Just curious if I need to be doing this..

I blocked an IP address, attempting to use “System” to directly connect to my computer this morning.
Since then, the repeated attempts have been numerous ( 49 of them at the moment )
The source IP changes usually after every 3-5 attempts ( along with the port number being attempted ), but the destination IP is always the same.
Also, it bounces back and forth between TCP and UDP when making these attempts.

Not sure what to make of it, but holding back on getting all “dramatic” until someone who knows more than I do offers some input…

Ports it has failed to enter:
137 138 1397 1999 2000 3220 3221 3641 3642 4551 4842

Any thoughts, oh mighty Gurus ?

Hi Spewk.

You're always going to get various inbound connection requests. These may be targeted at ‘System’, ‘Windows Operating System (WOS)’ and even Svchost.

The origins of these requests are many and varied. For example, Windows messenger service spam, NetBIOS broadcasts, multicasts of various sorts, ICMP traffic, etc.

For the majority of them you can quite happily create a rule or two that blocks without logging.

That said, however, it’s always important to make sure your system is not compromised in any way, so a little investigation is always worthwhile.

If you wish, you can post your log files here and someone can take a closer look at where the traffic is coming from.

Based on the IP addresses, I’ve come to the conclusion that it’s probably internal network traffic ( workplace )
The only thing that raises an eyebrow is the “dogged persistence” of it, which tells me something or someone thinks it/they have a very important reason for connecting to my PC here…
I’ll just keep blocking, as it doesn’t affect anything I do ( another factor that suggests this is something outside the boundaries of what would be considered “normal traffic”) - I have no problem connecting to the database server or running any software / browser / accessing the network shares…

The reason I believe it’s on the network is the fact that the first 3 numbers in the IP address are always 10 - 10.10.10.96 for example, only the 3rd number changes. This is true for both source and destination IP.

Hi. There are a series of private IP address groups of which 10.0.0.0 - 10.255.255.255 is one. These addresses are invalid outside of private networks, so if the communication you are seeing is originating from an address within this range, then it’s from your LAN.

Deciding if the connection attempts are malicious or not is a different question.
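To make the "is it from the LAN?" check above concrete, here is an added example (not code from this thread or from CIS) that tallies inbound block events by source and protocol, separates RFC 1918 private sources from external ones, and lists which non-NetBIOS ports were hit. The log layout is an assumed, constructed one, not the real CIS log format.

```python
import ipaddress
from collections import Counter

# Constructed sample entries in an assumed "src_ip src_port proto dst_ip dst_port"
# layout; these are not real CIS log lines.
SAMPLE_LOG = """\
10.10.10.96 51201 UDP 10.10.12.40 137
10.10.10.96 51202 UDP 10.10.12.40 138
10.10.10.97 51203 TCP 10.10.12.40 1397
10.10.11.5 40001 TCP 10.10.12.40 1999
203.0.113.7 44444 TCP 10.10.12.40 3220
"""

# The RFC 1918 private ranges; 10.0.0.0/8 is the one discussed in the thread.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# NetBIOS name/datagram/session services: the usual Windows LAN chatter.
NETBIOS_PORTS = {137, 138, 139}


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def summarize(log_text: str):
    """Return (attempts per (source, proto), external sources, LAN-hit non-NetBIOS ports)."""
    per_source = Counter()
    external = []
    other_ports = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, _sport, proto, _dst, dport = line.split()
        dport = int(dport)
        per_source[(src, proto)] += 1
        if not is_private(src):
            external.append(src)        # worth a closer look: not LAN traffic
        elif dport not in NETBIOS_PORTS:
            other_ports.add(dport)      # LAN source, but not ordinary NetBIOS noise
    return per_source, external, sorted(other_ports)


if __name__ == "__main__":
    counts, ext, ports = summarize(SAMPLE_LOG)
    print(counts.most_common(), ext, ports)
```

Run over a real export, the external list and the non-NetBIOS port list are the two things worth looking at first; NetBIOS hits from private sources are what the reply above suggests blocking without logging.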

Probably just curiosity…I’m the only foreigner working for this company, and this is an office…gonna be some who want to see what the foreigner is doing…

I’ve always been a Pro-Dialogue kind of guy - if you want to know ( and I think it’s any of your business ), just ask and I’ll tell you…
Office politics, fehhhhhhh…I should just go back to trash collection, ha ha ha…

If ‘they’ wanted to find out what you were doing on your PC, there are many more ‘creative’ ways…

Such as ?

There are a variety of ways, it really would depend on what they (assuming they did) wanted to know. Undoubtedly all your network traffic passes through one or more of the company servers, at any point this could be intercepted and analysed. There are also a host of soft and hard keylogging solutions…

isn’t paranoia wonderful :wink:

So are you saying that if I have a keylogger on my PC, CIS won’t detect it ?

Ooooh, hey - THAT’S what I wanted to hear, har har har…

Actually I didn’t say that. I said there are ways information can be obtained. That was in the context of your question “Such as ?” and not in relation to what CIS can or cannot do.