*Port Scan* detected - Blocked by host.

I couldn't think of a pithy title for this, so that will have to do.

This morning I found I was unable to access my own website. I contacted my host who said my IP had been blocked because:

"*Port Scan* detected from +my ip+ 11 hits in the last 293 seconds"

"I have removed the above blocks on you. Please note that if you did not
authorise the port scan, you might like to run a virus or malware checker
on your local pc."


Now of course being on a Mac I don't tend to worry about viruses or malware in general.

Anyone an idea of what I'd need to check to find out if my Mac really is trying to scan other ports? I suspect it was just some glitch from uploading lots or something.

Happy holidays.
Stu

Alu MacBook, Mac OS X (10.5.6)

Posted on Dec 18, 2008 6:59 AM


Dec 18, 2008 8:25 AM in response to Stuartea71

Stuartea71 wrote:
I couldn't think of a pithy title for this, so that will have to do.

This morning I found I was unable to access my own website. I contacted my host who said my IP had been blocked because:

"*Port Scan* detected from +my ip+ 11 hits in the last 293 seconds"

"I have removed the above blocks on you. Please note that if you did not
authorise the port scan, you might like to run a virus or malware checker
on your local pc."

Viruses, no. Malware, yes.
Now of course being on a Mac I don't tend to worry about viruses or malware in general.

Not true. Again, viruses, no; malware, absolutely.

Anyone an idea of what I'd need to check to find out if my Mac really is trying to scan other ports? I suspect it was just some glitch from uploading lots or something.

Try MacScan.
You may have picked up something from your website or elsewhere.
Check your console logs, activity monitor and install LittleSnitch.

While it is not certain, it does seem that you have some kind of malware on your computer.

Dec 18, 2008 10:33 AM in response to nerowolfe

Hey, thank you for the tips and quick reply.

I've run MacScan - it found some tracking cookies but that's it. I've removed those.

Activity monitor doesn't appear to have anything suspicious running, I looked up any I wasn't sure about which all turned out to be fine.

Not exactly sure what to look for in console. I checked for ports created. Nothing really stands out - one from helpdatad and another from iTunes.

I'll install LittleSnitch to see if it comes up with anything. I'm wondering if it was just RapidWeaver throwing a wobbly when I was uploading to the site.

Thanks again.

Dec 18, 2008 10:47 AM in response to Stuartea71

Stuartea71 wrote:
Hey, thank you for the tips and quick reply.

I've run MacScan - it found some tracking cookies but that's it. I've removed those.

Activity monitor doesn't appear to have anything suspicious running, I looked up any I wasn't sure about which all turned out to be fine.

Not exactly sure what to look for in console. I checked for ports created. Nothing really stands out - one from helpdatad and another from iTunes.

I'll install LittleSnitch to see if it comes up with anything. I'm wondering if it was just RapidWeaver throwing a wobbly when I was uploading to the site.

Thanks again.


It's better to err on the side of caution. There have been several threads where users have installed malware which did strange things.
Yes, it's possible that your upload program went a bit mad 🙂
As your IP noted, if you did it, then it's OK, so you may let him know that it was you and it may have been a glitch, but if it happens again, not to shut you down, but to inform you that it has happened, so you can trace it out.
Some hosts these days are a bit paranoid, and maybe justifiably so, with all the stuff that is going on with Facebook, Internet Explorer, DNSChanger etc.

Mar 8, 2009 6:40 AM in response to agadams

I am having the same issue and I'm not running RapidWeaver or any other upload program at the time.

Fortunately, I am the hosting company so I have complete control of the firewall and can look in the logs myself to see what's going on.

It's happening to me, and to some of my hosting clients running OS X.

It only seems to happen about once a day, not at a consistent time, and the only thing that's consistent is that it's always 11 hits in 150-280 or so seconds.

I've installed LittleSnitch and I'll report back when I have an answer.

S
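
Added example, not part of any post in this thread: a sketch of how a threshold rule like the host's "11 hits in the last 293 seconds" can be evaluated over firewall drop logs, listing the destination ports behind each alert. The log format, the 300-second window and the addresses are constructed assumptions, not taken from any poster's firewall.

```python
import re
from collections import defaultdict, deque

HIT_LIMIT = 11   # the hit count the host quoted in this thread
WINDOW = 300     # assumption: the posts only show spans of 150-293 seconds

# Constructed log format (not a real firewall's): "<epoch> DROP SRC=<ip> DPT=<port>"
LINE_RE = re.compile(r"^(\d+) DROP SRC=(\S+) DPT=(\d+)$")

def parse(lines):
    """Yield (timestamp, source, destination port) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), int(m.group(3))

def detect(lines, limit=HIT_LIMIT, window=WINDOW):
    """Return {source: summary} for sources reaching `limit` drops within `window` s."""
    recent = defaultdict(deque)          # source -> (ts, port) pairs still in window
    alerts = {}
    for ts, src, port in sorted(parse(lines)):
        q = recent[src]
        q.append((ts, port))
        while ts - q[0][0] > window:     # expire hits older than the window
            q.popleft()
        if len(q) >= limit and src not in alerts:
            alerts[src] = {"hits": len(q), "seconds": ts - q[0][0],
                           "ports": sorted({p for _, p in q})}
    return alerts

def format_alert(src, a):
    return "*Port Scan* detected from %s %d hits in the last %d seconds" % (
        src, a["hits"], a["seconds"])

def make_sample():
    """Constructed log lines using documentation-range addresses."""
    lines = []
    for i in range(11):   # 11 drops across 293 s, each to a different port
        lines.append("%d DROP SRC=203.0.113.10 DPT=%d" % (1000 + i * 293 // 10, 49152 + i))
    for i in range(5):    # short burst to one port: below the limit
        lines.append("%d DROP SRC=198.51.100.7 DPT=21" % (1000 + i * 15))
    for i in range(11):   # 11 drops, but spread over 600 s: never 11 in one window
        lines.append("%d DROP SRC=192.0.2.44 DPT=%d" % (1000 + i * 60, 8000 + i))
    lines.append("malformed line that the parser skips")
    return lines

if __name__ == "__main__":
    for src, a in detect(make_sample()).items():
        print(format_alert(src, a), "ports:", a["ports"])
```

The `ports` list in each alert shows whether the hits were spread across many destination ports or repeated against one service, which is the first thing to look at when the flagged client says no scan was intended.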

Mar 8, 2009 12:06 PM in response to ssteiner

Welcome to Apple Discussions:
Port scans are things we simply live with. There are millions of bots out there (probably all infected PCs), scanning ports on every online computer, router and server, 24/7.
Many of these scans come from computers whose owners are totally unaware that they are running compromised boxes.
If your clients are using a good router with NAT and all ports "stealthed," they should have no problem. Naturally the computers should also be running a good firewall.

Go to GRC and have your clients do likewise,
https://www.grc.com/x/ne.dll?bh0bkyd2
and check your ports.
