Topic: FW log flooded with unusual activity on port 2869 [Resolved]
mbg
« on: December 08, 2007, 10:07:20 AM »

My firewall logs are overloaded with blocked events on port 2869. Do I have a problem with my rules or am I really being scanned from the outside?

It seems that I also have problems with the system getting an address from my DHCP server (router).

I have a cable modem connected to a router to which my PC is connected.

Here is what I have in my logs:


2007-11-26 08:14:34   C:\WINDOWS\system32\svchost.exe   Blocked   192.168.1.1   3022   192.168.1.3   2869
2007-11-26 08:14:52   C:\WINDOWS\system32\svchost.exe   Blocked   192.168.1.1   3023   192.168.1.3   2869
2007-11-26 08:14:55   C:\WINDOWS\system32\svchost.exe   Blocked   192.168.1.1   3024   192.168.1.3   2869
2007-11-26 08:14:58   C:\WINDOWS\system32\svchost.exe   Blocked   192.168.1.1   3025   192.168.1.3   2869
2007-11-26 08:15:10   System Idle Process   Blocked   0.0.0.0   68   255.255.255.255   67
2007-11-26 08:15:13   C:\WINDOWS\system32\svchost.exe   Blocked   192.168.1.1   3026   192.168.1.3   2869
2007-11-26 08:15:16   C:\WINDOWS\system32\svchost.exe   Blocked   192.168.1.1   3027   192.168.1.3   2869
2007-11-26 08:15:19   C:\WINDOWS\system32\svchost.exe   Blocked   192.168.1.1   3028   192.168.1.3   2869
2007-11-26 08:15:37   C:\WINDOWS\system32\svchost.exe   Blocked   192.168.1.1   3029   192.168.1.3   2869
2007-11-26 08:15:40   C:\WINDOWS\system32\svchost.exe   Blocked   192.168.1.1   3030   192.168.1.3   2869
2007-11-26 08:15:43   C:\WINDOWS\system32\svchost.exe   Blocked   192.168.1.1   3031   192.168.1.3   2869
2007-11-26 08:15:56   C:\WINDOWS\system32\svchost.exe   Blocked   192.168.1.1   3032   192.168.1.3   2869
2007-11-26 08:16:00   C:\WINDOWS\system32\svchost.exe   Blocked   192.168.1.1   3033   192.168.1.3   2869
2007-11-26 08:16:03   C:\WINDOWS\system32\svchost.exe   Blocked   192.168.1.1   3034   192.168.1.3   2869


I have a trusted lan zone defined in 192.168.1.1



I have the following NTW rules in place  (see attachment 1):



I have the following APPS rules in place (see attachment 2):



« Last Edit: December 11, 2007, 02:51:09 PM by JJasper » Logged
Coolio10
« Reply #1 on: December 08, 2007, 10:11:13 AM »

Those blocks are your router trying to tell the system the address.
Logged

mbg
« Reply #2 on: December 08, 2007, 01:39:09 PM »

OK, but which address? Why on dest. port 2869?
I thought this port was used by the for PnP ... 

What about the 5th line?
2007-11-26 08:15:10   System Idle Process   Blocked   0.0.0.0   68   255.255.255.255   67

EDIT 2007-12-09 and 2007-12-10 /MBG
I have installed the new patched version and the situation was back to normal (as far as port 2869 is concerned) for a few minutes. I still have the same problem today.

I still have those events that I think shouldn't be blocked as per my global network rules:


Date/Time   Application   Action   Source IP   Source Port   Destination IP   Destination Port
2007-12-09 12:29:51   Windows Operating System   Blocked   0.0.0.0   68   255.255.255.255   67
2007-12-09 12:30:51   Windows Operating System   Blocked   0.0.0.0   68   255.255.255.255   67
2007-12-09 12:32:51   Windows Operating System   Blocked   0.0.0.0   68   255.255.255.255   67
2007-12-09 12:34:51   Windows Operating System   Blocked   0.0.0.0   68   255.255.255.255   67
2007-12-09 12:36:51   Windows Operating System   Blocked   0.0.0.0   68   255.255.255.255   67
2007-12-09 12:38:52   Windows Operating System   Blocked   0.0.0.0   68   255.255.255.255   67
2007-12-09 12:39:51   Windows Operating System   Blocked   0.0.0.0   68   255.255.255.255   67
2007-12-09 12:40:51   Windows Operating System   Blocked   0.0.0.0   68   255.255.255.255   67
« Last Edit: December 10, 2007, 08:45:55 AM by mbg » Logged
mbg
« Reply #3 on: December 11, 2007, 01:51:13 PM »

Port 2869: I updated my router firmware recently and for some reason, the UPnP option was activated. The router was therefore sending those events on the LAN. I disabled it and everything is back to normal, including the DHCP broadcast from 0.0.0.0 (don't know why).

Please close
Logged
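
Added example (not part of any post in this thread): a small triage script for logs in the column layout shown above, separating a single LAN host hitting one destination port from a sweep across many ports, which is the "rules problem or scan?" question the thread asks. The sample lines are constructed in the posted format; the function names, labels and the 10-port threshold are assumptions, and the log does not record the protocol, so port 2869 is treated as the Windows UPnP event notification port on port number alone.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the column layout of the log posted in this thread:
# time, application, action, source IP, source port, destination IP, destination port
SAMPLE_LOG = r"""
2007-11-26 08:14:34   C:\WINDOWS\system32\svchost.exe   Blocked   192.168.1.1   3022   192.168.1.3   2869
2007-11-26 08:14:52   C:\WINDOWS\system32\svchost.exe   Blocked   192.168.1.1   3023   192.168.1.3   2869
2007-11-26 08:15:10   System Idle Process   Blocked   0.0.0.0   68   255.255.255.255   67
2007-11-26 08:15:13   C:\WINDOWS\system32\svchost.exe   Blocked   192.168.1.1   3026   192.168.1.3   2869
"""

SCAN_PORT_THRESHOLD = 10  # assumption: this many distinct destination ports suggests a sweep


def parse(log_text):
    """Yield (src, sport, dst, dport) for each well-formed 7-column line."""
    for line in log_text.splitlines():
        fields = re.split(r"\t|\s{2,}", line.strip())
        if len(fields) == 7 and fields[4].isdigit() and fields[6].isdigit():
            yield fields[3], int(fields[4]), fields[5], int(fields[6])


def triage(log_text):
    """Group blocked events by (source, destination) and label each flow."""
    flows = defaultdict(lambda: {"count": 0, "dports": set(), "sports": set()})
    for src, sport, dst, dport in parse(log_text):
        flow = flows[(src, dst)]
        flow["count"] += 1
        flow["dports"].add(dport)
        flow["sports"].add(sport)

    report = {}
    for (src, dst), flow in flows.items():
        if dst == "255.255.255.255" and flow["sports"] == {68} and flow["dports"] == {67}:
            label = "dhcp-client-broadcast"   # DHCP client (68) to server (67)
        elif len(flow["dports"]) >= SCAN_PORT_THRESHOLD:
            label = "possible-port-scan"      # one source probing many ports
        elif not ipaddress.ip_address(src).is_private:
            label = "external-source"         # source address is not on a private range
        elif flow["dports"] == {2869}:
            label = "lan-upnp-eventing"       # LAN host, single port 2869
        else:
            label = "lan-other"
        report[(src, dst)] = (label, flow["count"])
    return report
```

Column header rows such as "Date/Time   Application   Action ..." are skipped because their port fields are not numeric.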
JJasper
« Reply #4 on: December 11, 2007, 02:52:43 PM »

I have marked this thread as resolved.  If you need to reopen it let a moderator know.
Logged
