
9 Posts


April 3rd, 2005 18:00

NORTON INTERNET SECURITY 2005

I have Norton Internet Security 2005 installed.  When checking "statistics", under Personal Firewall, I received a message indicating that my computer was "attacked" on today's date.  I viewed the log, and received the following message:
 
Details:Unused port blocking has blocked communications.
Inbound TCP connection.
Remote address,local service is (211.214.160.6,20031).You can get detailed information about this attack at Symantec Security Response.
 
I also received another message as follows:
 
Details:Unused Windows Services Block was detected and blocked.
All comunication with 216.193.147.234 will be blocked for 30 minutes
 
Can someone please explain to me what this means?  Is someone trying to "hack" into my computer?  Is this something I need to be concerned with or can prevent?  Any assistance would be greatly appreciated.  Thanks.

9 Posts

April 3rd, 2005 18:00

Jim,

Thanks for the quick response.  Don't know who that Hanaro Telecom is, but Enter.Net is my ISP.  Excuse my ignorance, but any idea as to what was trying to be accomplished by them and what could potentially happen?  As long as the firewall is on, I should be OK, right?  Thanks again for your help!

 

4.4K Posts

April 3rd, 2005 18:00

domer1968,

Those entries mean that NIS 2005 is doing its job.

The first IP address, 211.214.160.6, is registered to Hanaro Telecom in Korea. The second one, 216.193.147.234, is registered to Enter.Net, apparently an ISP headquartered in Allentown, PA. There's a handy set of tools available for finding out about IP addresses available at DNSStuff.com. I used the "IPWHOIS Lookup" to obtain the information posted.

The first log entry shows a TCP connection attempt to an unused port (20031). Sometimes it's possible to determine exactly what a TCP port is used for by searching Google for (in this case) tcp port 20031. I didn't find anything very informative in this case. Incidentally, a "port" is like a telephone extension number. When you call a company and ask for an extension, you'll either talk to a person, a recording, hear a busy signal, or be told the extension is unused. This TCP port's unused on your system.

The second log entry doesn't specify a port, but a class of ports ("Unused Windows Services"). So we don't know what specific port was being accessed.

The likelihood that either of those attempts was actually done by a human is small. They were probably caused by programs scanning the Internet for vulnerable machines. Such automated scans are part of the "background noise" of the Internet. They point out why firewall protection is important.

Jim
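The two log entries quoted in the first post, read the way the reply above reads them, as an added example that is not part of the original thread: a short Python parser that pulls out the remote address, the local port when the entry names one, and the auto-block duration. It assumes NIS 2005 log text looks exactly like the two entries quoted on this page; the function and field names are made up for illustration.

```python
import ipaddress
import re

# The two entries from the first post, copied as posted (including the typo).
SAMPLE_LOG = """\
Details:Unused port blocking has blocked communications.
Inbound TCP connection.
Remote address,local service is (211.214.160.6,20031).

Details:Unused Windows Services Block was detected and blocked.
All comunication with 216.193.147.234 will be blocked for 30 minutes
"""

PROTO = re.compile(r"(Inbound|Outbound) (TCP|UDP) connection")
PORT_BLOCK = re.compile(r"Remote address,local service is \(([\d.]+),(\d+)\)")
AUTOBLOCK = re.compile(r"All comm?unication with ([\d.]+) will be blocked for (\d+) minutes")


def parse_entries(text):
    """Split the log on 'Details:' and return one dict per entry."""
    entries = []
    for chunk in text.split("Details:")[1:]:
        lines = chunk.strip().splitlines()
        if not lines:
            continue  # a bare 'Details:' with nothing after it
        entry = {"rule": lines[0].rstrip("."), "remote": None, "local_port": None,
                 "direction": None, "protocol": None, "block_minutes": None,
                 "internet_routable": None}
        if m := PROTO.search(chunk):
            entry["direction"], entry["protocol"] = m.group(1).lower(), m.group(2)
        if m := PORT_BLOCK.search(chunk):
            entry["remote"], entry["local_port"] = m.group(1), int(m.group(2))
        elif m := AUTOBLOCK.search(chunk):
            # This entry type names a class of ports, not a port number.
            entry["remote"], entry["block_minutes"] = m.group(1), int(m.group(2))
        if entry["remote"]:
            try:
                entry["internet_routable"] = ipaddress.ip_address(entry["remote"]).is_global
            except ValueError:
                entry["remote"] = None  # digits and dots, but not a valid address
        entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in parse_entries(SAMPLE_LOG):
        port = e["local_port"] if e["local_port"] is not None else "not given"
        print(f'{e["remote"]:>16}  port={port}  rule="{e["rule"]}"')
```

The `remote` value is what goes into a WHOIS lookup; an entry whose `local_port` is `None` cannot be matched to a specific service.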

4.4K Posts

April 4th, 2005 05:00

domer1968,

Neither of the log entries contained enough information to determine what the purpose of the traffic might have been. I think Hanaro Telecom is a Korean ISP. What can happen depends on what the traffic is trying to do. The results may be that an unpatched vulnerability in your operating system is attacked, and the system enters an automatic shutdown as a result. The "Sasser" worm is an example of such a problem. A more benign but sometimes annoying and frightening one is so-called "Messenger Spam". In this case, an ominous message about potential vulnerabilities can appear, and try to induce the user into visiting a web site to solve the problem. This illustration shows an advertisement for phony diplomas.  Here's a page showing some that are intended to frighten the viewer into a web site visit. Some worms may have the sole purpose of disrupting the operation of the Internet by creating an "explosion" of infected machines, all trying to infect other Internet-connected machines. The "Slammer" worm is an example of this behavior.

The firewall will protect you from uninvited traffic. There's another type - invited traffic. Links to pages that offer free downloads of pictures, screensavers, and other things you might want may in fact be malicious sites. Good judgement, good antivirus protection, installing all Microsoft security patches, safe browser settings, and use of resident features that will prevent unauthorized registry changes from being made are all defenses against these.

I've collected a number of links related to network safety that are listed below. You may find them helpful.

Jim

9 Posts

April 4th, 2005 10:00

Jim,

Thanks for all your help!  Much appreciated.

 

4.4K Posts

April 4th, 2005 20:00

domer1968,

You're welcome! Glad I could help!

Jim
