this:

Internet -------- modem -------- router +------ computer w/CFP
                                        +------- another computer

Then the other computer may well have originated the scan, spoofing the address to make it appear it came from the Internet. In which case, the other computer has a problem.

What your LAN looks like, can make a big difference. That’s why my question.
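To make the two points of this thread concrete, here is an added example (not CFP's code, and not CFP's real log format) that does what Kail's first answer and grue155's LAN question describe: it runs a simple port-scan heuristic over firewall log lines (many distinct destination ports from one source in a short window), marks hits on sequential high-numbered ports as looking like replies to a local application rather than a scan, and classifies the source address as LAN-side (RFC 1918) or Internet-side so you can tell whether the traffic came through the router or from another machine on your own LAN. The line format, the thresholds (10 ports in 60 seconds) and all addresses are constructed assumptions; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for Internet hosts.

```python
"""Added example: port-scan heuristic over constructed firewall log lines,
with each flagged source classified as LAN-side or Internet-side.
The log format, thresholds and addresses are assumptions for illustration;
this is not CFP's real log format or detection logic."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"
# Constructed line shape: "<date> <time> <TCP|UDP> <src> -> <dst>:<port>"
LINE_RE = re.compile(r"^(\S+ \S+) (TCP|UDP) (\S+) -> (\S+):(\d+)$")

# Ranges that cannot be an Internet host; anything else is treated as routable.
SPECIAL_RANGES = [
    ("loopback", "127.0.0.0/8"),
    ("link-local", "169.254.0.0/16"),
    ("RFC 1918 private (LAN side of a NAT router)", "10.0.0.0/8"),
    ("RFC 1918 private (LAN side of a NAT router)", "172.16.0.0/12"),
    ("RFC 1918 private (LAN side of a NAT router)", "192.168.0.0/16"),
    ("carrier-grade NAT (RFC 6598)", "100.64.0.0/10"),
]


def classify_source(ip_str):
    """Say which side of a NAT router an address belongs to.  Explicit ranges
    are used instead of ipaddress.is_private so that the documentation ranges
    used as stand-ins below still count as Internet addresses."""
    ip = ipaddress.ip_address(ip_str)
    for label, net in SPECIAL_RANGES:
        if ip in ipaddress.ip_network(net):
            return label
    return "routable Internet address"


def parse_line(line):
    """Parse one constructed log line; returns None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proto, src, dst, port = m.groups()
    return {"ts": datetime.strptime(ts, TS_FMT), "proto": proto,
            "src": src, "dst": dst, "port": int(port)}


def find_scans(lines, min_ports=10, window=timedelta(seconds=60)):
    """Flag a (source, protocol) pair that touches >= min_ports distinct
    destination ports within any window-long span.  Consecutive high ports
    are marked, because replies to a local application's sequentially
    allocated ephemeral ports look the same; the mark is a hint, not proof."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[(ev["src"], ev["proto"])].append(ev)
    findings = []
    for (src, proto), evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = defaultdict(int)  # port -> hits inside the sliding window
        lo = 0
        for ev in evs:
            in_window[ev["port"]] += 1
            while ev["ts"] - evs[lo]["ts"] > window:  # slide the left edge
                old = evs[lo]["port"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) >= min_ports:
                ports = sorted({e["port"] for e in evs})
                sequential = ports[0] >= 1024 and all(
                    b - a == 1 for a, b in zip(ports, ports[1:]))
                findings.append({"src": src, "proto": proto, "ports": ports,
                                 "first": evs[0]["ts"], "last": evs[-1]["ts"],
                                 "sequential_high_ports": sequential,
                                 "source_kind": classify_source(src)})
                break
    return findings


def _make_lines(start, proto, src, dst, ports, step_s=1):
    """Build constructed log lines, one port every step_s seconds."""
    return [f"{(start + timedelta(seconds=i * step_s)).strftime(TS_FMT)} "
            f"{proto} {src} -> {dst}:{p}" for i, p in enumerate(ports)]


T0 = datetime(2007, 6, 1, 10, 0, 0)
SAMPLE_LOG = (
    # Internet-side source (documentation range as stand-in) sweeping well-known TCP ports
    _make_lines(T0, "TCP", "203.0.113.77", "192.168.1.5",
                [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080])
    # LAN-side source (the router) hitting sequential high UDP ports: looks like replies
    + _make_lines(T0, "UDP", "192.168.1.1", "192.168.1.5", list(range(1025, 1037)))
    # Ordinary traffic: one port, repeated slowly; must not be flagged
    + _make_lines(T0, "TCP", "198.51.100.9", "192.168.1.5", [80, 80, 80], step_s=30)
)

if __name__ == "__main__":
    for f in find_scans(SAMPLE_LOG):
        print(f"{f['src']} {f['proto']} {len(f['ports'])} ports "
              f"{f['first']:%H:%M:%S}-{f['last']:%H:%M:%S} "
              f"sequential={f['sequential_high_ports']} source={f['source_kind']}")
```

Run as a script it reports two hits: the TCP sweep from the Internet-side address, and the UDP burst from 192.168.1.1 marked as sequential high ports from an RFC 1918 source, which is the pattern Kail described as replies to your own application rather than a scan. If a real log showed a private source address like that, it would also answer grue155's question, since an RFC 1918 address is on your side of the router by definition.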

My setup is quite simple: modem ---- > voIP router ----- > Computer.

grue155 wrote: The thing is, if the router has done its job, your computer with CFP should never have seen the scan.

This was my thought exactly. Is it possible for CPF to see a scan on my router?

Kail wrote: Target IP: You are quite correct, I had to search some old CFP 2.4 Log files (I'm running the CFP 3 beta) to confirm what you've already discovered. I was surprised, but CFP doesn't record the target IP. But, explain to me a bit more about your 2 different IP addresses? Are they both Internet IP Addresses or is one a Private LAN IP?

Pardon my ignorance here but I would have no idea if the IP address assigned by the voIP router is private or not. I can say that my voIP provider isn’t giving me an IP and I believe the router is the sole source. I know I have two IP addresses because I have seen my “real” IP given to me by my ISP. Hope that sheds more light on this situation.

Kail wrote: IP Tools: What sort of information were you hoping to find?

Nothing too extreme just full name, address, phone number :wink: I guess what I was hoping to see was perhaps if the source was a known website e.g. Amazon, Yahoo, or something of the like. Some sort of info that would allow me reasonably assume that the scan was not malicious in nature.

Btw, where can I download CFP3 beta? I’ve had a good run with CPF 2.4 and while I know CFP is still beta, is it reasonable to assume a high chance that it would run well?

Well, that’s very straightforward. That means the voIP router is forwarding Internet traffic, and not doing any kind of firewall function. What kind of router is it (make and model)? Could be some setting needs to be tweaked.

Just on an off-chance, I’d suggest changing the router admin password, especially if it is still the manufacturer default password.

CFP3 details in the CFP3 forum, next door to this one, under the Comodo Firewall forums list.

I’ve looked everywhere for a CFP 3 Beta download with no luck. Sorry to be so lame but any chance someone could post the link for download here?

https://forums.comodo.com/empty-t13159.0.html