Nmap TCP scan mystery
First post here, but long time F-Secure user.
Have: F-Secure Client Security 9.31 build 118
The other day a user reported a "Intrusion attempt" popup
from F-Secure. "Nmap TCP scan. TCP high ports", and yes, it
looked like some random dsl machine in Finland were probing
a local port.
He had a few, spread over a few days, all from the same IP,
to various high ports, these varied both on target and
No trace in FW logs, and I did not really believe it was
reasonable to assume something had got through firewall/NAT
to probe a single local address, but I found nothing on the
machine to indicate it was locally initiated either.
Looking further, I found six other machines on the network,
all had had the same "attack", sporadically for months. days
and weeks between, in from consumerspace, different IP every
time, checking a high port.
A common thing among the six latter machines was that all
had Spotify installed and running but i'm unsure it this is
Now, and this baffles me further, looking at the remote
addresses (all different), but all on the same domain too: I
checked the first 15, all in Sweden, all on the form:
Note that this is in a way two cases, the first many
contacts between two specific machines, the second six
different machines here, and several machines in the telia,
com domain. Probably ok, probably some peer-to-peer stuff,
but i'd like to understand it.
I have been googling here, there and everywhere in addition
of checking with my local f-secure supplier, but until now,
none the wiser. Any clues would be appreciated.
Regards, Chrr Rekkedal // Bellona