Intrusion attempt by unknown IPs. Please help.

It looks like for the last 2-3 days Comodo Firewall has been reporting several intrusion attempts on my machine that the firewall has been blocking. These intrusion attempts are making me worried, since Comodo is reporting a huge number of them (30-40+) every day. Most of the intrusion attempts are coming from these IP addresses:

64.215.158.16
64.215.158.24

69.22.179.66
69.22.179.112

216.246.75.73
215.246.75.81

All the intrusion attempts are using the TCP protocol and port 80. This usually happens when I am surfing online.

Does anybody know how to stop those intrusion attempts? What should I do to stop them?

Please help me.

What program is using the connection and what port is it using? It’s either something you need to block or something you need to trust. Can’t really tell from the IP address.

As far as I see it may sound weird but

Windows operating system using protocol TCP and ip 80 (!!!)

and

temp file of Sophos update.

I also noticed that when I am online with only 2/3 tabs open in my Firefox browser, Comodo shows about 45-56 outgoing connections. Is that weird?

Hello skboss,

I’m afraid I don’t have enough info yet to say something useful about the “intrusions”, but having 2/3 tabs open and having over 40 connections comes down to more than 10 connections a page. That is not a “normal” webpage; they should not stay active for a long time…

Those IPs are a few from Akamai. It could also be that you blocked something like BITS traffic and that it’s trying to download updates?

Can you please post more details about the “blocked” traffic?

Hello Ronny,

Thanks for helping me out here. I have 3 tabs open in Firefox: Facebook, Yahoo and the Comodo forum (which is this one), and I have about 53 connections. I have Firefox and svchost.exe running in my Comodo Traffic list.

What is Akamai and what does it do? I don’t think I have any program associated with that company. For my firewall rule, I put it as Allow, the protocol is IP, the direction is Out, and the IP protocol is Any (all of these are from the advanced firewall network security policy). As far as I know there is no blocked program in my program list. Hope this helps.

Akamai handles various web services for a lot of corporations. It’s fairly common to connect to Akamai servers.

skboss,

I have way fewer connections, but then I’m only loading the homepages of those sites.
Can you run a scan with Malwarebytes Anti-Malware? You can find it here. After installing, update the definitions and run a full scan, and see if anything turns up.

Ronny

I ran a full scan and it didn’t find anything. I also scanned my PC with Norton 360 and nothing came up there either.

This is what it says—

3/9/2009 9:43:42 PM
mbam-log-2009-03-09 (21-43-42).txt

Scan type: Full Scan (C:|D:|)
Objects scanned: 169750
Time elapsed: 1 hour(s), 48 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

How did you configure Firefox in your Comodo firewall?

Skboss,

My Firefox is configured as shown in the screenshot; the red block contains the IP address of the DNS server.

Could you also run a scan for rootkits?
With GMER; you can find it here.

If you watch the connections, do they drop to a lower number once the page is loaded? If you wait for a certain time they normally have to close a few that just loaded images etc…

Ronny,

I don’t see any screenshot of Firefox, and I am not sure what GMER does. But I am going to run a test anyway.

Should I upload a copy of GMER scan report after it’s done scanning my PC? Please let me know.

Also to let you know, the connections usually don’t drop. Most of the time I have 40-55 connections reported by Comodo firewall whenever I have 3-4 tabs open.

Sorry forgot to attach it.

GMER is an anti-rootkit scanner. If it finds anything suspicious it will give an extra alert saying that it found possible traces of rootkit activity; if it did not, then you should be fine.

A rootkit is a piece of software that can “hide” between the OS and you.
So you won’t see its files, because it filters them if you open Explorer, and you won’t see its network traffic because it filters it between your capture tool/security software, whatever… That’s probably the most dangerous software you can get infected with, because all scanners will show up clean while you could be heavily infected.

Can you post a screenshot of those connections? (Please blur your own IP address.)
Or from the firewall logging, what gets blocked.

[attachment deleted by admin]

Ronny,

From where should I take the screenshot: the Comodo Internet Security policy or the traffic list of outgoing connections?

By the way, Ronny,

Here is a screenshot of a couple of intrusion attempts that happened earlier this month. Since then, I haven’t been using that computer until I find a solution. I also attached a copy of the GMER scan.

Thank you for all your help. I really appreciate it.

[attachment deleted by admin]

skboss,

The intrusion attempts are not incoming “intrusions” but blocked “outgoing” traffic. It seems like there is some blocking rule somewhere that blocks outgoing WOS traffic. Look for something that is blocked in your Application and Global rules and see if you can find something there…

Do you have any idea what this file is?
C:\Users\<your username>\Desktop\j369qkr4.exe

That does not look good. Can you see that file on the desktop? (Check your Explorer settings if you have “show hidden files” active.)

I see also that you are still running CMF, is that correct? CMF is implemented in CIS, so I would uninstall that.

p.s. I have removed the gmer.doc after saving it.
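The distinction Ronny draws above, between incoming connection attempts and outgoing traffic that a rule blocked, is the first thing to settle when a firewall reports “intrusion attempts”. The PowerShell snippet below is an added example, not code from the thread or from Comodo: it takes firewall log entries, decides direction by whether the packet’s source address belongs to this PC, and summarises the blocked entries per direction, application and remote endpoint. The log lines, the local address 192.168.1.10 and the column layout (application, action, protocol, source, destination, time) are all constructed for illustration and are not Comodo’s export format.

```powershell
# Added example (not from the thread): summarise blocked firewall entries so that
# blocked OUTGOING traffic is not mistaken for incoming attacks.
# The log text and the local address below are constructed sample data.

$localAddresses = @('192.168.1.10')   # constructed: this PC's own address

$logText = @'
Application,Action,Protocol,SourceIP,SourcePort,DestIP,DestPort,Time
Windows Operating System,Blocked,TCP,192.168.1.10,49211,64.215.158.16,80,3/9/2009 9:12:03 PM
Windows Operating System,Blocked,TCP,192.168.1.10,49215,64.215.158.24,80,3/9/2009 9:12:04 PM
Windows Operating System,Blocked,TCP,192.168.1.10,49230,69.22.179.66,80,3/9/2009 9:13:41 PM
firefox.exe,Allowed,TCP,192.168.1.10,49231,69.22.179.112,80,3/9/2009 9:13:42 PM
Windows Operating System,Blocked,TCP,192.168.1.10,49240,216.246.75.73,80,3/9/2009 9:15:10 PM
System,Blocked,UDP,192.168.1.55,137,192.168.1.10,137,3/9/2009 9:16:22 PM
'@

function Get-BlockedTrafficSummary {
    param(
        [Parameter(Mandatory)] [string]   $Csv,
        [Parameter(Mandatory)] [string[]] $LocalAddresses
    )

    # Only the entries the firewall actually blocked are "intrusion attempts".
    $events = $Csv | ConvertFrom-Csv | Where-Object Action -eq 'Blocked'

    $classified = foreach ($e in $events) {
        # If the source is one of our own addresses, this host initiated the packet:
        # an outbound connection that a rule stopped, not an attacker knocking.
        $direction = if ($LocalAddresses -contains $e.SourceIP) { 'Outgoing' } else { 'Incoming' }
        $remote    = if ($direction -eq 'Outgoing') {
            "$($e.DestIP):$($e.DestPort)"
        } else {
            "$($e.SourceIP):$($e.SourcePort)"
        }
        [pscustomobject]@{
            Direction   = $direction
            Application = $e.Application
            Protocol    = $e.Protocol
            Remote      = $remote
        }
    }

    # One row per direction/application/protocol, with the distinct remote endpoints.
    $classified |
        Group-Object Direction, Application, Protocol |
        ForEach-Object {
            [pscustomobject]@{
                Direction   = $_.Group[0].Direction
                Application = $_.Group[0].Application
                Protocol    = $_.Group[0].Protocol
                Count       = $_.Count
                Remotes     = ($_.Group.Remote | Sort-Object -Unique) -join ' '
            }
        } |
        Sort-Object Count -Descending
}

Get-BlockedTrafficSummary -Csv $logText -LocalAddresses $localAddresses | Format-Table -AutoSize
```

On the sample data the summary shows four outgoing TCP blocks to port 80 attributed to “Windows Operating System” and a single incoming UDP block from a LAN neighbour, which is the pattern that points at an outbound blocking rule rather than at the remote hosts. With a real export you would replace the here-string with `Import-Csv` on the saved log file, after mapping its column names onto the ones the function expects.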

Ronny,

As far as I can see, C:\Users\<your username>\Desktop\j369qkr4.exe is basically the GMER exe file.

And you are right. I am using Comodo Firewall Pro. I didn’t download CIS since I already have CFpro.

Is there anything else that I can do to configure Firefox correctly? I think that is the only reason I am having so many connections when I am running Firefox. Otherwise, I don’t see too many connections.

Please let me know what I should do.

I would set Firefox to the predefined policy “Web Browser”; that should work.
Please also set svchost.exe to “Trusted Application”.

Thank you for your help. I will set Firefox as Web Browser and let you know whether the number of connections has decreased or not.

I don’t know if this is a good idea. A lot of malware likes to put its own svchost.exe on your system.

That should be caught by Defense+; this one should be c:\windows\system32\svchost.exe.
CIS defaults to this also…

I didn’t explain myself well, sorry. What I meant was that it’s dangerous to simply tell someone to trust svchost.exe without first ensuring it’s the valid path.
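The caveat in the last two posts, that svchost.exe should only be trusted once its path is confirmed to be the Windows system copy, can be checked directly rather than by eye. The PowerShell snippet below is an added example and is not code from the thread or from Comodo: for every running svchost.exe it checks the executable path against the Windows system directories, verifies the Authenticode signature, and confirms the parent process is services.exe, which is how the genuine service host is started. The allow-list of paths and the parent-process expectation are assumptions about a standard Windows install; run it from an elevated prompt so that processes of all users are visible.

```powershell
# Added example (not from the thread): list every running svchost.exe and flag
# instances that do not come from the Windows system directories, are not
# signed by Microsoft, or were not started by services.exe.
# Requires PowerShell 3 or later; run elevated so every process is readable.

$expectedPaths = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')   # 32-bit copy shipped on 64-bit Windows
)

function Test-SvchostInstance {
    param([Parameter(Mandatory)] $Process)   # a Win32_Process CIM instance

    $path    = $Process.ExecutablePath
    $reasons = @()

    # 1. Location: the real service host lives in the Windows system directory.
    #    (-notcontains compares case-insensitively, like the file system.)
    if (-not $path) {
        $reasons += 'path not readable (run elevated)'
    } elseif ($expectedPaths -notcontains $path) {
        $reasons += "unexpected path: $path"
    }

    # 2. Signature: the genuine binary carries a valid Microsoft Authenticode signature.
    if ($path -and (Test-Path $path)) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $reasons += "signature status: $($sig.Status)"
        }
    }

    # 3. Parent: service hosts are started by services.exe. PIDs can be reused after
    #    a process exits, so treat a mismatch as a reason to look closer, not as proof.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($Process.ParentProcessId)"
    if (-not $parent -or $parent.Name -ne 'services.exe') {
        $reasons += "parent is '$($parent.Name)' (expected services.exe)"
    }

    [pscustomobject]@{
        PID        = $Process.ProcessId
        Suspicious = ($reasons.Count -gt 0)
        ParentName = $parent.Name
        Path       = $path
        Reasons    = ($reasons -join '; ')
    }
}

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object { Test-SvchostInstance -Process $_ } |
    Sort-Object Suspicious -Descending |
    Format-Table PID, Suspicious, ParentName, Path, Reasons -AutoSize
```

A clean system prints every row with `Suspicious` false and the System32 path; any row with a path outside the Windows directory, a non-Microsoft or invalid signature, or a parent other than services.exe is the case the last two posts warn about and deserves investigation before any “Trusted Application” rule is granted to it.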