Jump to content

Problem with Norton - did I do a bad thing?


Recommended Posts

After using uTorrent for a couple of months, I have suddenly gotten 5 "intrusion blocks" in the last few hours. NIS seems to be saying that it is MY machine that is attacking a machine that is connected as a peer. The log reads as follows:

Details: Attempted Intrusion "MS Windows H.323 BO (2)" from your machine against _._._._ (a machine in my connected peer list) was detected and blocked.

Intruder: ______(name and local address of my machine).

Risk Level: High.

Protocol: TCP.

Attacked IP: __.__._.__. (the peer)

Attacked Port: 1720.

After searching this forum, I configured NIS to ignore "MS Windows H.323 BO (1)" and "MS Windows H.323 BO (2)". Was that the best solution? I get the impression from reading other posts related to NIS that this is an unnecessary block, but I don't want to leave myself open to any REAL threats, and I am especially concerned that it seems to indicate it is ME that is doing the attacking!

Any advice would be appreciated. I know that many people seem to think the NIS is junk and should be replaced, but it works best for me for a variety of reasons. It seems to get along well with PeerGuardian and my network, so why mess with a (usually!) good thing?

Link to comment
Share on other sites

Perhaps it was the other computer using that port? I have to admit I don't totally understand ports, but I have uTorrent set to only use 30065 and not a random port, since I had to configure my router to deal with it.

eta: Okay, I'm learning - I just checked and apparently the outgoing port I was using at the time was 2393. The 30065 is my incoming port.

I think the 1720 refers to the other machine (the peer) because it shows that as the "attacked port" right after it shows his ip as the "attacked ip".

Link to comment
Share on other sites

He's not using a vulnerable port. It's only as vulnerable as the application listening on the port, and µTorrent isn't vulnerable. It's just NIS's heuristic detection thinking that any application that attempts to connect to port 1720 on someone else's computer is being malicious. The reason some people use port 1720 is because there was a time when that port was unblocked by Rogers, and several other ISPs. Those days are long gone, and the port gets throttled by most ISPs nowadays, but people just don't bother changing sometimes.

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...