[Hungry Guy]

For the past several days, my firewall periodically pops up and tells me that it just blocked an intrusion attempt (portscan) from either 209.244.0.3(domain(53)) or 209.244.0.4.

Whenver this happens, I log off (I'm using dial-up), and log back on, and verify that I've been assigned a new IP.

Yet it continues to happen!

Are these IPs familiar to any of you regulars here? Is there some determined hacker stalking me? Or do I have malware on my machine? Or is this fairly routine and nothing to worry about as long as my firewall is blocking it?

[jack213]

I'm no expert, but I strongly suggest you contact one, - (a moderator / administrator) and ask to move your post to the Malware Removal & HJT Logs forum asap.

An intrusion attempt is definatly not a routine occurance. You should probably download Hijack This from one of the links in that forum and await the instructions on how to use it. - Best of luck!

[bp936]

paste this in the address bar,
I always check it at "whois" and see if I recognize anything
.http://tools.whois.net/index.php?fus...oisbyipresults

[calvin-c]

Note that a portscan is not an intrusion attempt. It's proper for a firewall to warn you of a portscan, but it shouldn't (IMO) call it an intrusion attempt. A portscan might trigger an intrusion attempt in the future or it might be beniqn. (I get something like one/hour on my firewall-and it's my ISP checking to make sure I'm not running a server in violations of my TOS.)

Don't get the idea that I'm in favor of portscans. Basically they're like what we used to call 'door rattlers'. Some of these were crooks looking for unlocked doors-and others were watchmen looking for the same thing. Basically, you can't tell whether a portscan is evil or benign until you know who's making it & why.

If the whois lookup comes back to your ISP it's probably benign.

[TOGG]

Do you have any Messagelabs software installed?. The IP address you posted leads to something called 'resolver1.level3.net' and Googling that produces the following detail (unfortunately, I don't know how to interpret it!); http://www.robtex.com/dns/resolver1.level3.net.html

It doesn't seem too sinister if it proves to be some software doing periodic checks which cause the 'home' site to call back, but there could obviously be a nastier explanation.

[Hungry Guy]

Well, my firewall called it an intrusion attempt. I'm not one to jump into emergency panic mode at these sort of things, that's why I asked in here if that IP was familiar to anyone... I asked over in the Malware forum and I'll go there next to see what anyone says...

I don't have Messagelabs software. I don't even know what that is...

[TOGG]

It appears to be a commercial 'anti everything' product; http://www.messagelabs.co.uk/products/ It could be something your ISP uses for anti spam purposes, check with them.

[Hungry Guy]

Okay. Thanks for the info :-)

I just downloaded Hijack This. Call me paranoid, but I'm going to get offline and scan it with my AV before I install it...