Kudos0

Intrusion Attempt False Positive?

Earlier this week Norton alerted me of an intrusion attempt into my computer called "Netis Router Scan 2" which it says it blocked and that no further action is required. I have been receiving this same type of message usually about once or twice a month on this computer since I purchased it about a year ago. The thing is my computer has never been connected to a Netis router or any other Netis product, it has only ever been connected via wire to my Comtrend CT-5072T and nothing else. So how is it possible for me to be getting this alert if I don't even use a Netis router? Is this simply a false positive or is there something I should be worried about?

Replies

Kudos2 Stats

Re: Intrusion Attempt False Positive?

It sounds like something on the internet is scanning to try to find a Netis router. As you do not have one you have nothing to worry about. Norton is protecting against this intrusion attempt.

There is nothing you can do to stop someone scanning from outside your network.

Things happen. Export/Backup your Norton Password Manager data.
Kudos2 Stats

Re: Intrusion Attempt False Positive?

All: There is a Symantec article which explains things a bit further. Peterweb is spot on and you are totally protected.

Cheers

"From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows 10 Home / Professional x 64 version 1903 / build 18362.295 / N360 Deluxe 22.18.0.213 / Norton Core v.282 on Android 2.00
Kudos2 Stats

Re: Intrusion Attempt False Positive?

Just a comment on IPS false positives:  They are less common than false positives for specific malware.  IPS is looking for attack vectors and exploits of known vulnerabilities that are used to install a variety of malware.  IPS does not look for actual malware itself. Specific malware signatures are more susceptible to false positives than are exploit signatures. Once a vulnerability in a piece of hardware or software (in this case, a router) is known, then the signature to detect attempts to exploit that vulnerability will be pretty straightforward -- identifying an attack process on a known flaw is less prone to false positives than creating a malware signature that targets one malicious file while excluding all similar-looking files.  The point is that you should always assume an intrusion detection is legitimate until proven otherwise.

Kudos0

Re: Intrusion Attempt False Positive?

Thank you everybody. One thing has me puzzled though: Shouldn't I also then be getting alerts of individuals scanning for other hardware or software that I may possess? Why is it always just for a Netis router that I don't have? I would understand it if it was coming from the same origin every time, but according to the alerts it's almost always originating from different locations.

Kudos0

Re: Intrusion Attempt False Positive?

Can you post where these attacks are coming from (it will be shown in the details of the Norton history entry for each event)?  If you are getting repeated alerts to this same attack from different points of origin, it may be something on your PC calling out.

Kudos0

Re: Intrusion Attempt False Positive?

Here is what is listed as the attacking computer in each alert for the last few months. Note that the last two happened on the same day.

Attacking Computer: 35.204.241.17, 52309

Attacking Computer: 178.128.121.233, 56782

Attacking Computer: 80.82.70.39, 37421

Attacking Computer: 104.238.214.147, 52081

Attacking Computer: 104.238.214.147, 54211

Kudos0

Re: Intrusion Attempt False Positive?

MM. Your Comtrend CT-5072T ISP device IS ADSL2, which is the TYPE of device the outside probing is looking for. Have you disabled remote management in its settings? Also check for an open UDP port 53413, which is what the outside scan is looking for, as it is a built-in backdoor on the Netcore/Netis router. In the listing you provided, UDP port 53413 is not listed.

Check in settings for a firmware update; there should be an automated link in settings for it to check. Most routers will periodically check on their own.

Cheers

"From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows 10 Home / Professional x 64 version 1903 / build 18362.295 / N360 Deluxe 22.18.0.213 / Norton Core v.282 on Android 2.00
Kudos0

Re: Intrusion Attempt False Positive?

I can't seem to access the settings. Perhaps my ISP has it set up in such a way that only they can access it, or I'm just messing up something simple. I suppose I'll contact my ISP about it soon. One thing I should clarify though is that the alerts do in fact list port 53413 in the "Destination Address", the others I listed earlier are listed in the "Traffic Description". Since it's listed in the destination address but not the traffic description does it necessarily mean I do in fact have an open 53413 port or does this just mean that the people/devices doing the scanning are searching for this open port whether I actually have it or not?

Also, one last question I hope maybe someone can answer for me: Given what is listed in the Data Sheet for Comtrend CT-5072T, would it be possible for a hacker to view/record all my internet browsing history if it was hacked? Or would that require direct physical access to it or hacking of my connected PC as well? It's what I'm most curious about.
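Added example (not part of the thread, and not Norton's code): a small Python triage of the alert entries quoted above, answering the two questions raised in the replies, whether the traffic is inbound or the PC calling out, and whether every probe targets UDP 53413. The one-line log layout, the `Destination Address` values and the PC address 192.168.1.10 are assumptions made for this sketch.

```python
import ipaddress
import re
from collections import Counter

NETIS_PORT = 53413  # UDP port the thread says the scans look for

# Constructed sample. The "Attacking Computer" values are the ones quoted in
# the thread; the one-line layout and the destination 192.168.1.10 (the PC)
# are assumptions, not Norton's actual history export format.
SAMPLE = """\
Attacking Computer: 35.204.241.17, 52309 | Destination Address: 192.168.1.10, 53413
Attacking Computer: 178.128.121.233, 56782 | Destination Address: 192.168.1.10, 53413
Attacking Computer: 80.82.70.39, 37421 | Destination Address: 192.168.1.10, 53413
Attacking Computer: 104.238.214.147, 52081 | Destination Address: 192.168.1.10, 53413
Attacking Computer: 104.238.214.147, 54211 | Destination Address: 192.168.1.10, 53413
"""

FIELD = re.compile(r"(Attacking Computer|Destination Address):\s*([\d.]+),\s*(\d+)")


def parse_alerts(text):
    """Return a list of ((src_ip, src_port), (dst_ip, dst_port)) tuples."""
    alerts = []
    for line in text.splitlines():
        found = {name: (ipaddress.ip_address(ip), int(port))
                 for name, ip, port in FIELD.findall(line)}
        if len(found) == 2:  # skip lines missing either endpoint
            alerts.append((found["Attacking Computer"], found["Destination Address"]))
    return alerts


def triage(alerts, local_ip):
    """Summarise direction, target port and source spread of the alerts."""
    local = ipaddress.ip_address(local_ip)
    per_source = Counter(str(src[0]) for src, _ in alerts)
    return {
        "alerts": len(alerts),
        "distinct_sources": len(per_source),
        "repeat_sources": sorted(ip for ip, n in per_source.items() if n > 1),
        # Inbound: a public address talking to this PC. If the PC's own
        # address showed up as the source, it would be the PC calling out.
        "all_inbound": all(dst[0] == local and src[0].is_global for src, dst in alerts),
        "all_target_netis_port": all(dst[1] == NETIS_PORT for _, dst in alerts),
    }


if __name__ == "__main__":
    print(triage(parse_alerts(SAMPLE), "192.168.1.10"))
```

A result with `all_inbound` true, several distinct sources and a single destination port is what unsolicited internet scanning looks like from the receiving end.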

Kudos0

Re: Intrusion Attempt False Positive?

MM. That means your modem/router is being scanned for that open port on UDP, but it's the specific NETIS router firmware that is vulnerable to the scanning.

In a web browser, type in http://192.168.1.1 and press Enter, then use the default login credentials your ISP provided. If you cannot access your modem/router settings with those credentials, OR, if you have changed those defaults and still cannot access it, REPLACE the modem with your ISP. That would indicate your modem is compromised and it's highly likely your traffic is being monitored and/or intercepted.

Edited: You can also use this online tool to scan for ports that are open on your modem.

Cheers

"From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows 10 Home / Professional x 64 version 1903 / build 18362.295 / N360 Deluxe 22.18.0.213 / Norton Core v.282 on Android 2.00
Kudos0

Re: Intrusion Attempt False Positive?

No, it's that the page won't load for me to even enter the login credentials. I just get a "This site can't be reached" message. I checked the support page on the Comtrend website and it says that only the ISP can access the unit if they are the ones who provided it. So I'll be contacting them next. But thanks again for assuring me these alerts from Norton are probably nothing for me to worry about. I used the Port Scanner tool and according to it port 53413 is closed for me.