I've been hacked. It seems they've installed a fake Comodo firewall in my PC.

My PC behaves oddly lately. In the last few days, I’ve been playing Borderlands 2 and, from time to time, I notice that my keyboard and mouse aren’t as responsive as before. I think an unidentified hacker is able to move them slightly remotely, just to annoy me and get on my nerves.

Yesterday, I configured my Comodo Firewall to allow access only to DNS and Steam servers. It isn’t working, as my PC is accessing other IP addresses. This morning, I clicked on Comodo’s icon in the taskbar and it wasn’t responding. My hypothesis is that hackers may have developed a process that emulates Comodo’s GUI, and substituted the real Comodo process in memory. Do you know what I could do to fix this? Any help would be much appreciated.

Using Wireshark I’ve observed that the following TCP ports on my computer are being accessed remotely: h2250-annex-g, bintec-admin, novell-ipx-cmd, and-lm, sqdr, tcim-control, nec-raidplus, fyre-messanger, g5m, signet-ctf and ccs-software. Do you know what kind of trojan/rootkit I may have in my computer? I’m using Comodo v5.12 on a Windows 7 64-bit PC. Also, as they are accessing the novell-ipx-cmd port, do you know if Comodo is able to block protocols other than IP?

Would you mind posting some more details please:

  1. Details of your CIS configuration - you can export the config, zip it and attach it to a post if you wish
  2. Any CIS log files showing relevant connections
  3. Your wireshark dump

Ok. I’ve attached the CIS configuration file and the Wireshark dump. I haven’t attached any log of connections because I’ve put Comodo in blocked mode to prevent external access. I’ve rebooted my PC and now I’m posting this from an Ubuntu live CD session (I don’t think it can be hacked unless the attackers had installed a hacked BIOS firmware, but I consider it would be very hard to do, so I don’t think this is the case).

wireshark_capture.7z MD5: f86fc04b72bb68b9c777bc1b2db1cd38
comodo_config.7z MD5: 00eb25220f3ed9675963ef302110918f

[attachment deleted by admin]

Are you directly connected to the web or is there a router in your network set up?

I’m connected through an ADSL router to the Internet. I’ve worked for several years in companies that make software for my ISP and I’ve suffered from mobbing in my workplace. I tell you all of this because I think my access to the Internet isn’t free. If you see strange IP addresses in the Wireshark dump, it may be for this reason (it could be DNS poisoning). Furthermore, if you notice odd behaviour from a “trusted” IP address, consider that one of my former coworkers could have altered routing tables in an ISP node, so maybe my PC is accessing rogue computers instead of the real ones.

From what I can see your CIS configuration is corrupted. So, my first suggestion would be to run a diagnostics (CIS/More/Diagnostics) but I’d be inclined to create a new CIS configuration regardless.

As far as the Wireshark dump is concerned, there’s nothing out of the ordinary, although it looks like this is only part of a bigger file? Although it looks a little strange, Wireshark simply sees a port and then uses the standard IANA port list to see which service is listed against that port and reports it. It doesn’t mean it really is that service using the port, just that a connection has been made.

There are many reasons why these connections show in Wireshark or your CIS logs; for example, inappropriately configured firewall rules and/or an incorrectly configured router are just two reasons. One thing I did notice: in your Global rules, you have blocked IP in (fourth rule from the bottom) but you have three inbound allow rules below. These rules will never be seen.

Diagnostics didn’t find anything wrong in my CIS configuration. Anyway, I’m going to upgrade to the latest version of CIS (currently, I have CIS 5.12 installed).

The reason I have the three inbound allow rules below the “block all inbound traffic” one is to be able to put them back easily on the list when I want my computer to act as a server on my LAN. I don’t want them to be always active because my LAN has Wifi access and an unknown attacker was able to alter my router configuration once. I’ve configured my Wifi with a strong WPA key (63 bytes) but I think a hacker could have obtained it easily from my Windows 7 network configuration (AFAIK Wifi keys are stored unencrypted in the Windows registry).

I suggested on the “Wishlist - CIS” that it would be great to add an “active” switch to firewall rules, so they can be enabled/disabled without requiring the “trick” of moving them back and forth on the rules list. I suppose I could have several CIS configurations to do this but it seems far more complex to me.

When installing please follow the advice I give in my article about How to Install Comodo Firewall to make sure your computer is clean and stays that way.

I’ve installed CIS v6 but something odd happens when I add a new Network Zone which contains several machines identified by their host name. This is the config for the new network in the config file:

As you can see, Comodo automatically adds AddrStart=“23.21.215.35” and AddrEnd=“107.21.213.12” for the host name “leviathan.services.gearboxsoftware.com”. As a result, my PC is able to access IP addresses between 23.21.215.35 and 107.21.213.12, when what I wanted is access only to “leviathan.services.gearboxsoftware.com” (23.21.215.35).

I’ve attached the full config file in the post.

[attachment deleted by admin]

Gearbox games appear to be using Amazon EC2 services for hosting, so don’t expect a single address to be associated with one of their domain names.

[attachment deleted by admin]

But what happens when I add a new address (host name) with multiple IP address resolution to a Network Zone is the following: the lowest IP address in the range is assigned to AddrStart and the highest IP address is assigned to AddrEnd (as you’ve seen it happened with leviathan.services.gearboxsoftware.com). Then, if I configure the firewall to allow Internet access only to sites in the Network Zone that includes the host with several IP addresses, what really happens is that I can access any Internet site that has an IP address between AddrStart and AddrEnd. Well, at least on my computer. It seems to be a bug in CIS. Do the test yourself if you have time. I agree that the “leviathan.services.gearboxsoftware.com” case is not very common because frequently host names are resolved to a consecutive range of IP addresses.

Keep your rules per application.
That’s not confusing.

Actually, it’s not a single range, it’s several.

==================================================
Order             : 1
IP Address        : 107.21.213.12
Status            : Succeed
Country           : USA - Washington
Network Name      : AMAZON-EC2-8
Owner Name        : Amazon.com, Inc.
From IP           : 107.20.0.0
To IP             : 107.23.255.255
Allocated         : Yes
Contact Name      : Amazon.com, Inc.
Address           : Amazon Web Services, Elastic Compute Cloud, EC2, 1200 12th Avenue South, Seattle
Email             : aes-noc[at]amazon.com
Abuse Email       : ec2-abuse[at]amazon.com
Phone             : +1-206-266-4064 
Fax               : 
Whois Source      : ARIN
Host Name         : 
Resolved Name     : ec2-107-21-213-12.compute-1.amazonaws.com
==================================================

==================================================
Order             : 2
IP Address        : 23.21.215.35
Status            : Succeed
Country           : USA - Washington
Network Name      : AMAZON-EC2-USEAST-10
Owner Name        : Amazon.com, Inc.
From IP           : 23.20.0.0
To IP             : 23.23.255.255
Allocated         : Yes
Contact Name      : Amazon.com, Inc.
Address           : Amazon Web Services, Elastic Compute Cloud, EC2, 1200 12th Avenue South, Seattle
Email             : aes-noc[at]amazon.com
Abuse Email       : ec2-abuse[at]amazon.com
Phone             : +1-206-266-4064 
Fax               : 
Whois Source      : ARIN
Host Name         : 
Resolved Name     : ec2-23-21-215-35.compute-1.amazonaws.com
==================================================

==================================================
Order             : 3
IP Address        : 54.243.98.212
Status            : Succeed
Country           : USA - Washington
Network Name      : AMAZO-ZIAD1
Owner Name        : Amazon.com, Inc.
From IP           : 54.242.0.0
To IP             : 54.243.255.255
Allocated         : Yes
Contact Name      : Amazon.com, Inc.
Address           : Amazon Web Services, Elastic Compute Cloud, EC2, 1200 12th Avenue South, Seattle
Email             : aes-noc[at]amazon.com
Abuse Email       : ec2-abuse[at]amazon.com
Phone             : +1-206-266-4064 
Fax               : 
Whois Source      : ARIN
Host Name         : 
Resolved Name     : ec2-54-243-98-212.compute-1.amazonaws.com
==================================================

From within those, from what I can tell, Amazon have mapped six addresses to leviathan.services.gearboxsoftware.com

107.20.158.95
107.20.249.236
107.21.213.12
23.21.215.35
54.243.179.220
54.243.98.212

Personally, I wouldn’t use host/domain names in zones.
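To make the over-permission described two posts up concrete, here is an added example (my own code, not from the thread, from Comodo or from Gearbox). It takes the six addresses listed above, reproduces the observed behaviour of collapsing them into one AddrStart..AddrEnd range, counts how many addresses that range really admits, and shows the per-address entries one would want instead. The probe address 54.0.0.1 is a constructed value chosen only because it lies between the two endpoints; it is not associated with any host in the thread.

```python
"""Model of a network-zone entry that collapses a multi-address host name
into a single AddrStart..AddrEnd range, versus one entry per address.
Added example; not CIS code and not from the forum thread."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# The six addresses the thread reports for leviathan.services.gearboxsoftware.com.
LEVIATHAN_ADDRS: List[str] = [
    "107.20.158.95",
    "107.20.249.236",
    "107.21.213.12",
    "23.21.215.35",
    "54.243.179.220",
    "54.243.98.212",
]

# Constructed probe: an address between the endpoints that is NOT one of the six.
PROBE_ADDR = "54.0.0.1"


def collapse_to_range(addrs: Iterable[str]) -> Tuple[str, str]:
    """Observed behaviour: numerically lowest address becomes AddrStart,
    highest becomes AddrEnd. Numeric order matters: as strings "107..."
    sorts before "23...", which is not what the firewall did."""
    ips = sorted((ipaddress.ip_address(a) for a in addrs), key=int)
    return str(ips[0]), str(ips[-1])


def range_size(start: str, end: str) -> int:
    """How many addresses an inclusive start..end entry actually permits."""
    return int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1


def is_in_range(ip: str, start: str, end: str) -> bool:
    """True if ip would be matched by an inclusive start..end entry."""
    a = ipaddress.ip_address(ip)
    return ipaddress.ip_address(start) <= a <= ipaddress.ip_address(end)


def per_host_entries(addrs: Iterable[str]) -> List[Tuple[str, str]]:
    """Intended alternative: one AddrStart==AddrEnd entry per resolved address,
    de-duplicated and in numeric order, so only the resolved hosts match."""
    uniq = sorted({ipaddress.ip_address(a) for a in addrs}, key=int)
    return [(str(ip), str(ip)) for ip in uniq]


def audit(addrs: Iterable[str]) -> Dict[str, object]:
    """Summarise the gap between what one collapsed range admits and what
    the per-address entries admit."""
    addrs = list(addrs)
    start, end = collapse_to_range(addrs)
    permitted = range_size(start, end)
    intended = len(per_host_entries(addrs))
    return {
        "AddrStart": start,
        "AddrEnd": end,
        "permitted": permitted,   # addresses admitted by the single range
        "intended": intended,     # addresses actually resolved for the host
        "excess": permitted - intended,
    }


if __name__ == "__main__":
    report = audit(LEVIATHAN_ADDRS)
    for key, value in report.items():
        print(f"{key:>10}: {value}")
    s, e = report["AddrStart"], report["AddrEnd"]
    print(f"probe {PROBE_ADDR} admitted by collapsed range: {is_in_range(PROBE_ADDR, s, e)}")
    print(f"probe {PROBE_ADDR} admitted by per-host entries: "
          f"{any(is_in_range(PROBE_ADDR, a, b) for a, b in per_host_entries(LEVIATHAN_ADDRS))}")
```

The point of the audit is that a range built from the numeric minimum and maximum is only as tight as the addresses happen to be clustered; for addresses spread across several Amazon allocations, the single range admits over a billion addresses that were never resolved for the host, which is why listing each address (or keeping rules per application, as suggested above) is the safer configuration.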

Have you run the GMER rootkit detector yet? New version out too…

www.gmer.net