Author Topic: Dodgy firewall alert?  (Read 4417 times)

Offline jakeed

  • Newbie
Dodgy firewall alert?
« on: March 29, 2013, 12:34:03 PM »
Hi all,

I'm curious about a firewall alert I had yesterday. System attempted to connect to the internet on port nbname(137). I looked up the IP https://ipdb.at/ip/203.55.18.106 and it is registered in Perth, Australia to a company called MetaTECH. I did a whois for the hostname http://whois.domaintools.com/boutiquewealth.com.au rather than visiting the site and they appear to be financial advisers. I also noticed that the site has no WOT or Avast WebRep rating; I don't know whether that is a good or a bad thing, more likely bad I suppose.

I did a bit of Googling as to what nbname is as this is beyond my level of understanding. Apparently NBName is a virus whereas nbname is a legitimate process http://forums.comodo.com/leak-testingattacksvulnerability-research/nbname-port-137-t38043.0.html though I don't see how a company not affiliated with any of the software on my computer can legitimately request an internet connection from my computer?

Anyway, naturally, I blocked this connection attempt but I am very curious as to what this might have been about. Seems pretty dodgy to me. In my naivety it sounds like what may happen if my computer was to be part of a DDoS attack? I am happy to believe this was a harmless occurrence but do not know enough about this kind of thing to rule out some nefarious activity. This has happened once before on the same port, but on looking up the IP address it appeared to be registered to Java. I also blocked this attempt as I wasn't sure.

Anyone know what this could have been about, or had similar experiences?
Any feedback is appreciated.

-Paranoid internet user.

Offline Citizen K

  • Global Moderator
  • Comodo's Hero
Re: Dodgy firewall alert?
« Reply #1 on: March 29, 2013, 01:41:38 PM »
Hello Jakeed, Welcome to the Comodo Forums.

Are you sure System was making an outbound connection and not being asked to allow an inbound connection?

Is your computer directly connected to the web by only a modem with no router present?

Offline jakeed

  • Newbie
Re: Dodgy firewall alert?
« Reply #2 on: March 29, 2013, 02:36:44 PM »
Hi,

Thanks for the reply,

Just checked the log and it was in fact an inbound connection I think - it was a UDP connection, for the source it says 203.55.18.106 and destination 192.168.1.3 so I guess that makes it inbound? I suppose that would rule out my (super-paranoid) DDoS theory!

I connect to the web via a router.

Offline Citizen K

  • Global Moderator
  • Comodo's Hero
Re: Dodgy firewall alert?
« Reply #3 on: March 29, 2013, 02:53:04 PM »
Quote
> Hi,
>
> Thanks for the reply,
>
> Just checked the log and it was in fact an inbound connection I think - it was a UDP connection, for the source it says 203.55.18.106 and destination 192.168.1.3 so I guess that makes it inbound?

That makes it an inbound connection.

Quote
> I suppose that would rule out my (super-paranoid) DDoS theory!
>
> I connect to the web via a router.

In that case your router has port 137 open. Please close that port on your router. It is not good to have a standard port like this open to the web.

Offline jakeed

  • Newbie
Re: Dodgy firewall alert?
« Reply #4 on: March 29, 2013, 03:26:21 PM »
I've looked in the port forwarding section of my router and no ports are listed there. Wouldn't it be listed there if it was open, and wouldn't I have to have opened it? I can't see any immediately obvious sections on my router settings that would allow me to close ports. Do you know which section I would have to go into to do this?

http://imgur.com/GMYSljC

Offline Citizen K

  • Global Moderator
  • Comodo's Hero
Re: Dodgy firewall alert?
« Reply #5 on: March 29, 2013, 04:25:26 PM »
There are two things that can explain the alert you got.

The first one is that your computer is in the Demilitarised Zone (DMZ). In the DMZ your computer is set outside the router/firewall zone and is directly connected to the web.

Or, more likely, the ports were opened by an application that used the Universal Plug and Play framework and did not close them.

 
