Unknown inbound UDP

Guest

Since I got my XP machine, I've always kept my Norton Internet Security
software current, with an annual subscription. I update frequently. I also
always keep Microsoft service packs and other security upgrades current. I
hope I have a 100% malware-free machine, and I want to keep it that way.

Unfortunately, whenever I'm connected to the internet, I get a blizzard of
incomprehensible warnings from Norton Internet Security. Some of them, I
understand. Many I don't. So it's very difficult to know what to allow and
what to block.

The items that concern me most are "UDP inbound" attempts to access my
computer, from unknown TCP/IP addresses, and high port numbers -- usually
five digit port numbers. I used to think these were benign attempts by web
sites to upload content. Stupid, probably. So, I've allowed quite a few of
these in the past. Lately, I've started blocking them, and I've realized the
web sites I'm trying to see work as well as ever. I'm now concerned these
items are suspicious and possibly malicious.

What is the meaning of these attempts to access my computer? Have I done
harm by allowing these at times, in the past? If so, what kind of harm, how
do I diagnose and fix?

I hope that my machine is still malware-free. I think Norton would detect
malware on my machine and warn me -- but, once again, I'm not certain.

I'd be grateful for any assistance.


Cheers,


SNAT
 
David H. Lipman

From: "Sensitive New Age Thug" <[email protected]>

| Since I got my XP machine, I've always kept my Norton Internet Security
| software current, with an annual subscription. I update frequently. I also
| always keep Microsoft service packs and other security upgrades current. I
| hope I have a 100% malware-free machine, and I want to keep it that way.
|
| Unfortunately, whenever I'm connected to the internet, I get a blizzard of
| incomprehensible warnings from Norton Internet Security. Some of them, I
| understand. Many I don't. So it's very difficult to know what to allow and
| what to block.
|
| The items that concern me most are "UDP inbound" attempts to access my
| computer, from unknown TCP/IP addresses, and high port numbers -- usually
| five digit port numbers. I used to think these were benign attempts by web
| sites to upload content. Stupid, probably. So, I've allowed quite a few of
| these in the past. Lately, I've started blocking them, and I've realized the
| web sites I'm trying to see work as well as ever. I'm now concerned these
| items are suspicious and possibly malicious.
|
| What is the meaning of these attempts to access my computer? Have I done
| harm by allowing these at times, in the past? If so, what kind of harm, how
| do I diagnose and fix?
|
| I hope that my machine is still malware-free. I think Norton would detect
| malware on my machine and warn me -- but, once again, I'm not certain.
|
| I'd be grateful for any assistance.
|
| Cheers,
|
| SNAT

Please provide an excerpt of the log showing these UDP port attempts.
 
Steven L Umbach

This is one of the reasons that I often recommend that users use the built
in Windows Firewall or use a hardware device firewall [even a cheap NAT/PAT
router which should also be used anytime you are using cable/DSL anyhow].
Most users are bombarded with these pop ups and don't understand what is
going on. For most users you can configure your firewall to block these
inbound attempts and not warn you. There is no reason to allow unsolicited
inbound attempts unless your computer is offering a service to internet
users such as a web or ftp server which is rare for the average home user.

If you allowed some of these attempts nothing would happen unless your
computer was listening on that port due to having a service or application
installed that was using that port which could include malware such as a
Trojan. However it is always a good idea to do a full system scan with your
antivirus program if you have any doubt and to also periodically scan for
spyware such as weekly. There are many free spyware programs such as AdAware
SE and Microsoft AntiSpyware that you can download. These attempts are
usually not targeting your computer specifically but are scanning internet
computers to find computers that have that port open. The command
netstat -an will show current port use on your computer and free tools such
as TCPView from SysInternals will display in a GUI form and show the
process/executable path that is using the port. You can check out the link
below that lists the use of many of those ports and go to a selfscan site
such as http://scan.sygatetech.com/ to check your firewall configuration to
see if any ports are shown as being open. --- Steve

http://www.iana.org/assignments/port-numbers
http://www.sysinternals.com/Utilities/TcpView.html --- TCPView
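
Added example, not part of the post above: a small Python parser for Windows `netstat -an` output that lists which ports actually have a socket reachable from other hosts, which is the condition the reply describes for an allowed inbound attempt to have any effect. The sample output and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of Windows `netstat -an` output (not taken from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:1900           *:*
  UDP    127.0.0.1:123          *:*
  UDP    192.168.1.10:137       *:*
"""

def parse_netstat(text):
    """Yield (proto, local_ip, local_port, state) for each socket line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # skip headers and blank lines
        host, _, port = fields[1].rpartition(":")
        host = host.strip("[]").split("%")[0]  # IPv6 brackets / zone id
        # UDP is connectionless, so netstat prints no state column for it.
        state = fields[3] if len(fields) > 3 else ""
        yield fields[0], host, int(port), state

def reachable_listeners(text):
    """Sockets that accept unsolicited traffic from other hosts."""
    found = set()
    for proto, host, port, state in parse_netstat(text):
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing connections are not listeners
        if ipaddress.ip_address(host).is_loopback:
            continue  # bound to 127.0.0.1 / ::1, unreachable from outside
        found.add((proto, port))
    return sorted(found)

def has_listener(text, proto, port):
    """True if an allowed inbound packet to proto/port would find a socket."""
    return (proto.upper(), port) in reachable_listeners(text)

if __name__ == "__main__":
    for proto, port in reachable_listeners(SAMPLE):
        print(f"{proto} {port} accepts traffic from the network")
```

Any port it reports that you cannot account for is the one to look up in TCPView to find the owning executable.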
 
Guest

Steven L Umbach said:
This is one of the reasons that I often recommend that users use the built
in Windows Firewall or use a hardware device firewall [even a cheap NAT/PAT
router which should also be used anytime you are using cable/DSL anyhow].
Most users are bombarded with these pop ups and don't understand what is
going on. For most users you can configure your firewall to block these
inbound attempts and not warn you. There is no reason to allow unsolicited
inbound attempts unless your computer is offering a service to internet
users such as a web or ftp server which is rare for the average home user.
--snip--

Thanks very much, Steven and David. Steven, I had guessed at an analysis
similar to yours -- though it took me a long time, and I had many doubts.

The number of ports I have open is small, all the others are cloaked, and I
do a virus scan on the whole hard disk routinely. It always comes up clean.
I've got one adware application, and I'll try the other products and links
you suggested. I'll block these incoming UDPs from now on. It seems unlikely
that any harm has been done.

Norton is extremely complex once I look under the hood, and the warning
messages are worse than useless. This is user hostility. I hadn't fully
appreciated this about Norton before.

Maybe I'll try the native XP firewall instead. Actually, I'm usually
connected thru a wireless hardware NAT router, with a very small number of
necessary ports open, so maybe I'm okay, anyway. Come to think of it, many of
these incoming UDPs occur when I'm connected by dialup -- no hardware
firewall at those times!

Meanwhile, do other apps do a better job of keeping the user informed about
possible malware and break-in attempts than Norton? Anybody know?

Cheers,


Tim
 
