TCP Port Scan from digg.com??

Lately I got 2 TCP Port Scans (according to CPF), one from my router (??) and one from digg.com? I don’t understand this. I am behind a NAT router, so why would either the router itself or digg scan ports? Also, I do not get this type of message when ShieldsUP scans my ports (= router ports).

The message I get is like this (HTML):

Date/Time :2007-01-12 13:58:48
Severity :High
Reporter :Network Monitor
Description: TCP Port Scan
Attacker: 64.191.203.30
Ports: 48390, 42246, 42502, 42758, 43014, 43270, 43526, 43782, 44038, 44294, 44550, 44806, 45062, 45318, 45574, 45830, 46086, 46342, 46598, 46854, 47110, 47366, 47622, 47878, 48134, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
The attacker has been temporarily blocked

Here, 64.191.203.30 = digg.com???

The other IP was an internal one (192.168-range).

Anyone?

Have you been on digg.com, or done any downloads, saved any links, etc, that might explain part of that?

Was the Port Scan alert from the router address at the same timeframe?

LM

Yes, I was on digg.com around that time, just reading news items with Opera 9.02. But why would digg.com scan ports. Doesn’t make any sense?
The internal scan was earlier, here’s the data:

Date/Time :2006-12-17 20:40:45
Severity :High
Reporter :Network Monitor
Description: TCP Port Scan
Attacker: [my routers external IP]
Ports: 64015, 60687, 60943, 58895, 60431, 59919, 59663, 47887, 60175, 2064, 48399, 61199, 62735, 2320, 61711, 61455, 61967, 62991, 63247, 62223, 63503, 63759, 62479, 64527, 272, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
The attacker has been temporarily blocked

Also, none of these messages pop up (although I have ticked the box in Settings), so I might have missed a couple, because I have to look at the log to notice one in the first place.

Thank you for your time, I hope you can clear things up a bit.

giri,

You say that the source is your router’s external IP; I want to clarify that… If it’s the external IP, that’s on the internet side of your router (this would be the IP visible from the outside), as compared to the internal IP, on the computer/intranet side. A pretty much standard internal router IP is 192.168.1.1 or something like that. So, just to make sure what you were referring to.

If you access your router’s configuration/setup, there should be logfiles there as well, that might give more information on the event. I have not seen that sort of occurrence before; it would be a concern for me, too.

As far as the digg.com deal, I see a couple of possibilities (there may be others, but this is what I’m thinking at this point):

  1. It is a function of the website (an RSS feed, or something, perhaps) that appears to CPF as a Port Scan.
  2. Some evildoer was using the website (through a bot, etc) to try to scan connected computers.
  3. Did you have a p2p application (utorrent, etc) open at the time?

I would kind of doubt #1; while some firewalls I’ve used seem to interpret everything as a port scan, I haven’t seen CPF do that. There’s obviously a lot of activity that happened all at once.

Did you install CPF on Automatic?
Have you made any changes to the default Network Monitor rules?

You can increase the frequency of your popup alerts by going to Security/Advanced/Miscellaneous, and moving the Alert Frequency slider to High. Click OK. Reboot to clear the memory and set the changes.

Littlemac, thank you for your time.
Just when I posted my last message, it hit me too: was it the internal or external IP? Forget my rambling about internal; it was the external one, as I stated in my last message.

Yes, of course I changed the Network Control Rules. I added 3 (at the top) to block any traffic (in/out, UDP/TCP) to a couple of sites, like doubleclick and Opera (phone home).
No, I was not connected to a P2P network; the only P2P I connect to is Skype, and I was not running it at that time.
About installing CPF on automatic: no idea, you mean ‘Custom’ or ‘Standard’ setup during installation, like many progs offer? If so, I don’t remember, prob. Custom.

About pop-up freq: it has always been set to High. Can’t go any higher. CPF’s pop-ups are not a friend of mine anyhow, because they also usually pop under instead of pop up, so my browser freezes, I wonder why, then I remember that underneath other windows there might be a CPF pop-under waiting for input, which is usually the bogus ‘Intellipoint [or any other prog. you just ran] has modified the OLE-Panam-Lets-Hijack-A-Plane-Do-You-Want-Left-Or-Right-Testikel-Removed etc’ message.

Thanks for your help, again.

Can you access your router’s configuration, to view the logs there? That may help identify some as well.

Also, are you running your browser full-screen? I know with full-screen games, the alerts pop under rather than over, which is frustrating for gamers.

LM

Hi Guys

Sorry to ■■■■ in, it’s just that I get these type of things quite a bit and often it’s my own DNS. The reason is fairly simple: I run a program (eg. SysInternals Process Explorer) & then I get the scan warnings. The thing is that Process Explorer has a TCP/IP tab where it lists & resolves the connections. Now, imagine Process Explorer with 30+ processes & some of these (like Firefox) containing multiple connections to different IPs (a P2P/chat program is also a classic). So, Process Explorer issues 60-odd resolve requests to the DNS… what CFP sees is 60 different packets all inbound within a few hundred milliseconds from the same source… naturally Windows just increments the port numbers for each inbound connection & ■■■■ port scan CFP announces. All I did was to increase the port scan trigger limit within CFP to exclude these. I increased the Traffic Rate from 50 to 200.

I’ve also had similar scan alerts, as described above, from some web sites… usually I was using Firefox or Opera with lots of tabs open on the same site & I issued a global refresh or something like that. Sometimes it’s because of packet fragmentation, making a single stream look like many streams until the browser sorts it out. I can normally spot these false alerts because the port numbers are very large (30000-50000) & are just a consequence of Windows allocating the ports. Real scans tend to be more focused, looking for services, trojan ports or P2P programs.

Anyway, I hope that helps.
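To make Kail’s explanation concrete, here is an added example (not code from the thread, from Comodo or from any poster) that models a rate-based “port scan” heuristic and runs it over two constructed traffic samples: a burst of DNS replies from a LAN resolver landing on fresh high ports, and a focused probe of low service ports from one remote host. It also parses the “Ports:” line of the alert giri posted and measures the share of high ports, which is the rule of thumb Kail describes. The 1-second window, the “distinct ports per source” rule and the treatment of the trailing zeros as unused slots are assumptions modelled on the thread, not CPF’s documented algorithm; 192.168.1.1 is a placeholder resolver address and 203.0.113.7 is a documentation-range address. The example also shows the trade-off the thread does not spell out: raising the threshold from 50 to 200 silences the DNS burst, but it silences a 60-port service sweep just as well, and only the port-range check tells the two apart.

```python
"""Toy model of a per-source 'TCP port scan' heuristic and of Kail's
high-port rule of thumb. Example code written for this thread; the
thresholds and window are assumptions, not Comodo's real implementation."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed copy of the alert text quoted earlier in the thread.
CPF_ALERT = """Description: TCP Port Scan
Attacker: 64.191.203.30
Ports: 48390, 42246, 42502, 42758, 43014, 43270, 43526, 43782, 44038, 44294, 44550, 44806, 45062, 45318, 45574, 45830, 46086, 46342, 46598, 46854, 47110, 47366, 47622, 47878, 48134, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
The attacker has been temporarily blocked"""

HIGH_PORT = 30000  # Kail's rule of thumb: 30000+ looks like Windows-allocated ports


def parse_cpf_ports(alert_text):
    """Return the non-zero ports from a CPF alert's 'Ports:' line.
    Assumption: the zero entries are unused slots in a fixed-size list."""
    m = re.search(r"^Ports:\s*(.*)$", alert_text, re.MULTILINE)
    if not m:
        return []
    return [int(p) for p in m.group(1).split(",") if int(p) != 0]


def high_port_share(ports):
    """Fraction of ports at or above HIGH_PORT. Close to 1.0 suggests the
    'scan' is really replies to connections this host opened itself."""
    if not ports:
        return 0.0
    return sum(1 for p in ports if p >= HIGH_PORT) / len(ports)


@dataclass(frozen=True)
class Packet:
    ts_ms: int     # arrival time in milliseconds
    src: str       # source IP address
    dst_port: int  # destination port on the monitored host


def scan_sources(packets, max_ports, window_ms=1000):
    """Return the sources that hit more than max_ports distinct destination
    ports inside any window_ms-wide window (a sliding window per source).
    max_ports plays the role of CPF's 'Traffic Rate' setting in spirit only."""
    by_src = defaultdict(list)
    for p in packets:
        by_src[p.src].append(p)
    flagged = set()
    for src, pkts in by_src.items():
        pkts.sort(key=lambda p: p.ts_ms)
        start = 0
        for end, pk in enumerate(pkts):
            while pk.ts_ms - pkts[start].ts_ms > window_ms:
                start += 1
            if len({q.dst_port for q in pkts[start:end + 1]}) > max_ports:
                flagged.add(src)
                break
    return flagged


def dns_burst(n=60):
    """Constructed traffic: n DNS replies from the LAN resolver within 300 ms,
    each to a fresh high port (stride 256, as in the quoted alert)."""
    return [Packet(ts_ms=5 * i, src="192.168.1.1", dst_port=42246 + 256 * i)
            for i in range(n)]


def service_sweep(n=60):
    """Constructed traffic: one remote host probing n low service ports within 300 ms."""
    return [Packet(ts_ms=5 * i, src="203.0.113.7", dst_port=20 + i)
            for i in range(n)]


if __name__ == "__main__":
    ports = parse_cpf_ports(CPF_ALERT)
    print("ports in alert:", len(ports), "high-port share:", high_port_share(ports))
    for label, traffic in (("DNS burst", dns_burst()), ("service sweep", service_sweep())):
        for rate in (50, 200):
            print(f"{label:13} rate={rate:3}: flagged {scan_sources(traffic, rate)}")
        print(f"{label:13} high-port share:",
              high_port_share([p.dst_port for p in traffic]))
```

Run it as a script to see that both samples trip the detector at a rate of 50 and neither trips it at 200, while the high-port share is 1.0 for the DNS burst and 0.0 for the sweep; that second number is the signal worth keeping in a log review once the threshold has been raised.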

Kail, thanks for your help. This looks to be the explanation for the problem. I will set the Port Scan Probe Rate to 200, as you indicated, and see how things will develop.

Thanks again to Little Mac. I don’t even know how to access the router logs, so I hope Kail’s solution works.

Kail’s probably right; hopefully so… :wink:

As far as your router’s logs, you would need to access your router’s configuration interface. When you got your router, there should have been instructions with it (if you got it new) for how to access it. It’ll give you a local IP address to access through your browser, and a password to get in. Once you’re in, you can access the logs, or route them to your computer, etc. I recommend changing the default password (since it’s usually “Administrator”).

If you don’t have the access info, you can probably get it from the manufacturer.

LM