A bit worried

Over the last few days, I have been looking through my Comodo firewall log, and found a very large number of blocked connections in the log, from seemingly random IPs, to random ports. I have not been able to find anything looking up the IPs and ports…

Can anyone here help? Or is there someone deliberately trying to access my machine?

Attached is the log file in a rar archive (HTML).

Thanks for any advice you can give

Matt

[attachment deleted by admin]

Hmmm, that's odd, I got an e-mail reply notification for this topic, for a reply from Panic - but there is nothing here! Odd… ???

Do you have a wired lan or a wireless one?

God bless the Queen.

I'm on a wireless LAN.

Hey matt,

Odd! I’ll have another ■■■■■ at it.

  1. Your logs have a series of alerts from IP 169.254.X.X to ports 137 and 138.

  2. You’ve also got a series of attempted connections using a range of IP/port combinations.

  3. One scenario that would produce alerts just like these is an iPod-like device attached to your network that can’t get an IP (possibly from your ADSL modem/router).

  4. If you run P2P apps, like Azureus or similar, and hadn't allowed incoming connections in network monitor, you’d get alerts exactly like these.

Are either of these guesses right?

Ewen :slight_smile:

Ok, first and foremost please read How To: Sniffing the Air. I cannot help you with this but it would be useful to snort your LAN…

About those Network Monitor Inbound Policy Violations: they don’t use the same source ports or destination ports. They came from your country's IP range, from another dialup user. You need to watch for those. You should try to remember what internet apps you were running at that time. If you don’t remember then you need to look at the log until you find what app is requesting inbound connections. Usually at least one end (source port or destination port) has to be the same for all connections; this is not the case and it is strange for me, maybe they are caused by your internet gaming apps…

Look for Setup_c72a.exe on your hd and delete it. Maybe you installed some messenger related app, but you can safely remove the setup app now.

PnkBstrA/B are PunkBuster apps to prevent cheating. Maybe you should allow them…

You were trying to download something by ftp from ea.com (autoupdate?) but the connection was blocked, maybe the data was downloaded using http.
You need to set Passive mode for ftp connections.

Regarding those alerts from IP 169.254.X.X, they seem to belong to a UPnP capable device that cannot get an IP from the DHCP server (usually your router). Is your wifi LAN encrypted? How many LAN based devices do you have?

You should add multicast ip ranges (239.0.0.0-239.255.255.255 and 224.0.0.0-224.0.0.255) to your network monitor rules.
Create them as zones and add them to your trusted zones.
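The heuristics in this reply and in Panic's list above (link-local 169.254.x.x sources hitting NetBIOS ports 137/138, multicast destinations, and the rule of thumb that legitimate app traffic shares at least one fixed port across all its connections) can be turned into a small log triage script. This is an added example, not code from the thread or from Comodo; the log rows are constructed to mimic the entries described, not Matt's real log, and the tuple layout is an assumption.

```python
import ipaddress
from collections import Counter

# Constructed sample rows: (direction, protocol, src IP, src port, dst IP, dst port).
# Shapes mirror the alerts discussed in the thread; the values are made up.
SAMPLE_LOG = [
    ("in", "UDP", "169.254.12.7", 137, "10.0.0.26", 137),
    ("in", "UDP", "169.254.12.7", 138, "10.0.0.26", 138),
    ("in", "UDP", "10.0.0.1", 1900, "239.255.255.250", 1900),
    ("in", "TCP", "203.0.113.45", 31502, "10.0.0.26", 21384),
    ("in", "TCP", "198.51.100.9", 4120, "10.0.0.26", 52077),
    ("in", "UDP", "192.0.2.88", 6881, "10.0.0.26", 9049),
]

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")        # APIPA, no DHCP lease
MULTICAST = [ipaddress.ip_network("224.0.0.0/24"),          # the ranges gibran names
             ipaddress.ip_network("239.0.0.0/8")]
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NETBIOS_PORTS = {137, 138}

def classify(entry):
    """Bucket one blocked connection by the most likely benign explanation."""
    _direction, _proto, src, sport, dst, dport = entry
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip in LINK_LOCAL:
        # A LAN host that never got an address, browsing for names (Panic's point 1)
        return "apipa-netbios" if dport in NETBIOS_PORTS else "apipa-other"
    if any(dst_ip in net for net in MULTICAST):
        return "multicast"          # SSDP/UPnP style group traffic, normally benign
    if any(src_ip in net for net in LAN_NETS):
        return "lan"
    return "internet-inbound"       # the entries worth a second look

def shares_a_port(entries):
    """gibran's rule: one end (src or dst port) is fixed across all of an app's connections."""
    if not entries:
        return None
    sports = Counter(e[3] for e in entries)
    dports = Counter(e[5] for e in entries)
    return (sports.most_common(1)[0][1] == len(entries)
            or dports.most_common(1)[0][1] == len(entries))

def triage(log):
    """Count each bucket and test the Internet-sourced entries for a common port."""
    buckets = {}
    for entry in log:
        buckets.setdefault(classify(entry), []).append(entry)
    report = {name: len(rows) for name, rows in buckets.items()}
    report["internet_inbound_shares_a_port"] = shares_a_port(buckets.get("internet-inbound", []))
    return report
```

A `False` in `internet_inbound_shares_a_port` is exactly the "strange" pattern gibran describes: random ports at both ends, which points at a P2P or UPnP-driven app rather than one fixed service.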

First and foremost, thank you very much to you and Panic for responding in such detail! It's unheard of for me to receive such support on a forum!

Okay, for your first question gibran, I think those alerts were generated whilst Windows Live Messenger was running - so maybe it is something to do with that. Running a Whois on those IPs seems to confirm that, as I was talking to a friend in Australia - and one IP happened to be registered in Melbourne! ;D But yes I agree, the random ports used were a big concern for me, and that's why I posted here.

Look for Setup_c72a.exe on your hd and delete it maybe you installed some messenger related app but you can safely remove the setup app now.

Yes, I recently installed “MsgPlusLive!”, a Windows Live Messenger extension. I'm running a search for that now.

PnkBstrA/B are a Punkbuster apps to prevent cheating. Maybe you should allow them...

Indeed they are, and they are now added - alt tabbing out of a punkbuster game revealed Comodo’s alert for it - which I have now allowed.

Regarding those alerts from IP 169.254.X.X they seem to belong to an upnp capable device that cannot get an ip from the dhpc server (usually your router). Is your wifi lan encrypted? how many lan based devices do you have?

Our LAN is made up of 2 desktops, 10.0.0.25 (dad’s PC); 10.0.0.26 (my pc), a laser printer (10.0.0.28) and a laptop when my dad is at home (unsure of the internal IP). All those are connected to the router via either cable or Wifi. I think my Desktop is the only unwired LAN device. Yes, my Wifi LAN is encrypted with WPA-PSK.

You should add multicast ip ranges (239.0.0.0-239.255.255.255 and 224.0.0.0-224.0.0.255) to your network monitor rules. Create them as zones and add them to your trusted zones.

Okay I shall add those now :slight_smile:

@Panic - I am not sure what could be trying to get an IP. I do not possess an iPod, and the only devices connected to my machine are a webcam and pen drives via USB.

I used to run P2P apps, and yes I experienced those alerts when the tracker didn’t update that I had stopped seeding. My father, however explained all that to me and put my mind at ease.

Thanks again for all your help!

Our LAN is made up of 2 desktops, 10.0.0.25 (dad's PC); 10.0.0.26 (my pc), a laser printer (10.0.0.28) and a laptop when my dad is at home (unsure of the internal IP). All those are connected to the router via either cable or Wifi. I think my Desktop is the only unwired LAN device. Yes, my Wifi LAN is encrypted with WPA-PSK.
You can run Airsnare (http://home.comcast.net/~jay.deboer/airsnare/) to catch the MAC address of that IP 169.254.X.X host, it should be caused by the laptop.

Maybe it is worth changing your WPA key using SG WLAN Key Generator to get a randomly generated 504 bit one.

According to Windows Messenger in Windows XP: Working With Firewalls and Network Address Translation Devices, if your router has UPnP disabled those ports are not used in Messenger, but looking at MSN Messenger Voice Does Not Work there is a mention of port 9049.

Just been playing with AirSnare… powerful program! It was picking up all of my messages that I was sending via MSN, on their way to the router! :stuck_out_tongue:

My dad uses his laptop to connect to the Wifi network where he works, and he thinks that the wifi network may dish out IPs in that range. So when he connects to the network at home, it broadcasts that IP. I shall use Airsnare to check next time I can. :slight_smile:

We are going to use that WLAN key generator and change our passkey, thank you for the link! bookmarked ;D

Our router does have UPnP enabled at this time, so I think it's looking more and more likely that Windows Live Messenger is the culprit.

Thanks for your continued help and patience! Unfortunately it will be another week before I can experiment with the laptop, so I shall continue monitoring the MSN situation, and PM you when I know what is going on with the laptop, and if necessary, research further. Thank you again! ;D

I have no first hand info about this, but your home network should have a netmask of 255.0.0.0.
Maybe the laptop has a fixed IP and a different netmask and cannot get an IP from the DHCP server. Usually the 169.254.0.0 to 169.254.255.255 range is used when a host cannot get an IP; it is unlikely that such an IP is used in a wifi network because the router acts as DHCP server.

Using UPnP, Messenger should have no problem, but some net apps using UPnP and opening random ports every time they are launched will have their inbound port blocked by CPF, because no one will risk opening a large port range for inbound connections in NM.

You are welcome :slight_smile: