Advice needed please.

Hi,

3 times in the last two days I’ve had high severity events logged. It’s a UDP ports scan and lists a whole load of ports scanned. It’s the same IP each time.
I entered this IP into Hover IP and it came up with this…


http://img402.imageshack.us/img402/6361/magicalsnap200703162102mq9.th.jpg

Anyone know what it means and what I should do?

Thanks.

Did you google it?

Hi JolietJake

Would you provide a little more detail on the Log entries please.

Toggie

I don’t have the logs anymore unless Comodo saves them somewhere. Next time it happens I’ll copy and paste everything.

C:\Documents and Settings\All Users\Application Data\Comodo\Personal Firewall\Logs\Logs.log

Starting with v2.4 logs are saved there.

Here it is…

Date/Time :2007-03-20 09:43:28
Severity :High
Reporter :Network Monitor
Description: TCP Port Scan
Attacker: 199.239.138.200
Ports: 61446, 55302, 55558, 55814, 56070, 56326, 56582, 56838, 57094, 57350, 57606, 57862, 58118, 58374, 58630, 58886, 59142, 59398, 59654, 59910, 60166, 60422, 60678, 60934, 61190, 9523, 47899, 275, 52021, 53585, 17751, 16721, 5465, 59283, 65243, 14138, 727, 53505, 21573, 21717, 13397, 46635, 7590, 13117, 6458, 53317, 20741, 21585, 33361, 15280
The attacker has been temporarily blocked

I came up with this, based on your log entry:

199.239.138.200 USA - Colorado NTTA-199-236 NTT America, Inc. 199.236.0.0 - 199.239.255.255 NTT America, Inc. 8005 South Chester Street, Suite 200, Centennial vipar@us.ntt.net abuse@ntt.net +1-800-551-1630 ARIN

Has this occurred more than once? Were you on a specific website when it occurred, or downloading, etc - some precise activity that you can pinpoint (to which it seemed connected)?

LM

I’ve no idea when it happened. It’s happened about 4 times now in the past week.

Is there any way to get Comodo to warn on a high severity warning so I can tell?

No warning on an unsolicited inbound connection attempt, via Network Monitor, I’m afraid. You’ll get warnings if an application attempts to create an unauthorized outbound connection, or if components of an allowed application change, or an ABA offense occurs. But at present, Network Monitor does not trigger alerts.

You could use a utility like CurrPorts or TCPView to watch your connections, to see if anything is contacting that IP range, or turn on logging for your outbound TCP/UDP rule, and see if there are any connects. If you can’t come up with any contact from your computer to that IP range, and the inbound alerts continue, I’d contact my ISP with this information, to have them investigate.

LM
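An added example, not part of any post in this thread and not Comodo's code: a small triage script for the checks suggested above. It groups scan entries by attacker, and it filters a list of remote addresses (such as those shown by TCPView or CurrPorts) to the 199.236.0.0 - 199.239.255.255 range from the whois reply. It assumes log entries in the layout pasted earlier in the thread; the timestamps, port lists, the second attacker address and the remote-address list are constructed sample data.

```python
import ipaddress
import re
from collections import defaultdict

# Range quoted in the whois reply: 199.236.0.0 - 199.239.255.255
WATCH = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("199.236.0.0"), ipaddress.ip_address("199.239.255.255")))
FIELD = re.compile(r"^\s*([A-Za-z/ ]+?)\s*:\s*(.*)$")

# Constructed sample entries in the layout of the log entry pasted in the thread.
ENTRY = ("Date/Time :{ts}\nSeverity :High\nReporter :Network Monitor\n"
         "Description: TCP Port Scan\nAttacker: {ip}\nPorts: {ports}\n"
         "The attacker has been temporarily blocked\n")
SAMPLE_LOG = "".join(ENTRY.format(ts=t, ip=i, ports=p) for t, i, p in [
    ("2007-03-18 21:02:11", "199.239.138.200", "61446, 55302, 55558"),
    ("2007-03-20 09:43:28", "199.239.138.200", "55302, 9523, 47899"),
    ("2007-03-20 10:15:00", "192.0.2.10", "137, 138"),
])

def in_watch_range(ip):
    """True if ip falls inside the watched whois range."""
    return any(ipaddress.ip_address(ip) in net for net in WATCH)

def summarise(text):
    """Group scan entries by attacker: event count, distinct ports, range hit."""
    out = defaultdict(lambda: {"events": 0, "ports": set(), "in_range": False})
    cur = None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # e.g. the "temporarily blocked" line has no field
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Attacker":
            cur = out[val]
            cur["events"] += 1
            cur["in_range"] = in_watch_range(val)
        elif key == "Ports" and cur is not None:
            cur["ports"].update(int(p) for p in val.split(",") if p.strip())
    return dict(out)

def remotes_in_range(remote_addrs):
    """Filter remote addresses (e.g. copied from TCPView) to the watched range."""
    return [ip for ip in remote_addrs if in_watch_range(ip)]

if __name__ == "__main__":
    for ip, info in summarise(SAMPLE_LOG).items():
        print(ip, info["events"], len(info["ports"]), info["in_range"])
```

An attacker with repeated events and a non-empty `remotes_in_range` result points at traffic your own machine has with that range; repeated events with no matching outbound connections is the case the last reply suggests taking to the ISP.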