I’ve been having strange intrusions and IP’s blocked all of a sudden and comodo asked me if I should let svchost.exe connect to the internet with the IP listed next to it in the screenshot. Should I allow these?
If I put the svchost.exe IP’s in Blocked network zones, I can’t connect to the internet :/.
I see several things, svchost.exe is doing DNS queries on this server:
188.8.131.52 it seems to be a DNS Server, I’m not sure if this is supposed to be your DNS server.
It looks like it could be a rogue DNS server, but I’m not fully sure.
The name that shows up with this ip = 184.108.40.206.static.cableonline.com.mx
Does that ring a bell ?
Can you check your provider settings to see if this would be the correct DNS Server ?
Also a command box with
would be interesting… (you can open a command box by going to start, run, type cmd and press enter)
Next type the ipconfig /all command and see what it tells with DNS Server: …
UDP traffic from port 6646 seems to come from McAfee Remote Agent, do you have any thing like that installed ?
The UDP 1900 traffic is from uPNP if you don’t allow incoming traffic you could disable that.
The UDP 138 is default windows noise, unless you browse network neighborhood you don’t need that also.
Yes, after checking the ipconfig /all, those are my DNS servers and yes, the computer hosting the router/cable modem, has mcafee installed on it. I disabled UPnP now. Now comodo is blocking traffic from 192.168.0.10 (Someone else on my LAN) to 192.168.0.11 (The IP address my router gives me) and the protocol is ICMP, port type (3). What does that mean?
Also I had the address 255.255.255.255 try to connect lately. Could it be IP spoofing, because that doesn’t look like a valid IP address to me.
Yes, but it could be that your DNS Servers are changed without your knowledge ?
Can you check the other PC to see if it also has these DNS Servers ?
The 192.168.0.10 traffic with a destination to x.y.z.255 are broadcasts just normal “hello i am here” traffic.
Also 255.255.255.255 is broadcast traffic, it’s basically send out to everybody on the local network.
So i would not worry to much about it.
I checked on the main computer and it does have the same DNS addresses. I guess this is just paranoia stemming from ignorance on my part :-X
Is it normal for the DNS server to query so much though, because this happens everyday all day. Occasionally it will drop from the active connectiosn list, but it always comes back. Would unblocking the attempt svchost.exe made the first time when it tried to connect with that IP stop it from appearing?
Well if your browser and search results are not showing any strange behavior then i would not worry to much about it…
My computer is working 100% fine, it’s just weird that after 11 pm yesterday, I just start getting hundred of intrusion attempts out of nowhere. Guess it’s nothing to worry about then.
Those “blocked” traffic things on you firewall log are all caused by the other pc on your local network…
Maybe that had a firewall active that got disabled so it can send out more traffic now ?
I had this really strong hunch it wasn’t my PC…but I don;t think it ever had a firewall. The people who use it aren’t computer savvy in the slightest. I’m pretty sure the Mcafee firewall is off.
So nothing left to worry about ? all questions answered ?
My computers working fine and it seems like these addresses are completely harmless, so yes, case closed!
Thanks for the help Ronny