
TCP Port Scan

Discussion in 'Networking' started by Jquaide, Jan 6, 2009.

Thread Status:
Not open for further replies.
  1. Jquaide

    Jquaide Thread Starter

    Joined:
    Jan 6, 2009
    Messages:
    5
    For the past 4 days I have been receiving this from my router's log:

    2009/01/05 22:13:04 PST FW: severity=low src=221.192.xxx.xx dst=71.129.xx.xx ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped

    2009/01/05 22:20:22 PST FW: severity=low src=221.195.xx.xx dst=71.129.xx.xx ipprot=6 sport=12200 dport=1080 TCP Port Scan Detected, Packet Dropped

    I am unable to do anything worthwhile on my computer other than check my email while failing multiple times to load due to timing out. I formatted my computers because I thought it had something to do with spyware/malware, to no avail. Even while both my computers are off I keep getting the port scan errors on my router. I called my ISP and they told me that everything is fine. I am running WinXP SP3 and use a 2Wire HomePortal 1000SW.

    Thank you if you can help and I apologize if this is the wrong forum to place this in.
     

  3. Elvandil

    Elvandil

    Joined:
    Aug 1, 2003
    Messages:
    51,988
    Ports are scanned all the time. Thousands of people are doing them all day long for various useful and nefarious purposes. Even ISPs do it. A good firewall should not be affected by port scans and it certainly shouldn't affect your connection. These data packets are tiny. Multiple connection attempts or scans should induce an automatic block in a good firewall.

    If you are having connection problems, either it is caused by something else, or you need a new firewall. Can you connect any better with it turned off?
     
  4. JohnWill

    JohnWill Retired Moderator

    Joined:
    Oct 19, 2002
    Messages:
    106,409
    Please supply the following info, exact make and models of the equipment please.

    Name of your ISP (Internet Service Provider).
    Make and exact model of the broadband modem.
    Make and exact model and hardware version of the router (if a separate unit).
    Model numbers can usually be obtained from the label on the device.
    Connection type, wired or wireless.
    If wireless, encryption used, (none, WEP, WPA, or WPA2)
    Version and patch level of Windows on all affected machines, i.e. XP (Home or Pro), SP1-SP2-SP3, Vista (Home, Business, Ultimate), etc.
    The Internet Browser in use, IE, Firefox, Opera, etc.




    Please give an exact description of your problem symptoms, including the exact text of any error messages.



    • If you're using a wireless connection, have you tried a direct connection with a cable to see if that changes the symptoms?
    • For wireless issues, have you disabled all encryption on the router to see if you can connect that way?
    • Have you connected directly to the broadband modem to see if this is a router or modem/ISP issue?
    • If there are other computers on the same network, are they experiencing the same issue, or do they function normally?




    On any affected computer, I'd also like to see this:

    Hold the Windows key and press R, then type CMD (COMMAND for W98/WME) to open a command prompt:

    Type the following commands on separate lines, following each one with the Enter key:

    PING 206.190.60.37

    PING yahoo.com

    NBTSTAT -n

    IPCONFIG /ALL

    Right click in the command window and choose Select All, then hit Enter.
    Paste the results in a message here.

    If you are on a machine with no network connection, use a floppy, USB disk, or a CD-RW disk to transfer a text file with the information to allow pasting it here.
     
  5. Jquaide

    Jquaide Thread Starter

    Joined:
    Jan 6, 2009
    Messages:
    5
    AT&T DSL formerly SBC Global
    2Wire HomePortal 1000SW
    Router is built in with the modem
    Laptop - WEP WinXP Pro Service Pack 3 on Mozilla Firefox
    Desktop - Wired WinXP Pro Service Pack 3 on Mozilla Firefox

    While doing tasks like browsing webpages it is beginning to ease up, where I only get interrupted if I receive the Port Scan the second I am loading a page. When I try to get on a program which needs a sustained connection, such as an online video game or a VoIP service, the ping skyrockets from 89 to 1900+ the second I am scanned and then proceeds to time out of whatever I was doing at the time. I have about 4 pages of logs from the past 4 days so I will post the most recent 20 errors.

    INF 2009/01/06 08:29:18 PST FW: severity=low src=221.192.199.34 dst=71.129.50.88 ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped
    INF 2009/01/06 08:39:08 PST SYS: vlanmon0: connection lost, reconnecting...
    INF 2009/01/06 08:48:18 PST FW: severity=low src=221.192.199.34 dst=71.129.50.88 ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped
    INF 2009/01/06 09:07:09 PST FW: severity=low src=221.192.199.34 dst=71.129.50.88 ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped
    INF 2009/01/06 09:16:23 PST FW: severity=low src=218.10.111.106 dst=71.129.50.88 ipprot=6 sport=12200 dport=7212 TCP Port Scan Detected, Packet Dropped
    INF 2009/01/06 09:26:08 PST FW: severity=low src=221.192.199.34 dst=71.129.50.88 ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped
    INF 2009/01/06 09:44:58 PST FW: severity=low src=221.192.199.34 dst=71.129.50.88 ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped
    INF 2009/01/06 09:58:41 PST FW: severity=low src=221.195.73.86 dst=71.129.50.88 ipprot=6 sport=12200 dport=1080 TCP Port Scan Detected, Packet Dropped
    INF 2009/01/06 10:03:49 PST FW: severity=low src=221.192.199.34 dst=71.129.50.88 ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped
    INF 2009/01/06 10:22:33 PST FW: severity=low src=221.192.199.34 dst=71.129.50.88 ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped
    INF 2009/01/06 10:28:52 PST FW: severity=low src=218.10.111.106 dst=71.129.50.88 ipprot=6 sport=12200 dport=7212 TCP Port Scan Detected, Packet Dropped
    INF 2009/01/06 10:31:27 PST FW: severity=low src=61.153.45.198 dst=71.129.50.88 ipprot=6 sport=58933 dport=5902 TCP Port Scan Detected, Packet Dropped
    INF 2009/01/06 10:31:28 PST FW: severity=low src=61.153.45.198 dst=71.129.50.88 ipprot=6 sport=2677 dport=5902 TCP Port Scan Detected, Packet Dropped
    INF 2009/01/06 10:41:12 PST FW: severity=low src=221.192.199.34 dst=71.129.50.88 ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped
    INF 2009/01/06 10:59:57 PST FW: severity=low src=221.192.199.34 dst=71.129.50.88 ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped
    INF 2009/01/06 11:02:27 PST FW: severity=low src=221.195.73.86 dst=71.129.50.88 ipprot=6 sport=12200 dport=1080 TCP Port Scan Detected, Packet Dropped
    INF 2009/01/06 11:18:58 PST FW: severity=low src=221.192.199.34 dst=71.129.50.88 ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped
    INF 2009/01/06 11:37:47 PST FW: severity=low src=221.192.199.34 dst=71.129.50.88 ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped
    INF 2009/01/06 11:38:50 PST FW: severity=low src=221.195.73.86 dst=71.129.50.88 ipprot=6 sport=12200 dport=1080 TCP Port Scan Detected, Packet Dropped
    INF 2009/01/06 11:41:18 PST FW: severity=low src=218.10.111.106 dst=71.129.50.88 ipprot=6 sport=12200 dport=7212 TCP Port Scan Detected, Packet Dropped
    INF 2009/01/06 11:54:39 PST SYS: Successfully logged into a password protected page
    INF 2009/01/06 11:56:36 PST FW: severity=low src=221.192.199.34 dst=71.129.50.88 ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped

    Tried changing up from wireless to wired and vice versa for no change in broadband speed. I have disabled encryption for no change. I have connected directly to the modem for no change. All computers on the same network are experiencing the same issue.


    The requested command prompt returns:

    C:\>ping 206.190.60.37

    Pinging 206.190.60.37 with 32 bytes of data:

    Reply from 206.190.60.37: bytes=32 time=108ms TTL=56
    Reply from 206.190.60.37: bytes=32 time=85ms TTL=56
    Request timed out.
    Request timed out.

    Ping statistics for 206.190.60.37:
    Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 85ms, Maximum = 108ms, Average = 96ms

    C:\>ping yahoo.com

    Pinging yahoo.com [206.190.60.37] with 32 bytes of data:

    Reply from 206.190.60.37: bytes=32 time=86ms TTL=56
    Request timed out.
    Reply from 206.190.60.37: bytes=32 time=106ms TTL=56
    Reply from 206.190.60.37: bytes=32 time=91ms TTL=56

    Ping statistics for 206.190.60.37:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 86ms, Maximum = 106ms, Average = 94ms

    C:\>nbtsats -n
    'NBTSATS' is not recognized as an internal or external command,
    operable program or batch file.

    C:\>nbtstat -n

    Local Area Connection 2:
    Node IpAddress: [172.16.1.34] Scope Id: []

    NetBIOS Local Name Table

    Name Type Status
    ---------------------------------------------
    USER-B65303E873<00> UNIQUE Registered
    USER-B65303E873<20> UNIQUE Registered
    WORKGROUP <00> GROUP Registered

    C:\>ipconfig /all

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : user-b65303e873
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Broadcast
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : gateway.2wire.net

    Ethernet adapter Local Area Connection 2:

    Connection-specific DNS Suffix . : gateway.2wire.net
    Description . . . . . . . . . . . : Belkin 11Mbps Wireless USB Network Adapter
    Physical Address. . . . . . . . . : 00-30-BD-9D-C3-7B
    Dhcp Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 172.16.1.34
    Subnet Mask . . . . . . . . . . . : 255.255.0.0
    Default Gateway . . . . . . . . . : 172.16.0.1
    DHCP Server . . . . . . . . . . . : 172.16.0.1
    DNS Servers . . . . . . . . . . . : 172.16.0.1
    Lease Obtained. . . . . . . . . . : Tuesday, January 06, 2009 12:19:07 PM
    Lease Expires . . . . . . . . . . : Tuesday, January 06, 2009 1:19:07 PM


    C:\>
     
  6. Wanderer2

    Wanderer2

    Joined:
    Jan 28, 2008
    Messages:
    1,428
    "INF 2009/01/06 08:39:08 PST SYS: vlanmon0: connection lost, reconnecting..."

    This is an error requiring more investigation. Ask your ISP if they are doing VLANs.

    Run a connection/speed test using any one of a dozen online free services. Post your results and what you are told by the ISP as your up/down bandwidth.

    Do a tracert yahoo.com and post the results.
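
Added example (not part of any poster's reply): a small Python parser for the router log format quoted in this thread. It tallies dropped-scan events per source address and destination port, and checks whether any scan event falls close in time to a SYS event such as the vlanmon0 reconnect. The 60-second window and the function names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
# Subset of the router log lines posted in this thread, copied unchanged.
SAMPLE_LOG = """\
INF 2009/01/06 08:29:18 PST FW: severity=low src=221.192.199.34 dst=71.129.50.88 ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped
INF 2009/01/06 08:39:08 PST SYS: vlanmon0: connection lost, reconnecting...
INF 2009/01/06 08:48:18 PST FW: severity=low src=221.192.199.34 dst=71.129.50.88 ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped
INF 2009/01/06 09:16:23 PST FW: severity=low src=218.10.111.106 dst=71.129.50.88 ipprot=6 sport=12200 dport=7212 TCP Port Scan Detected, Packet Dropped
INF 2009/01/06 10:31:27 PST FW: severity=low src=61.153.45.198 dst=71.129.50.88 ipprot=6 sport=58933 dport=5902 TCP Port Scan Detected, Packet Dropped
INF 2009/01/06 10:31:28 PST FW: severity=low src=61.153.45.198 dst=71.129.50.88 ipprot=6 sport=2677 dport=5902 TCP Port Scan Detected, Packet Dropped
"""

LINE_RE = re.compile(r"^\w+ (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \w+ (FW|SYS): (.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse(log_text):
    """Split the log into firewall events (key=value fields) and system events."""
    fw, sys_events = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a router log record
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        if m.group(2) == "FW":
            fw.append((ts, dict(KV_RE.findall(m.group(3)))))
        else:
            sys_events.append((ts, m.group(3)))
    return fw, sys_events

def summarize(fw):
    """Per (src, dport): (hit count, shortest gap in seconds between hits)."""
    times = defaultdict(list)
    for ts, fields in fw:
        times[(fields["src"], fields["dport"])].append(ts)
    out = {}
    for key, t in times.items():
        gaps = [(b - a).total_seconds() for a, b in zip(t, t[1:])]
        out[key] = (len(t), min(gaps) if gaps else None)
    return out

def scans_near(fw, when, window_s=60):
    # Firewall events logged within window_s seconds of the timestamp `when`.
    return [f for ts, f in fw if abs((ts - when).total_seconds()) <= window_s]

if __name__ == "__main__":
    fw, sys_events = parse(SAMPLE_LOG)
    print(summarize(fw))
    for ts, msg in sys_events:
        print(ts, msg, "| scans within 60 s:", len(scans_near(fw, ts)))
```
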
     
  7. JohnWill

    JohnWill Retired Moderator

    Joined:
    Oct 19, 2002
    Messages:
    106,409
    For the other error, let's see a couple of these.

    Register at DSLReports and run their Line Quality Tests. It's best to run this test with a direct wired connection to eliminate any wireless issues from the results. It's useful many times to run this test several times, and we'd like to see each of the results. Post the results link from the top of the test display page for each test run here.

    The link to post is near the top of the page and looks like:

    If you wish to post this result to a forum, please copy/paste this URL
    http://www.dslreports.com/linequality/nil/2357195 <- sample only, yours will obviously be different!
    and your IP will be disguised.

    Copy/paste that link here.

    Note: You will have to enable PING (ICMP) request response either in your router (if you have one), or in your computer's firewall for direct modem connections. This is very important to get the most important part of the test to run.







    I think the port scans are something that probably happens to almost every router on the planet; I checked a couple of the addresses. I'd be amazed if many other people don't see scans from the same address ranges. :)
     


  8. Jquaide

    Jquaide Thread Starter

    Joined:
    Jan 6, 2009
    Messages:
    5
    I'm on hold for at least 2 more hours with the ISP tech support place. I am supposed to be getting 1536kbps Incoming 384kbps Outgoing and I am getting 1263kbps/294kbps.

    traceroute to w2.rc.vip.re4.yahoo.com (206.190.60.37) with 32 bytes and 30 max hops:
    1: adsl-71-129-63-254.dsl.irvnca.pacbell.net (71.129.63.254) 15 ms
    2: dist4-vlan55.irvnca.pbi.net (67.114.48.66) 73 ms
    3: bb2-g9-0.irvnca.sbcglobal.net (151.164.92.196) 15 ms
    4: bb2-p12-0.klmzmi.sbcglobal.net (151.164.242.77) 16 ms
    5: asn10310-yahoo.eqlaca.sbcglobal.net (151.164.89.214) 18 ms
    6: so-2-0-0.pat1.dax.yahoo.com (216.115.96.50) 49 ms
    7: ae4.pat2.dax.yahoo.com (216.115.102.139) 49 ms
    8: so-1-0-0.pat2.dce.yahoo.com (216.115.96.20) 102 ms
    9: ae1-p151.msr2.re1.yahoo.com (216.115.108.23) 83 ms
     
  9. Wanderer2

    Wanderer2

    Joined:
    Jan 28, 2008
    Messages:
    1,428
    Those up/down you listed are within tolerances. You never get exactly what the ISP states but should be close as you are.

    Your tracert looks OK though it never completed at 206.190.60.37.
     
  10. Jquaide

    Jquaide Thread Starter

    Joined:
    Jan 6, 2009
    Messages:
    5
  11. Jquaide

    Jquaide Thread Starter

    Joined:
    Jan 6, 2009
    Messages:
    5
    I ran it again just now using command prompt instead of the router MDC.

    C:\>tracert yahoo.com

    Tracing route to yahoo.com [206.190.60.37]
    over a maximum of 30 hops:

    1 1 ms 1 ms <1 ms homeportal.gateway.2wire.net [172.16.0.1]
    2 14 ms 17 ms 17 ms adsl-71-129-63-254.dsl.irvnca.pacbell.net [71.129.63.254]
    3 14 ms 15 ms 27 ms dist4-vlan55.irvnca.pbi.net [67.114.48.66]
    4 14 ms 17 ms 17 ms bb2-g9-0.irvnca.sbcglobal.net [151.164.92.196]
    5 16 ms 17 ms 15 ms bb2-p12-0.klmzmi.sbcglobal.net [151.164.242.77]
    6 18 ms 23 ms 19 ms asn10310-yahoo.eqlaca.sbcglobal.net [151.164.89.214]
    7 50 ms 50 ms 51 ms so-2-0-0.pat1.dax.yahoo.com [216.115.96.50]
    8 51 ms 53 ms 49 ms ae4.pat2.dax.yahoo.com [216.115.102.139]
    9 83 ms 84 ms 82 ms so-1-0-0.pat2.dce.yahoo.com [216.115.96.20]
    10 84 ms 82 ms 84 ms ae1-p141.msr1.re1.yahoo.com [216.115.108.19]
    11 83 ms 84 ms 84 ms te-9-3.bas-a2.re4.yahoo.com [216.39.49.7]
    12 82 ms 82 ms 82 ms w2.rc.vip.re4.yahoo.com [206.190.60.37]

    Trace complete.

    C:\>
     
  12. JohnWill

    JohnWill Retired Moderator

    Joined:
    Oct 19, 2002
    Messages:
    106,409
    So far, I see nothing wrong. The line quality tests all look fine, and your tracert seems OK too. The speeds are not out of line for the level of service you have either.

    Do you have any other computers on this network? I'm thinking more along the lines of something on the computer. Can you test this with another computer? Perhaps a friend with a laptop if you don't have a second computer?
     

Short URL to this thread: https://techguy.org/787275