Hi,
From my firewall I found out there were 78 attempts in total to connect to my computer's port 27374 from different IP addresses (this means from different computers, right?) in a minute or two. I found the following from the firewall:
"ZoneAlarm blocked what was most likely a port scan by a remote computer trying to find out if a Trojan horse is located on your machine. The scan attempted to communicate with port 27374 on your computer, which is rarely used by legitimate programs. Rest assured, ZoneAlarm has determined that there is no Trojan horse listening on 27374 of your computer."
I still don't understand this. 78 attempts from very different IP addresses in a minute or two! What's wrong with my computer and what can I do about it? Why do so many different computers try to connect to the same port of my computer in such a short time?
Please help me!!! Thank you.

Port 27374 is a Sub7 trojan port.
Maybe you can ask someone here to give you a better trojan scanner/cleaner to scan your machine. Make sure your machine does not have a Sub7 trojan. If your machine is clean of trojans, then you are safe; they can't do any harm to you. :)
Multiple external IPs scanning your machine within 1 or 2 minutes might be caused by one guy spoofing his IP. Look at all the IPs; one of them will be the real attacker's IP.
Hope this helps ya.
Go to this link for more info
http://www.dshield.org/ports/port27374.html

This port is used by the trojan called Bad Blood as well as many different versions of Sub7.
It is common to get random scans from hackers as well as Internet worm programs.
It is not always a hacker trying to get into your computer, in fact most times it is simply a worm trying to get some kind of access to spread an infection. This old default port 27374 that sub7 used on the older versions had some problems. It was found that sub7 used what was called a 'master password'. The master password if known, could be used to enter ANY sub7 infected computer and override the password that the hacker used. The master password was sniffed as someone from the sub7 crew was entering an infected computer and then published for everyone to use. After this happened it made it possible for people to write scripts that would scan for these older versions and automatically change passwords and other server information.
It is a kind of take over method. One hacker stealing infected computers from other hackers. This is the reason that so many hackers and hacker scripts scan for this port.
You should be glad that your firewall detected it. This tells you that you are more than likely not infected. For those that are infected (and have trusted the trojan file by mistake) it will not detect ANYTHING!
In other words: If it detects an incoming connection it is almost ALWAYS a false alarm!
If it was a real threat, it would not have said ANYTHING.
Let me explain.
Example: Port 80 when you are not running a web server.
You are not running a web server on your computer. You may have a web page, but people do not connect to your computer to see it. You have your web page hosted with an ISP somewhere. This means that you do not have a LOCAL port 80 on your computer.
When you make outbound connections to browse the web, you are connecting to REMOTE port 80 on the web site that you visit. Your computer will use a random LOCAL port to make this connection.
Summing it up: You DO NOT have a port 80 on your computer, you connect to computers that have a port 80!
Almost a year ago a new breed of Internet worms started coming out. This started with Code Red which exploited a buffer overflow in the IIS (web server) indexing service DLL and Nimda which used the Code Red back doors that were left behind. Nimda also used the exploitation of IIS 4.0 / 5.0 directory traversal vulnerabilities as an infection means.
What does this all mean to you?
It means that Nimda with all of its variants, as well as other worm writers that copied parts of the code, have now started something that is causing mass panic to end users. I am speaking of end users that do not know much about ports, and how they work in line with firewall warnings.
There are MILLIONS of computers that are infected with these worms. Each infected computer scans random subnets (ip addresses) looking for Windows NT and 2K machines that have not been patched (done their critical updates) and are running IIS (web server).
If the worm finds such a machine, it will infect it and start scanning random ip's until it finds another machine to infect.
I personally have seen a computer infected before it had time to download the updates.
It got a new install of Windows 2000, online for only a few minutes before being infected. Ok, all of this aside; You get an alarm from your firewall. 'This ip address tried to connect to port 80 on your computer..' 'I blocked it for you'
This is all well and fine, BUT you do not have a port 80! It could not have done ANYTHING anyway!
How do I know this? If you did have a port 80, you would have needed to allow the server so that people can connect and see your web page! You would NOT have got a warning!
If you had IIS - AND WERE at risk, your firewall would have allowed the connection AND the infection to take place (if you were not patched).
The same thing goes if you trusted a program that uses the Internet and it had a built in trojan. Your firewall will NEVER say a word while hackers from all over the world are connecting to your computer. I have seen this in many freeware utilities, programs and games. These have all earned their place in our Lockdown signature list.
A good example of this can be read at:
http://lockdowncorp.com/hiddentrojans.html
Firewalls have their use. It just seems that there are so many people following the same format. "I had 200 hackers try and hack me today". Get REAL! You had a Nimda or worm connection from some poor soul's infected computer (every five minutes) that could NOT have infected you or done any harm to you as long as you are patched and do not have open file shares.
I hope this helps you in some way.
There is really nothing that you can do about the port scanning and the many detections. You may want to turn off the pop up option in your firewall which may help you to some small degree.
Michael

wow!....... I feel so small replying after that!.... My simple solution is to keep ZoneAlarm on high (preventing any possible trojans on your computer from accessing the net) and download a good trojan scanner/cleaner (not an antivirus) to check your computer

First of all, if you got a warning that said someone tried to connect to you on port 80, that's all it means. There was a legitimate three-way TCP handshake connection attempted on port 80. If you are not listening on port 80, your computer would send an ICMP port unreachable response. Regardless of what kind of server you had (IIS, Apache, etc), if your firewall was set up to block port 80 it would do it and likely send no reply.
So as per the original concern, and as was pointed out, the most likely reason that there were 78 attempts to connect to your computer at the same time was an attacker used a port scanning tool and turned on IP spoofing. So there are 77 false IP addresses and one of them is the actual address of the attacker.
Your firewall drops the packet so it's not really a concern. They may still be able to peek behind your firewall using a malformed connection request but they can't make a legitimate connection if your firewall drops it. I would turn on the XP firewall also.
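The pattern the thread keeps coming back to, a burst of blocked connection attempts to one port from many distinct source addresses in a minute or two, and Michael's point that such a burst is harmless noise when nothing on the host listens on that port, can be turned into a small triage script. This is an added example, not code from the thread or from ZoneAlarm; the log line format, the sample lines and the set of locally listening ports are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, ZoneAlarm-style lines (not real log output): time, source, destination port.
SAMPLE_LOG = """\
2002-03-01 21:14:02 blocked TCP 10.0.0.5:1032 -> 192.168.1.20:27374
2002-03-01 21:14:03 blocked TCP 10.0.0.9:1120 -> 192.168.1.20:27374
2002-03-01 21:14:03 blocked TCP 172.16.4.2:2221 -> 192.168.1.20:27374
2002-03-01 21:14:05 blocked TCP 10.0.0.77:3391 -> 192.168.1.20:27374
2002-03-01 21:14:40 blocked TCP 10.0.0.5:1040 -> 192.168.1.20:80
2002-03-01 21:20:00 blocked TCP 10.0.1.8:1050 -> 192.168.1.20:139
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) blocked TCP "
    r"(?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)$"
)

def parse(log):
    """Yield (timestamp, source IP, destination port) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["src"], int(m["dport"])

def find_bursts(log, window=timedelta(minutes=2), min_sources=3):
    """Return {port: distinct source count} for ports probed by at least
    min_sources distinct IPs inside any window-long span. The log alone cannot
    say whether those are many infected hosts or one scanner using decoy
    (spoofed) addresses, so the count is reported, not a culprit."""
    by_port = defaultdict(list)
    for ts, src, port in sorted(parse(log)):
        by_port[port].append((ts, src))
    bursts = {}
    for port, hits in by_port.items():
        for i, (start, _) in enumerate(hits):
            srcs = {s for t, s in hits[i:] if t - start <= window}
            if len(srcs) >= min_sources:
                bursts[port] = max(bursts.get(port, 0), len(srcs))
    return bursts

def triage(bursts, listening_ports):
    """'noise' when nothing local listens on the port (a blocked probe to a
    closed port could not have done anything); 'review' when a service does."""
    return {p: ("review" if p in listening_ports else "noise") for p in bursts}

# listening_ports is a constructed stand-in for what netstat would show on the host.
print(triage(find_bursts(SAMPLE_LOG), listening_ports={139}))
```

With the sample lines the 27374 burst (4 distinct sources in 3 seconds) is reported and rated as noise because nothing local listens there, which is exactly the situation the original poster describes.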
