
What's a port scan, and should I be worried about them?

Question:

Should a computer user be worried about every port scan? My firewall, for example, has been blocking what it calls ‘attacks’ from three different IP addresses that all belong to an ISP called Chinanet. My firewall blocks UDP packets sent from Chinanet through my netbios port and other ports like port 8000. I also notice that when I turn on my computer that my computer tries to send UDP packets to the same IPs from Chinanet, through the netbios-ns port. Is that weird? I always run virus scans regularly and my computer has nothing. My computer seems to be fine and has not been acting strangely lately. I don’t know whether or not it’s a port scan. Are things like port scans normal? Is every port scan always someone intentionally trying to access your computer? With all the things hackers can be capable of, what are the chances of a casual user being targeted? People say that if something like hacking occurs, to contact your ISP, but is there really anything to be done? Hacking might not be as common as a computer being infected with a virus, but how common is it?

Port scans happen all the time. And I do mean all the time. Steve Gibson of grc.com coined the term “internet background radiation” for all the random traffic that’s continually happening on the internet due to unpatched and infected machines, and machines that are continually scanning the internet for other machines to infect.

And that’s exactly why everyone needs a firewall.

However, there is one aspect of what you describe that is troubling.


Certain types of vulnerabilities in Windows – mostly long since patched – allow a remote computer to connect directly to your computer and essentially take control.

In the past, “taking control” typically meant just causing problems: deleting data, deliberately crashing your machine and the like – things that you would notice immediately. Today things are much more stealthy. A compromised computer may often show no outward signs of being infected, but may be ready to send spam or continually scan the internet for other machines to infect.


These machines, along with others purposely set up to do this, go out and scan the internet looking for other machines to infect. They pick an IP address, and try to connect to the machine that might be at that address. They try connecting to different ports on that machine, particularly those known to have exposed vulnerabilities in the past, and see if the machine responds. This “port scan” is nothing more than a remote machine poking at your machine to see if it has any weak spots that can be exploited for infection.

That’s why a firewall is so critical. A firewall, particularly a hardware firewall like a router, prevents these probes from ever even reaching your machine.

So as long as you’re protected by a firewall and you’re keeping Windows up to date, you’re probably in pretty good shape. Even though lots of port scans and other vulnerability probes are happening all the time, you can rest easy if you’re behind a firewall.

Now, as we know, these types of infections certainly aren’t the only way your computer can be compromised. Infected attachments and phishing attempts via email, for example, aren’t something that a firewall will stop, so a firewall certainly isn’t enough by itself, but it’s an important part of the mix.

But something you said has me a tad concerned that perhaps you still have an issue:

I also notice that when I turn on my computer that my computer tries to send UDP packets to the same IPs from Chinanet …

That’s not good.

Make sure that’s what your firewall is really telling you (it’s often easy to misinterpret), but if your computer is sending out to an IP address in China that you don’t expect, know or want – well, that’s not good. It’s not a port scan (those are incoming only), but it does seem like it’s an infection of some sort trying to “phone home” and let some computer over there know that your system has been compromised and is ready to receive instructions remotely.

Yes, even though your anti-virus scan is showing nothing, I’d be more likely to believe that it missed something and that your system has been compromised.

Like I said, though, make sure your firewall is telling you what you think it is. An incoming connection attempt that’s blocked is nothing to really worry about. An outgoing attempt, however, is a concern.
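To make the two distinctions above concrete (a remote host walking many of your ports is a port scan; a blocked inbound attempt is noise, while outbound traffic to a host you don’t know is the worrying case), here is an added example that is not Ask Leo’s code. It reads constructed log lines laid out like the Windows Firewall text log (pfirewall.log), counts blocked inbound probes per source, flags any source that touched several distinct ports as a scanner, and separately lists outbound packets to addresses outside the home LAN, singling out the ones going back to a host that probed you. The sample lines, the addresses and the 192.168.1.0/24 LAN range are assumptions made for the example.

```python
"""Triage firewall log lines: blocked inbound probes vs. outbound attempts.

Added example; not code from the article or from any firewall vendor.
"""
import ipaddress
from collections import defaultdict

# Constructed sample in the layout of a Windows Firewall text log (pfirewall.log).
# Every line is made up for this example; the remote addresses come from
# documentation ranges and 192.168.1.0/24 stands in for the home LAN.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 08:00:01 DROP UDP 203.0.113.7 192.168.1.10 51234 137 78 - - - - - - - RECEIVE
2024-05-01 08:00:01 DROP TCP 203.0.113.7 192.168.1.10 44001 135 48 S 1 0 8192 - - - RECEIVE
2024-05-01 08:00:02 DROP TCP 203.0.113.7 192.168.1.10 44002 139 48 S 1 0 8192 - - - RECEIVE
2024-05-01 08:00:02 DROP TCP 203.0.113.7 192.168.1.10 44003 445 48 S 1 0 8192 - - - RECEIVE
2024-05-01 08:00:03 DROP TCP 203.0.113.7 192.168.1.10 44004 8000 48 S 1 0 8192 - - - RECEIVE
2024-05-01 08:00:03 DROP TCP 203.0.113.7 192.168.1.10 44005 3389 48 S 1 0 8192 - - - RECEIVE
2024-05-01 08:00:10 ALLOW TCP 192.168.1.10 198.51.100.20 50001 443 48 S 1 0 65535 - - - SEND
2024-05-01 08:00:11 ALLOW UDP 192.168.1.10 192.168.1.1 53012 53 60 - - - - - - - SEND
2024-05-01 08:01:15 DROP UDP 192.168.1.10 203.0.113.7 137 137 78 - - - - - - - SEND
2024-05-01 08:01:16 DROP TCP 192.168.1.10 203.0.113.7 50002 8000 48 S 1 0 65535 - - - SEND
"""

# Column names in the order the log's #Fields header lists them.
FIELDS = ["date", "time", "action", "protocol", "src_ip", "dst_ip", "src_port",
          "dst_port", "size", "tcpflags", "tcpsyn", "tcpack", "tcpwin",
          "icmptype", "icmpcode", "info", "path"]


def parse_log(text):
    """Turn log text into a list of dicts; '#' header lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line: ignore it rather than guess at the columns
        records.append(dict(zip(FIELDS, parts)))
    return records


def triage(records, local_net="192.168.1.0/24", scan_threshold=5):
    """Separate background noise from the pattern the article says to worry about.

    inbound_probes     -- blocked inbound packets per remote source (the noise)
    scanners           -- sources that touched >= scan_threshold distinct local ports
    outbound_remote    -- every outbound packet to an address outside local_net
    outbound_to_prober -- outbound packets whose destination also probed us
    """
    lan = ipaddress.ip_network(local_net)
    ports_by_source = defaultdict(set)
    probe_count = defaultdict(int)
    outbound = []
    for r in records:
        if r["path"] == "RECEIVE" and r["action"] == "DROP":
            ports_by_source[r["src_ip"]].add(r["dst_port"])
            probe_count[r["src_ip"]] += 1
        elif r["path"] == "SEND" and ipaddress.ip_address(r["dst_ip"]) not in lan:
            outbound.append(r)
    scanners = sorted(ip for ip, ports in ports_by_source.items()
                      if len(ports) >= scan_threshold)
    to_prober = [r for r in outbound if r["dst_ip"] in ports_by_source]
    return {
        "inbound_probes": dict(probe_count),
        "scanners": scanners,
        "outbound_remote": outbound,
        "outbound_to_prober": to_prober,
    }


def verdict(result):
    """Plain-language conclusion matching the article's advice."""
    if result["outbound_to_prober"]:
        return "outbound traffic to a host that probed you: treat as a possible infection"
    if result["scanners"]:
        return "blocked inbound scans only: background noise, the firewall did its job"
    return "nothing notable"


if __name__ == "__main__":
    summary = triage(parse_log(SAMPLE_LOG))
    print("blocked inbound probes:", summary["inbound_probes"])
    print("port scanners:", summary["scanners"])
    for r in summary["outbound_to_prober"]:
        print("outbound to prober:", r["protocol"], r["dst_ip"], "port", r["dst_port"])
    print(verdict(summary))
```

The direction comes only from the `path` column (RECEIVE vs SEND); the `action` column says whether the firewall blocked it, so a line that reads DROP is reassuring for an inbound packet and alarming for an outbound one. The threshold of five distinct ports is an arbitrary choice for the sample; on a real log you would tune it to your own noise level.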

In your shoes, I would immediately back up (if you haven’t been doing so already) and then run additional anti-virus and anti-spyware scans from different vendors than whatever you’re already running. I’ll point out that anti-spyware scans are necessary in addition to anti-virus, as they are different things, and the scanners for each operate differently.

Hopefully those will catch and eradicate the problem.

If not – well, as long as your firewall is blocking the outbound connection attempt you’re technically safe, but I wouldn’t be particularly comfortable, particularly not knowing exactly how you came to be infected.

I’d definitely be sure to review the steps to stay safe on the internet.


5 comments on “What's a port scan, and should I be worried about them?”

  1. For those who might want to run a couple of free scans, I’d recommend Housecall from Trend Micro (housecall.trendmicro.com) and Microsoft’s Windows Live OneCare safety scanner (onecare.live.com/scan). Both products perform deep scans that often uncover malware missed by antivirus and antispyware products. Depending on hard disk size, total number of files (including temp files), etc., each scan could take from just a few minutes to a few hours.

  2. This is something I too have been worried about a lot. Although everything’s alright with my PC at the moment, I have been looking for a long time for software or a utility that continuously monitors my Internet connection and displays the IP addresses (and associated names) with which any kind of data is exchanged. Does anyone know of anything like it?

  3. My computers are connected through a router to the Internet. How do I see the attacks against open ports that may be coming into my system? How do I see any outgoing signals that may be occurring without my knowledge?

    Is there a specific program to do this for me?

    Thanks

  4. When I ran Win98, I used PC Signal 9 firewall, which was the best in the universe, until they sold out and it won’t run on XP. Using PeerGuardian2, I get hundreds of malicious attempts to get into my PC. Some sites try every port [all 65,000 of them] to try and get in. Some sites have viruses embedded in their front page, and about this time I had had enough. Savvis URLs in particular [rogue users] really cheesed me off. I got ‘THUNDERFLOOD.EXE’ and started giving back to these lowlifes what they were sending me. Didn’t take too long before the rogue URLs got the message. One Savvis URL in particular kept hitting my ports for days [hundreds/min], so I set Thunderflood to run 24/7 in the background aimed at this site. What I like about this program is:
    1. It sniffs every port on the target and SYN floods all of them.
    2. You can open up multiple copies of the program and hit other criminal sites simultaneously.
    3. It uses jack **** overhead in resources, so even with 6 to 10 windows running there is no slowdown – in fact there is a SPEED UP in accessing sites because my PC now does not have to spend resources blocking these rogue URLs.
    Ethical??? Maybe not, but it does the job and then some.

  5. The latest version of Avast (free) Antivirus scans all incoming and outgoing connections/ports. And I think most other popular antivirus software has also incorporated this facility (of monitoring ports for suspicious activity).
