Firewall blocks several times! (about 600!)

Prounnic · January 16, 2010, 11:16am

Hi there, yesterday my firewall blocks about 600 times an IP. I write it there:

Application: svchost.exe
Action: Block
Protocol: UDP
Source IP: 85.102.204.146
Port: 1024
Destination IP: 192.168.1.2
Destination Port: 59992

My firewall blocks this thing about 600 times, I’m very suprised with this thing but I don’t now what is this. I looked the Firewall logs. My firewall blocks this IP three days ago but with 1 time. But not the same ports. In addition the different IPs on there I can see svchost.exe again the some destination but different IP (78.182.198.168) and the a few different IPs. What is going on there? Call someone tell me? Is something going wrong?

Thanks for your helps and thanks Comodo.

Prounnic · January 17, 2010, 4:54pm

It seems there is no reply.

I searched a bit and see someone was ‘‘pinged’’ me. Maybe this is a IP attack from someone. Also I searched the other IPs which firewall blocked before. They all coming from my country.

Anyway, all this thing coming from svchost.exe so I set it to ‘‘Outgoing Only’’ mode. Did I do the right thing? or should I do anything more?

Thanks for your help.

Rolo · January 17, 2010, 5:50pm

Hi Silver Wolf:

You have done well to set svchost.exe to “outgoing only”. Now see what happens.

Regards.

Prounnic · January 17, 2010, 9:40pm

Yeah I did this thing but right now I have too much blocking things around 192.168.X.X (Between the same IP). It came from Windows Operating System (WOS) or System? And the source port is always the same 53 or Type(3). How can I solve this problem?

system · January 17, 2010, 9:54pm

The first part was about svchost.exe, but now it’s from WOS and System? It doesn’t necessarily mean an attack; it can be common internet traffic noise. I get those all the time surrounding WOS and System.

Type 3 is ICMP traffic, while port 53 is used for DNS lookup. You can post a sample of your log if you want.

Prounnic · January 17, 2010, 10:33pm

Okey I attached it. Always like this, it keeps coming. I saw about 50-60 blocks in 20 minutes after I connected to Internet. But I don’t know what is the IP (78.187.125.241). After I saw this IP I look my active connections and I see it also here as UDP out and it had gone in 30 seconds or like this.

Thanks for replies.

[attachment deleted by admin]

Cohen · January 18, 2010, 9:35am

Is the firewall attacks coming in or your own processes calling out? Svchost is a system process in Windows. 192.168.X.X is your own local network.

adioz86 · January 18, 2010, 10:15am

Der Port ist für SSDP (2869) und wird für Universal Plug and Play genutzt. Scheint ne Anfrage von deinem Router zu sein.

Prounnic · January 18, 2010, 11:23am

They are coming from WOS or System as you see in log. I know it. I set svchost.exe is outgoing only mode again then this blocks not coming. But as before the rule looked as Custom, but yesterday I brought it to Outgoing Only mode. Then there is no any problems. It is my fault I think.

And the other IP which started with 78, it is static IP and it is from our internet source Telekom. (One of their informatics partner.) Firewall blocked it but I looked up active connections it was here as UDP Out I said. It had gone about 30 seconds. Anyway, thanks for your helps