updated ddos/ remote connection to lan list.

ddos
205.188.134.217
64.12.165.106
205.188.4.151
190.179.187.3

remote conns
2.220.153.170
46.2.0.149
78.111.126.151
94.7.32.3
78.111.126.151
46.2.0.149
99.99.147.11
85.187.229.21
201.114.20.128
177.16.127.18
217.118.81.27
95.26.252.118
98.22.100.57
99.99.147.11
72.175.113.66
97.73.254.229
76.172.11.32
201.160.226.131
201.88.28.3
93.9.117.191
68.169.187.104
187.34.200.1
197.0.17.127
189.118.4.124
78.108.158.185
177.16.127.18
72.234.118.187
201.40.61.252
189.114.70.233
212.96.164.85
77.184.44.159
201.114.20.128
79.52.39.103
62.61.164.243
90.221.112.68
187.34.231.182
189.49.173.106
71.197.39.48
66.139.210.169
77.230.108.156
72.234.118.187
62.61.164.243
187.34.200.1
201.145.199.203
99.32.161.23
93.9.117.191
201.160.226.131
67.207.43.214
62.61.164.243
184.240.13.173
201.145.199.203
193.86.178.26

I have contacted Comcast about this, and their networks… all others are open for contact, please report them, particularly if you use those networks. My wireless phones were jammed several times during the conversation. This is another reason why I post my lists. Be careful, surf safely! Try not to p on anyone =/

How often do these IP addresses try to connect to you. Every how many seconds?

If I recall correctly from another topic you are on cable and not using a router. Is that correct? Do they all contact to the same port? Are you using p2p clients? When you close down such a program it will take a couple of hours before all requests stop.

As Eric suggests, what makes you think these addresses are suspicious? (See attachment for details on each address.)

[attachment deleted by admin]

I am technically behind 2 routers, a DSL modem and a typical router… I have used 3 or more connections per PC…

These were directed at the IP address for a LAN adapter.

It was persistent for more than 72 hours; at no point during that time did it stop. Blocking it via the router only resulted in quicker and rotating scans and remote conns…

It’s suspicious because nothing is supposed to be connecting to a PC or home, ANY network, in this fashion. And no, if software has been closed, those connections should end when the program closes… particularly if Comodo’s FW is configured to do such.

I do not use any kind of software that allows remote connections except for ??CIS Pro?? and GeekBuddy.
Even then, connections attempting access in this way are probing, exploitation and unauthorized. No one is to attempt a connection without prior contact and expressed permission and the appropriate keys and passwords… no one has these.

Thank you for looking into these further, I’ll take a look at your attached document.

I wonder if this new user profile named “anonymous” has anything to do with that hax group xD
I’d like to remove a bunch of profiles that were created recently…

Without seeing your logs it is hard to comment. They could still be using an open port on your router. Please show us screenshots.

Why do you need screenshots? Of my router logs? ???

I am triple (router, and 2 PCs) blocking associated IPs. On PCs all ports are normally blocked, unless given permission, and stealthed by Comodo. Cause usually IPs come first? And the router is configured to allow only local ports, and only from certain PCs, not mine… So most associated IPs with those ports (which change) I block on my PCs… and others are per request, and users know how to configure their software and router accordingly. These IPs are not local… And I have posted them here, for many reasons, but I don’t think I’m comfortable with sharing my router log. Just the offensive parts, or abusive parts. Particularly things the community might find concerning/of interest??

I have no prior knowledge of what these IPs are, so I’m asking for help in determining what they are, and what their purpose is. Even if I have already checked some myself… But its behaviour is abnormal; a second pair of eyes and another point of view can’t hurt, right? One attack seemed to have been triggered by me turning my wifi adapter on, yet my logs only see trusted IPs and LAN devices attempting a connection… I believe the router works with what it’s programmed to know. And that somehow a wifi connection got through, and probably executed some kind of script or small program that disables firewalls… Knowing this makes it possible that these are legit in every way, but don’t see a problem, either inside or outside their networks.

All Comodo protections were on… but no new connections being detected. Comodo might not log them, particularly during startup. The downed PC has lots of screenshots and logs. And I have another PC I had to wipe… I’ll do what I can to recover the info before I do more wiping and checking… including the S.M.A.R.T. diagnostics that were suggested.

I believe Eric was referring to the CIS firewall and D+ logs, not your router logs, although they may be of interest if the CIS logs show little.

As I said in your other thread, posting a list of IP addresses, without any additional information, is near useless. Please post your CIS firewall logs showing the connections from these IP addresses.

If you want help, listen to what is asked for and comply.

Why do you need screenshots? Of my router logs? ???

You have been asked, several times, for the CIS Firewall logs and the CIS Defense+ logs.

I am triple (router, and 2 PCs) blocking associated IPs. On PCs all ports are normally blocked, unless given permission, and stealthed by Comodo. Cause usually IPs come first? And the router is configured to allow only local ports, and only from certain PCs, not mine... So most associated IPs with those ports (which change) I block on my PCs... and others are per request, and users know how to configure their software and router accordingly. These IPs are not local... And I have posted them here, for many reasons, but I don't think I'm comfortable with sharing my router log. Just the offensive parts, or abusive parts. Particularly things the community might find concerning/of interest??

You may not be comfortable sharing some details, but quite often we need to see ALL available information so we can put each transaction into a specific context to build up an overall picture of what is happening on your system.

One attack seemed to have been triggered by me turning my wifi adapter on, yet my logs only see trusted IPs and LAN devices attempting a connection...

If you believe that you are in a suspect environment, why on earth would you switch on a new adaptor without previously making sure CIS was configured to monitor/protect it.

I believe the router works with what it's programmed to know. And that somehow a wifi connection got through,

Your wireless connection is unsecured???

and probably executed some kind of script or small program that disables firewalls...

for it to be executed, it would first have to have reached your system bypassing D+ and then it would have to bypass CIS’s termination protection. The CIS firewall and D+ logs would be invaluable here.

Please provide the info that has been requested.

If you are not comfortable posting it on the public boards, PM one of the responders and work out a suitably private means of exchanging the logs.

Ewen :slight_smile:

;D

Previously SYN packets were able to bypass protections.

Since DDoS’s succeeded in denying LAN connections, I attempted to connect via wifi; it’s secured by all known and available methods. I never got CTC working properly, and it would first need a secure connection to be completely secure as well. Probably why it never worked right to begin with.

Recently on another PC, I noticed that the wifi adapter attempted briefly to connect to multiple wifi connections, when told to connect to only one… I forgot the ipconfig commands used to list hidden or in-range adapters and services. =c Even then I’d have to sniff a bunch of packets to see if anything is malicious. I’m no pro at this, nor am I a lawyer… but I do feel this would be infringing on people’s rights to privacy, unless I can pinpoint somehow an adapter or device that is obviously suspect. :cry:

SYN isn’t a packet, it’s a flag in the TCP header.

Since DDoS's succeeded in denying LAN connections, I attempted to connect via wifi; it's secured by all known and available methods. I never got CTC working properly, and it would first need a secure connection to be completely secure as well. Probably why it never worked right to begin with.

Connect to what, via WiFi?

Recently on another PC, I noticed that the wifi adapter attempted briefly to connect to multiple wifi connections, when told to connect to only one... I forgot the ipconfig commands used to list hidden or in-range adapters and services. =c Even then I'd have to sniff a bunch of packets to see if anything is malicious.

There are no ipconfig commands to list “hidden or in range adapters and services”

I'm no pro at this, nor am I a lawyer... but I do feel this would be infringing on people's rights to privacy, unless I can pinpoint somehow an adapter or device that is obviously suspect. :'(

If by that you’re referring to making a connection to someone else’s WiFi, unless it’s a public hotspot or you have permission to make the connection, you’d be breaking the law.

Ugh, it seems netstat may be what I was referring to… maybe I’ll try some sniffing software… and log stuff… I just want to eliminate the possibility that a device may be broadcasting viruses or assisting in malicious activity… an infected PC could do this unknowingly… I believe malware called “Storm” acted in such a way? I don’t seek to pirate wifi; if I have to I’ll call people and ask if I can connect and check for spyware. But I don’t expect a warm welcome =/ nor will I be using Comodo to look for it… Is that exploiting Comodo? Or do I have to use GeekBuddy to be exploiting? I want to avoid such things… I don’t yet feel comfortable with recommending people install Comodo… I was for a long time… but I don’t want others being treated like I am now. That would be harmful to people’s PCs and Comodo.

SYN headers/packets - what I’m referring to is the entire string of code. Somehow with CIS version 3 or 4 these things got through. Not sure how, but it allowed access. And eventually blocked access. Even disabled a router, overload?

Netstat also doesn’t offer the ability to find WiFi nodes. To actively search for an open WiFi connection you’d need to use something like Netstumbler, or some other similar software. The WiFi software in Windows simply shows the networks in reach.

Maybe I'll try some sniffing software... and log stuff... I just want to eliminate the possibility that a device may be broadcasting viruses or assisting in malicious activity... an infected PC could do this unknowingly... I believe malware called "Storm" acted in such a way?

Storm is a botnet, it and other botnets, don’t simply transmit viruses that float about in the aether, an infected PC actually has to have done something to install the software in the first place, such as visiting a dodgy website and clicking on a link to run an installation script, or downloading a piece of rogue software, which installs the malware when it’s executed. Email attachments are also another vector.

I don't seek to pirate wifi; if I have to I'll call people and ask if I can connect and check for spyware. But I don't expect a warm welcome =/ nor will I be using Comodo to look for it... Is that exploiting Comodo? Or do I have to use GeekBuddy to be exploiting? I want to avoid such things... I don't yet feel comfortable with recommending people install Comodo... I was for a long time... but I don't want others being treated like I am now. That would be harmful to people's PCs and Comodo.

Sorry, can’t say I understand much of that?

SYN headers/packets - what I'm referring to is the entire string of code. Somehow with CIS version 3 or 4 these things got through. Not sure how, but it allowed access. And eventually blocked access. Even disabled a router, overload?

What you’re probably referring to is a SYN flood, which is a type of DoS attack. These kinds of attack affect the Internet-facing device; as you have a router, it would be this device that would have been the target, not a PC behind it. Because of this, CIS would not have been involved in either attack detection or mitigation.

Modern Operating systems such as Windows 7 have hardened TCP/IP stacks to help defend against these kinds of attack and XP can be hardened by manually applying various fixes to the registry. Also most good routers have options to defend against such attacks.
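The reply above says a SYN flood hits the Internet-facing device, so the evidence for one lives in traffic seen at the router or edge, not in CIS. The following is an added example, not code from the thread or from Comodo, showing the kind of check a defender would run over packet summaries captured at that edge: per source, count bare SYNs in a sliding window and compare against how many ACK-bearing segments the same source ever sent. A flooding source produces many SYNs and almost no follow-up ACKs; a normal client sends a few SYNs and then plenty of ACKs. The line format, thresholds, and all addresses (198.51.100.7, 203.0.113.5, 192.0.2.10, from the documentation ranges) are constructed for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed input format (tcpdump-like, one segment per line):
#   <epoch_seconds> <src_ip>:<src_port> > <dst_ip>:<dst_port> Flags [<flags>]
# tcpdump prints 'S' for SYN and '.' for ACK; "S." is SYN+ACK.

def make_sample():
    """Build constructed sample traffic: one flooding source, one normal client."""
    lines = []
    # 198.51.100.7 sends 30 bare SYNs in 3 seconds from changing source ports
    # and never completes a handshake (no ACK-bearing segment).
    for i in range(30):
        lines.append(f"{1000.0 + 0.1 * i:.1f} 198.51.100.7:{40000 + i} > 192.0.2.10:80 Flags [S]")
    # 203.0.113.5 opens three connections and then exchanges ordinary ACK'd data.
    for i in range(3):
        lines.append(f"{1000.0 + i:.1f} 203.0.113.5:{50000 + i} > 192.0.2.10:80 Flags [S]")
    for i in range(10):
        lines.append(f"{1001.0 + 0.2 * i:.1f} 203.0.113.5:50000 > 192.0.2.10:80 Flags [P.]")
    return lines

def parse_line(line):
    """Return (timestamp, source_ip, flags) for one summary line."""
    ts, src, _arrow, _dst, _word, flags = line.split()
    host = src.rsplit(":", 1)[0]
    ipaddress.ip_address(host)  # raises ValueError on a malformed address
    return float(ts), host, flags.strip("[]")

def syn_flood_sources(lines, window_seconds=5.0, syn_threshold=20, max_ack_ratio=0.1):
    """Flag sources whose peak SYN rate is high and whose ACK/SYN ratio is tiny.

    Returns {source_ip: {"peak_syns_in_window": n, "ack_ratio": r}}.
    """
    syn_times = defaultdict(list)   # source -> timestamps of bare SYNs
    ack_count = defaultdict(int)    # source -> number of ACK-bearing segments
    for line in lines:
        if not line.strip():
            continue
        ts, src, flags = parse_line(line)
        if flags == "S":
            syn_times[src].append(ts)
        elif "." in flags:
            ack_count[src] += 1

    flagged = {}
    for src, times in syn_times.items():
        times.sort()
        # Sliding window: largest number of SYNs inside any window_seconds span.
        peak, j = 0, 0
        for i, t in enumerate(times):
            while times[j] < t - window_seconds:
                j += 1
            peak = max(peak, i - j + 1)
        ratio = ack_count[src] / len(times)
        if peak >= syn_threshold and ratio <= max_ack_ratio:
            flagged[src] = {"peak_syns_in_window": peak, "ack_ratio": ratio}
    return flagged

if __name__ == "__main__":
    for src, info in syn_flood_sources(make_sample()).items():
        print(f"{src}: {info['peak_syns_in_window']} SYNs in window, ack ratio {info['ack_ratio']:.2f}")
```

The thresholds are deliberately conservative placeholders; on a real edge capture they would be tuned to the normal connection rate of the link, and the ACK ratio is what separates a flood from a legitimately busy client that also opens many connections.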

I have no idea ???

I’ve only seen MAC addy’s with dashes and maybe IPv6 with it… what is this?

Try running netstat -n it will convert your ‘strange’ names to ip addresses.

If you’re going to use tools like netstat, try running netstat /? first.

65.55.200.139 belongs to Microsoft
184.51.157.35 belongs to Akamai a big hosting company. It is most likely for an updater of a program.
91.199.212.149 is the Comodo forums.
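Two things the responders keep asking for are a de-duplicated list of what the original poster actually saw (the list at the top of the thread repeats several addresses) and the foreign addresses from netstat -n with their connection state, so each one can be looked up. The block below is an added example, not code from the thread or from Comodo: it parses Windows-style netstat -n output and a bare address list, discards loopback, link-local and RFC 1918 addresses (which never need a whois lookup), and returns the remaining public addresses with counts and states. The netstat text is constructed for the example; the addresses in it are ones already named in this thread.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in the layout printed by netstat -n on Windows.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:49152      65.55.200.139:443      ESTABLISHED
  TCP    192.168.1.5:49160      91.199.212.149:80      TIME_WAIT
  TCP    192.168.1.5:49170      192.168.1.1:80         ESTABLISHED
  TCP    127.0.0.1:5354         127.0.0.1:49200        ESTABLISHED
  TCP    192.168.1.5:49180      184.51.157.35:80       ESTABLISHED
  TCP    192.168.1.5:49190      184.51.157.35:80       ESTABLISHED
  TCP    192.168.1.5:49195      50.18.58.140:443       CLOSE_WAIT
  TCP    [::1]:49196            [::1]:49197            ESTABLISHED
  UDP    0.0.0.0:5355           *:*
"""

# Constructed excerpt in the shape of the "remote conns" list at the top of the thread.
LIST_SAMPLE = """\
2.220.153.170
46.2.0.149
78.111.126.151
78.111.126.151
46.2.0.149
99.99.147.11
99.99.147.11
"""

def split_host_port(addr):
    """Split 'host:port' or '[v6]:port' into (host, port); '*' fields stay as-is."""
    if addr.startswith("["):
        host, _, port = addr[1:].partition("]:")
        return host, port
    host, _, port = addr.rpartition(":")
    return host, port

def is_public(host):
    """True for a routable public address; False for local, loopback, '*' etc."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # '*', hostnames, or garbage
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_unspecified or ip.is_reserved)

def public_remote_addresses(netstat_text):
    """Map each public foreign address to {'count': n, 'states': sorted states}."""
    seen = defaultdict(lambda: {"count": 0, "states": set()})
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header lines, blanks, "Active Connections"
        host, _port = split_host_port(parts[2])
        if not is_public(host):
            continue
        state = parts[3] if len(parts) > 3 else "-"  # UDP rows carry no state
        seen[host]["count"] += 1
        seen[host]["states"].add(state)
    return {h: {"count": v["count"], "states": sorted(v["states"])} for h, v in seen.items()}

def count_listed_addresses(list_text):
    """Collapse a pasted address list to {address: occurrences}, public only."""
    hosts = [ln.strip() for ln in list_text.splitlines() if ln.strip()]
    return dict(Counter(h for h in hosts if is_public(h)))

if __name__ == "__main__":
    for host, info in sorted(public_remote_addresses(NETSTAT_SAMPLE).items()):
        print(f"{host:16} x{info['count']}  {','.join(info['states'])}")
    for host, n in sorted(count_listed_addresses(LIST_SAMPLE).items()):
        print(f"{host:16} listed {n} time(s)")
```

The output is the short table a responder can actually work with: each public address once, how often it appeared, and in what state, ready to be checked against a whois service as the later replies ask.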

Comodo event logs from recent strange activity. I’m hoping the global hooks from Microsoft apps are in there. It’s huge, and was exported as HTML; I changed the extension to txt, and compressed it. Please remember to change it back for easier reading.

I’ve uninstalled GeekBuddy; I feel it may have been exploited previously and could be again. And as a free user, it serves no more purpose than any spyware would. It is unlikely that a GB tech could assist a free user with such things, as many consider it a manual virus/malware removal, or see no problems. I doubt I will use their services again, but I hope to gain info on how it could have been exploited when I begin restoring data from the formatted drives.

I have more netstat images,

taken as the PC was waking up, not sure if a browser was open or not

and my PC sent data to a Chinese? website I didn’t visit until I did a lookup. I believe its IP starts with 50

I had spent a great deal of time putting a huge reply together with many links, but trying to upload the logs in HTML lost it all. It may be best to simply link to the entire album.

After the first few pages it’s mostly cats, mostly successfully adopted; the race vids are really loud. Danika got penalized =c If I recover screenshots this is where it will be.

All of the addresses in the netstat links you’ve posted are quite normal, just links to Comodo, Google, Yahoo, AKAMAI etc. The entry with the 50.18.58.140 address is Amazon.

I have no idea what I’m supposed to be looking for in your Photobucket album, and I’m not going to trawl through close on 600 images trying to guess.

[attachment deleted by admin]

Please be specific about what IPs you think are suspicious. When checking netstat or other IP logs please do your homework and check the IPs with an online lookup service to see what is being connected to. That way we can have a conversation instead of running around in clouds of suspiciousness and theories. For IP checks I use the whois service of cqcounter.

You say your system connected to an IP in the 50 range but I don’t see it in your image. You think it is China but you don’t know for sure nor do we get a screenshot where your computer actually connects to that IP. Without proper information I feel like I am running with you and that would be running after your tail.