Intrusion attempt by Windows System? How to get rid of this problem?

I have been receiving multiple intrusion attempts by my Windows system. I am not sure why it’s happening. Is it some type of malware? Someone please help me deal with this issue.

P.S.: I have attached an image of the intrusion attempts.

[attachment deleted by admin]

Hi skboss,

Can you tell me on which side your source IP is?
Is it “internet” connecting to you on TCP 2869, or are you connecting to internet on TCP 2869?

This port is normally used for UPnP framework traffic…

To tell you the truth, I am not sure about that. How can I figure that out?

If you open a command box (start, run, cmd and then press ENTER) you’ll get a black window. Now type

ipconfig

and see what it shows with “IP Address”

Did you set your firewall to “Block all incoming connections and Stealth my Ports to Everyone”?

I ask because I am having a similar problem and I believe this to be the root of my problem. I am unsure whether your problem is related to mine, but on the off-chance that it is…

Big chance Chiron494,

Are you also running a torrent client? That would cause incoming traffic?

Sorry, I was busy with my school work. I don’t see any of those IP addresses as my IP address. The first digits are the same, e.g. if the source IP and destination IPs are xxx.xxx.fgr.asd and xxx.xxx.rtg.adf, my IP address is xxx.xxx.y.zzz

What should I do? How do I solve this problem?

So you’re saying you are seeing packets that are not destined for or coming from your IP?
That’s not normal… only for broadcast traffic. Do any of those end in .255?

Well I see a change now. Looks like the destination ip matches with my ip now.

E.g.: my IP: xxx.xxx.xxx.www, source IP: xxx.xxx.xxx.qqq, destination IP: xxx.xxx.xxx.www

What does it mean if my ip and the destination ip match?

Yes that’s traffic directed to your system.

If your IP is in the “source” field it’s traffic going OUT FROM your PC.
If your IP is in the “destination” field it’s traffic COMING IN to your PC.

Did the port number on the destination port also change? And can you repost a new screenshot only blanking your IP, not the others?

Ok. I attached an updated picture of the firewall intrusion attempt. The destination IP is my IP whereas the source IP is a bit different. Ex: my IP and destination IP both are xxx.xxx.xxx.xxx while the source IP is xxx.xxx.xxx.yyy

[attachment deleted by admin]

Those are scans against the Windows File and Printer sharing ports.
You can safely create a drop rule for these on the Global rules tab and not log these.

Set a global rule like this

Block
TCP or UDP
Source IP ANY
Source Port ANY
Destination ANY
Destination Port Range 137-139

And another one with
Block
TCP or UDP
Source IP ANY
Source Port ANY
Destination ANY
Destination Port Range 445

This will block all incoming File & Printer sharing “attacks”. Normally you move these rules all the way up to the top of the rulebase so they match first. If you use File and Printer sharing on your local LAN then you have to place these rules below that specific access rule.
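
The rule-ordering advice in the post above, modelled as an added example (not part of the original thread, and not Comodo's own rule engine or configuration format). It shows how first-match evaluation decides whether a probe on ports 137-139 or 445 is dropped silently, allowed from the LAN, or falls through to a logged block. The 192.168.1.0/24 LAN rule, the sample source addresses and the final block-and-log default are assumptions.

```python
# Added example: first-match evaluation of a global rule list (constructed model,
# not Comodo's actual rule engine or configuration format).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str        # "allow" or "block"
    protos: tuple      # protocols the rule covers, e.g. ("tcp", "udp")
    src: str           # source network in CIDR form; "0.0.0.0/0" means ANY
    ports: range       # destination port range
    log: bool = False  # whether a match is written to the firewall log

def evaluate(rules, proto, src_ip, dst_port):
    """Return (action, index of matching rule, logged) with first-match semantics."""
    for i, r in enumerate(rules):
        if (proto in r.protos and ip_address(src_ip) in ip_network(r.src)
                and dst_port in r.ports):
            return r.action, i, r.log
    # Assumption: nothing matched, so a final "block and log everything" rule applies.
    return "block", None, True

ANY = "0.0.0.0/0"
BOTH = ("tcp", "udp")
# The two block rules from the post: destination ports 137-139 and 445, not logged.
BLOCK_NETBIOS = Rule("block", BOTH, ANY, range(137, 140))
BLOCK_SMB = Rule("block", BOTH, ANY, range(445, 446))
# Hypothetical LAN access rule for a network that uses File and Printer sharing.
ALLOW_LAN = Rule("allow", BOTH, "192.168.1.0/24", range(0, 65536))

# Order A: block rules at the very top (no local file sharing wanted).
BLOCKS_FIRST = [BLOCK_NETBIOS, BLOCK_SMB, ALLOW_LAN]
# Order B: block rules below the LAN access rule (local file sharing in use).
LAN_FIRST = [ALLOW_LAN, BLOCK_NETBIOS, BLOCK_SMB]

if __name__ == "__main__":
    # Constructed sample packets: (protocol, source IP, destination port).
    samples = [("tcp", "192.168.1.20", 445), ("tcp", "203.0.113.7", 445),
               ("udp", "203.0.113.7", 137), ("tcp", "203.0.113.7", 2869)]
    for name, rules in (("blocks first", BLOCKS_FIRST), ("LAN first", LAN_FIRST)):
        for pkt in samples:
            print(name, pkt, evaluate(rules, *pkt))
```
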

Thanks for the suggestion, but one quick question: how do I set up those rules, meaning where do I go after opening Comodo?

Firewall → Advanced → Network Security Policy, then switch to the TAB Global Rules

It should look like this one here:

Thanks for the help. Really appreciate it. I set it up as it shows on the pic.

The above picture is from the “Default” settings; this does not reflect the “Stealth ports wizard” block all incoming traffic. It was merely used to show how it looks :wink:

Did you add the 2 rules on the top of this?

I did but unfortunately it still shows the intrusion attempt. :frowning:

Are you sure you did not set logging enabled on the two block rules?

Can you please post your Global Rules and the piece of firewall logging showing the blocks?

I am pretty sure I followed the instruction. Here are the pics–

[attachment deleted by admin]

Why have you hidden the IPs? Show us these pigs! >:(