Helping people with computers... one answer at a time.

Infected and malicious computers out on the internet are continually looking for ways to infect your machine. A firewall is an important barrier.

Should a computer user be worried about every port scan? My firewall for example, has been blocking what it calls 'attacks' from three different ip addresses that all belong to an ISP called Chinanet. My firewall blocks UDP packets sent from Chinanet through my netbios port and other ports like port 8000. I also notice that when I turn on my computer that my computer tries to send UDP packets to the same IPs from Chinanet, through the netbios -ns port. Is that weird? I always run virus scans regularly and my computer has nothing. My computer seems to be fine and has not been acting strangely lately. I don't know whether or not it's a port scan. Are things like port scans normal? Is every port scan always someone intentionally trying to access your computer? With all the things hackers can be capable of, what are the chances of a casual user being targeted? People say that if something like hacking occurs, to contact your ISP, but is there really anything to be done? Hacking might not be as common as a computer being infected with a virus, but how common is it?

Port scans happen all the time. And I do mean all the time. Steve Gibson of coined the term "internet background radiation" for all the random traffic that's continually happening on the internet due to unpatched and infected machines, and machines that are continually scanning the internet for other machines to infect.

And that's exactly why everyone needs a firewall.

However, there is one aspect of what you describe that is troubling.

Certain types of vulnerabilities in Windows - mostly long since patched - allow a remote computer to connect directly to your computer and essentially take control.

In the past "taking control" typically meant just causing problems; deleting data, deliberately crashing your machine and the like - things that you would notice immediately. Today things are much more stealthy. A compromised computer may often show no outward signs of being infected, but may be ready to send spam or continually scan the internet for other machines to be infected.

"A compromised computer may often show no outward signs of being infected ..."

These machines, along with others purposely set up to do this, go out and scan the internet looking for other machines to infect. They pick an IP address, and try to connect to the machine that might be at that address. They try connecting to different ports on that machine, particularly those known to have exposed vulnerabilities in the past, and see if the machine responds. This "port scan" is nothing more than a remote machine poking at your machine to see if it has any weak spots that can be exploited for infection.

That's why a firewall is so critical. A firewall, particularly a hardware firewall like a router, prevents these probes from ever even reaching your machine.

So as long as you're protected by a firewall and you're keeping Windows up to date, then you're probably in pretty good shape. Given that there are lots of port scans and other vulnerability probes happening all the time, you can still rest easy if you're behind a firewall.

Now, as we know, these types of infections certainly aren't the only way your computer can be compromised. Infected attachments and phishing attempt via email, for example, aren't something that a firewall will stop, so a firewall certainly isn't enough by itself, but it's an important part of the mix.

But something you said has me a tad concerned that perhaps you still have an issue:

I also notice that when I turn on my computer that my computer tries to send UDP packets to the same IPs from Chinanet ...

That's not good.

Make sure that's what your firewall is really telling you (it's often easy to misinterpret), but if your computer is sending out to an IP address in China that you don't expect, know or want - well, that's not good. It's not a port scan (those are incoming only), but it does seem like it's an infection of some sort trying to "phone home" and let some computer over there know that your system has been compromised and is ready to receive instructions remotely.

Yes, even though your anti-virus scan is showing nothing, I'd be more likely to believe that it missed something and that your system has been compromised.

Like I said, though, make sure your firewall is telling you what you think it is. An incoming connection attempt that's blocked is nothing to really worry about. An outgoing attempt, however, is a concern.

In your shoes, I would immediately backup (if you haven't been doing so already) and then run additional anti-virus and anti-spyware scans from different vendors than whatever you're already running. I'll point out that anti-spyware scans are necessary in addition to anti-virus, as they are different things, and the scanners for each operate differently.

Hopefully those will catch and eradicate the problem.

If not - well, as long as your firewall is blocking the outbound connection attempt you're technically safe, but I wouldn't be particularly comfortable, particularly not knowing exactly how you came to be infected.

I'd definitely be sure to review the steps to stay safe on the internet.

Article C3556 - November 5, 2008 « »

Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

November 8, 2008 9:17 AM

For those who might want to run a couple of free scans, I'd recommend Housecall from Trend Micro (housecall .trendmicro .com) and Microsoft's Windows Live OneCare safety scanner (onecare .live .com/scan). Both products perform deep scans that often uncover malware missed by antivirus and antispyware products. Depending on hard disk size, total number of files (including temp files), etc each scan could take from just a few minutes to a few hours.

November 11, 2008 7:21 AM

This is something, I too have been worried about a lot. Although, everything's alright with my PC at the moment - I have been looking since a long time for a software or utility that continuously monitors my Internet connection and displays the IP addresses (and associated names) with which any kind of data is exchanged. Does any one know of anything like it?

Jerry Dolan
November 11, 2008 9:49 AM

My computers are connected through a router to the Internet. How do I see the attacks against open ports that may be coming in to my system? How do I see any outgoing signals that may be occurring without my knowledge?

Is there a specific program to do this for me?


John Neeting
November 11, 2008 4:58 PM

When I ran Win98, I used PC Signal 9 firewall which was the best in the universe; until they sold out and it won't run on XP. Using PeerGuardian2, I get hundreds of malicious attempts to get into my PC. Some sites try every port [ all 65,000 of them ] to try and get in. Some sites have virus embedded in their front page and about this time I had, had enough. Savvis URL's in particular [ rogue users ] really cheesed me off. I got 'THUNDERFLOOD.EXE' and started giving back to these lowlifes, what they were sending me. Didn't take too long before the rogue URL's got the message. One Savvis URL in particular kept hitting my ports for days [ hundreds / min ] so I set Thunderflood to run 24/7 in the background aimed at this sit. What I like about this program is 1. It sniffs every port on the target and Sync floods all of them.
2. You can open up multiple copies of the program and hit other criminal sites simultaneously
3. It uses Jack **** overhead in resources so even with 6 to 10 windows running, there is no slow down - in fact there is a SPEED UP in accessing sites because my PC now does not have to spend resources blocking these rogue URL's.
Ethical ??? maybe not, but it does the job and then some

July 17, 2010 11:52 AM

The latest version of Avast (free) Antivirus scans all incoming and outgoing connections/ports. And, I think most other popular antivirus software have also incorporated this facility (of monitoring ports for suspicious activity).

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to to ask your question.