Receive connection from another computer?

Status
Not open for further replies.

Habylab

I keep getting random pop-ups from Comodo Firewall from a different IP address, but the same port, asking me about an internet request...
Have a look at the info below.

Details from Comodo
svchost.exe 66.99.18.9 - TCP
ms-rpc (135)
Svchost.exe could not be recognised and is about to receive a connection from another computer.

What do you think?
 
This describes port 135

First, find your lan router address (something like 192.168.0.1)

Knowing this, add two rules to your firewall:
allow in/out src (192.168.0.2--192.168.0.254) tcp port 135
deny in/out tcp port 135 NOLOGGING
The allow restricts port 135 usage to only your LAN and the deny stops all other
sources.

It is true that the Exchange Server computer, an RPC-based application, uses TCP port 135,
but the server will not be used on your personal home network and
at work the server will be located within the ip-range noted above.

The above will stop the firewall from logging and annoying you any further,
but as-is, your firewall is already protecting you nicely and there's nothing wrong with your system :)
 
the two rules shown will block ALL sites not attached to your LAN

the order of the rules matter; those higher in the list take control before any below.

you can
  1. delete your specific one-for-one blocking and use the generic two shown
  2. keep all the one-for-one
  3. and/or push the generic below your existing specific one-for-one

NORMALLY, we push ALLOW rules to the top and DENY to the bottom,
unless there's a hot reason to ensure some rule will force a deny that
some other might allow.
 
OK, I have done that, but now an application called System 137 nbname is doing this.
All this info is coming from Comodo By the way.
 
Comodo is catching the event. I doubt it caused the event.

Go to the two original rules and add port 137,138,139,445 to BOTH.
This will allow full print/file sharing ONLY on your LAN and silently ignore (and block)
all traffic from these ports :)
 
I'm getting this now:
14.07.2008 16:58:31 DCOM Exploit attack
from 85.20.242.17:135
21.07.2008 17:56:53 LSASS Exploit (SXP) attack
from 84.222.243.79:445
21.07.2008 18:05:14 LSASS Exploit (SXP) attack
from 192.129.26.10:445
21.07.2008 20:32:12 LSASS Exploit (SXP) attack
from 92.10.142.140:445
23.07.2008 12:08:10 LSASS Exploit (SXP) attack
from 118.111.25.94:445
 
you did one of two things:
  1. failed to restrict the ALLOW to your local LAN addresses
  2. forgot to move the allow ABOVE the deny and the deny should be NOLOG

if your router is at 192.168.0.1, the rule will look like
allow in/out 192.168.0.2-192.168.0.254 tcp/udp ports 135-139,445 nolog
deny ports 135-445 nolog
 
I have done that already, Screenshot:
myrouter.jpg
 
Rule #4 is defeating rules 1,2,3

Either delete rule 4 or change the WAN addresses ANY to be the same as in rule #3
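Added example (not posted by anyone in this thread): a small Python model of first-match rule evaluation, covering the two-rule allow/deny pair given earlier, the "allow above deny" ordering point, and the way a rule 4 with WAN address ANY defeats rules 1 to 3. The LAN range 192.168.0.2-254, the port set 135-139,445 and the contents of rule 4 are assumptions reconstructed from the posts above; the sample addresses come from the log lines in this thread.

```python
"""First-match rule evaluation, modelling the allow/deny ordering discussed above."""
from dataclasses import dataclass
from ipaddress import ip_address, summarize_address_range
from typing import Optional, Tuple

# Assumed home LAN from the thread: router at 192.168.0.1, hosts 192.168.0.2-254.
LAN_HOSTS = tuple(summarize_address_range(ip_address("192.168.0.2"),
                                          ip_address("192.168.0.254")))
SMB_PORTS = frozenset(range(135, 140)) | {445}   # ms-rpc, NetBIOS trio, microsoft-ds
TCP_UDP = frozenset({"tcp", "udp"})


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "allow" or "deny"
    src: Optional[tuple]          # networks the source must fall in; None = ANY
    protos: frozenset             # protocols the rule covers
    ports: frozenset              # ports the rule covers
    log: bool = True              # False models the NOLOG flag

    def matches(self, src_ip: str, proto: str, port: int) -> bool:
        in_src = self.src is None or any(ip_address(src_ip) in net for net in self.src)
        return in_src and proto in self.protos and port in self.ports


def decide(rules, src_ip: str, proto: str, port: int) -> Tuple[str, bool, str]:
    """Return (action, logged, rule_name) from the first matching rule.

    Rules higher in the list take control before any below. A packet that
    matches nothing falls through to the firewall's implicit default, which
    is modelled here as deny-and-log.
    """
    for rule in rules:
        if rule.matches(src_ip, proto, port):
            return (rule.action, rule.log, rule.name)
    return ("deny", True, "default-deny")


ALLOW_LAN = Rule("allow-lan-fileshare", "allow", LAN_HOSTS, TCP_UDP, SMB_PORTS, log=False)
DENY_ANY = Rule("deny-fileshare-any", "deny", None, TCP_UDP, SMB_PORTS, log=False)

# The order recommended above: the LAN allow sits above the catch-all deny.
GOOD_ORDER = [ALLOW_LAN, DENY_ANY]
# The mistake named in the "you did one of two things" post: deny above allow shadows it.
BAD_ORDER = [DENY_ANY, ALLOW_LAN]
# Assumed reconstruction of the screenshot problem (the real rule 4 is not in the
# thread): an allow with WAN address ANY below the LAN allow, so it matches exactly
# the remote traffic that rules 1-3 deliberately left for the deny.
RULE_4_WAN_ANY = Rule("rule4-allow-any", "allow", None, TCP_UDP, SMB_PORTS)
LEAKY = [ALLOW_LAN, RULE_4_WAN_ANY, DENY_ANY]
# The suggested fix: delete rule 4 (giving GOOD_ORDER) or restrict its source to the LAN.
FIXED = [ALLOW_LAN, Rule("rule4-allow-lan", "allow", LAN_HOSTS, TCP_UDP, SMB_PORTS), DENY_ANY]

# Constructed sample traffic: one LAN host, the router itself, and two remote
# addresses taken from the log lines posted in this thread.
SAMPLE = [("192.168.0.10", "tcp", 445), ("192.168.0.1", "tcp", 445),
          ("66.99.18.9", "tcp", 135), ("84.222.243.79", "tcp", 445)]


def compare(rulesets: dict) -> dict:
    """Decide every sample packet under every ruleset, for side-by-side reading."""
    return {name: {f"{ip}/{proto}/{port}": decide(rules, ip, proto, port)
                   for ip, proto, port in SAMPLE}
            for name, rules in rulesets.items()}


if __name__ == "__main__":
    for name, results in compare({"good": GOOD_ORDER, "bad": BAD_ORDER,
                                  "leaky": LEAKY, "fixed": FIXED}).items():
        print(name)
        for pkt, (action, logged, rule) in results.items():
            print(f"  {pkt:28} {action:5} {'log' if logged else 'nolog':5} via {rule}")
```

Running it shows the same LAN packet allowed under GOOD_ORDER and denied under BAD_ORDER, and the remote port 445 packet allowed only under LEAKY. Note that the router address 192.168.0.1 falls outside the .2-.254 range and is denied, which is what the range as written does.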
 
A comment, irrespective of setting up those rules:

The purpose of a firewall is to 'listen' at ports. A good firewall listens at both incoming and outgoing ports. Some ports, due to the nature of the type of traffic they carry, are closed. IF you have the firewall sending Alerts, it is going to notify you every time there is a scan. Scans go on second by second, by hour, by day, by week, etc. Hundreds, thousands, millions, looking for unprotected ports.

If your firewall is configured correctly (and most firewalls come already configured correctly) and is stopping access from a scan, it is doing its job. Reset the firewall to the default and turn off the alert; you will be a much happier camper, letting the firewall do its job, every second of every hour of every day and so on.
 
Do I really need all this firewall on my router blocking and allowing? You have told me what to do, which I thank you for, but why are you asking me to do it? Is it someone trying to hack into my computer?
 
why are you asking me to do it. Is it someone trying to hack into my computer?
I will relate my experience on this. You can make your own choice.

I used the paid ZoneAlarm firewall for years. I had it logging and I frequently checked the logs. I made myself a bit crazy asking myself the same question: "Is someone trying to hack into my computer?" The answer was Yes, but I took it personally- it was MY computer! Finally, after enough time had passed and enough advice had been given, I accepted the fact and understood:
Thousands of scans are part of internet traffic every day. The senders are looking for an unprotected system. Those are the systems that DON'T have the firewall blocking those ports or users who don't understand how a firewall works and when being given an alert, allow access instead of blocking it.

When you see the firewall blocking an attempt to access, it is doing exactly what it is supposed to do. There are unique circumstances where a particular port access has to be allowed for some reason, but that is something an individual user must deal with. My experience with firewalls shows they come preconfigured to block the ports they should and, when uncertain, will give an alert and ask the user whether to block or allow.

Eventually I got a router to take advantage of the hardware firewalls. I ran ZoneAlarm along with it for several months. I did not get a single hit- my system was 'invisible' on the internet. Eventually, I uninstalled ZoneAlarm and have remained safe.

The DCOM Exploit attack is infected systems trying to spread the infection to your system. If your firewall let these things through it is not set up correctly. Conversely, if the firewall stops them, it's doing its job. You can explore both the DCOM Exploit attack and the LSASS Exploit (SXP) attack here:
http://www.bleepingcomputer.com/forums/topic59382.html

Or by searching Google for each. If you want to identify the IP, use this: http://www.arin.net/whois/
IP 85.20.242.17 is an address on the RIPE Network
To further identify use this: RIPE Network Coordination Centre: http://www.db.ripe.net/whois
IP 85.20.242.17 is registered to IT-ALBACOM (IT being the country code for Italy)

You can find information about Port 135 here: http://isc.sans.org/port.html?port=135

Your original post about a Comodo finding for IP 66.99.18.9 is for the Illinois Century Network
svchost.exe 66.99.18.9 - TCP
msrpc (135)
Svchost.exe could not be recognised and is about to receive a connection from another computer.

The best all round information for understanding firewalls is: "Firewall Forensics- What am I seeing?" Robert Graham originally assembled the information and it is referred to frequently. Here is a copy:
http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html

Understanding what a firewall does, what the ports do, the different types of ports and much more is essential in trying to understand information you are being given. Only then can you make an assessment of "what am I seeing"?!
 
OK, thank you for writing up such a good and long post. I have done what jobeard said and have deleted rule #4. I'll post my latest log:
23.07.2008 12:08:10 LSASS Exploit (SXP) attack
from 118.111.25.94:445
23.07.2008 12:30:04 LSASS Exploit (SXP) attack
from 81.198.246.97:445
24.07.2008 15:28:27 LSASS Exploit (SXP) attack
from 81.137.216.248:445
24.07.2008 15:47:26 LSASS Exploit (SXP) attack
from 91.65.132.110:445
24.07.2008 16:08:31 LSASS Exploit (SXP) attack
from 84.44.228.48:445
24.07.2008 17:34:03 LSASS Exploit (SXP) attack
from 85.177.182.97:445
25.07.2008 10:55:42 LSASS Exploit (SXP) attack
from 80.65.113.176:445
26.07.2008 10:57:18 LSASS Exploit (SXP) attack
from 91.65.198.166:445
26.07.2008 11:42:23 LSASS Exploit (SXP) attack
from 80.133.101.17:445
28.07.2008 10:28:02 LSASS Exploit (SXP) attack
from 80.145.220.113:445
Bearing in mind i deleted rule #4 after the time listed, but...
 
You seem to have a penchant for posting images on all your threads. This is not necessary. A description or one example would do. There is nothing in your log that needs us to deal with that you cannot do yourself using the instructions I left. It's just wasting 'space'.
 
25.07.2008 10:55:42 LSASS Exploit (SXP) attack from 80.65.113.176:445
26.07.2008 10:57:18 LSASS Exploit (SXP) attack from 91.65.198.166:445
Notice the short time span between the two entries, the differing IP addresses and the common port 445

Yes, someone is attempting to penetrate into your system.

Some observations:
1- you must have your system connected directly to a modem without a router, or
your router is forwarding port 445 into your system (IT SHOULD NOT!)

2- your firewall is configured to protect you, but you seem to still get logging or alerts from rule 6.
NOLOG means drop all information from the events being tracked to conserve time and file space. Where are you seeing these entries?

3- rules 5,6,7 are explicit rules that duplicate the default action of all firewalls,
e.g. deny all inputs to all ports. Suggest simplification and delete 5,6,7

4- why the DMZ rule? 192.168.0.25 is exposed to everything and if you're going to
use it, at least LOG what traffic is going there. Unless you know what a DMZ is used for and why you need it, DELETE IT or DISABLE the DMZ entry.
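Added example (not from any poster in this thread): a Python triage script for alert lines in the layout posted above, so the "short time span, differing IP addresses, common port" observation can be checked mechanically instead of by eye. It rejoins entries that were split across two lines, parses the timestamp, attack name and remote ip:port, and groups them by attack and remote port. The sample lines are constructed from entries already in this thread; the port after the colon is whatever the product logged for the remote end, as the later post about source ports notes.

```python
"""Triage of firewall/AV alert lines like those posted in this thread (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Matches "dd.mm.yyyy HH:MM:SS <attack name> from <ip>:<port>" after rejoining.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}\.\d{2}\.\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<attack>.+?) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$"
)

# Constructed sample in the two layouts seen in the thread: one entry split over two
# lines ("... attack" / "from ip:port") and entries kept on a single line.
SAMPLE_LOG = """\
14.07.2008 16:58:31 DCOM Exploit attack
from 85.20.242.17:135
21.07.2008 17:56:53 LSASS Exploit (SXP) attack from 84.222.243.79:445
25.07.2008 10:55:42 LSASS Exploit (SXP) attack from 80.65.113.176:445
26.07.2008 10:57:18 LSASS Exploit (SXP) attack from 91.65.198.166:445
"""


def join_continuations(text: str) -> list:
    """Glue a 'from ip:port' line back onto the alert line it belongs to."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("from ") and lines:
            lines[-1] += " " + line
        else:
            lines.append(line)
    return lines


def parse_events(text: str) -> list:
    """Return (timestamp, attack, remote_ip, remote_port) tuples, skipping non-alert lines."""
    events = []
    for line in join_continuations(text):
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%d.%m.%Y %H:%M:%S")
        events.append((ts, m["attack"], m["ip"], int(m["port"])))
    return events


def summarize(events: list) -> dict:
    """Group by (attack, remote_port): hit count, distinct senders, repeating
    senders, and the shortest gap between consecutive hits.

    Many distinct senders with no repeats is the background noise described in
    this thread (infected hosts sweeping address space); a single sender that
    keeps coming back is the case worth a closer look.
    """
    groups = defaultdict(list)
    for ts, attack, ip, port in events:
        groups[(attack, port)].append((ts, ip))
    summary = {}
    for key, hits in groups.items():
        hits.sort()
        times = [t for t, _ in hits]
        ips = [ip for _, ip in hits]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[key] = {
            "count": len(hits),
            "distinct_sources": len(set(ips)),
            "repeat_sources": sorted({ip for ip in ips if ips.count(ip) > 1}),
            "min_gap_seconds": min(gaps) if gaps else None,
        }
    return summary


if __name__ == "__main__":
    for (attack, port), stats in summarize(parse_events(SAMPLE_LOG)).items():
        print(f"{attack} (remote port {port}): {stats}")
```

On the sample, the LSASS group shows three hits from three different addresses with no repeats, which is the pattern the replies describe as ordinary scanning that the firewall is already blocking.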
 
According to the log, these scans are being sent FROM Port 445, not to the user's Port 445.
Port Authority Database
Port 445
Name: microsoft-ds
Purpose: Microsoft Directory Services
Description: This port replaces the notorious Windows NetBIOS trio (ports 137-139), for all versions of Windows after NT, as the preferred port for carrying Windows file sharing and numerous other services.
Related Ports:
137, 138, 139
Source: http://www.grc.com/port_445.htm

Additional Information: Port 445: https://isc.sans.org/port.html?port=445

Note description of LSASS: http://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service

It appears this user is protected and the firewall is doing what it is supposed to do.
 
oops -- of course. Typically however, port 445 is used on both ends.

Regardless, tcp 445 has an equivalent udp 139 for print/file sharing and
from anything other than the local LAN, it should be denied.

Still like to understand how the log entries were created with the NOLOG setting :confused:
 
I don't think the person is having a problem, unless it was somehow caused by changing ports around. Clearly the user doesn't know how to interpret a firewall log. Once that has been learned, I think all this unnecessary log posting will stop.

From the logs given, the port is the one it is from; it is not the destination port on his/her system. And the firewall is stopping it.
 
Notice the short time span between the two entries, the differing IP addresses and the common port 445

Yes, someone is attempting to penetrate into your system.

Some observations:
1- you must have your system connected directly to a modem without a router, or
your router is forwarding port 445 into your system (IT SHOULD NOT!)

2- your firewall is configured to protect you, but you seem to still get logging or alerts from rule 6.
NOLOG means drop all information from the events being tracked to conserve time and file space. Where are you seeing these entries?

3- rules 5,6,7 are explicit rules that duplicate the default action of all firewalls,
e.g. deny all inputs to all ports. Suggest simplification and delete 5,6,7

4- why the DMZ rule? 192.168.0.25 is exposed to everything and if you're going to
use it, at least LOG what traffic is going there. Unless you know what a DMZ is used for and why you need it, DELETE IT or DISABLE the DMZ entry.

I am connected to a router and the log is from avast, not my router
 
Notice the short time span between the two entries, the differing IP addresses and the common port 445

Yes, someone is attempting to penetrate into your system.

Some observations:
1- you must have your system connected directly to a modem without a router, or
your router is forwarding port 445 into your system (IT SHOULD NOT!)

2- your firewall is configured to protect you, but you seem to still get logging or alerts from rule 6.
NOLOG means drop all information from the events being tracked to conserve time and file space. Where are you seeing these entries?

3- rules 5,6,7 are explicit rules that duplicate the default action of all firewalls,
e.g. deny all inputs to all ports. Suggest simplification and delete 5,6,7

4- why the DMZ rule? 192.168.0.25 is exposed to everything and if you're going to
use it, at least LOG what traffic is going there. Unless you know what a DMZ is used for and why you need it, DELETE IT or DISABLE the DMZ entry.
I use this for my PS3 which has different ports for different games, and it is much easier to do this. Also, my router isn't compatible with the ps3 and Netgear are trying to help, so they suggest things now and then.
 
According to the log, these scans are being sent FROM Port 445, not to the user's Port 445.
Port Authority Database

Source: http://www.grc.com/port_445.htm

Additional Information: Port 445: https://isc.sans.org/port.html?port=445

Note description of LSASS: http://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service

It appears this user is protected and the firewall is doing what it is supposed to do.
Ahh, I use NetBIOS so that would make sense.
I feel stupid now. This is yet another (possible) solution to my PS3 connection problems. Should I disable this? Is it a security issue?
Going on holiday tomorrow, so I won't be able to reply for 2 weeks.
 
Did you recently remove malware from this machine? Often attackers will keep trying to attack even after you have removed their programs, but they are right: that is what the firewall is for.
 