Parker 19761 Report post Posted August 18, 2010 So, late last night my laptop started acting overly screwy.. I unplugged it from the internet and immediately started scanning through it and found a very tricky virus.. one that my anti-virus programs didn't seem able to properly remove. Not being able to figure it out personally, I sent it to my cousin to be filled with junk data and reformatted.. After, I was looking through my router logs as I was hoping to find out exactly how this got on my laptop. (I only use my laptop for work e-mail and cerb) I found numerous (as well as some of the same, over and over) IP addresses that had been blocked by my router for attempting send a TCP packet. Another one it's constantly blocking is UDP packets. What are these? Why are people sending them? And how do I stop them? I've had a couple people tell me that they could be people attempting to get into my router, another person told me that it could be slowing down my connection... so at the moment I have no idea what they are and any ideas would be greatly appreciated. xo Quote Share this post Link to post Share on other sites
Guest G***f****** Report post Posted August 18, 2010 TCP and UDP are the protocols the Internet uses. Services use specific TCP and UDP port numbers to communicate. http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers For instance, http (the web) uses TCP port 80 Telnet uses 23' etc. The thing to find out is what type of connection is being blocked (what port is being accessed) and where is it coming from, ( the originating IP address). Quote Share this post Link to post Share on other sites
Parker 19761 Report post Posted August 18, 2010 Yes, I understand that part.. I'm just wondering why/if these IPs are trying to access my router.. The log looks something like this... Wed Aug 18 16:39:05 2010 Blocked incoming TCP packet from 173.189.14.208:53437 to *my router's IP* or Wed Aug 18 16:38:35 2010 Blocked incoming UDP packet from 90.205.102.65:25769 to .... I believe 53437 & 25769 are the ports. (Please correct me if I am wrong though.) I searched the IPs last night, many of them are from Canada but there are some from China, Finland, US, UK.. other random countries. TCP and UDP are the protocols the Internet uses. Services use specific TCP and UDP port numbers to communicate. http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers For instance, http (the web) uses TCP port 80 Telnet uses 23' etc. The thing to find out is what type of connection is being blocked (what port is being accessed) and where is it coming from, ( the originating IP address). Quote Share this post Link to post Share on other sites
Guest G***f****** Report post Posted August 18, 2010 You are correct, those are the port numbers. Those two are not assigned to a specific protocol or service, so what's probably happening is some hacker, bot or worm is scanning the addresses on your ISPs network and looking for connections it can gain access to. Your router is doing it's job and blocking them from getting into your system. On another note, if you ever get a stubborn virus or other piece of malware you can't seem to get rid of, try running Malwarebytes from http://www.malwarebytes.org. It's free and works where other antivirus software has failed me. Quote Share this post Link to post Share on other sites
etasman2000 15994 Report post Posted August 18, 2010 Some background. These packets, TCP or UDP, are means by which one computer program communicates with another. For example, as you browse the Web TCP packets are being sent to (and from) your Web Browser to (and from) the web servers. Other applications may send or receive packets as well. To differentiate the various applications they use something called a port. IP Address = building address. Port = apartment number. Imagine there is an apartment building. To find out if someone lives in an apartment you could send each apartment a letter with a SASE. If you get a reply you can safely say someone lives there. In geek speak we call this probing. These computers all over the world are probing to find out if an application is on that port. If there is one they will now send a identification probe to find out what specific application is on that port. From there they can craft a specific probe to take over the application [1]. Once that is accomplish they can attempt taking control of your computer. But why ? There are two main reasons: 1. they are viruses trying to infect another machine 2. they are botnets (robotic networks) trying to add another machine to their group. Botnets are use for: a. capturing user information for identity theft b. massive spam senders c. dissemination of illicit material d. aiding in attacking computer resources (distributed denial of service) A majority of the botnets are under control of criminal organization who rent these computers out. It is estimated that over 60% of PC around the world are under the control of at least one botnet [2]. Your firewall is the first line of defense in protecting your computer. Hopefully this helps. et [1] this is the reason to keep your computer security updated. [2] it takes about 12 mins for a brand new (unsecured) PC to be taken over by a botnet after it is plug into the Internet. Yes, I understand that part.. I'm just wondering why/if these IPs are trying to access my router.. The log looks something like this... Wed Aug 18 16:39:05 2010 Blocked incoming TCP packet from 173.189.14.208:53437 to *my router's IP* or Wed Aug 18 16:38:35 2010 Blocked incoming UDP packet from 90.205.102.65:25769 to .... I believe 53437 & 25769 are the ports. (Please correct me if I am wrong though.) I searched the IPs last night, many of them are from Canada but there are some from China, Finland, US, UK.. other random countries. 2 Quote Share this post Link to post Share on other sites
whatsup 11893 Report post Posted August 18, 2010 Naomi, looking at your lovely avatar who want's to talk tech. :wink: :lol: Good post BTW. Quote Share this post Link to post Share on other sites
Parker 19761 Report post Posted August 19, 2010 Naomi, looking at your lovely avatar who want's to talk tech. :wink: :lol: Good post BTW. Why thank you. ;) xx Some background. These packets, TCP or UDP, are means by which one computer program communicates with another. For example, as you browse the Web TCP packets are being sent to (and from) your Web Browser to (and from) the web servers. Other applications may send or receive packets as well. To differentiate the various applications they use something called a port. IP Address = building address. Port = apartment number. Imagine there is an apartment building. To find out if someone lives in an apartment you could send each apartment a letter with a SASE. If you get a reply you can safely say someone lives there. In geek speak we call this probing. These computers all over the world are probing to find out if an application is on that port. If there is one they will now send a identification probe to find out what specific application is on that port. From there they can craft a specific probe to take over the application [1]. Once that is accomplish they can attempt taking control of your computer. But why ? There are two main reasons: 1. they are viruses trying to infect another machine 2. they are botnets (robotic networks) trying to add another machine to their group. Botnets are use for: a. capturing user information for identity theft b. massive spam senders c. dissemination of illicit material d. aiding in attacking computer resources (distributed denial of service) A majority of the botnets are under control of criminal organization who rent these computers out. It is estimated that over 60% of PC around the world are under the control of at least one botnet [2]. Your firewall is the first line of defense in protecting your computer. Hopefully this helps. et [1] this is the reason to keep your computer security updated. [2] it takes about 12 mins for a brand new (unsecured) PC to be taken over by a botnet after it is plug into the Internet. Thank you so very, very much for this post.. It's exactly what I was trying to figure out. (in a way I could understand to boot!) xx Quote Share this post Link to post Share on other sites
masterowls 249 Report post Posted August 19, 2010 another thimg you an try doing... a little extreme is using a program called hidemyip. what it doies is tells your computer/router to send a fake ip to the net... (I had mine sending a us address for a while... to get a site that blocked canadian ips to lemme in...)I stopped using it when the ban was lifted... but it works... Quote Share this post Link to post Share on other sites
etasman2000 15994 Report post Posted August 19, 2010 Unfortunately IP masking does not work for this case. The reason is actually quite simple, viruses and botnets don't care. The IP assigned to your machine (technically Internet modem) comes from a known range of addresses. When probing the virus or botnet would try every single address in the range before moving on to the next range. Quote Share this post Link to post Share on other sites