security, network-programming, port-scanning

I got a port scan (blocked by Kaspersky antivirus on my Windows 10 machine)


I got a notification from my Kaspersky antivirus on my Windows 10 machine (which is always on). Apparently, there was a port scan and it was blocked.

User: NT AUTHORITY\SYSTEM
User type: System user
Component: Network Attack Blocker
Result description: Blocked
Name: Scan.Generic.PortScan.TCP
Object: TCP from 104.152.52.xxx at 192.168.0.10:1701
Additional: 192.168.0.10
Databases release date: Yesterday, 1/19/2022 12:34:00 PM

  1. 192.168.0.10 is a virtual machine running Debian; I have UFW on this Debian VM and port 1701 is not in any UFW rules (so it's not allowed).
  2. I have done a grep on the ports of the Debian VM using: sudo netstat -tulpn | grep 1701 (found nothing)
  3. I assume the port scan has been done on all the machines in my network?
  4. How can I find out where the scan comes from?
  5. What are the consequences? What should I do next?

Solution

  • So from what I understand of what you published, 104.152.52.xxx made a scan. What's odd is how he could effectively reach your machine at 192.168.0.10, so I believe you have port forwarding enabled on your router. *-{see edit}

    I also assume that the IP address of your VM is bound directly to your home network 192.168.0.0/24 (and not in a subnetwork on Windows 10). So your router should be accessible at 192.168.0.1 (or sometimes 192.168.0.254).

    Consequences of a scan?

    Is it normal?

    What to do next?

    == EDIT ==

    Another possibility besides port forwarding, which seems to be the answer:
    If the VM is in a DMZ, then all unassigned ports on the router may be (depending on the router) redirected to the VM; therefore, a scan on the public IP address would result in a scan on the VM.
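
One way to check from the Debian VM whether outside traffic is really being forwarded to it, as the port-forwarding/DMZ explanation above suggests, is to summarize UFW's block log by source address. This is an added example, not part of the original question or answer; it assumes UFW logging is enabled (`ufw logging on`) and that the log is read from wherever the system stores it (typically /var/log/ufw.log). The sample log lines and their addresses are constructed.

```python
import ipaddress
import re
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.0.0/24")  # home network named in the post
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample in the kernel-log format UFW writes; documentation-range
# addresses stand in for the outside hosts (not values from the post).
_ROWS = [
    ("BLOCK", "203.0.113.7", "TCP", 1701),
    ("BLOCK", "203.0.113.7", "TCP", 22),
    ("BLOCK", "203.0.113.7", "TCP", 3389),
    ("BLOCK", "203.0.113.7", "TCP", 8080),
    ("BLOCK", "192.168.0.23", "TCP", 445),   # another LAN host, single port
    ("BLOCK", "198.51.100.9", "UDP", 1701),  # not TCP, ignored below
    ("ALLOW", "192.168.0.23", "TCP", 22),    # allowed traffic, ignored below
]
SAMPLE_LOG = "\n".join(
    f"Jan 19 12:30:0{i} debian kernel: [UFW {act}] IN=eth0 OUT= SRC={src} "
    f"DST=192.168.0.10 LEN=44 TTL=240 PROTO={proto} SPT=51000 DPT={dpt}"
    for i, (act, src, proto, dpt) in enumerate(_ROWS)
)

def summarize_blocks(log_text, min_ports=3):
    """Group blocked TCP packets by source and flag multi-port probing."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        if "[UFW BLOCK]" not in line:
            continue
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or "SRC" not in f or "DPT" not in f:
            continue
        ports[f["SRC"]].add(int(f["DPT"]))
    report = [
        {
            "src": src,
            # A source outside the LAN means the router passed it through
            # (port forwarding or DMZ), which is what the answer suspects.
            "external": ipaddress.ip_address(src) not in LAN,
            "ports": sorted(dpts),
            "scan_like": len(dpts) >= min_ports,  # threshold is an assumption
        }
        for src, dpts in ports.items()
    ]
    return sorted(report, key=lambda r: -len(r["ports"]))

if __name__ == "__main__":
    for row in summarize_blocks(SAMPLE_LOG):
        print(row)
```

If external sources show up in the VM's own log, the router is forwarding unsolicited inbound traffic to 192.168.0.10, and the router's port-forwarding and DMZ settings are the place to look.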