Can you please interpret this firewall event!

Hello nice guys! I have been using Comodo for two years or more. Recently I have noticed intrusion attempts which were blocked by the one and only Comodo firewall. But I am not sure how to interpret the available data and understand it totally. Thus I am asking for your help.

Comodo Firewall event log shows 10 intrusion attempts within 24 seconds. Details are -

Application : Windows Operating System
Action: Blocked
Protocol: ICMP
Source IP: 66.28.139.208
Source Port: Type(3)
Destination IP: 10.80.119.175
Destination Port: Type(10)

Points to be noted:

  1. After an IP lookup I have found that the source IP belongs to Cogent Communications (Washington)
http://en.utrace.de/whois/66.28.139.208
  2. The same lookup site says that it cannot find anything for the destination IP 10.80.119.175.
http://en.utrace.de/?query=10.80.119.175
  3. None of the IPs are mine! How can that be possible?

  4. It happened while I was running the XAMPP Lite package to test WordPress on my computer.

  5. Just after seeing the event and doing the IP lookup (at that time) I tried the destination IP 10.80.119.175 in the address bar. Surprisingly it returned the WordPress dashboard!

But 12 hours after the incident, as I am writing this post, putting the destination IP 10.80.119.175 into the address bar results in the browser reporting "The server at 10.80.119.175 is taking too long to respond." Though everything is the same now as it was at the time of the incident.

  6. I am using Windows XP SP3.

Now can you please help me in understanding about what happened really?

Waiting for your kind reply.

Thanks.

UPDATE

The firewall has detected 3 more intrusion attempts by "Windows Operating System". This time -

1 attempt: source IP is 77.203.4.242 and destination is 10.80.63.190. Port Type(1)

Another 2 attempts are from 85.183.48.207 and destination is 10.80.95.80. Port Type(1)

AGAIN

This time 2 TCP attempts -

source 10.80.41.148, port 1943, and destination 10.80.106.108, port 5900

By the way, what does "Application : Windows Operating System" refer to?

The IP range 10.x.x.x is the private class A range, so one would assume that it has to do with your own network. Maybe something to do with your router?

It seems weird that you could browse to the private address; could it be that there is an entry in your hosts file using 10.80.119.175 as a host name?

Sorry I can’t offer more help

Cheers

Can you tell on what type of connection you are (cable, ADSL, dial-up, etc.)? Do you have a router present in your network? What is the name of your provider? Do you run a peer-to-peer client?

Dear bulgroz and EricJH, thank you very much for your reply. I am trying to explain the incident more to you, so that a reasonable answer can be constructed.

  1. I am using a dial-up connection. The service assigns different IPs on each login.

  2. On my PC I have no router attached. The connection to the PC is via a USB interface. The provider is a GSM mobile phone company.

  3. I was not running anything "peer to peer" type like torrent. Though the XAMPP Lite package was running (MySQL and Apache) to run the WordPress setup on my PC for offline testing.

  4. I am really anxious nowadays about my connection. I am using a data transfer counter that shows data upload at 3 KB/s every now and then. But it usually didn't happen at that scale previously. It would usually be less than 1 KB/s during normal web browsing.

I am happy that those who are capable of understanding these things are reading this post. Wishing that a reasonable conclusion will not be very tough to achieve.

Thanks.

Apparently you get an IP address in the 10.x.y.z range from your provider. The 10 range is one of the three ranges reserved for local area networks. That's what bulgroz said when he was talking about the private class A range.

This is an ICMP message. The ICMP protocol is used to communicate error messages about the connection. In this case it is Type (3) Code (10). It is one of the Destination Unreachable messages: host administratively prohibited.

When there is no program responding to an incoming message the log will tell it was caught by Windows Operating System. WOS is sort of the garbage collector.

Points to be noted:
  1. After an IP lookup I have found that the source IP belongs to Cogent Communications (Washington)
http://en.utrace.de/whois/66.28.139.208
I think WordPress may be hosted by Cogent.
  2. The same lookup site says that it cannot find anything for the destination IP 10.80.119.175.
http://en.utrace.de/?query=10.80.119.175
This is traffic from other computers/phones on the wireless network of your ISP.
  3. None of the IPs are mine! How can that be possible?
  4. It happened while I was running the XAMPP Lite package to test WordPress on my computer.
  5. Just after seeing the event and doing the IP lookup (at that time) I tried the destination IP 10.80.119.175 in the address bar. Surprisingly it returned the WordPress dashboard!
The IP address 10.80.119.175 is your IP address. Apparently WordPress listens for this.
But 12 hours after the incident, as I am writing this post, putting the destination IP 10.80.119.175 into the address bar results in the browser reporting "The server at 10.80.119.175 is taking too long to respond." Though everything is the same now as it was at the time of the incident.
  6. I am using Windows XP SP3.

Now can you please help me in understanding about what happened really?

Waiting for your kind reply.

Thanks.

With dial-up you have a dynamic IP address. It will change each time you log in. Did you disconnect your connection in these 12 hrs? To know what your IP address is, go to Start → Run → cmd → Enter → now you are in a black DOS-like text box → now type: ipconfig → Enter → now you will see your IP address. For more information you can use ipconfig /all.

UPDATE

The firewall has detected 3 more intrusion attempts by "Windows Operating System". This time -

1 attempt: source IP is 77.203.4.242 and destination is 10.80.63.190. Port Type(1)

Another 2 attempts are from 85.183.48.207 and destination is 10.80.95.80. Port Type(1)

AGAIN

Was this an ICMP message? If so, you didn’t post the complete message.

This time 2 TCP attempts -

source 10.80.41.148, port 1943, and destination 10.80.106.108, port 5900

By the way, what does "Application : Windows Operating System" refer to?

This is another computer connected to your ISP.

The things you have seen so far are just the background noise of the web, and they show the firewall doing one of the basic tasks it is supposed to do: blocking unsolicited incoming traffic.

Thank you very much EricJH for spending your time to help me.

The 10 range is one of the three ranges reserved for local area networks. That's what bulgroz said when he was talking about the private class A range.

OK, then what "your IP" type sites show me is actually not my IP but the provider's, and my IP is the one shown in ipconfig. OK.

This is an ICMP message. The ICMP protocol is used to communicate error messages about the connection. In this case it is Type (3) Code (10). It is one of the Destination Unreachable messages: host administratively prohibited.

When there is no program responding to an incoming message the log will tell it was caught by Windows Operating System. WOS is sort of the garbage collector.

OK. Then can I find out which programs are generating those errors? Which program was supposed to respond to which incoming message?

UPDATE

The firewall has detected 3 more intrusion attempts by "Windows Operating System". This time -

1 attempt: source IP is 77.203.4.242 and destination is 10.80.63.190. Port Type(1)

Another 2 attempts are from 85.183.48.207 and destination is 10.80.95.80. Port Type(1)

AGAIN
Was this an ICMP message? If so, you didn’t post the complete message.

No, these were TCP.

The things you have seen so far are just the background noise of the web, and they show the firewall doing one of the basic tasks it is supposed to do: blocking unsolicited incoming traffic.

I am very happy that Comodo informed me about all the background noise of the web. I want it to continue doing that.

Now, whatever happened, should I consider that it was solely generated by my actions? Or did someone target my PC? Please . . .

The alerts you receive are incidental. Nothing to worry about. That is what you have a firewall for. If one IP address were constantly and consistently trying to connect it may be worth investigating further and subsequently reporting to the abuse department of the other person's provider.

Can you show me the report of ipconfig /all?
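The reading EricJH gives above (ICMP Type 3 Code 10 is "Destination Unreachable: host administratively prohibited", the 10.x.y.z addresses are private space handed out by the ISP, and only a source that keeps coming back is worth chasing) can be mechanised. The script below is an added example and is not Comodo's code or anything posted in this thread: it parses log lines in a "Field: value | Field: value" layout modelled on the fields quoted in the first post (that layout, and the assumption that Comodo shows the ICMP type in the source-port column and the code in the destination-port column, are assumptions), names the ICMP type/code and the destination service, marks which side of each event is private address space, and flags any source that exceeds a repeat threshold. The sample log is constructed from the two entries the thread quotes in full.

```python
"""Parse Comodo-style "intrusion attempt" log lines and explain them.

Added example for the thread above; not Comodo's own code. The line layout
("Field: value | Field: value") is an assumption modelled on the fields quoted
in the post, and the sample entries at the bottom are constructed.
"""
import ipaddress
import re
from collections import Counter

# ICMP message types, and the codes of type 3 (Destination Unreachable),
# per RFC 792 and RFC 1812.
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable",
              8: "Echo Request", 11: "Time Exceeded"}
UNREACHABLE_CODES = {
    0: "Net Unreachable",
    1: "Host Unreachable",
    2: "Protocol Unreachable",
    3: "Port Unreachable",
    4: "Fragmentation Needed and DF Set",
    9: "Communication with Destination Network Administratively Prohibited",
    10: "Communication with Destination Host Administratively Prohibited",
    13: "Communication Administratively Prohibited",
}
# Registered services worth naming when they show up as unsolicited targets.
KNOWN_PORTS = {22: "ssh", 23: "telnet", 135: "msrpc", 139: "netbios-ssn",
               445: "microsoft-ds", 3389: "rdp", 5900: "vnc"}

_TYPE_RE = re.compile(r"Type\((\d+)\)")


def _port_value(raw):
    """Return ('icmp', n) for a 'Type(n)' column, else ('port', n)."""
    m = _TYPE_RE.fullmatch(raw.strip())
    return ("icmp", int(m.group(1))) if m else ("port", int(raw))


def parse_event(line):
    """Turn one 'Field: value | Field: value' log line into a dict."""
    fields = {}
    for chunk in line.split(" | "):
        key, _, value = chunk.partition(":")
        fields[key.strip()] = value.strip()
    src = ipaddress.ip_address(fields["Source IP"])
    dst = ipaddress.ip_address(fields["Destination IP"])
    event = {
        "application": fields["Application"],
        "action": fields["Action"],
        "protocol": fields["Protocol"].upper(),
        "src": str(src), "src_private": src.is_private,   # RFC 1918 check
        "dst": str(dst), "dst_private": dst.is_private,
    }
    sp = _port_value(fields["Source Port"])
    dp = _port_value(fields["Destination Port"])
    if event["protocol"] == "ICMP":
        # Assumption: source-port column carries the ICMP type, destination-port
        # column the code (the post's Type(3)/Type(10) read as type 3, code 10).
        event["icmp_type"], event["icmp_code"] = sp[1], dp[1]
    else:
        event["src_port"], event["dst_port"] = sp[1], dp[1]
    return event


def describe(event):
    """One-line reading of an event in the terms used in the thread."""
    if event["protocol"] == "ICMP":
        t, c = event["icmp_type"], event["icmp_code"]
        name = ICMP_TYPES.get(t, f"type {t}")
        if t == 3:
            name += ": " + UNREACHABLE_CODES.get(c, f"code {c}")
        what = f"ICMP {name}"
    else:
        port = event["dst_port"]
        what = f"{event['protocol']} to port {port} ({KNOWN_PORTS.get(port, 'unknown')})"
    origin = ("inside the ISP's private 10/8 space" if event["src_private"]
              else "on the public Internet")
    return f"{what} from {event['src']} ({origin}) to {event['dst']}, {event['action'].lower()}"


def summarize(lines, repeat_threshold=5):
    """Count blocked events per source and flag sources that keep coming back,
    the case the reply says is worth investigating and reporting."""
    events = [parse_event(line) for line in lines if line.strip()]
    per_source = Counter(e["src"] for e in events)
    return {
        "events": events,
        "per_source": dict(per_source),
        "repeat_offenders": sorted(ip for ip, n in per_source.items() if n >= repeat_threshold),
        "descriptions": [describe(e) for e in events],
    }


# Constructed sample: the ten identical ICMP events from the first post and the
# later TCP event. No timestamps were quoted, so none are modelled.
SAMPLE_LOG = (
    ["Application: Windows Operating System | Action: Blocked | Protocol: ICMP | "
     "Source IP: 66.28.139.208 | Source Port: Type(3) | "
     "Destination IP: 10.80.119.175 | Destination Port: Type(10)"] * 10
    + ["Application: Windows Operating System | Action: Blocked | Protocol: TCP | "
       "Source IP: 10.80.41.148 | Source Port: 1943 | "
       "Destination IP: 10.80.106.108 | Destination Port: 5900"]
)

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for text in report["descriptions"]:
        print(text)
    print("per source:", report["per_source"])
    print("repeat offenders:", report["repeat_offenders"])
```

On the constructed sample the ten ICMP entries resolve to "Destination Unreachable: Communication with Destination Host Administratively Prohibited" from a public address, the TCP entry to a VNC (5900) probe from another host in the ISP's 10/8 space, and 66.28.139.208 is the only source that crosses the repeat threshold; a real log would be fed in one line per event in place of SAMPLE_LOG.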

Thank you EricJH for replying. Data from ipconfig /all -

Windows IP Configuration

        Host Name . . . . . . . . . . . . : [computer name]
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

PPP adapter [modem]:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : [00-00-00-00-00-00]
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.80.18.183
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 10.80.18.183

Thx. That confirms my assumption that you get an IP address in the 10 range from your ISP. That means what I said above stands. :)

Thank you very very much EricJH.