Am I being port scanned right now?

dave343

I've been checking my router for the last 1/2hr, the log file I mean, and it keeps updating with numerous IPs reporting unauthorized access from (fictional IP) : 192.123.123.123:99999 to UDP port XXXXX

All the IPs are different, and the ports are different. One also tried to access port 135 which I have blocked.

Also under View DHCP list I can see my own computer XP network name but there is another called "user" and that ain't me and no other computer in the house is turned on.
 
Welcome to the global Internet. :)

You get port scanned several, if not dozens, if not hundreds of times per day. It's also likely that you're just getting probed by zombie/worm-infested machines looking for someone new to infect.

At my last job, we had 29 public IPs and on an average day had several thousand hits against the commonly exploited ports - 135, 139, 445, etc. I remember when Blaster came out, we logged several million hits against these ports in a 12-hour period.

Don't worry about it - as long as your firewall is blocking it.
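The pattern described in the two posts above (many different sources, familiar ports, a steady cadence) can be checked from the log itself. The following is an added example, not part of the thread: the log line layout and every sample entry are constructed, modelled only on the "unauthorized access from IP:port to UDP port N" wording quoted in the first post, so adjust `LINE_RE` to the router's real format.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample entries (documentation address ranges, invented timestamps).
SAMPLE_LOG = """\
2005/03/14 21:00:02 Unauthorized access from 198.51.100.7:4312 to UDP port 1026
2005/03/14 21:00:31 Unauthorized access from 203.0.113.40:1180 to TCP port 135
2005/03/14 21:01:02 Unauthorized access from 192.0.2.15:3345 to UDP port 1027
2005/03/14 21:01:33 Unauthorized access from 203.0.113.91:2210 to TCP port 445
2005/03/14 21:02:01 Unauthorized access from 198.51.100.7:4313 to UDP port 1026
2005/03/14 21:02:32 Unauthorized access from 192.0.2.200:1999 to TCP port 135
"""

# Assumed line layout: "<date> <time> Unauthorized access from ip:port to PROTO port N"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) Unauthorized access from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ to (?P<proto>TCP|UDP) port (?P<dport>\d+)$"
)
COMMON_PORTS = {135, 139, 445}  # the commonly exploited ports named in the thread


def summarize(log_text):
    """Summarize blocked-connection entries: who, which ports, how often."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines in any other format are skipped
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            events.append((ts, m["src"], m["proto"], int(m["dport"])))
    events.sort()
    per_source = Counter(src for _, src, _, _ in events)
    per_port = Counter((proto, dport) for _, _, proto, dport in events)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    return {
        "events": len(events),
        "distinct_sources": len(per_source),
        # a source that keeps coming back deserves a closer look than one-off noise
        "repeat_sources": sorted(s for s, n in per_source.items() if n > 1),
        "common_port_hits": sum(n for (_, p), n in per_port.items() if p in COMMON_PORTS),
        "top_ports": per_port.most_common(3),
        "median_gap_s": median(gaps) if gaps else None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Many distinct sources with few repeats, spread over well-known ports, is what background scanning looks like in such a summary.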
 
dave343 said:
I've been checking my router for the last 1/2hr, the log file I mean, and it keeps updating with numerous IPs reporting unauthorized access from (fictional IP) : 192.123.123.123:99999 to UDP port XXXXX


Pet your router and say "Thank you for doing your job".

If you're plugged into the internet for at least a minute or so...yes, you'll start getting scanned 24/7 from all over the place.

I'll repeat what the above poster said ..."Welcome to the Internet".
 
dave343 said:
Also under View DHCP list I can see my own computer XP network name but there is another called "user" and that ain't me and no other computer in the house is turned on.

Does it show a MAC address associated with that other system? Do you have wireless enabled? Is it encrypted? Have you enabled MAC filtering?
 
Yes, under the DHCP it is showing a MAC address for the other computer. Also it's only a 4 port wired router, no wireless. No other computers in the house were turned on. (I'm at work right now).
I called my ISP but they couldn't give craps about the problem. Said it was up to me to have security.
 
dave343 said:
Yes, under the DHCP it is showing a MAC address for the other computer. Also it's only a 4 port wired router, no wireless. No other computers in the house were turned on. (I'm at work right now).
I called my ISP but they couldn't give craps about the problem. Said it was up to me to have security.

There is really no way for an outside connection to get a DHCP lease on your wired-only router. Well, there is a way, but it would be so silly for anyone to even do it that I will bet money this is not the case. Also your ISP will not be of much help.

Entries stay in the DHCP lease table even after the computer disconnects; they stay in for the duration of the lease, or if the client machine releases the lease. So I am guessing it was another of your machines that belongs to that MAC.
 
Have you had any guests over that connected to your network?

[EDIT: Yeah, what m1abram said. :eek: ]
 
I know they might stay in the DHCP table, however when I first logged onto the router last night only my computer was showing up in the DHCP, but 1 hr later this other "user" showed up in the DHCP with a MAC address showing. The whole night no other computer was on in my house.
 
dave343 said:
I know they might stay in the DHCP table, however when I first logged onto the router last night only my computer was showing up in the DHCP, but 1 hr later this other "user" showed up in the DHCP with a MAC address showing. The whole night no other computer was on in my house.

Check the MAC against all other devices in your house, see if you have a match. Also what is the time on the lease?
 
Under the DHCP on my router it showed me what computers were being assigned the DHCP. It showed that unknown user but it only listed the MAC address but no IP. Maybe there is somewhere else I can find that? Asante F5300C router.
Also there are no devices plugged into the router except my mom's computer but that was turned off for all of yesterday. I check the DHCP usually and nothing is listed except for my computer, which is why I was surprised that unknown user was listed because an hr earlier it was only me and no other computers had been on all day except mine.

Also as for pinging the unknown box, are you referring to the IP that is listed as the unauthorized access in my log file? That IP changes each 30 seconds and it's like clockwork I swear. The times the log file lists the IPs are almost exactly 30 seconds apart.
 
No, don't bother pinging any outside IPs.

I am referring to the IP in your DHCP table. It will be an internal IP, probably something like 192.168.x.x

If you have a hardware firewall and do not forward any ports, you should be in pretty good shape. If your router was a wireless router I would be more concerned about the entry in your DHCP table, however since it is only a wired router then it is going to be something physically in your house.
 
dave343 said:
Also there are no devices plugged into the router except my mom's computer
Bam.

Go to your mom's computer and check the MAC address. To display it, type:

Code:
ipconfig /all

at a command prompt. I bet you'll have a match.
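The check suggested in the post above, comparing the `Physical Address` from `ipconfig /all` with the router's DHCP list, mostly comes down to normalizing the two MAC notations before comparing. This is an added example, not part of the thread: the `ipconfig` excerpt, the client list layout, the host name `DAVE-XP` and all addresses are constructed for illustration.

```python
import re

# Constructed excerpt of `ipconfig /all` output from the machine being checked.
IPCONFIG_OUTPUT = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Example Fast Ethernet Adapter
        Physical Address. . . . . . . . . : 00-11-22-AA-BB-CC
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.101
"""

# Constructed DHCP client list as copied from a router page: (name, MAC, IP).
DHCP_CLIENTS = [
    ("DAVE-XP", "00:11:22:33:44:55", "192.168.1.100"),
    ("user", "00:11:22:aa:bb:cc", "192.168.1.101"),
]


def normalize_mac(text):
    """Reduce dash, colon or dot notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


def adapters(ipconfig_text):
    """Map adapter heading -> normalized MAC from `ipconfig /all` output."""
    found, current = {}, None
    for line in ipconfig_text.splitlines():
        # Adapter headings are unindented and end with a colon.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip(": \t")
        m = re.search(r"Physical Address[ .]*:\s*(\S+)", line)
        if m and current:
            found[current] = normalize_mac(m.group(1))
    return found


def match_leases(clients, ipconfig_text):
    """For each DHCP client, name the local adapter owning its MAC, or None."""
    local = {mac: name for name, mac in adapters(ipconfig_text).items()}
    return {name: local.get(normalize_mac(mac)) for name, mac, _ip in clients}


if __name__ == "__main__":
    for client, adapter in match_leases(DHCP_CLIENTS, IPCONFIG_OUTPUT).items():
        print(f"{client}: {adapter or 'no match on this machine'}")
```

Run it against the output from each machine in the house; any DHCP entry that never matches is the one still unaccounted for.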
 
Sry, you are right that the DHCP lists not only a MAC address but also an IP address, which of course is the same as mine except for the last 3 digits.
I just called Asante, the guys who make my router, and spoke to them about the situation. They told me not to worry because if I see Unauthorized access from such and such it means the router is doing its job in blocking stuff exactly like port scans. Takes some worry off me.

Now.. If only I can set up the router for remote desktop while remaining secure.
 
dave343 said:
Sry, you are right that the DHCP lists not only a MAC address but also an IP address, which of course is the same as mine except for the last 3 digits.
I just called Asante, the guys who make my router, and spoke to them about the situation. They told me not to worry because if I see Unauthorized access from such and such it means the router is doing its job in blocking stuff exactly like port scans. Takes some worry off me.

Now.. If only I can set up the router for remote desktop while remaining secure.
You can. Forward the port. Done.
 