
Email from Plusnet regarding Port Scanning

sampsgw
Newbie
Posts: 9
Registered: ‎19-05-2015

Email from Plusnet regarding Port Scanning

Hi - I'm new to this forum and I apologise if this query isn't in the right place. I received an email from Plusnet on Sunday suggesting a PC using my IP address had been used to scan other networks for vulnerable ports. Plusnet didn't actually explain what this meant (and I'd never heard the term port scan before) but they did suggest the issue was likely caused by a virus and they advised running an anti-virus program on my PC. The thing is...I don't have a PC for a virus to inhabit and haven't had one for over a year. I have several iPhones, an Apple TV and an IP camera. At the time of the incident only the IP camera was connected to the router. I also live in a rural location and am certain my neighbours aren't close enough to pick up my wifi signal. I've since disconnected the camera and reset my iPhones and router. Could the router have a virus or could the IP camera have a bot(?) or something? Has anyone else received a similar email from Plusnet or had any experience of this issue on an iOS or IP camera device? I'm sorry if this is the wrong forum for this question but it would be great to get any opinions or advice. Thanks
7 REPLIES
npr
Pro
Posts: 1,898
Thanks: 119
Fixes: 9
Registered: ‎21-01-2013

Re: Email from Plusnet regarding Port Scanning

The following link is the only similar issue I've heard about. In that case the OP's IP camera was making too many failed DNS lookups.
http://community.plus.net/forum/index.php/topic,137422.0.html
sampsgw
Newbie
Posts: 9
Registered: ‎19-05-2015

Re: Email from Plusnet regarding Port Scanning

npr - thanks for the post.
sampsgw
Newbie
Posts: 9
Registered: ‎19-05-2015

Re: Email from Plusnet regarding Port Scanning

Plusnet provided the following Evidence (I've removed my IP address)
EVIDENCE
---------------
Date/timestamps (at the very left) are UTC.

2015-05-15 05:47:53.216543 IP (tos 0x0, ttl 49, id 0, offset 0, flags [DF], proto UDP (17), length 293)
    (my IP) > 208.146.44.x.41765: UDP, length 265
        0x0000:  4500 0125 0000 4000 3111 0ac5 925a af15  E..%..@.1....Z..
        0x0010:  d092 2c01 0c1f a325 0111 b965 4f59 5958  ..,....%...eOYYX
        0x0020:  4b46 4b49 4343 4243 4a4f 4b49 5946 595a  KFKICCBCJOKIYFYZ
        0x0030:  5141 4b45 484f 4255 454f 4758 4752 5955  QAKEHOBUEOGXGRYU
        0x0040:  534b 4255 5643 5755 4f46 5948 4d4d 5751  SKBUVCWUOFYHMMWQ
        0x0050:  484f                                     HO

[adie:green removed superfluous quote.]
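
A hex dump in this tcpdump layout can be decoded to confirm the addresses, ports and payload an abuse report refers to, and to see whether the capture was cut short. The following is an added example, not part of the original thread; the sample dump is constructed with documentation addresses and the function names are illustrative.

```python
import ipaddress
import re
import struct

# Constructed sample in the tcpdump hex+ASCII layout used by the report
# (RFC 5737 documentation addresses; this is not the thread's packet).
SAMPLE = """\
0x0000:  4500 0024 0000 4000 3111 5d89 c000 0205  E..$..@.1.].....
0x0010:  c633 6407 0c1f a325 0010 0000 4142 4344  .3d....%....ABCD
0x0020:  4546 4748                                EFGH
"""

# Offset, then at most 8 hex groups per line, so the ASCII column is skipped.
HEX_LINE = re.compile(
    r"0x[0-9a-f]{4}:\s+((?:[0-9a-f]{4}\s+){0,7}(?:[0-9a-f]{4}|[0-9a-f]{2})\b)")

def dump_to_bytes(text):
    """Join the hex column of every dump line (also works if lines were run together)."""
    return b"".join(bytes.fromhex(re.sub(r"\s+", "", m.group(1)))
                    for m in HEX_LINE.finditer(text))

def checksum_ok(header):
    """IPv4 header checksum: 16-bit one's-complement sum must be 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def parse_ipv4_udp(text):
    pkt = dump_to_bytes(text)
    if len(pkt) < 20:
        raise ValueError("dump too short for an IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 17 or len(pkt) < ihl + 8:
        raise ValueError("not a complete IPv4/UDP header")
    captured = min(len(pkt), total_len)  # drop bytes misread from ASCII column
    sport, dport, udp_len, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return {
        "src": f"{ipaddress.IPv4Address(src)}:{sport}",
        "dst": f"{ipaddress.IPv4Address(dst)}:{dport}",
        "ttl": ttl,
        "header_checksum_ok": checksum_ok(pkt[:ihl]),
        "udp_payload_len": udp_len - 8,
        "truncated": captured < total_len,  # capture shorter than IP length
        "payload": pkt[ihl + 8:captured],
    }

if __name__ == "__main__":
    print(parse_ipv4_udp(SAMPLE))
```
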
npr
Pro
Posts: 1,898
Thanks: 119
Fixes: 9
Registered: ‎21-01-2013

Re: Email from Plusnet regarding Port Scanning

Is that all the information (evidence) PN have provided?
Is the port scan still happening intermittently or was it a one off?
I would first check the router's event log around that time (2015-05-15 05:47:53) to see if there's anything of interest. Also check in the router's event log for the IP address you were on at that time, and make sure it's the same as in the report.
sampsgw
Newbie
Posts: 9
Registered: ‎19-05-2015

Re: Email from Plusnet regarding Port Scanning

Thanks npr - When I got in touch with Plusnet they asked me to reset the router, which I did on 17/05 so presumably I won't be able to access logs from 15/05?
I'm pretty sure the IP address I was on on 15/05 matched that in the Plusnet email as it was the same as the one I had saved on my IP camera app. I tried repeatedly to get more information from Plusnet on a live chat but they said that is all they have. I assume it was a one off or I would have had further emails?
I'm no expert in this sort of thing but from what little knowledge I've gleaned from the Internet in recent days it all seems very odd, especially given the absence of a PC in my household (not to mention neither my wife nor I had even heard of the term port scanning) and the fact that it is extremely unlikely anyone else could pick up my wifi signal?
npr
Pro
Posts: 1,898
Thanks: 119
Fixes: 9
Registered: ‎21-01-2013

Re: Email from Plusnet regarding Port Scanning

I agree it does sound very odd, let's hope that's the end of it.
The router may well have saved the event log from the 15/05. If it's a Technicolor you have then it will have saved it but you may need to use telnet to look that far back.
e.g. the first command here http://npr.me.uk/telnet.html#syslog
Let me know if you wish to go to that trouble and need help with telnet.
sampsgw
Newbie
Posts: 9
Registered: ‎19-05-2015

Re: Email from Plusnet regarding Port Scanning

Thanks again for your help - I'll check things out when I get home later.