My router security logs report that someone is accessing my LAN remotely; to me this looks like someone controlling a Remote Access Trojan. They seem to randomize the attacking ports. I have run 6 anti-virus tools to try and detect where the Trojan is but I can’t see it. I am running stealth ports but I am still under attack. Is there any way I can block these attacks using Comodo Firewall?
Line 12: [LAN access from remote] from 220.127.116.11:3389 to 192.168.1.58:2345, Thursday, March 26,2015 00:15:44
Line 39: [LAN access from remote] from 18.104.22.168:1010 to 192.168.1.58:2345, Wednesday, March 25,2015 01:39:57
Line 62: [LAN access from remote] from 22.214.171.124:1010 to 192.168.1.58:2345, Tuesday, March 24,2015 17:28:28
Line 67: [LAN access from remote] from 126.96.36.199:6003 to 192.168.1.58:2345, Tuesday, March 24,2015 16:01:15
Line 72: [LAN access from remote] from 188.8.131.52:4244 to 192.168.1.58:60615, Tuesday, March 24,2015 11:38:33
Well, 3389 is typically used for Remote Desktop Protocol, not sure about the rest. Is anyone on the network using any RDP programs?
The workstation in question has remote desktop disabled, they appear to be using random ports to connect to the machine. Comodo never alerted me to the attack.
In order to give the most help, can you answer the following questions to the best of your knowledge?
[ol]- name, make and model of router
- router settings, e.g. any port forwards configured? DMZ? UPnP enabled? screenshot if possible
- what are your Comodo firewall settings? what do your global rules look like? screenshot if possible
- is Comodo firewall even enabled? do you have other security or firewall software installed?
- the LAN IP address 192.168.1.58: is that the computer on which Comodo is installed, or could it belong to a different device?[/ol]
I’m not sure where you are located or what kind of network you are on, but would you expect any connections from the locations of these IPs? Some are on blacklists as well.
184.108.40.206 - South Korea, on blacklist http://www.tcpiputils.com/browse/ip-address/220.127.116.11
18.104.22.168 - South Korea, on blacklist http://www.tcpiputils.com/browse/ip-address/22.214.171.124
126.96.36.199 - Vietnam, on 2 blacklists http://www.tcpiputils.com/browse/ip-address/188.8.131.52
184.108.40.206 - US, Amazon, http://www.tcpiputils.com/browse/ip-address/220.127.116.11
For information on what Amazon Web Services (AWS) could be (many things) https://aws.amazon.com/
It looks like the following ports may be open on your router for incoming traffic: 3389, 1010, 6003 and 4244. Can you check whether they are open and, if they are, close them?
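A small triage script for the router log format quoted at the top of the thread, added here as an example (it is not from the original thread, from Comodo, or from the router vendor): it parses the [LAN access from remote] lines, groups them by LAN host and destination port, and labels well-known service ports, which makes it easy to see which inbound ports on the LAN host are actually being reached as opposed to which port the remote side happened to connect from. The sample lines and the KNOWN_PORTS table are constructed for the example.

```python
import re
from collections import defaultdict

# Shape of the router log lines quoted in this thread (one entry per line).
LOG_RE = re.compile(
    r"\[LAN access from remote\] from "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d+) to "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dst_port>\d+), "
    r"(?P<when>.+)$"
)

# Assumed short table of service ports worth a second look if they are reached.
KNOWN_PORTS = {3389: "RDP", 22: "SSH", 23: "Telnet", 445: "SMB", 5900: "VNC"}


def parse_entries(lines):
    """Return one dict per line that matches the router's LAN-access format."""
    entries = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            d["src_port"] = int(d["src_port"])  # chosen by the remote side
            d["dst_port"] = int(d["dst_port"])  # the port reached on the LAN host
            entries.append(d)
    return entries


def summarize(entries):
    """Group by (LAN host, destination port): distinct sources plus a service label."""
    by_target = defaultdict(set)
    for e in entries:
        by_target[(e["dst_ip"], e["dst_port"])].add(e["src_ip"])
    return {
        target: {"sources": sorted(srcs), "service": KNOWN_PORTS.get(target[1], "unknown")}
        for target, srcs in by_target.items()
    }


SAMPLE = [  # constructed sample in the same shape as the thread's log lines
    "Line 12: [LAN access from remote] from 203.0.113.10:3389 to 192.168.1.58:2345, Thursday, March 26,2015 00:15:44",
    "Line 39: [LAN access from remote] from 198.51.100.7:1010 to 192.168.1.58:2345, Wednesday, March 25,2015 01:39:57",
    "Line 72: [LAN access from remote] from 192.0.2.44:4244 to 192.168.1.58:60615, Tuesday, March 24,2015 11:38:33",
    "Line 80: [LAN access from remote] from 192.0.2.45:51000 to 192.168.1.58:3389, Tuesday, March 24,2015 12:00:00",
    "Line 81: some unrelated router log line that should be ignored",
]

if __name__ == "__main__":
    for (host, port), info in sorted(summarize(parse_entries(SAMPLE)).items()):
        print(f"{host}:{port} ({info['service']}) reached from {len(info['sources'])} source(s): {', '.join(info['sources'])}")
```

Each destination port that shows up in the summary is one to check against the router's port-forward, DMZ and UPnP settings; a port reached from several unrelated sources is the first place to look.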
I had some open ports, which I blocked; the latest version of Avast AV also detected a rootkit. Since I took these steps there have been no further intrusions. Thank you all for your replies; these security steps should come in useful for others.