July 28th, 2005 15:00

virus/spyware issue, a firewall issue, or a network issue?

I don’t know if I have a virus/spyware issue, a firewall issue, or a network issue.  Forgive me if I put this message in the wrong spot.

For a few weeks, I have been subjected to thousands of unsolicited attempts on port 123 from 2 separate IPs.

I run two computers behind a router.  Both computers now run McAfee firewall.  Only one computer’s “Inbound Events” tab in McAfee registers these attempts.  McAfee describes the type of activity as “Network Time Protocol.”    Both IPs get listed at least every two minutes, and sometimes as often as twice a minute.  The second weekend they stopped, but then resumed and continued all through last weekend. I didn’t notice any such activity when I was using Norton’s products, but I immediately saw this once I installed McAfee.

I contacted McAfee, and they said that their software only guards against intrusions, not attempts.  He then assured me that because they show up in the “Inbound Events,” they are not intrusions.  I called my DSL ISP.  The first guy didn’t know what to do, so I asked if I could change my IP address, so he walked me through ipconfig “refresh” and “renew” in the command prompt, but that didn’t have any effect.  The second guy I talked to told me to call my router manufacturer.

I have also run my anti-virus software and numerous anti-virus applications to no avail.

What is going on?  Any and all help greatly appreciated.

July 29th, 2005 00:00

I think you must be confused, because if the incoming connections were from the internet, your router (firewall) should be blocking them and it wouldn't allow them to your local network.  What kind of router do you have?  Make/model/version # etc.   What are the IP addresses that are trying to connect?  That will help me know who it is that is connecting.
 

July 29th, 2005 06:00

Thanks for your questions and interest in helping me.
 
The router is an SMC Barricade SMC7004VBR.  I am not sure as far as the firmware.  The only time it was updated was about a year ago, and the router is a little more than two years old.
 
The two addresses are:
 
192.5.41.41 and
132.163.4.102

July 29th, 2005 06:00

Well, your computers are probably establishing the connections; those are legit NTP servers (time servers).
 
nslookup 132.163.4.102
102.4.163.132.in-addr.arpa      name = time-B.timefreq.bldrdoc.gov.
Authoritative answers can be found from:
4.163.132.in-addr.arpa  nameserver = dns-w.boulder.nist.gov.
4.163.132.in-addr.arpa  nameserver = dns-x.boulder.nist.gov.
dns-w.boulder.nist.gov  internet address = 132.163.4.10
dns-x.boulder.nist.gov  internet address = 132.163.4.9
 
--------------
 
nslookup 192.5.41.41
Non-authoritative answer:
41.41.5.192.in-addr.arpa        name = tock.usno.navy.mil.
41.41.5.192.in-addr.arpa        name = ntp1.usno.navy.mil.
Authoritative answers can be found from:
41.5.192.in-addr.arpa   nameserver = metis.usno.navy.mil.
41.5.192.in-addr.arpa   nameserver = charon.usno.navy.mil.
41.5.192.in-addr.arpa   nameserver = psyche.usno.navy.mil.
metis.usno.navy.mil     internet address = 198.116.61.5
charon.usno.navy.mil    internet address = 199.211.133.5
psyche.usno.navy.mil    internet address = 192.5.41.214
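
An added example, not part of the original posts: one way to check whether inbound port 123 events are replies to time requests the machine itself sent, which is what the answer above concludes. The log format, the sample lines, the 5-second reply window and the function names are assumptions made up for this illustration; 203.0.113.7 is a documentation address.

```python
from datetime import datetime, timedelta

NTP_PORT = 123
REPLY_WINDOW = timedelta(seconds=5)  # assumed upper bound on request/reply delay

# Constructed sample events: date, time, direction, remote IP, remote port.
SAMPLE_EVENTS = """\
2005-07-28 14:00:00 OUT 192.5.41.41 123
2005-07-28 14:00:01 IN 192.5.41.41 123
2005-07-28 14:02:00 OUT 132.163.4.102 123
2005-07-28 14:02:00 IN 132.163.4.102 123
2005-07-28 14:05:30 IN 203.0.113.7 40000
2005-07-28 14:09:00 IN 192.5.41.41 123
"""

def parse(line):
    """Split one constructed log line into typed fields."""
    date, clock, direction, ip, rport = line.split()
    ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return ts, direction, ip, int(rport)

def classify(log_text):
    """Label each inbound event 'reply' or 'unsolicited'.

    An inbound packet counts as a reply only if it comes from remote
    port 123 and an unanswered outbound NTP request to the same IP was
    seen within REPLY_WINDOW. Each request is matched to one reply.
    """
    pending = {}   # remote IP -> timestamps of unanswered outbound requests
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, direction, ip, rport = parse(line)
        if direction == "OUT":
            if rport == NTP_PORT:
                pending.setdefault(ip, []).append(ts)
            continue
        queue = pending.get(ip, [])
        while queue and ts - queue[0] > REPLY_WINDOW:
            queue.pop(0)               # request too old to explain this packet
        if rport == NTP_PORT and queue:
            queue.pop(0)               # consume the matching request
            results.append((ip, "reply"))
        else:
            results.append((ip, "unsolicited"))
    return results

if __name__ == "__main__":
    for ip, label in classify(SAMPLE_EVENTS):
        print(f"{ip:15} {label}")
```

Events labelled "reply" match the pattern described in the answer; anything labelled "unsolicited" is what would merit a closer look at the router and host.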

August 4th, 2005 17:00

I did a fresh install last weekend and I have had nary a peep in McAfee's Inbound Events since, which further supports your conclusion that the connections were emanating from my computer.  I have no idea what was causing those connections, but everything seems to be working fine now.  Thanks for your help.

August 5th, 2005 03:00

Well, MS Windows XP DOES connect to time servers to keep the clock updated.  However, by default (unless you change the registry), it will only update them like once a week or once every day?  I have a strong suspicion that you had some kind of spyware (clock sync) that was making the connections more often.