Attacker has been temporarily blocked??

I see this during some high logged events. Does this mean they will get in soon? Or is this another way of saying blocked in comodo?

Hi, can you post your logs to show what you’re experiencing?

When you open the Activity Log, click on the item, right-click and select “Export HTML” and save the file. You can resave as a Text file in order to edit out the unnecessary info (in other words, just include the specific events you’re concerned about).

Then attach to your post (under “Additional Options”).

LM

Hi all,
I’m new around here… but I have been using CFW for almost one year now, and I’m very happy with it.
Today I’ve experienced some events, more than usual, in the way cheater87 was describing…
The first IP I get a lot is 10.10.x.x… it can be from Messenger – I don’t know, but I get a lot of it lately.
The last four (actually two) are because at that time I was browsing some Google Maps.
I don’t really have the time to check all the topics - I’m keeping almost :) all my ports usually closed; is there something I should worry about?
Is there a way – or a plan for the future – to implement an immediate popup attack notification?
Thanks

[attachment deleted by admin]

gaby,

Welcome to the forums!

The 209.x.x.x and the 66.x.x.x IPs are Google’s. The 10.x.x.x address is reserved for network addressing; it’s an “internal” LAN IP address range, probably most common in business settings.

The primary thing is that by seeing the Block entries in the logs, you know CFP is stopping the access. The down side is that you don’t know what is causing them.

Have you been to any “dodgy” sites lately? Cleared your browser cache lately? Run any virus/spyware scans lately? Etc.

Are the probes continuing?

LM

Thanks, LM for the quick answer…
Not from dodgy sites, for sure. I’m also browsing with FF, JavaScript blocked. I also saw that the sites are from Google, that’s why I was surprised - Google is not Java-blocked;… cache, every 5 minutes… is a reflex… also using Comodo AV.

OK then, I’ll increase the block time to a safe limit.
Thank you again.

For the Google ones, you could always contact them to see what they have to say. You never know…

LM

Indeed.

gaby,

Tnx for the ■■■. Just to respond here so I keep track of who’s where’s what, and keep the documentation going for the Development team… ;D

I understand, as you say, that you’re on a cable connection, and seem to be getting portscans from your ISP. You’ve recently used Azureus, or else you’d dismiss this as a false alarm.

I’m starting to see a definite connection to what other users are reporting of this same scenario - cable connection, CFP reporting a blocked portscan from ISP (typically DNS server), and perhaps some connection to p2p programs.

Have you contacted your ISP to see if they can/will shed any light on the situation? I’m interested to hear their feedback. So far, users have been told only that yes, the IP addresses are theirs, and are legit; that they don’t know what the traffic is and it could be related to p2p application usage; that their (the ISP) Server may have “flipped.”

If you are concerned about any ports being open, you can use a free utility like SuperScan 4, available from Foundstone http://www.foundstone.com/resources/freetools.htm which can scan your localhost (127.0.0.1) to see if you have any open ports. This is a far more reliable test of security than an online test that scans externally.

LM

PS: I don’t think you need to be overly concerned about a security breach; if indeed someone (from whatever source) is trying to access your machine, the firewall is stopping them. I am beginning more and more to think that this is related to “feedback” off of the cable network (i.e., other users’ traffic bouncing along the line, creating noise), rather than a serious attempt at a portscan.
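The localhost port check LM suggests above, written out as a small TCP connect scanner (an added example, not Comodo’s, Foundstone’s or the poster’s own code). It distinguishes an open port (connection accepted) from a closed one (active refusal) and from one that simply times out, which is what a filtered port looks like from outside. Note the caveat a practitioner would add: scanning 127.0.0.1 only exercises the loopback interface, so a service bound solely to the LAN or WAN address will not show up here. The host, port range and timeout are illustrative assumptions.

```python
"""Added example: minimal TCP connect scan of a host (the kind of check
SuperScan performs against 127.0.0.1). Not code from the original thread."""
import socket
from typing import Dict, Iterable, List


def scan_tcp_ports(host: str, ports: Iterable[int], timeout: float = 0.3) -> Dict[int, str]:
    """Return {port: state} where state is 'open', 'closed' or 'filtered'.

    'open'     - the three-way handshake completed: something is listening.
    'closed'   - the stack answered with a reset: nothing is listening.
    'filtered' - no answer within `timeout` (or the host was unreachable);
                 a firewall is most likely dropping the packets silently.
    """
    results: Dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect((host, port))
            except ConnectionRefusedError:
                results[port] = "closed"
            except socket.timeout:
                results[port] = "filtered"
            except OSError:
                # e.g. network unreachable: treat as not answering
                results[port] = "filtered"
            else:
                results[port] = "open"
    return results


def open_ports(host: str, ports: Iterable[int], timeout: float = 0.3) -> List[int]:
    """Convenience wrapper: just the ports that accepted a connection, sorted."""
    return sorted(p for p, state in scan_tcp_ports(host, ports, timeout).items() if state == "open")


if __name__ == "__main__":
    # Assumed range: the well-known ports on the loopback interface.
    # Loopback scans are fast because refusals come back immediately.
    listening = open_ports("127.0.0.1", range(1, 1025))
    print("listening on loopback:", listening or "nothing")
```

Against a box that really has nothing listening, the loopback scan returns an empty list; against the same box from the Internet, CFP’s stealth rules would make every port look `filtered`, which is why the two kinds of test answer different questions (what is bound locally versus what the firewall exposes).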

Hi LM,

Thank you for the valuable link for tools. The “attacker” is more of the application I was looking for, but is binding to my generic IP, instead of the IP I receive when I connect.

I’ve been in a hurry to post here, instead of reading all the interesting topics related to these issues – it seems you get lots of them.
(example: https://forums.comodo.com/index.php/topic,7376.0.html
Can a Mod shed some light on this please?)

To summarize a little my configuration:

  • cable connection, dynamic IP, XP SP2 with TCP/IP and netmon, no sharing, NetBIOS, and so on, all ports stealth.
  • although I’ve used CPF for almost one year, I’ve only noticed the UDP port scans after using a torrent client. People in the thread “ISP linked DNS server is port scanning” on Wilders Security Forums comment that this is a CFP bug, but I wouldn’t be so sure, unless some CPF upgrade that introduced the bug occurred in the same time period.
  • now I’m suspecting more that this is caused by some keep-alive feature of some router/active equipment, since all users experiencing this have similar configurations. Would an attacker scan the same ports twice in 20 minutes, but changing IP like in the log below?

Date Created: 00:38:17 27-03-2007

Log Scope:: Today

Date/Time :2007-03-27 00:00:52
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 10.10.2.73
Ports: 17685, 17941, 18197, 18453, 18709, 18965, 19221, 19477, 19733, 19989, 20245, 20501, 20757, 21013, 21269, 21525, 21781, 22037, 22293, 22549, 22805
The attacker has been temporarily blocked

Date/Time :2007-03-27 00:00:17
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 5.116.105.30
Ports: 17685, 17941, 18197, 18453, 18709, 18965, 19221, 19477, 19733, 19989, 20245, 20501, 20757, 21013, 21269, 21525, 21781, 22037, 22293, 22549, 22805
The attacker has been temporarily blocked

End of The Report


  • contacting the ISP won’t be of any help for me; here there’s no such variety of ISPs to choose from, so I already know that they won’t even bother to answer.
  • an optional honeypot port would be nice to have in one of the next CPF versions.

Anyway, I’m no longer concerned about these scans, until next time when I’ll have to open a port :)

Thank you again, Gaby
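The log excerpt in Gaby’s post is worth reading with a parser rather than by eye, and the question “would an attacker scan the same ports twice from two IPs?” is exactly the kind of thing a small correlation script answers. The following is an added example, not part of the thread and not Comodo code: it parses the exported Network Monitor report format shown above, computes the step between the reported ports (in the posted records every port is exactly 256 above the previous one), and groups records whose port list is identical but whose attacker addresses differ within a time window. The sample input is the two records from the post, embedded verbatim; the window length and field names in the output are illustrative choices.

```python
"""Added example: parse a Comodo Network Monitor text export and correlate
port-scan records. Not code from the original thread or from Comodo."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample: the two records quoted in the post above.
SAMPLE_LOG = """Date/Time :2007-03-27 00:00:52
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 10.10.2.73
Ports: 17685, 17941, 18197, 18453, 18709, 18965, 19221, 19477, 19733, 19989, 20245, 20501, 20757, 21013, 21269, 21525, 21781, 22037, 22293, 22549, 22805
The attacker has been temporarily blocked

Date/Time :2007-03-27 00:00:17
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 5.116.105.30
Ports: 17685, 17941, 18197, 18453, 18709, 18965, 19221, 19477, 19733, 19989, 20245, 20501, 20757, 21013, 21269, 21525, 21781, 22037, 22293, 22549, 22805
The attacker has been temporarily blocked
"""


class ScanEvent(NamedTuple):
    when: datetime
    severity: str
    description: str
    attacker: str
    ports: Tuple[int, ...]
    blocked: bool


# The export writes "Date/Time :value" and "Description: value"; accept both spacings.
FIELD_RE = re.compile(r"^(Date/Time|Severity|Reporter|Description|Attacker|Ports)\s*:\s*(.*)$")


def _finish(fields: Dict[str, str]) -> ScanEvent:
    ports = tuple(int(p) for p in fields.get("Ports", "").split(",") if p.strip())
    return ScanEvent(
        when=datetime.strptime(fields["Date/Time"], "%Y-%m-%d %H:%M:%S"),
        severity=fields.get("Severity", ""),
        description=fields.get("Description", ""),
        attacker=fields.get("Attacker", ""),
        ports=ports,
        blocked=fields.get("blocked") == "yes",
    )


def parse_log(text: str) -> List[ScanEvent]:
    """Split the export into records; a new 'Date/Time' line starts a record."""
    events: List[ScanEvent] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        match = FIELD_RE.match(line)
        if match:
            key, value = match.groups()
            if key == "Date/Time" and current:
                events.append(_finish(current))
                current = {}
            current[key] = value
        elif line.startswith("The attacker has been temporarily blocked"):
            current["blocked"] = "yes"
    if current:
        events.append(_finish(current))
    return events


def port_stride(ports: Tuple[int, ...]) -> Optional[int]:
    """Return the constant step if the ports form an arithmetic progression, else None.
    A fixed stride points to one generator of the packets, not to random noise."""
    if len(ports) < 2:
        return None
    steps = {b - a for a, b in zip(ports, ports[1:])}
    return steps.pop() if len(steps) == 1 else None


def correlate(events: List[ScanEvent], window_seconds: int = 1800) -> List[dict]:
    """Flag identical port lists reported for different attacker IPs inside the window."""
    by_ports: Dict[Tuple[int, ...], List[ScanEvent]] = defaultdict(list)
    for event in events:
        by_ports[event.ports].append(event)
    findings = []
    for ports, group in by_ports.items():
        attackers = sorted({e.attacker for e in group})
        if len(attackers) < 2:
            continue
        times = sorted(e.when for e in group)
        span = int((times[-1] - times[0]).total_seconds())
        if span <= window_seconds:
            findings.append({
                "attackers": attackers,
                "private_sources": [a for a in attackers if ipaddress.ip_address(a).is_private],
                "port_count": len(ports),
                "stride": port_stride(ports),
                "span_seconds": span,
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the posted records this yields one finding: two source addresses, one of them in the private 10.0.0.0/8 range, hitting the same 21 UDP ports with a constant stride of 256 within 35 seconds. That regularity is what makes the “same equipment on the cable segment” hypothesis in the post plausible: a scanner looking for services would not normally step through ports in multiples of 256.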

Can you explain a little more what you mean by this? I see no reference in your logs to an application, which would be regarding any outbound attempt (as if your system had been compromised). The only thing I see is blocked inbound attempts.

Tnx,

LM

The “attacker” application from http://www.foundstone.com/resources/freetools.htm
or something similar

Gotcha! Now I understand. Sorry, my mind went in a completely different direction when you said attacker. I thought you meant a real one, LOL, not referring to the intrusion detection tools. ;D

Let me know how that works for you…

LM