Inbound policy violation (access denied, ip=74.194.39.110, port 35786)

Hi there to everyone…
As the title says, I have that problem in my Comodo log… I get that message every 2-3 seconds… the IP is always changing, but the destination port is always the same and the source port changes… I really have no idea what it could be… I ran some virus and spyware scanners… they found something but that didn’t solve the problem…
Could anyone help me?
Thanks to everyone

I have Windows XP Service Pack 2, and Comodo v2 with the latest update

What access? TCP, UDP, what direction?

As you said yourself, you have no reason whatsoever, at least when idle and not working with specific software, for a request on a high port like 35786:
It stinks like a trojan request.
See what processes are running and what are the corresponding applications, look at the running services, look in your registry for run and runonce entries…

Date/Time :2008-01-25 15:44:22
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 118.6.216.105, Port = 2967)
Protocol: TCP Incoming
Source: 118.6.216.105:3601
Destination: 82.61.62.*:2967
TCP Flags: SYN
Reason: Network Control Rule ID = 12

Date/Time :2008-01-25 15:44:22
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 82.61.39.217, Port = nbsess(139))
Protocol: TCP Incoming
Source: 82.61.39.217:2621
Destination: 82.61.62.*:nbsess(139)
TCP Flags: SYN
Reason: Network Control Rule ID = 12

Date/Time :2008-01-25 15:42:42
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 82.61.91.66, Port = MS-ds(445))
Protocol: TCP Incoming
Source: 82.61.91.66:2613
Destination: 82.61.62.*:MS-ds(445)
TCP Flags: SYN
Reason: Network Control Rule ID = 12

It’s the log of what I receive… the IPs change often… I checked the running processes and I also checked with hijack and some other tools… but there isn’t anything that makes me think of a trojan… I’ll try to run a scan with some other antivirus
and now I notice that the ports are also changing… I don’t understand those msdos and nbsession either

Thank you for helping

You didn’t say what your networking rules are.

As far as we are concerned, they did their job: someone is trying to gain access to your machine via netbios (port 139) and Microsoft DS (port 445), and those connections were denied.

If the alert bothers you, just edit the corresponding rule in the network monitor and uncheck the alert.

We can however go a little further: excepting dedicated applications (p2p, but that’s quite insecure, ftp servers…and the local network if you have one), no one is supposed to have TCP in access to your machine: as an example, I have myself forbidden, as application rules, IE and mstask, TCP and UDP in.

You now log in as an administrator, and you go to “services”:
In the absence of a LAN and of shared resources (printers, other PCs), you should deactivate at least the following services as specified in the “safe” column:
http://www.blackviper.com/WinXP/servicecfg.htm
If you have a LAN, check the functionality afterwards:
if it does not work, re-enable the corresponding service, but make an application rule allowing only the LAN zone: I have these rules for rsvp, svchost and system; at the same time I made 3 networking rules (one each for TCP/UDP, ICMP, IP) only allowing the LAN zone.

Last (for the moment), go to pcflank (http://www.pcflank.com/), grc (ShieldsUP!) or symantec (http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym,) and look at what is unstealthed or open.

As a minimum, you should have ports 23, 135, 137 to 139, 445 and 500 closed.
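
A way to triage entries like the ones posted above, as an added example that is not part of the original thread: it parses the Comodo log format shown here (abridged to the fields used) and groups inbound entries by destination port, showing the distinct sources per port, the TCP flags seen, and how many attempts were denied. The function names are this example's own.

```python
import re
from collections import defaultdict
# Abridged from the three Comodo Network Monitor entries posted in this thread.
SAMPLE_LOG = """\
Description: Inbound Policy Violation (Access Denied, IP = 118.6.216.105, Port = 2967)
Protocol: TCP Incoming
Source: 118.6.216.105:3601
Destination: 82.61.62.*:2967
TCP Flags: SYN

Description: Inbound Policy Violation (Access Denied, IP = 82.61.39.217, Port = nbsess(139))
Protocol: TCP Incoming
Source: 82.61.39.217:2621
Destination: 82.61.62.*:nbsess(139)
TCP Flags: SYN

Description: Inbound Policy Violation (Access Denied, IP = 82.61.91.66, Port = MS-ds(445))
Protocol: TCP Incoming
Source: 82.61.91.66:2613
Destination: 82.61.62.*:MS-ds(445)
TCP Flags: SYN
"""

def parse_port(endpoint):  # 'ip:2967' or 'ip:nbsess(139)' -> int
    port = endpoint.rsplit(":", 1)[1].strip()
    return int(re.search(r"(\d+)\)?$", port).group(1))

def parse_entries(text):
    """Split the log on blank lines; each entry becomes a field dict."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.split(":", 1) for line in block.splitlines() if ":" in line)
        entries.append({k.strip(): v.strip() for k, v in pairs})
    return entries

def summarize(entries):
    """Group inbound entries by destination port and count the denied ones."""
    summary = defaultdict(lambda: {"sources": set(), "flags": set(), "denied": 0})
    for e in entries:
        if "Incoming" not in e.get("Protocol", ""):
            continue  # outbound traffic needs a separate look at local processes
        row = summary[parse_port(e["Destination"])]
        row["sources"].add(e["Source"].rsplit(":", 1)[0])
        row["flags"].add(e.get("TCP Flags", ""))
        row["denied"] += "Access Denied" in e.get("Description", "")
    return dict(summary)

if __name__ == "__main__":
    for port, row in sorted(summarize(parse_entries(SAMPLE_LOG)).items()):
        print(port, sorted(row["sources"]), sorted(row["flags"]), row["denied"])
```

Entries that are all inbound, SYN-only and denied are connection attempts the firewall rule stopped before any session was established.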

OK, this thing is making me crazy… I checked the sites you told me about and the services on the site; I always got green in all tests… all ports stealthed.
I ran scans again… but nothing is found… I really don’t understand why I get these alert messages… and why those IP addresses try to contact me