It looks like for the last 2-3 days Comodo Firewall has been reporting several intrusion attempts on my machine that the firewall has been blocking. But these intrusion attempts are making me worried, since Comodo is reporting a huge number of intrusion attempts (30-40+) every day. And most of the intrusion attempts are coming from these IP addresses:
64.215.158.16
64.215.158.24
69.22.179.66
69.22.179.112
216.246.75.73
215.246.75.81
All the intrusion attempts are using the TCP protocol and port 80. This usually happens when I am surfing online.
Does anybody know how to stop those intrusion attempts? What should I do to stop those attempts?
What program is using the connection and what port is it using? It's either something you need to block or something you need to trust. Can't really tell from the IP address.
I'm afraid I don't have enough info yet to say something useful about the "intrusions", but having 2/3 tabs open and having over 40 connections would come down to more than 10 connections a page; that is not a "normal" webpage, and they should not stay active for a long time…
Those IPs are a few from Akamai; it could also be that you blocked something like BITS traffic and that it's trying to download updates?
Can you please post more details about the "blocked" traffic?
Thanks for helping me out here. I have 3 tabs open on Firefox: Facebook, Yahoo and the Comodo forum (which is this one), and I have about 53 connections. I have firefox and svchost.exe running on my Comodo traffic list.
What is Akamai and what does it do? I don't think I have any program associated with that company. For my firewall rule, I put it as allow, protocol is IP, direction is out, IP protocol is any (all of these are from the advanced firewall network security policy). As far as I know there is no blocked program in my program list. Hope this helps.
I have way fewer connections, but then I'm only loading the homepages of those sites.
Can you run a scan with Malwarebytes Anti-Malware? You can find it here; after installing, update the definitions and run a full scan to see if anything turns up.
My Firefox is configured as shown in the screenshot; the red block contains the IP address of the DNS server.
Could you also run a scan for rootkits?
With GMER; you can find it here.
If you watch the connections, do they drop to a lower number once the page is loaded? If you wait for a certain time they normally have to close a few that just loaded images etc…
I don't see any screenshot of Firefox and I am not sure what GMER does. But I am gonna run a test anyway.
Should I upload a copy of the GMER scan report after it's done scanning my PC? Please let me know.
Also, to let you know, the connections usually don't drop. Most of the time I have 40-55 connections reported by Comodo Firewall whenever I have 3-4 tabs open.
GMER is an anti-rootkit scanner; if it finds anything suspicious it will give an extra alert saying that it found possible traces of rootkit activity. If it did not, then you should be fine.
A rootkit is a piece of software that can "hide" between the OS and you.
So you won't see its files, because it filters them if you open Explorer; you won't see its network traffic because it filters it between your capture tool/security software, whatever… That's probably the most dangerous software you can get infected with, because all scanners will show up clean while you could be heavily infected.
Can you post a screenshot of those connections? (Please blur your own IP address.)
Or, from the firewall logging, what gets blocked.
Here is a screenshot of a couple of intrusion attempts that happened earlier this month. Since then, I haven't been using that computer until I find a solution. I also attached a copy of the GMER scan.
Thank you for all your help. I really appreciate it.
The intrusion attempts are not incoming "intrusions" but blocked "outgoing" traffic; it seems like there is some blocking rule somewhere that blocks outgoing traffic. Look for something that is blocked in your application and global rules and see if you can find something there…
Do you have any idea what this file is?
C:\Users\<your username>\Desktop\j369qkr4.exe
That does not look good; can you see that file on the desktop? (Check Explorer settings if you have "show hidden files" active.)
I see also that you are still running CMF, is that correct? CMF is implemented in CIS, so I would uninstall that.
As I see it, C:\Users\<your username>\Desktop\j369qkr4.exe is basically the GMER exe file.
And you are right. I am using Comodo Firewall Pro. I didn't download CIS since I already have CF Pro.
Is there anything else that I can do to configure Firefox correctly? I think that is the only reason I am having so many connections when I am running Firefox. Otherwise, I don't see too many connections.
I didn't explain myself well, sorry. What I meant was that it's dangerous to simply tell someone to trust svchost.exe without first ensuring it's the valid path.
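Two points in this thread are easy to check mechanically: whether the "intrusions" are really blocked outbound port-80 traffic rather than inbound attacks, and whether a logged svchost.exe actually lives in the Windows system directory before it is trusted. The script below is an added example written for this page; it is not Comodo's code and the pipe-separated log format it parses is an assumed simplification, not Comodo's real export. The sample log lines are constructed and reuse the destination IPs from the first post.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample log in an assumed, simplified pipe-separated format
# (app|action|direction|proto|src:port|dst:port). Not Comodo's real format.
SAMPLE_LOG = """\
firefox.exe|Blocked|Out|TCP|192.168.1.5:49152|64.215.158.16:80
firefox.exe|Blocked|Out|TCP|192.168.1.5:49153|64.215.158.24:80
svchost.exe|Blocked|Out|TCP|192.168.1.5:49154|69.22.179.66:80
firefox.exe|Blocked|Out|TCP|192.168.1.5:49155|64.215.158.16:80
C:\\Users\\demo\\AppData\\Local\\Temp\\svchost.exe|Blocked|Out|TCP|192.168.1.5:49156|216.246.75.73:80
unknown|Blocked|In|TCP|203.0.113.9:4444|192.168.1.5:445
"""

# Directories where the genuine Windows svchost.exe is installed.
EXPECTED_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_log(text):
    """Parse the assumed pipe-separated format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        app, action, direction, proto, src, dst = line.split("|")
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        events.append({
            "app": app, "action": action, "direction": direction,
            "proto": proto, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
        })
    return events


def summarize(events):
    """Count blocked events per (direction, remote IP, remote port)."""
    counts = Counter()
    for e in events:
        if e["action"] != "Blocked":
            continue
        if e["direction"] == "Out":
            counts[("Out", e["dst_ip"], e["dst_port"])] += 1
        else:
            counts[("In", e["src_ip"], e["dst_port"])] += 1
    return counts


def classify(event):
    """Describe what a blocked event most likely means, in the thread's terms."""
    if event["direction"] == "Out" and event["proto"] == "TCP" and event["dst_port"] == 80:
        return "outbound web request blocked by a local rule (not an inbound intrusion)"
    if event["direction"] == "In":
        return "inbound connection attempt dropped"
    return "other blocked traffic"


def svchost_path_is_expected(path):
    """True if the path is the system svchost.exe, False if it lives elsewhere,
    None when only a bare name was logged and the location cannot be judged."""
    p = PureWindowsPath(path)
    if p.name.lower() != "svchost.exe":
        return False
    if p.parent == PureWindowsPath("."):  # no directory component logged
        return None
    return str(p.parent).lower() in EXPECTED_SVCHOST_DIRS


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for key, n in sorted(summarize(events).items()):
        print(f"{key[0]:>3} {key[1]:>16}:{key[2]:<5} blocked {n}x")
    for e in events:
        verdict = svchost_path_is_expected(e["app"])
        note = "" if verdict is None else f"  svchost location ok={verdict}"
        print(f"{e['app']}: {classify(e)}{note}")
```

Run stand-alone, it groups the blocked events by remote IP and port, labels the port-80 outbound entries as a local rule blocking the browser rather than an attack, and returns None for the bare `svchost.exe` entry, which is exactly the case where the last post says a trust rule should not be added without first confirming the path.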