Is this how Comodo Firewall should display port 10000 in the log under Reason? It says in the attackers' world this port is used by Trojan.W32dumaru.ab/ad(10000). Any help please, as my avast has picked up an attack from this trojan. Am I safe???
Port 10000 is used by several things. Details: Port 10000 (tcp/udp) Attack Activity - SANS Internet Storm Center. Did CFP detect this as trying to come into your machine, or as an application trying to go out to the Internet? What information is in your CFP log? What was the message from avast?
This is the entry:
Date/Time: 2007-11-07 20:18:24
Severity: Medium
Reporter: Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 211.63.65.25, Port = 10000)
Protocol: TCP Incoming
Source: 211.63.65.25:46055
Destination: xx.xx.xx.xxx:10000
TCP Flags: SYN
Reason: Network Control Rule ID = 5
In the attackers’ world, this port is usually used by Trojan.W32.dumaru.ad(10000)
Why does this appear? Is it something Comodo is programmed to say? If so, why don't any other trojans etc. get listed under Reason for all the other ports?
In the attackers’ world, this port is usually used by Trojan.W32.dumaru.ad(10000)
Here are details of the virus (just in case you’ve got it on your PC).
The source IP you mentioned is located in South Korea, not that its location should be of any particular concern. There’s a freebie utility called “IPNetInfo” which you can download from here which will give you full details. It’s a stand-alone program, so no installation required. Just type in the IP address, click OK and then double-click the results.
By the way, you’ve mentioned your own IP address in your last post. That’s not something you’d want to advertise on an open forum like this one, so I’d advise you to amend it to xxx.xxx.xxx.xxx.
Yes, this is something that CFP is programmed to say. My guess as to why is that that was the best available data at the time.
An inbound TCP SYN packet is not conclusive of anything, other than it being the first step of the 3-way TCP handshake. I can do the same thing by using a “telnet yourhost 10000” from a command prompt. The message is apparently designed to get your attention, and evidently succeeded.
From the full text of the CFP message, this looks like it was an inbound probe. Harmless to your machine as CFP blocked it.
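As an added example (not from the thread and not Comodo's own code), here is a Python parser for the CFP Network Monitor entry format quoted above, with a small triage function that applies the reasoning in this reply: a blocked inbound bare SYN is a probe, and the port annotation is a static port-name lookup. The field labels come from the posted entry; the `note` key, the `endpoint` helper and the triage wording are my own assumptions.

```python
import re

# Field labels exactly as they appear in the CFP Network Monitor entry quoted above.
LABELS = ["Date/Time", "Severity", "Reporter", "Description", "Protocol",
          "Source", "Destination", "TCP Flags", "Reason"]
# Each label is followed by an optional space and a colon; a value runs up to the next
# label, so the parser works whether the entry arrives run together on one line or split.
_LABEL_RE = re.compile("(?P<label>" + "|".join(re.escape(l) for l in LABELS) + r")\s*:\s*")

# The entry from the thread, as posted (destination already redacted by the poster).
SAMPLE_ENTRY = ("Date/Time :2007-11-07 20:18:24Severity :MediumReporter :Network Monitor"
                "Description: Inbound Policy Violation (Access Denied, IP = 211.63.65.25, "
                "Port = 10000)Protocol: TCP IncomingSource: 211.63.65.25:46055 "
                "Destination: xx.xx.xx.xxx:10000 TCP Flags: SYN Reason: Network Control "
                "Rule ID = 5In the attackers’ world, this port is usually used by "
                "Trojan.W32.dumaru.ad(10000)")

def parse_cfp_entry(text):
    """Split a CFP Network Monitor entry into a dict keyed by its field labels.
    The unlabelled 'In the attackers' world ...' sentence CFP appends after Reason
    is moved into a 'note' key (my naming) so Reason holds only the rule reference."""
    fields = {}
    matches = list(_LABEL_RE.finditer(text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        fields[m.group("label")] = text[m.end():end].strip()
    reason = fields.get("Reason", "")
    cut = reason.find("In the attackers")
    if cut != -1:
        fields["note"] = reason[cut:].strip()
        fields["Reason"] = reason[:cut].strip()
    return fields

def endpoint(value):
    """'211.63.65.25:46055' -> ('211.63.65.25', 46055)."""
    host, _, port = value.rpartition(":")
    return host, int(port)

def triage(fields):
    """Defender's reading of the entry: a blocked inbound bare SYN means no connection
    was established, and the port annotation is a fixed port-name table entry, not
    evidence that the named trojan is present on either host."""
    inbound = "Incoming" in fields.get("Protocol", "") or "Inbound" in fields.get("Description", "")
    blocked = "Access Denied" in fields.get("Description", "")
    bare_syn = fields.get("TCP Flags", "") == "SYN"
    if inbound and blocked and bare_syn:
        return "blocked inbound SYN probe; nothing reached an application"
    if inbound and not blocked:
        return "inbound connection allowed; check what is listening on the destination port"
    return "review manually"

if __name__ == "__main__":
    f = parse_cfp_entry(SAMPLE_ENTRY)
    print(endpoint(f["Source"]), f["Reason"], "->", triage(f))
```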