Author Topic: Startup port scan  (Read 1154 times)


Offline PlainName

  • Super Contributor
  • ***
  • Posts: 5675
  • Country: va
Startup port scan
« on: July 20, 2022, 11:35:06 pm »
Missus brought in a laptop used by a club, and on booting it my PC AV popped up to report a port scan from it.

Suspecting something nefarious, I've subjected it to a scan by Kaspersky's USB boot disk. Found nothing.

Is there anything on a W10 laptop (HP, if it matters) that might legitimately do a port scan of stuff on the local network on booting? It has AVG on it, but I'm pretty sure that doesn't do it.
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5166
  • Country: au
Re: Startup port scan
« Reply #1 on: July 21, 2022, 01:30:34 am »
Unless it has a direct connection to the internet (which is very unlikely), it's highly unusual anything from the outside would be performing port scans on a machine that's behind a router. I'd need more information such as a screen shot of the message and any logs the AV is able to provide.
 

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 5675
  • Country: va
Re: Startup port scan
« Reply #2 on: July 21, 2022, 01:45:02 am »
Nothing from outside. My PC and the laptop both connected to the same LAN (laptop via WiFi, PC via cable) so no router involved and no Internet. PC AV pops up to say there's a port scan from the IP address that the laptop has acquired. I verify that the IP address is the one the laptop is using, but other than that I don't know anything more (it was promptly banned from the network).

I need to set up an isolated network and run a sniffer to see what's actually going on, but this is the first time anything has done this (so far as I know). It's not a look around the network to see what's there but scanning to find open ports on the PC.
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5166
  • Country: au
Re: Startup port scan
« Reply #3 on: July 21, 2022, 02:02:56 am »
Quote
Nothing from outside. My PC and the laptop both connected to the same LAN (laptop via WiFi, PC via cable) so no router involved and no Internet. PC AV pops up to say there's a port scan from the IP address that the laptop has acquired. I verify that the IP address is the one the laptop is using, but other than that I don't know anything more (it was promptly banned from the network).

I need to set up an isolated network and run a sniffer to see what's actually going on, but this is the first time anything has done this (so far as I know). It's not a look around the network to see what's there but scanning to find open ports on the PC.

Seems weird. Maybe just crap AV giving you false positives?
 

Offline mag_therm

  • Frequent Contributor
  • **
  • Posts: 605
  • Country: us
Re: Startup port scan
« Reply #4 on: July 21, 2022, 02:23:16 am »
Could be a virus on the computer from the club.
I had Linux boxes running on corporate LANs in various countries, that log all ssh attempts with the source IP and the user and pw.
Most come from certain countries, but have seen attempts from within the LAN from employee Win portables.
 

Offline golden_labels

  • Frequent Contributor
  • **
  • Posts: 888
  • Country: pl
Re: Startup port scan
« Reply #5 on: July 21, 2022, 03:20:27 am »
A heuristic guess is: not impossible, but towards the lower end of probability.

Grab packet capture software for your system,(1) limit it to the IP address of the laptop and see what you receive when it boots. Port scans are very easy to distinguish by the sheer number of packets sent towards different ports with no clear reason. A typical port scan will use SYN packets, without ever attempting to actually make a connection. Wikipedia describes common port scan methods, but it’s unlikely it would be anything fancy — in particular for an unattended scan.

Some types of software try to scan the LAN for various services without any harmful intent. That includes both things installed on a computer and firmware in “smart” TVs and such. Such an attempt may trigger alarms in antivirus software. That’s typically easy to distinguish from a port scan,(2) because packets arrive only to a small number of relevant ports (e.g. belonging to Spotify servers in the case of “smart” TVs).

But, in general, the situation raises a very important concern: that you are running an operating system that was used by someone else in the past, instead of installing it from scratch. That is always a security risk.


(1) Wireshark is a common program of that type that works across multiple platforms.
(2) To an intelligent being, not to an automated system — unless it knows specific rules describing that kind of traffic.
You are grounded! — said mom to pin 11 of an LM324 op-amp
Worth watching: Calling Bullshit — protect your friends and yourself from bullshit!
 

Offline ejeffrey

  • Super Contributor
  • ***
  • Posts: 3121
  • Country: us
Re: Startup port scan
« Reply #6 on: July 21, 2022, 03:28:50 am »
It might be a virus or it might be a false alarm but if I got a used computer I'd wipe it and do a clean install no matter what so that is my recommendation.
 

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 5675
  • Country: va
Re: Startup port scan
« Reply #7 on: July 21, 2022, 10:07:15 am »
Thanks, everyone, for confirming that it looks somewhat suspicious.

I wondered if the AV was being confused by something normal. I also have Glasswire installed, which has firewall features which I don't use because I'm not paying a subscription, so I just have it around to see what apps are involved if there are 'issues'. Glasswire saw the laptop connecting to a couple of ports (Bonjour, for instance), but of course it would only see ports that had apps listening so it doesn't tell me what else was being scanned. Nevertheless I think it backs up the concerns of the AV.

Today I had intended to set it up on a two-machine network with wireshark capturing the traffic. Unfortunately (for this scheme) it was taken away because... well, it's complicated. But it will probably be back soon and I'll deal with it then. Meantime the standing rule that no unknown kit gets connected to the LAN without my say so has been strongly reiterated.

(If the laptop was something we'd acquired it would naturally have been wiped and an appropriate OS installed from scratch. But it isn't - the club use it for video capture so I can't dick with it very much. It was connected to the LAN just to make sure Windows 10 wasn't going to update during an upcoming demonstration...

I could, and probably should, just ban the thing from ever appearing again, but I would like to know exactly what was having a poke around.)
 

Offline Nominal Animal

  • Super Contributor
  • ***
  • Posts: 5030
  • Country: fi
Re: Startup port scan
« Reply #8 on: July 21, 2022, 12:39:09 pm »
It does look suspicious.

There are some plug-and-play technologies like UPnP/SSDP/DLNA, mDNS/Bonjour/Avahi, that some AV might consider port scanning.  Even a vulnerability scan is very similar to port scanning.
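As an added illustration of the distinction golden_labels draws in Reply #5 (many bare SYNs to different ports, versus a few packets to a handful of discovery ports) and of the UPnP/SSDP/mDNS traffic Nominal Animal mentions above, here is a small Python classifier run over constructed packet summaries of the kind a Wireshark capture would give you. It is not code from the thread; the discovery-port allow-list, the threshold and the sample addresses are assumptions.

```python
from collections import defaultdict

# Ports of the benign LAN discovery protocols named in the thread.
# Assumption: a minimal allow-list for illustration, not a full catalogue.
DISCOVERY_PORTS = {1900: "SSDP/UPnP", 5353: "mDNS/Bonjour"}

def constructed_capture():
    """Constructed packet summaries (src_ip, proto, dst_port, tcp_flags).
    tcp_flags is 'S' for a bare SYN, 'PA' for an established data segment,
    and '' for UDP. Sample data only, not a real capture."""
    pkts = []
    # 1) Host probing 30 TCP ports with bare SYNs and never completing a handshake.
    for port in range(20, 50):
        pkts.append(("192.168.1.50", "tcp", port, "S"))
    pkts.append(("192.168.1.50", "udp", 5353, ""))   # it also sends an mDNS query
    # 2) "Smart" TV doing only SSDP and mDNS discovery over UDP.
    for _ in range(5):
        pkts.append(("192.168.1.60", "udp", 1900, ""))
        pkts.append(("192.168.1.60", "udp", 5353, ""))
    # 3) Desktop opening one SMB connection and exchanging data on it.
    pkts += [("192.168.1.70", "tcp", 445, "S"), ("192.168.1.70", "tcp", 445, "PA")]
    return pkts

def classify_sources(packets, scan_threshold=10):
    """Per-source verdict: 'port scan' when many distinct TCP ports receive bare
    SYNs with no established traffic following; 'service discovery' when every
    port touched is a known discovery port; otherwise 'normal'."""
    syn_ports = defaultdict(set)    # src -> TCP ports that received a SYN
    data_ports = defaultdict(set)   # src -> TCP ports that carried established traffic
    udp_ports = defaultdict(set)    # src -> UDP ports used
    for src, proto, port, flags in packets:
        if proto == "tcp" and flags == "S":
            syn_ports[src].add(port)
        elif proto == "tcp":
            data_ports[src].add(port)
        else:
            udp_ports[src].add(port)
    verdicts = {}
    for src in set(syn_ports) | set(data_ports) | set(udp_ports):
        half_open = syn_ports[src] - data_ports[src]   # SYNs never followed up
        touched = syn_ports[src] | data_ports[src] | udp_ports[src]
        if len(half_open) >= scan_threshold:
            verdicts[src] = "port scan"
        elif touched and touched <= set(DISCOVERY_PORTS):
            verdicts[src] = "service discovery"
        else:
            verdicts[src] = "normal"
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(constructed_capture()).items()):
        print(f"{src}: {verdict}")
```

The threshold is deliberately crude; a real AV heuristic, as footnote (2) in Reply #5 notes, only separates discovery chatter from a scan if it carries rules for that traffic.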
 

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 5675
  • Country: va
Re: Startup port scan
« Reply #9 on: July 21, 2022, 02:20:51 pm »
Doing a random search out of boredom rather than in the expectation of finding anything...

https://support.avg.com/answers?id=9065p0000000fYlAAI

Quote
In simple words, AVG Internet Security's feature, Network Inspector, is occasionally running a background scan of network devices, to check for any "weak" or "default" passwords. This is what you're seeing in the mentioned reports.

It is none of their business what other machines do or don't do.
 
The following users thanked this post: MK14, Nominal Animal

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 5675
  • Country: va
Re: Startup port scan
« Reply #10 on: July 24, 2022, 12:46:43 pm »
Turns out it was AVG which was causing the fuss. It is hard to overstate how cretinous that feature is - for most users it will likely cause the PC to be blocked from a network, and for the malicious 10-year-olds it's saying "Hey, you can hack that machine over there real easy."
 

