Internet connection request-IP seems to be from Japan. What is going on?

Please tell me what is attempting to happen. In the last month or so Comodo Firewall alerts me that: Application svchost is getting a remote request from 219.126.174.173 tcp on port ms-rpc(135). I did an IP trace look-up and this is originating from Tokyo, Japan. I do run Avast antivirus and use Firefox browser (don’t know if that is pertinent information). The alert may take a half hour to an hour to appear once I am online. I block this request. Please help me understand what is going on.

Additionally, I have many questions about what is going on with the multitude of connections when going on line. I am very curious and want to understand how things work; but these are for later posts.

Please tell me what might be happening here.

Thanks,

Hey and Welcome Marth!

I can’t answer your question 100% but this should give you more info. You are doing right by blocking the request.

I have found some info related to the IP number you posted: hxxp://www.robtex.com/dns/a027.ap.plala.or.jp.html#shared hxxp://www.ip-adress.com/whois/plala.or.jp. But until you have clear answers I recommend adding this IP to blocked zones.

This is how you add an IP to blocked zones: CIS —> Firewall —> Network Security Policy —> Blocked Zones —> Add —> A new blocked address. Now you write the IP address in a single IP address.

You should also stealth your ports. This is how you do it: CIS —> Firewall —> Stealth Ports Wizard —> Block all incoming connections and make my ports stealth for everyone

I have tried with different scanners to see what I get for results and here they are:

VT: Clean (link http://www.virustotal.com/url-scan/report.html?id=a49f1e974aba9177d7b5bddc67fddad7-1292164841)

IPvoid: Clean

Anubis: Summary:
- Changes security settings of Internet Explorer:
This system alteration could seriously affect safety surfing the World
Wide Web.

- Performs File Modification and Destruction:
    The executable modifies and destructs files which are not temporary.

- Performs Registry Activities:
    The executable reads and modifies registry values. It also creates and
    monitors registry keys.

(http://anubis.iseclab.org/?action=result&task_id=1bcc52437203348449de5378d721ea7ad&call=first)

OFF TOPIC

This is only an example, so don’t open port TCP 1723; this example only shows the procedure how to add a port in the firewall.

By EriJH

To open the port TCP 1723 for example

First step is to determine the MAC or Physical address of your network connector. Go to Start → Run → cmd → enter → a black box will show up and enter the following → ipconfig /all (notice the space before /all) → enter → now look up the Physical address and write it down.

Notice that Physical address = MAC address

Firewall → Network Security policy → Global Rules → Add → fill in the following:
Action: Allow
Protocol: TCP
Direction: In
Description: Incoming Port

Source address: Any
Destination Address: Choose MAC address and fill in the found MAC/Physical address
Source Port: Any
Destination Port: 1723

Then push Apply → Now make sure that the new rule is somewhere above the basic block rule(s) at the bottom (the block rules have red icons); you can drag and drop the rules → Ok

I hope this helps a bit.

Regards,
Valentin


at valentinchen:

why do you tell someone who asked about what he should do when something tries to come in, how he could open a port? he said, he has no idea about traffic, and you tell him how to open a port. totally senseless and dangerous. i don’t know why you don’t see what is useful, and what not. really, your posts are often like a hill with un-needed information, even if they are short. un-needed things, which are presented like a useful thing, are confusing!

at Marth:

use the stealth port wizard of comodo firewall, setting 3 “hide me from everyone”. then you dont get questions for unrequested ingoing traffic.

you never need to allow ingoing traffic, because YOU want to use the internet, but no one should use your pc.

in general: an usual program needs just an OUTgoing rule to work fine. when the program requests “a packet”, the requested packet can come in then.
ONLY running a server or using a p2p need mostly exceptions for INgoing traffic. everything else usually works with just OUTgoing rules (TCP+UDP).
for example windows update: your pc sends a request, and microsoft sends the requested packets to your pc. windows updates need an OUTgoing rule to work fine.
no one in the internet is scanning for access to anyones help! and your firewall is running to give you peace from worries about “ip from whatever”, that is its job.

OFF TOPIC

clockwork… did I write: please open this port… NO! Have you looked at this topic before me? if you have then answer and don’t come here to bug me by telling me that I confuse members! At least 20 viewers have looked and no one answered but here I come with an answer. by the way, I wrote Good to Know!!!

PM me next time you have problems with my posts. Thanks

at valentinchen:
its not important what you THINK you are doing, its important what you do in effect.

stop this “i try to help, so i fire any information i can give, if its needed or not, if its understandable or not.”

the opener CAN’T decide if the information is needed or not. he wants an easy answer, which is useful. he trusts in the answer as “related to what i asked”. he trusts, you understand? your post doesn’t help. there is no difference if you had answered or not! apart from the fact that there would not stand a dangerous hint.
DONT answer just to answer. learn it! so many people tell you this.

just an example: in the past i got 2000 blocked events, should i have look up any of it and then put it in blocked zones? no, i block them automatically.
give useful answers or stop answering.

next time i give your posts to a moderator to look at it. i don’t want to discuss this further with you.

  1. you don’t need give my posts; I don’t hide any posts
  2. please do what you feel is right.

Regards

I am starting with a technical analysis of the situation in Marth’s report. In my subsequent reply I will comment further on Valentinchen’s advice but will advise Marth first.

It looks like he has a modem only connection to the web. That is typically a cable modem without a router or dial up connection. Can you tell us how you connect to the web Marth?

Lots of people have a router in their set up and won’t get these types of alerts as the NAT and the firewall of the router will silently block these unsolicited access requests.

It is not uncommon to have other IP addresses poking at your connection. It is the “background noise” of the web. That does not mean this access request could not be with malicious intent. But that’s what we have the firewall for in the first place. Keep unsolicited access requests at bay.

Assuming Marth has a direct connection to the web it is best, as both of you suggest, to use the stealth settings of the firewall instead of the default settings. Default settings make sense in a network set up with router.

To set the firewall to Stealth go to Firewall → Stealth Ports Wizard → choose Block all incoming connections and make my ports stealth for everyone. Now your firewall is set to stealth and you won’t be bothered anymore by this type of requests.

When you want to run a peer to peer program or other program that needs an open port for incoming traffic come back to the forum and ask for advice.

This is my analysis of Valentinchen’s advice.

There is no need until further notice to block the IP address. The firewall is simply doing its job like it is supposed to.

Even though I am suspicious of the fact that it tries to get access by port 135 there is still no need to block the IP address. Putting the firewall in stealth mode is enough.

Even though the Anubis report warns for the IP address when trying to access it, simply denying access will do the trick.

However when you see in the logs that this IP address is consistently trying to connect to your computer for prolonged periods of time you could report the user with the abuse department of the ISP he or she is using.

A simple advice as to block all unsolicited incoming and setting the firewall to stealth mode is all that is needed.

Blocking the IP address is not needed as setting the firewall to stealth will take care of it and there is no site connected to it.

Edit: The procedure on how to open a port is not needed in the context of this problem. It adds needless information.
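The log check suggested above (watching for an address that keeps trying to connect over a prolonged period before reporting it to the ISP's abuse department) can be sketched as follows. This is an added example, not part of any forum post; the CSV log layout, the sample lines and the thresholds are assumptions constructed for illustration, not Comodo's real log format.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (NOT real Comodo output). Assumed layout:
# timestamp,action,direction,protocol,source_ip,destination_port
SAMPLE_LOG = """\
2010-12-08 09:14:02,Blocked,In,TCP,198.51.100.23,135
2010-12-08 09:14:05,Blocked,In,TCP,203.0.113.7,445
2010-12-09 21:40:11,Blocked,In,TCP,198.51.100.23,135
2010-12-10 07:02:45,Allowed,Out,TCP,192.0.2.10,443
2010-12-11 10:30:00,Blocked,In,TCP,198.51.100.23,135
2010-12-11 10:30:09,Blocked,In,UDP,203.0.113.7,1434
malformed line without enough fields
2010-12-12 23:55:31,Blocked,In,TCP,198.51.100.23,135
"""

def persistent_sources(log_text, min_hits=3, min_span=timedelta(days=2)):
    """Return sources whose blocked inbound attempts recur over a long period."""
    seen = defaultdict(list)  # source_ip -> [(timestamp, port), ...]
    for row in csv.reader(log_text.splitlines()):
        if len(row) != 6:
            continue  # skip malformed or truncated lines
        stamp, action, direction, _proto, src, port = (f.strip() for f in row)
        if action != "Blocked" or direction != "In":
            continue  # only unsolicited inbound traffic the firewall dropped
        try:
            event = (datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), int(port))
        except ValueError:
            continue  # unparseable timestamp or port
        seen[src].append(event)

    report = []
    for src, events in seen.items():
        times = [t for t, _ in events]
        # One-off probes are background noise; flag only repeated attempts
        # spread over at least min_span.
        if len(events) >= min_hits and max(times) - min(times) >= min_span:
            report.append({
                "source": src,
                "hits": len(events),
                "first_seen": min(times),
                "last_seen": max(times),
                "ports": sorted({p for _, p in events}),
            })
    return sorted(report, key=lambda r: r["hits"], reverse=True)

if __name__ == "__main__":
    for entry in persistent_sources(SAMPLE_LOG):
        print(entry["source"], entry["hits"], entry["ports"],
              entry["first_seen"], "->", entry["last_seen"])
```
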

in the case that the topic opener is not native english speaking,

when it’s said “no need to block that ip”, it means: “it’s not needed to make a special block rule for single ip-addresses, just use the stealth port wizard (setting 3) to block unrequested INgoing traffic at all”.

it does NOT(!) mean: allow.

just wanted to make that really clear. :slight_smile: … i know how easy it is to misunderstand english sometimes.

Hi Guys,

Marth,

In addition to what clockwork & EricJH posted, please search this forum for “port 135” (no quotes)

You will find many excellent discussions & suggestions

Sure you can Google the similar and one of the sites would be GRC where you can read about it and other ports; what spare services can be disabled in order to make your system more secure meaning the use of specific ports … and so on

My regards

p.s. !ot! I totally agree with clockwork re: “another issue” that he touched here. Indeed!