Help!

I’m getting around 20 Inbound Policy Violations a minute just now and in the last 2 hours there’s been 139 high severity events.

What should I do?

Thanks…

JJ 8)

Are you using any program(s) when the alerts are coming in? P2P/torrent?
What does the log say? Is it ICMP or…?
Do you have a router? Modem? Both?

The PC has been sitting idle, no hard drive activity and nothing untoward was running in Process explorer.
I wasn’t using P2P.

The alerts are either TCP or UDP incoming and the ports are 3868 and 45509.

I don’t have a router and I’m on DSL.

Ok, can you copy and paste some log entries here?
Right click in logs and export as html.

Righto mate…
Switched on this morning and all last night’s logs have gone, but here’s some of today’s.

Date Created: 12:51:43 19-11-2006

Log Scope: Today

Date/Time :2006-11-19 12:49:11
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 172.xxxxxxxxxx, Port = 1027)
Protocol: UDP Incoming
Source: 204.16.208.74:47917
Destination: 172.xxxxxxxxxxx:1027
Reason: Network Control Rule ID = 6

Date/Time :2006-11-19 12:49:11
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 172.xxxxxxxxx, Port = 6346)
Protocol: TCP Incoming
Source: 86.139.144.76:1760
Destination: 172.xxxxxxxxx:6346
TCP Flags: SYN
Reason: Network Control Rule ID = 6

Date/Time :2006-11-19 12:47:31
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 172.xxxxxxxxxx, Port = 6346)
Protocol: UDP Incoming
Source: 86.139.144.76:32143
Destination: 172.xxxxxxxxx:6346
Reason: Network Control Rule ID = 6

Isn’t TCP/UDP port 6346 gnutella/napster or something like that?

Edit: Just did a search. Yes, it is gnutella/napster (Link).
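A small triage script, added here as an example and not something from the thread or from the firewall vendor: it parses entries in the exported-log layout quoted above, then counts them by destination port, source address and protocol and estimates the event rate, which is what you want before deciding whether the noise is one P2P swarm knocking on a single port or something broader. The sample entries are constructed copies of the ones in the post (redacted 172.x addresses kept as written), and the only port label it knows is 6346 as Gnutella, which the poster looked up; every other port is reported as unknown rather than guessed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout of the exported log entries quoted in the
# thread (redacted 172.x addresses kept as the poster wrote them); not real log data.
SAMPLE_LOG = """\
Date/Time :2006-11-19 12:49:11
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 172.xxx.xxx.xxx, Port = 1027)
Protocol: UDP Incoming
Source: 204.16.208.74:47917
Destination: 172.xxx.xxx.xxx:1027
Reason: Network Control Rule ID = 6

Date/Time :2006-11-19 12:49:11
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 172.xxx.xxx.xxx, Port = 6346)
Protocol: TCP Incoming
Source: 86.139.144.76:1760
Destination: 172.xxx.xxx.xxx:6346
TCP Flags: SYN
Reason: Network Control Rule ID = 6

Date/Time :2006-11-19 12:47:31
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 172.xxx.xxx.xxx, Port = 6346)
Protocol: UDP Incoming
Source: 86.139.144.76:32143
Destination: 172.xxx.xxx.xxx:6346
Reason: Network Control Rule ID = 6
"""

# Only the port the thread itself identifies; anything else is reported as unknown.
KNOWN_PORTS = {6346: "Gnutella (BearShare/LimeWire style P2P)"}

# "Key : value" lines; the key may contain spaces or a slash ("Date/Time", "TCP Flags").
FIELD_RE = re.compile(r"^(?P<key>[\w/ ]+?)\s*:\s*(?P<value>.*)$")


def parse_entries(text):
    """Split the exported log into blank-line separated records; return one dict per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                rec[m.group("key").strip()] = m.group("value").strip()
        if not rec:
            continue
        src_host, src_port = rec["Source"].rsplit(":", 1)
        _dst_host, dst_port = rec["Destination"].rsplit(":", 1)
        rec["src_ip"], rec["src_port"] = src_host, int(src_port)
        rec["dst_port"] = int(dst_port)
        rec["proto"] = rec["Protocol"].split()[0]  # "TCP" / "UDP" from "TCP Incoming"
        rec["when"] = datetime.strptime(rec["Date/Time"], "%Y-%m-%d %H:%M:%S")
        entries.append(rec)
    return entries


def summarize(text):
    """Aggregate blocked inbound events by port, source and protocol and estimate the rate."""
    entries = parse_entries(text)
    by_port = Counter(e["dst_port"] for e in entries)
    by_source = Counter(e["src_ip"] for e in entries)
    by_proto = Counter(e["proto"] for e in entries)
    times = [e["when"] for e in entries]
    # Events per minute over the span covered by the sample (0 span -> just the count).
    span_min = (max(times) - min(times)).total_seconds() / 60 if len(times) > 1 else 0
    rate = len(entries) / span_min if span_min else float(len(entries))
    return {
        "total": len(entries),
        "by_port": dict(by_port),
        "by_source": dict(by_source),
        "by_proto": dict(by_proto),
        "events_per_minute": round(rate, 2),
        "port_labels": {p: KNOWN_PORTS.get(p, "unknown") for p in by_port},
        # True when every entry was denied, i.e. the rule did its job and nothing got in.
        "all_denied": all("Access Denied" in e["Description"] for e in entries),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Reading the summary for the sample: every hit was denied, two of three hits come from one source aimed at 6346, and the rate is under two a minute for this snippet. A single repeating source on a known P2P port is the pattern the later replies describe; many distinct sources spread across many ports would be worth a closer look.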

Hi, JolietJake!

If the destination address starting with 172 is your personal IP address, you’d better edit it like this: 172.xxx.xxx.xxx for your own safety and privacy. To avoid a lot of work, just delete most of it and leave the last three or four alerts from your log. I think people will get your drift anyway…

Paul Wynant
Moscow, Russia

I’ve never used either so why would it be hitting my PC about 20 times a minute?

JolietJake,

This could come from a zombie-net looking for BearShare port 6346. I wouldn’t worry about it too much if I were you…

Paul Wynant
Moscow, Russia

If it’s annoying with all the log entries, you could create a network rule that blocks that port and doesn’t log it, and put it above the default block rule.

OK, thanks for all the help guys. (V)