Constant Intrusion Attempts

Hi,

Since September 3rd Comodo has suddenly started blocking intrusion attempts every couple of seconds. I’ve only just noticed the thousands that have piled up and they all look the same. In the log, they all say Application: Windows Operating System and Protocol: UDP, however they all seem to come from different, completely random IP addresses and source ports. The destination ports seem to come in strings of the same port or two but it still changes sometimes.

I think it may be something to do with Azureus/Vuze since it seems to have coincided with a random inability to upload using that application, sometimes it works sometimes it doesn’t. However I’m not really sure of the timing.

I’ve allowed Azureus.exe through Comodo firewall as a trusted application so I don’t see why Comodo would be blocking it.

Any ideas? I’m using Comodo CIS 3.11.108364.552 on Windows 7 64-bit.

Thanks in advance.

It just a normal thing.
It’s not an intrusion attempts.
You can see those blocking msg after turn off Azureus.
Because, other Azureus or Torrent users keep trying to find peers with seeds automatically.

There is only one solution.
go to following link and read my reply please.

https://forums.comodo.com/firewall_help/several_intrusion_attempts_on_the_same_port-t37653.0.html

But how come it’s suddenly started in the last week? I’ve never had a single blocked intrusion attempt before and I’ve been using Comodo and Vuze for several months now.

Thanks for your help Creasy.

Read my above reply again. I’ve edited it.

Because, it’s like this.
When you download something with torrent, there are many peers as you know.
If you don’t upload anything from your PC to other people, there will not be any seeds.
It means you are not a seeder.
So there are any blocking msg with your firewall after turn off Azureus.
But when you download something, you may upload something to other peer(people).
Because you have some parts of those files.
But when you quit Azureus, other peers lose their connections.
So they(torrent programs) keep trying to connect and find seeds from your PC.
Now, do you understand?

Many people hate Azureus users.
Azureus users can make damages to other torrent users.
Why don’t use utorrent instead of Azureus?

I understand what you are saying Creasy, I can see how P2P works. However, when I exit Vuze the blocked intrusions immediately stop as well and start up again when I start it up again so it’s not other computers trying to connect and find seeds from my PC as you state.

For the last hour or so it’s been on and uploading with no problem but there’s still an intrusion attempt blocked every two seconds. This never, ever happened before six days ago so it’s not something that just happens all the time since I’ve never had one blocked intrusion attempt prior to September 3rd.

I had no idea Azureus/Vuze caused any damage to anything, I only use it because it’s simpler and seems to download a lot faster than bittorrent, which I used to use before. What problems does Azureus/Vuze cause?

Hi Barns.

I’m not sure why these should suddenly start now, after such a long time, perhaps something has changed somewhere.

First thing we should do is check your rules for Vuze and also make sure there’s nothing interfering with those.

Any chance you could post a screen shot of the Application and Global firewall rules. please?

If you’re not sure how, take a look at this:

Screenshot-posting for beginners

Thanks Quill.

Here you go. I presume it’s something to do with those block rules in the global rules. I have no idea where they came from or whether they should be there…

[attachment deleted by admin]

Can you show me firewall event?

One thing I notice is that you don’t allow inbound connections. This is bad for a number of reasons. I don’t use Vuze, so help me out here. Normally torrent clients have an ability to check if the right port is open, I assume Vuze is no different? I would hazard a guess and say that if you do have such an ability and you run the check, it will say closed, or something similar.

First thing to do is check which port Vuze is using, then open a window in Global rules to allow TCP and UDP In to that port and only that port. You could also tight up those Application rules. but lets leave that until later.

I have, personally, not changed any rules in Comodo apart from allowing certain programmes, such as Vuze and BitTorrent, as trusted applications so I have no idea where those rules came from, they must have been automatically set up. I don’t know enough about it to set up rules etc.

Yes, Vuze has a tool for checking if the port is open and it usually says yes it is. Sometimes it says no it isn’t so I simply change the port and start it up again. I also find, though, that even if the port tool says the port is closed there’s often still data getting through, just a lot slower than usual. Is that normal?

Here’s a sample of the blocked intrusion attempts I’m getting, there are thousands of them. This one seems to show that something is trying port after port in descending numerical order…

[attachment deleted by admin]

I just did the NAT/Firewall port test in Vuze and it says everything is OK on the port I’m using. However, the blocked intrusion attempts immediately started clicking up again when I opened it and immediately stopped again when I closed it.

The thing with torrents speed is quite often all about ratio. The more you share the more you get. With the rules you have at the moment you’re not giving anything, which is why speeds can seem quite slow.

In Vuze, the first thing to do is set a preferred port, don’t use dynamic ports. Choose a port around 58000 - 62000, say for example 59211. Set this in vuze.

In Global rules create a new rule that allows

TCP and UDP In
Source address - any
destination address - any
source port - any
destination port - 59211

I made that rule and it’s uploading OK. However, the blocked intrusion attempts are continuing to clock up when Vuze is open and then stop immediately when it’s closed. The two most recent blocked intrusion attempts are for UDP access to the very port I just made the rule for! Strange…

You say with the rules I have at the moment I’m not giving anything, however it uploads OK most of the time and my overall ratio is 0.845 so I must be giving something, no? I admit it should be higher and that’s why I’m leaving it uploading at the moment but it’s not the uploading that’s the problem it’s the constant blocked intrustion attempts which worry me.

Am I just being paranoid thinking it’s suspicious that whatever is attempting access tried port 60739 ten times in a row, then port 60738 ten times, port 60737 ten times, port 60736 ten times etc? To my untutored brain, that would suggest a systematic attempt to break in through a scan of all ports in numerical order? Or is my logic flawed?

Just to update: I just checked my Global rules again and Comodo CIS has somehow automatically deleted the rule I made for my Vuze port. It’s gone.

Thanks for your help in this mate.

Recently discovered that on comodo firewall I was getting “intrusion attempts” by the second, from random various ips-tcp/udp on port 10843. At first this concerned me and I was urgently seeking a solution, my paranoid thinking attributes it to an attack but this is quickly ruled out due to the nature of the “intrusion”. So after many hours of searching, I decided to check comodo website (probably should have done this first) and found this post…
My scenario seems to be very similar to Barns’ (Azureus except I dont use, utorrent is the best IMO!) except that my intrusions start when I exit utorrent and stop as soon as utorrent is back up and running. Given what little I know about torrents I can only guess that this is utorrent’s attempt to continue seeding even when the program isnt running, seems backwards, or because commodo has different rules applied between utorrent running and not, but that would make sense right, i mean isnt that part of its job being a firewall. This would lead me to believe that the problem, if one, lies in utorrent not commodo-thoughts, comments, corrections?? Thank You
-I seed the files i download, 90% are over 1.0 ratio and 50% are 1.5