Ports being scanned? Nmap Xmas scan?

Hi, just need some help. Hopefully it’s just that i’ve messed up somewhere along the line but i don’t think so…

Think My ports are being scanned and i’ve earlier had a problem with a (person?) scanning my ports. I hate Norton before (Ewww…) and it said i was being scanned by a program called something
similar to Xmas Nscan, by unfortunately it didn’t offer me any help so i got CFP instead which i by far prefered.

But now i still got alot of logs of high severity class, and ALOT of medium…So just wanted to check in if it’s a glitch in my setup (God i hope so) or someone trying to access my computer/network.

And i get alot fast, went from 30 to 100 in like 10-20 minutes.

  • The version of Comodo Firewall Pro Installed
    (Sorry i’m not sure)

  • Your Internet connection type (dial-up/cable/Direct connection/LAN etc)
    (8 Mbps)

  • Operating system and Service Pack Level
    (Win xp Sp2)

  • How you are logging in to the OS (Admin, User)

  • Other Security applications installed (AV, AS, HIPS etc)
    (Avast!,spybot and Ad-aware)

  • Security related applications which have been removed/disabled before installing CFP.

  • Security related application which have been removed/disabled after installing CFP.
    (Nothing i think)

  • Detail the problem, such as which applications are running when you have the problem. (Utorrent,Msn, Skype, Deamon tools and firefox)

  • Please inform us if you have created any custom rules.
    (yes to open a custom port for utorrent, and i might have made one for WoW downloader)

Also i have a Netgear rangemax wireless router Model: WPN824v2

(V) hope you can help me

[attachment deleted by admin]

Hi FrippeII, welcome to the forums.

It is difficult to gauge looking at screen shots. CFPs Log can be exported to an HTML file (right click the Log). You can then open the HTML file in your default browser & use a simple Copy ‘n’ Paste to post examples of the Alerts here. Remember to mask any Private IP numbers that you do not want made public, thanks.

Thank you.

Btw if i give out some vital info without realizing it please tell me so i can remove/hide it. Thnx again

Oh and while it scan my ports my interner becomes REALLY slow, tho i tried a connection speed test that said my speed was around where it should be.

Date/Time :2007-06-08 17:46:19
Severity :Medium
Reporter :Network Monitor
Description:Inbound Policy Violation (Access Denied, ICMP = HOST UNREACHABLE)
Protocol:ICMP Incoming
Reason: Network Control Rule ID = 6

Date/Time :2007-06-08 17:39:18
Severity :High
Reporter :Network Monitor
Description: Blocked by Protocol Analysis (Invalid Flag Combination)
Direction: TCP Incoming
Reason: ACK FIN RST is an invalid TCP flag combination

Many differs a little mosty by Ip’s tho, if you need the log file send me a PM

Figured out the name of the Scan aswell Nmap XMAS scan

It’s OK, you didn’t post anything private. I (or another Mod) would have removed it if you had anyway.

OK, I suspect that these are something to do with uTorrent. Have you read the FAQ on torrent stuff? Emule and bittorent tuttorials

Yes i have, And i followed the guide found at www.portforward.com

OK, the Invalid Flag Combination alert is mentioned in a fewloads of torrent-related posts…


… they seem to be saying this stuff is normal for P2P/torrent traffic. Check them yourself, see what you think.

Here’s another good topic on this…


I read somewhere that if you have had uTorrent or similar software installed in the past and then uninstalled it that your IP address would still get probed for months.

Think I saw it on DSLReports somewhere, not sure though.


Yes, that is true jasper, for uninstalled P2P. Its because nodes all over the p2p-network that you were (are) using have your IP & what you were offering to share. So, even if you’re not using the P2P app any more, you can still get unsolicited calls from the P2P network for weeks afterwards… until your IP drops off the nodes catalog.

edit: Of course this only impacts those users with static Internet IP address. Those with an dynamic IP Internet address it does not impact, although the dynamic IP users can inherit someones interrupted/old P2P session & encounter a similar event.

I followed some of the advice from the links you gave me and for now it seems to work fine, but if you don’t mind kail I’d like to mail my log to you so you can look through it when ever you feel to have a quick look, ofc if you feel it’s a pain in the neck thats Ok too =P

Thanks a bunch for the help and hopefully it’s resolved, i’ll get back to you later to say if it’s working or not.

Thank again (M)

That would suck getting someone elses IP that had P2P installed previously. Never thought of that. That would be very possible too. :o


Yep, it is OK to email me the Log FrippeII.

Jasper: Even worse when the user encountering this storm is running the very same P2P app, the MAC numbers don’t match. hehehe. Of course, it depends on your firewall how you find out about it… if at all.

Would hate to try and sort that mess out. :-\


Thank you for your help, i no longer have those freaky logs. But i still have quite a slow load speed on Webpages, and still when i do the speed tests it takes forever but comes out with a normal result, any idéa about this?

(kail i’ve sent the mail with the logs to removed by mod (hope it’s the right one, and my email got a weird name since i created it as a spoof email in the beginning

Please don’t post email addresses on the forums, it attracts spam. And… please don’t send me 3 emails at over 3MB each. I don’t have broadband. You should have zipped the HTML files first, no need to do it now. I already have multiple copies. :slight_smile:

Here’s what I said in my reply email (I removed me moaning about email sizes & zip). ;D

LOL, don't worry about your name. I'm not called kail either in real life.

Yep, these Logs are consistent with that of a P2P network. However,
there also blocks in there that indicate that (a) The UPnP Service is
running & broadcasting (some routers use UPnP Mcasts), (b) you are on a
LAN & (c) either LAN has other PCs or your router has its own IP on the
LAN. If you are on a LAN with friendly-systems or you router, box or
whatever has its own IP, then you should have set-up a Trusted Zone
within CFP.

First, Sorry about 3 mails, hotmails server was not in top shape and was messing around, and sorry about the email address aswell, figured you’d remove it if you didn’t want it out like that. (and yeah i should have considered that you didn’t have broadband and zipped it =P)

About (A) i’m not quite sure what that means but i hope it’s a normal thing i don’t have to look into =P
Yes i’m on a LAN with a router that has it’s own IP and then distributes to the other 3 computers.
And i need to make a trusted zone

And i wasen’t concerned that you’d think it was my IRL name or something like that =)
Just that i button mashed it and everyone that receives mail from me thinks it’s a virus mail =p

Love this forum!

No problem. :slight_smile:

OK, so you need to create a Trusted Zone in CFP (Security - Tasks) that includes your systems LAN IP, your routers LAN IP & the other Systems LAN IP if they are “friendly & to be trusted” of course.