FW log flooded with unusual activity on port 2869 [Resolved]

My firewall logs are overloaded with blocked events on port 2869. Do I have a problem with my rules or am I really being scanned from the outside?

It seems that I also have problems with systems getting an address from my DHCP server (router).

I have a cable modem connected to a router to which my PC is connected.

Here is what I have in my logs:

2007-11-26 08:14:34 C:\WINDOWS\system32\svchost.exe Blocked 192.168.1.1 3022 192.168.1.3 2869
2007-11-26 08:14:52 C:\WINDOWS\system32\svchost.exe Blocked 192.168.1.1 3023 192.168.1.3 2869
2007-11-26 08:14:55 C:\WINDOWS\system32\svchost.exe Blocked 192.168.1.1 3024 192.168.1.3 2869
2007-11-26 08:14:58 C:\WINDOWS\system32\svchost.exe Blocked 192.168.1.1 3025 192.168.1.3 2869
2007-11-26 08:15:10 System Idle Process Blocked 0.0.0.0 68 255.255.255.255 67
2007-11-26 08:15:13 C:\WINDOWS\system32\svchost.exe Blocked 192.168.1.1 3026 192.168.1.3 2869
2007-11-26 08:15:16 C:\WINDOWS\system32\svchost.exe Blocked 192.168.1.1 3027 192.168.1.3 2869
2007-11-26 08:15:19 C:\WINDOWS\system32\svchost.exe Blocked 192.168.1.1 3028 192.168.1.3 2869
2007-11-26 08:15:37 C:\WINDOWS\system32\svchost.exe Blocked 192.168.1.1 3029 192.168.1.3 2869
2007-11-26 08:15:40 C:\WINDOWS\system32\svchost.exe Blocked 192.168.1.1 3030 192.168.1.3 2869
2007-11-26 08:15:43 C:\WINDOWS\system32\svchost.exe Blocked 192.168.1.1 3031 192.168.1.3 2869
2007-11-26 08:15:56 C:\WINDOWS\system32\svchost.exe Blocked 192.168.1.1 3032 192.168.1.3 2869
2007-11-26 08:16:00 C:\WINDOWS\system32\svchost.exe Blocked 192.168.1.1 3033 192.168.1.3 2869
2007-11-26 08:16:03 C:\WINDOWS\system32\svchost.exe Blocked 192.168.1.1 3034 192.168.1.3 2869

I have a trusted lan zone defined in 192.168.1.1

I have the following NTW rules in place (see attachment 1):

I have the following APPS rules in place (see attachment 2):

[attachment deleted by admin]

Those blocks are your router trying to tell the system the address.

OK, but which address? Why on dest. port 2869?
I thought this port was used for PnP …

What about the 5th line?
2007-11-26 08:15:10 System Idle Process Blocked 0.0.0.0 68 255.255.255.255 67

EDIT 2007-12-09 and 2007-12-10 /MBG
I have installed the new patched version and the situation was back to normal (as far as port 2869 is concerned) for a few minutes. I still have the same problem today.

Still have those events that I think shouldn’t be blocked as per my global ntwk rules:

Date/Time Application Action Source IP Source Port Destination IP Destination Port
2007-12-09 12:29:51 Windows Operating System Blocked 0.0.0.0 68 255.255.255.255 67
2007-12-09 12:30:51 Windows Operating System Blocked 0.0.0.0 68 255.255.255.255 67
2007-12-09 12:32:51 Windows Operating System Blocked 0.0.0.0 68 255.255.255.255 67
2007-12-09 12:34:51 Windows Operating System Blocked 0.0.0.0 68 255.255.255.255 67
2007-12-09 12:36:51 Windows Operating System Blocked 0.0.0.0 68 255.255.255.255 67
2007-12-09 12:38:52 Windows Operating System Blocked 0.0.0.0 68 255.255.255.255 67
2007-12-09 12:39:51 Windows Operating System Blocked 0.0.0.0 68 255.255.255.255 67
2007-12-09 12:40:51 Windows Operating System Blocked 0.0.0.0 68 255.255.255.255 67

Port 2869: I updated my router firmware recently and for some reason, the UPnP option was activated. The router was therefore sending those events on the LAN. I disabled it and everything is back to normal, including the DHCP broadcast from 0.0.0.0 (don’t know why).

Please close

I have marked this thread as resolved. If you need to reopen it let a moderator know.
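
An added example, not part of the original thread: a Python sketch that parses log lines in the layout posted above and separates LAN-sourced traffic to port 2869 and DHCP client broadcasts from anything arriving from a non-private address, which is the question the first post asks. The labels, function names and the 203.0.113.7 line are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: three lines in the layout of the thread's excerpts, plus
# one invented line from a documentation address (203.0.113.7) for contrast.
SAMPLE = r"""2007-11-26 08:14:34 C:\WINDOWS\system32\svchost.exe Blocked 192.168.1.1 3022 192.168.1.3 2869
2007-11-26 08:14:52 C:\WINDOWS\system32\svchost.exe Blocked 192.168.1.1 3023 192.168.1.3 2869
2007-11-26 08:15:10 System Idle Process Blocked 0.0.0.0 68 255.255.255.255 67
2007-11-26 08:15:12 System Blocked 203.0.113.7 40112 192.168.1.3 23
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# date time, application (may contain spaces), action, src ip/port, dst ip/port
LINE = re.compile(
    rf"^(\S+ \S+) (?P<app>.+?) (?P<action>\S+) "
    rf"(?P<src>{IP}) (?P<sport>\d+) (?P<dst>{IP}) (?P<dport>\d+)$"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(src, sport, dst, dport):
    """Label one logged flow by where it comes from and what it looks like."""
    ip = ipaddress.ip_address(src)
    if src == "0.0.0.0" and dst == "255.255.255.255" and (sport, dport) == (68, 67):
        return "dhcp-client-broadcast"  # a host without a lease asking for one
    if not any(ip in net for net in RFC1918):
        return "external-source"        # the case that needs a closer look
    return "lan-upnp-2869" if dport == 2869 else "lan-other"


def summarize(text):
    """Return {(label, src): {"count": n, "dports": set}} for parseable lines."""
    out = defaultdict(lambda: {"count": 0, "dports": set()})
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                    # header row or unknown layout
        sport, dport = int(m["sport"]), int(m["dport"])
        entry = out[(classify(m["src"], sport, m["dst"], dport), m["src"])]
        entry["count"] += 1
        entry["dports"].add(dport)
    return dict(out)


if __name__ == "__main__":
    for (label, src), info in sorted(summarize(SAMPLE).items()):
        print(f"{label:22} {src:15} n={info['count']} dports={sorted(info['dports'])}")
```

A single LAN source with one fixed destination port and stepping source ports, as in the thread's excerpt, is consistent with one device retrying the same connection rather than a sweep across ports.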