Cannot block remote attacker

Ninja2k · March 26, 2015, 9:57am

Hi all,

My router security logs report that someone is accessing my LAN remotely, to me this looks like someone controlling a Remote Access Trojan. They seem to randomize the attacking ports. I have run 6 anti virus tools to try and detect where the Trojan is but I can’t see it. I am running stealth ports but I am still under attack.Is there any way I can block these attacks using Comodo Firewall?

Line 12: [LAN access from remote] from 221.163.250.228:3389 to 192.168.1.58:2345, Thursday, March 26,2015 00:15:44
Line 39: [LAN access from remote] from 223.130.239.89:1010 to 192.168.1.58:2345, Wednesday, March 25,2015 01:39:57
Line 62: [LAN access from remote] from 223.130.239.89:1010 to 192.168.1.58:2345, Tuesday, March 24,2015 17:28:28
Line 67: [LAN access from remote] from 103.249.103.31:6003 to 192.168.1.58:2345, Tuesday, March 24,2015 16:01:15
Line 72: [LAN access from remote] from 107.20.201.237:4244 to 192.168.1.58:60615, Tuesday, March 24,2015 11:38:33

aim4it · March 26, 2015, 5:34pm

Well 3389 is typically used for Remote Desktop Protocol, not sure about the rest. Is anyone the network using any RDP programs?

Ninja2k · March 26, 2015, 6:32pm

The workstation in question has remote desktop disabled, they appear to be using random ports to connect to the machine. Comodo never alerted me to the attack.

futuretech · March 26, 2015, 6:56pm

In order to give the most help can you answer the following questions to the best of your knowledge.
[ol]- name make and model of router

router settings e.g. any port forwards configured? DMZ? UPnP enabled? sceenshot if possible
what are your comodo firewall settings what does your global rules look like sceenshot if possible
is comodo firewall even enabled? do you have other security or firewall software installed?
the lan ip address 192.168.1.58 is that the computer in which comodo is installed on or could it belong to a different device?[/ol]

C0m0doUserBobbby353 · March 28, 2015, 11:03pm

I’m not sure where you are located or what kind of network you are on- but would you expect any connections from the locations of these IPs? Some are on blacklists as well.
221.163.250.228-South Korea, on blacklist http://www.tcpiputils.com/browse/ip-address/221.163.250.228
223.130.239.89- South Korea, on blacklist http://www.tcpiputils.com/browse/ip-address/223.130.239.89
103.249.103.31- Vietnam, on 2 blacklists http://www.tcpiputils.com/browse/ip-address/103.249.103.31
107.20.201.237- US, Amazon, http://www.tcpiputils.com/browse/ip-address/107.20.201.237
For information on what Amazon Web Services (AWS) could be (many things) https://aws.amazon.com/

Citizen_K · March 28, 2015, 11:46pm

It looks like the following ports may be open on your router for incoming traffic: 3389, 1010, 6003 and 4244. Can you check to see if they are open and if they are open close them?

Ninja2k · April 2, 2015, 2:37pm

I had some open ports which I blocked, the latest version of Avast AV also detected a rootkit, since I took these steps there has been no further intrusions. Thank you all for your replies these security steps should come in useful for others.