Comodo on University Wireless

Hey all,

First off I am thoroughly enjoying Comodo. Works great and is a lot lighter than other firewalls I have tested. Only problem I seem to be having thus far is connecting to the wireless server at my college. I had previously gotten a virus from the network while not having a firewall. Was one of those lovely Sassers (lsass.exe is broked! Shutting down in 1 minute!). I realized I was wide open when I saw a “funny” system message that someone had sent out over the network. “Stephen R. says: RACHEL IS GAY LOLZ” in the middle of my note taking. Now when I am at my college there are tons and tons of connections attempting to get onto my computer as you can see from the attached file. I am not sure if making a trusted network would function for this as my IP rotates on every connect. Anyone ever had this problem? I did a search but to no avail. The University’s network is so open and easy to gain access to, which is a shame because it can leave so many people vulnerable. Thank you for any and all assistance.

  • David

Example:

Date/Time :2007-02-05 19:04:01
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 10.169.56.114, Port = nbname(137))
Protocol: UDP Incoming
Source: 10.169.56.114:nbname(137)
Destination: 10.169.59.255:nbname(137)
Reason: Network Control Rule ID = 5

Date/Time :2007-02-05 19:04:01
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 10.171.35.235, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 10.171.35.235:nbdgram(138)
Destination: 10.171.39.255:nbdgram(138)
Reason: Network Control Rule ID = 5

Date/Time :2007-02-05 19:04:01
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 10.171.35.191, Port = 2222)
Protocol: UDP Incoming
Source: 10.171.35.191:50487
Destination: 255.255.255.255:2222
Reason: Network Control Rule ID = 5
In the attackers’ world, this port is usually used by Trojan.BackDoor.Botex(2222)

[attachment deleted by admin]

No one has experienced this? Got to be some college folks around here somewhere with huge wifi networks!

OK, you have a wireless network that is very dodgy.

Well here is what we need from you:

What services do you need from the wireless network? (i.e. just web surfing, or do you need to access files?)

Does your University dictate what ports need to be open or something special? (I don’t know as I don’t use university wireless and the one I could use is secure anyway).

We can then dictate “modified” network rules for your LAN that allow the services you want but block everything else. You can set up a trusted range of IP addresses in the firewall, I believe, but let’s see how secure we can make the connection for you, by having the above details.

Keeping Windows up-to-date is essential. (This is how your computer got the Sasser worm as the hole was patched against a few years ago).

What I am trying to accomplish here is to treat your “LAN” as an “Untrusted LAN (the logical equivalent to the internet)”.

Once we have all the needed details, I will notify a few mods that know exactly how to modify the default network rules or create new ones.

First of all, those log messages all have one thing in common: all the connection attempts are being blocked and logged. You can see the reason for it at the bottom of each message:
Reason: Network Control Rule ID = 5

Secondly, you should not set the WiFi as a trusted network, and you should make this a rule of thumb. As you pointed out yourself, anyone can hook into the campus WiFi. That includes infected laptops/workstations, IRC bots and fellow students with too much spare time on their hands :slight_smile:

Looking over the 3 examples, there are some similarities. They are all broadcasts (meaning they aren’t specifically intended for your computer) directed at anyone on the same network as you:
Destination: 10.169.59.255:nbname(137)
Destination: 10.171.39.255:nbdgram(138)
Destination: 255.255.255.255:2222

As for ports 137 and 138, these are normal NetBIOS broadcasts and are a common sight in a LAN. The port 2222 however is a known port used to insert a trojan. Someone probably tried to exploit an AMD weakness to leave a rootkit/rootshell on your computer (and anyone vulnerable for that matter). Your firewall blocked it successfully, so no worries there :slight_smile:

Expect to see a lot of entries in your log as university campus networks have lots of “traffic” generated, and not all of it is benign :wink:
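To make the "broadcast vs. directed" distinction from the reply above mechanical, here is an added example (not code from the thread, and not part of Comodo) that parses the Network Monitor records in the format shown in the first post and classifies each one. Since the subnet mask is not in the log, it treats a destination as a broadcast if it is 255.255.255.255 or the broadcast address of the narrowest subnet around the source that contains the destination. The three records are copied from the thread; the fourth is constructed, with the hypothetical local host address 10.171.36.20, so that a directed (non-broadcast) hit also appears in the summary.

```python
import re
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Three records from the thread's log excerpt plus one CONSTRUCTED directed
# entry (destination 10.171.36.20 is a hypothetical local host address).
SAMPLE_LOG = """\
Date/Time :2007-02-05 19:04:01
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 10.169.56.114, Port = nbname(137))
Protocol: UDP Incoming
Source: 10.169.56.114:nbname(137)
Destination: 10.169.59.255:nbname(137)
Reason: Network Control Rule ID = 5

Date/Time :2007-02-05 19:04:01
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 10.171.35.235, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 10.171.35.235:nbdgram(138)
Destination: 10.171.39.255:nbdgram(138)
Reason: Network Control Rule ID = 5

Date/Time :2007-02-05 19:04:01
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 10.171.35.191, Port = 2222)
Protocol: UDP Incoming
Source: 10.171.35.191:50487
Destination: 255.255.255.255:2222
Reason: Network Control Rule ID = 5
In the attackers' world, this port is usually used by Trojan.BackDoor.Botex(2222)

Date/Time :2007-02-05 19:05:10
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 10.171.35.191, Port = 445)
Protocol: TCP Incoming
Source: 10.171.35.191:50500
Destination: 10.171.36.20:445
Reason: Network Control Rule ID = 5
"""

FIELD_RE = re.compile(r"^([A-Za-z/]+)\s*:\s*(.*)$")          # "Key :value" / "Key: value"
ENDPOINT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(?:\w+\()?(\d+)\)?$")  # host:name(port) or host:port
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
WELL_KNOWN = {137: "NetBIOS name service", 138: "NetBIOS datagram", 445: "SMB"}


@dataclass
class Record:
    when: str
    src: ipaddress.IPv4Address
    src_port: int
    dst: ipaddress.IPv4Address
    dst_port: int
    rule_id: str


def parse_endpoint(text):
    """'10.169.56.114:nbname(137)' -> (IPv4Address, 137); '10.171.35.191:50487' -> (..., 50487)."""
    m = ENDPOINT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparsable endpoint: {text!r}")
    return ipaddress.IPv4Address(m.group(1)), int(m.group(2))


def parse_record(block):
    """Parse one blank-line-separated Network Monitor record; free-text lines are ignored."""
    fields = {}
    for line in block.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    src, sport = parse_endpoint(fields["Source"])
    dst, dport = parse_endpoint(fields["Destination"])
    return Record(fields["Date/Time"], src, sport, dst, dport, fields["Reason"])


def is_broadcast(src, dst):
    """Limited broadcast, or the directed broadcast of the narrowest subnet (/30../8)
    around src that also contains dst; the real mask is unknown, so this is a heuristic."""
    if dst == LIMITED_BROADCAST:
        return True
    for prefix in range(30, 7, -1):
        net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        if dst in net:
            return dst == net.broadcast_address
    return False


def summarize(log_text):
    """Count hits per destination port and split them into broadcast vs. directed-at-this-host."""
    records = [parse_record(b) for b in log_text.strip().split("\n\n") if b.strip()]
    by_port, broadcast, directed_sources = Counter(), 0, []
    for r in records:
        by_port[r.dst_port] += 1
        if is_broadcast(r.src, r.dst):
            broadcast += 1
        else:
            directed_sources.append(str(r.src))
    return {"total": len(records), "broadcast": broadcast, "directed": len(directed_sources),
            "by_port": dict(by_port), "directed_sources": directed_sources,
            "rule_ids": sorted({r.rule_id for r in records})}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for port, n in sorted(s["by_port"].items()):
        print(f"port {port:<5} {n} hit(s)  {WELL_KNOWN.get(port, 'no well-known service')}")
    print(f"{s['broadcast']} broadcast / {s['directed']} directed at this host, from {s['directed_sources']}")
```

The useful output is the directed list: broadcast noise on 137/138 is what the reply calls a "common sight", whereas a blocked unicast packet aimed at your own address is the entry worth a second look. Paste a real log export into `SAMPLE_LOG` (or read it from a file) to run it on your own data.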

Appreciate both responses,

To Rotty: For services I usually use internet (Firefox), AIM, and sometimes I need to access files on the internet as I download PowerPoint notes from class websites and our University website service (www.webct.com). There is no “public” server folder or anything, so I don’t have to worry about that. The University does not designate any specific ports to be open at all; the only thing they require is that you register your MAC address and you can get online. My Windows is currently up-to-date (reformatted after the Sasser-ness).

To Triplejolt: I definitely did not set my WiFi as a trusted network just for this reason, and I sure am glad I didn’t! You are certainly correct that they are all being blocked and logged, which I was happy about; the only problem is that it owns my battery life. My laptop went from lasting about 4 hours to almost maxing out a little after 2 from the excess power needed to block and log these items. You would think that with a campus of 40,000 students they would attempt some security on their network with the millions of dollars made, but nope! Let’s build a stadium for our ■■■■■■ football team!

Again, I appreciate the help you guys are providing. Let me know if I can provide any further info to assist in creating a network rule.

  • David

Yes, it really does depend on how paranoid you want to get. By the sounds of it, if you edited the rules so that all inbound connections are blocked (file sharing can be disabled in Windows) then this computer would be one secure computer. It also seems you don’t need to access any file sharing services, so this could be disabled totally in Windows as mentioned above.

I have little experience with laptops; it must be a lot of traffic for it to drag your battery down that fast.

Now I say the computer would be secure, but without SSL connections or a secure VPN or similar, the information you send/receive is open to everyone on the LAN through a man-in-the-middle attack.

Laptops on battery use power for everything from keyboard and mouse movement to WiFi radio signaling strength. The further you are from an access point, the more power you use. And beyond a certain range, the signal deteriorates along with the bandwidth.
There are ways to conserve power, but it’s a hassle to your effectiveness. Compromises are the key here.
I once tried to fire up an MMORPG while on battery power, and got 30 mins of fun before the laptop died on me 88)

Final word:
Campus networks are seldom secured in any way. Stick with a trusted firewall, antivirus and a spyware prevention program.

Good luck with your studies!