firewall alert: trying to receive: what does it mean

radianceseeker · April 22, 2008, 9:22pm

In the firewall alert in this image:

it says “svchost.exe is trying to receive a connection”, and shows ms-rpc(135). What does this mean:

svchost was already listening on port 135, and some other computer has attempted to connect to my port 135?
svchost is attempting to connect to the remote computer at his port 135?
svchost is opening my port 135 to connect to the remote computer through it?
something else?

Thanks again.

system · April 22, 2008, 9:38pm

A remote computer is trying to connect to svchost in your computer. , so item 1. Good thing to block. Are you using a router?

system · April 22, 2008, 9:40pm

Thats a Winows Service. I get the same alert. Just make it outgoing only.

riggers · April 22, 2008, 9:40pm

Take a look HERE

Matty

radianceseeker · April 22, 2008, 9:52pm

Yes and no.

Yes there’s a router on my LAN, serving as DHCP host and connecting all my LAN machines.

No, because my internet connection is dial-up through my desktop machine, and NOT through the router.

radianceseeker · April 22, 2008, 10:04pm

Is there a way to find out what is running under/behind svchost.exe in that case? or what PID is involved?

system · April 22, 2008, 10:28pm

svchost.exe is listening on port 135 for an internal TCP connection to support the Remote Procedure Call service. An external request comes in to connect to svchost from an outside source, and is blocked (correctly)-I think the way D+ states it is a bit misleading. And according to your other message it is directed at some other IP. Still don’t know why dialup sends stuff that is not addressed for you or whether it is a threat-probably all the dialup experts are somewhere else. You can make a rule to block and not log it if you just want the popups and logging to go away.

riggers · April 22, 2008, 10:36pm

The address that is trying to connect to you is from Level 3 communications CO,US
Don`t know if this means anything to you.

Matty

system · April 22, 2008, 10:49pm

Earlier message at https://forums.comodo.com/empty-t22107.0.html;topicseen showed that it was a RPC connection request from one L3com server to another L3com server that somehow got routed to his address by his ISP. Lacking a dialup expert, and since things appear to be working, seems like a good thing to block. Only caution before was not to try to turn off the RPC service to stop the listening or the computer will stop working. See http://www.blackviper.com/WinXP/Services/Remote_Procedure_Call_(RPC).htm , for example.

MikeH · April 23, 2008, 12:03am

Level 3 is a MAJOR internet infrastructure provider.
(I’ve read a number of articles about them in the financial press).
According to their web site:
The company operates one of the largest communications and Internet backbones in the world.

http://www.level3.com/about_us/index.html

Regards,
Mike