is someone trying to hack my pc??? [Resolved]

[Guest]

[ashu]

I see many logs in comodo firewall about access being denied to a ip for "inbound policy violation"
does that mean that ip is trying to access my pc???


see the attached image.....
http://i11.tinypic.com/6gkh6z4.jpg



plz help

[blackbinary]

I highly doubt it. If your computer has any mal-ware on it, it's probably that outside company etc. that is trying to contact it. Otherwise, it can easily be just useless junk that gets sent no-matter what. Even when i built my PC, just installed Comodo, plugged in the internet, and whammo. Alot of blocks there too. I guess it really depends just how many you are getting. If its 10+ a minute, you might have a problem, MAYBE. Again, if you block alot of programs, or on the other end, don't allow alot of programs yet, that could be responsible.

[Little Mac]

Looks like a UPnP multicast, possibly from a router.  Are you behind a router?  Any port-forwarding set on the router?

LM

[ashu]

Looks like a UPnP multicast, possibly from a router.  Are you behind a router?  Any port-forwarding set on the router?

LM

Yes....I am behind a router.....

[Little Mac]

Yes....I am behind a router.....

Can you identify the IP involved... 192.168.1.3?

This is an internal IP address (ie, on a network/behind a router).  In this scenario, there's often a lot of multicast "chatter."  The Destination IP address is a part of the subnet that is typically reserved/only used for multicast traffic (typically IGMP) - that being the 239.255.255.250 address.

The 192.168.1.3 IP would be another computer on your network/LAN, or perhaps a resource like a shared/networked printer, storage device, server, etc.  Thus, I would try to make sure that I knew what the device was. 

Also, is your router (and thus, the network) wireless?

LM

[ashu]

The 192.168.1.3 IP would be another computer on your network/LAN, or perhaps a resource like a shared/networked printer, storage device, server, etc.  Thus, I would try to make sure that I knew what the device was.

Yes i think you are right....its a computer cuz its in the range of my ip (192.168.x.x)......
also, i think, its a computer cuz we don't have shared printer/storage device on our network....

but is it possible that the ip is trying to access my pc???

Also, is your router (and thus, the network) wireless?

No..

[Little Mac]

but is it possible that the ip is trying to access my pc???

I doubt it.  Looks like network multicast traffic, based on UPnP and SSDP services being enabled in Windows.  Think of it this way... the computers on the LAN are like blindfolded people in a room together.  One wants to know if anyone named "Joe" is in the room, so they yell, "Hey, is Joe in here?"  Everybody hears it, but most ignore it.  The person yelling hopes that Joe will answer if he's there.  Same sort of thing.  Computers on the LAN that have UPnP & SSDP services active want to know if there are any UPnP devices or computers out there.  So they "shout" to see if they get a response. 

If someone were trying to gain access, you'd likely see some more log entries than a few on those types of ports.  It's always possible that something is going on, but not very likely in my opinion.

LM

[ashu]

Wait take a look at this.........


A different ip this time......and it doesn't seems to belong my network.....
I got several "inbound policy violation" logs from this ip as well...

[Little Mac]

That's NetBIOS traffic (another Windows service to be disabled, along with UPnP & SSDP...).  The ports (137, 138) give it away.  Again, very common, especially on networks.

The 169.x.x.x IP is an "error" IP; non-routable, and the result of not having an active internet connection/IP address established when the traffic was experienced.  You note that both Source & Destination IPs are 169.x.x.x.

LM

[ashu]

thanks little mac for your great help.......
'am completely a newbie to networking and stuff......thanks a lot... .


so is there anything to worry about ?

[Little Mac]

I really don't think so.  Here's the thing to boost your confidence...  Even if it is someone trying to access your computer, it is being blocked, as you can clearly see from the logs.

But I really don't think that's what it is; I think it's simply network chatter.  It can certainly fill up your logs, though. 

If you want to clear that out of the logs, you can create a simple rule in Network Monitor.  This is fine to do, as you already know they're blocked and it's not impacting your connectivity.

Open Network Monitor.  Go to the very bottom rule (the Block & Log IP In/Out rule).  Right-click and select "Add/Add Before."  This is how the rule will look:

Action:  Block (but don't check the box to create an alert - that would cause the rule to be logged)
Protocol:  TCP/UDP
Direction:  In
Source IP:  Any
Destination IP:   Any
Source Port:  Any
Destination Port:  A Set of Ports:  137,138,1900 (no space after the comma)

OK.  Reboot.

That should help significantly.

LM

[ashu]

Thanks my friend, you were great help........

ashu

[Little Mac]

Glad to help, ashu.  I'll mark the topic as resolved, and close it.  If you need it reopened, just PM a Moderator (please include a link back here) and we'll be glad to do so.

LM

[Tags:]