
Receive connection from another computer?

By Habylab · 25 replies
Jul 17, 2008
  1. I keep getting random popups from Comodo firewall from a different IP address, but same port, asking me for internet request...
    Have a look at the info below.

    Details from Comodo
    What do you think?
  2. Habylab

    Habylab TS Rookie Topic Starter Posts: 263

    Just got another one now, I will post here whenever I get a new one...
  3. jobeard

    jobeard TS Ambassador Posts: 10,432   +801

    This describes port 135

    First, find your lan router address (something like

    Knowing this, add two rules to your firewall:
    allow in/out src ( tcp port 135
    deny in/out tcp port 135 NOLOGGING
    The allow restricts port 135 usage to only your lan and the deny stops all others

    It is true that the Exchange Server computer, an RPC-based application, uses TCP port 135,
    but the server will not be used on your personal home network and
    at work the server will be located within the ip-range noted above.

    The above will stop the firewall from logging and annoying you any further,
    but as-is, your firewall is already protecting you nicely and there's nothing wrong with your system :)
  4. Habylab

    Habylab TS Rookie Topic Starter Posts: 263

    I have blocked the ones that have come up, so should I remove them?
  5. jobeard

    jobeard TS Ambassador Posts: 10,432   +801

    the two rules shown will block ALL sites not attached to your Lan

    the order of the rules matters; those higher in the list take control before any below.

    you can
    1. delete your specific one-for-one blocking and use the generic two shown
    2. keep all the one-for-one
    3. and/or push the generic below your existing specific one-for-one

    NORMALLY, we push ALLOW rules to the top and DENY to the bottom,
    unless there's a hot reason to ensure some rule will force a deny that
    some other might allow.
  6. Habylab

    Habylab TS Rookie Topic Starter Posts: 263

    OK, I have done that, but now an application called System 137 nbname is doing this.
    All this info is coming from Comodo By the way.
  7. jobeard

    jobeard TS Ambassador Posts: 10,432   +801

    Comodo is catching the event. I doubt it caused the event.

    Go to the two original rules and add port 137,138,139,445 to BOTH.
    This will allow full print/file sharing ONLY on your LAN and silently ignore (and block)
    all traffic from these ports :)
  8. Habylab

    Habylab TS Rookie Topic Starter Posts: 263

    I'm getting this now:
    14.07.2008 16:58:31 DCOM Exploit attack
    21.07.2008 17:56:53 LSASS Exploit (SXP) attack
    21.07.2008 18:05:14 LSASS Exploit (SXP) attack
    21.07.2008 20:32:12 LSASS Exploit (SXP) attack
    23.07.2008 12:08:10 LSASS Exploit (SXP) attack
  9. jobeard

    jobeard TS Ambassador Posts: 10,432   +801

    you did one of two things:
    1. failed to restrict the ALLOW to your local LAN addresses
    2. forgot to move the allow ABOVE the deny and the deny should be NOLOG

    if your router is at, the rule will look like
    allow in/out tcp/udp ports 135-139,445 nolog
    deny ports 135-445 nolog
  10. Habylab

    Habylab TS Rookie Topic Starter Posts: 263

    I have done that already, Screenshot:
  11. jobeard

    jobeard TS Ambassador Posts: 10,432   +801

    Rule #4 is defeating rules 1,2,3

    Either delete rule 4 or change the WAN addresses ANY to be the same as in rule #3
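To show the two ordering mistakes jobeard describes above (the DENY placed above the LAN-only ALLOW, and an ALLOW-from-ANY "rule #4" sitting below the LAN rule), here is an added first-match simulation in Python. It is not Comodo's rule syntax or anyone's code from this thread; it assumes 192.168.1.0/24 as the LAN range the thread leaves blank, and uses constructed source addresses.

```python
import ipaddress

# Constructed example, not Comodo's rule syntax. The thread leaves the LAN
# address blank; 192.168.1.0/24 is assumed here.
LAN = "192.168.1.0/24"
ANY = "0.0.0.0/0"
SHARING_PORTS = {135, 137, 138, 139, 445}   # RPC/NetBIOS/SMB ports named in the thread


def rule(action, src, ports, log=True):
    """One firewall rule: action on traffic from src to any of ports."""
    return {"action": action, "src": ipaddress.ip_network(src),
            "ports": set(ports), "log": log}


def evaluate(rules, src_ip, port):
    """First-match evaluation: the highest rule in the list that matches takes
    control. Returns (action, logged, index); unmatched traffic falls through
    to the firewall's implicit deny."""
    addr = ipaddress.ip_address(src_ip)
    for i, r in enumerate(rules):
        if addr in r["src"] and port in r["ports"]:
            return r["action"], r["log"], i
    return "deny", False, None


# Ruleset as jobeard intends it: LAN-only ALLOW above a silent (NOLOG) DENY.
GOOD = [
    rule("allow", LAN, SHARING_PORTS, log=False),
    rule("deny", ANY, SHARING_PORTS, log=False),
]

# Mistake from post 9: DENY placed above the ALLOW blocks the LAN too.
DENY_FIRST = [GOOD[1], GOOD[0]]

# Mistake from post 11: an ALLOW from ANY ("rule #4") sitting below the LAN
# rule re-opens the ports to the whole internet before the DENY is reached.
RULE4 = [GOOD[0], rule("allow", ANY, SHARING_PORTS), GOOD[1]]


def check(rules):
    """Outcome for a LAN file-sharing peer and an internet host on port 445."""
    lan = evaluate(rules, "192.168.1.20", 445)   # constructed LAN peer
    wan = evaluate(rules, "203.0.113.7", 445)    # constructed internet host
    return {"lan": lan[0], "wan": wan[0], "wan_logged": wan[1]}


if __name__ == "__main__":
    for name, rs in (("good", GOOD), ("deny-first", DENY_FIRST), ("rule4", RULE4)):
        print(name, check(rs))
```

The `wan_logged` flag is the part that matters for the alert noise discussed in the thread: only the silent DENY keeps internet scans from producing popups.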
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    A comment, irrespective of setting up those rules:

    The purpose of a firewall is to 'listen' at ports. A good firewall listens at both incoming and outgoing ports. Some ports, due to the nature of the type of traffic they carry, are closed. IF you have the firewall sending Alerts, it is going to notify you every time there is a scan. Scans go on second by second by hour by day by week, etc. Hundreds, thousands, millions, looking for unprotected ports.

    If your firewall is configured correctly- and most firewalls come already configured correctly- and is stopping access from a scan, it is doing its job. Reset the firewall to the default and turn off the alert, you will be a much happier camper, letting the firewall do its job, every second of every hour of every day and so on.
  13. Habylab

    Habylab TS Rookie Topic Starter Posts: 263

    Do I really need all this firewall on my router blocking and allowing? You have told me what to do, which I thank you for, but why are you asking me to do it? Is it someone trying to hack in to my computer?
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I will relate my experience on this. You can make your own choice.

    I used the paid ZoneAlarm firewall for years. I had it logging and I frequently checked the logs. I made myself a bit crazy asking myself the same question: "Is someone trying to hack into my computer"? The answer was Yes, but I took it personally- it was MY computer! Finally, after enough time had passed and enough advice had been given that I finally accepted the fact and understood:
    Thousands of scans are part of internet traffic every day. The senders are looking for an unprotected system. Those are the systems that DON'T have the firewall blocking those ports or users who don't understand how a firewall works and when being given an alert, allow access instead of blocking it.

    When you see the firewall blocking an attempt to access, it is doing exactly what it is supposed to do. There are unique circumstances where a particular port access has to be allowed for some reason, but that is something an individual user must deal with. My experience with firewalls shows they come preconfigured to block the ports they should and when uncertain, will give an alert and ask the user whether to block or allow.

    Eventually I got a router to take advantage of the hardware firewalls. I ran ZoneAlarm along with it for several months. I did not get a single hit- my system was 'invisible' on the internet. Eventually, I uninstalled ZoneAlarm and have remained safe.

    The DCOM Exploit attack is infected systems trying to spread the infection to your system. If your firewall let these things through it is not set up correctly. Conversely, if the firewall stops them, it's doing its job. You can explore both the DCOM Exploit attack and the LSASS Exploit (SXP) attack here:

    Or by searching Google for each. If you want to identify the IP, use this: http://www.arin.net/whois/
    IP is an address on the RIPE Network
    To further identify use this: RIPE Network Coordination Centre: http://www.db.ripe.net/whois
    IP is registered to IT-ALBACOM (IT being the country code for Italy)

    You can find information about Port 135 here: http://isc.sans.org/port.html?port=135

    Your original post about a Comodo finding for IP is for the Illinois Century Network
    The best all round information for understanding firewalls is: "Firewall Forensics- What am I seeing?" Robert Graham originally assembled the information and it is referred to frequently. Here is a copy:

    Understanding what a firewall does, what the ports do, the different types of ports and much more is essential in trying to understand information you are being given. Only then can you make an assessment of "what am I seeing"?!
  15. Habylab

    Habylab TS Rookie Topic Starter Posts: 263

    Ok Thank you for writing up such a good and long post. I have done what jobeard said and have deleted the rule #4. I'll post my latest log:
    Bearing in mind i deleted rule #4 after the time listed, but...
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You seem to have a penchant for posting images on all your threads. This is not necessary. A description or one example would do. There is nothing in your log that needs us to deal with that you cannot do yourself using the instructions I left. It's just wasting 'space'.
  17. jobeard

    jobeard TS Ambassador Posts: 10,432   +801

    Notice the short time span between the two entries, the differing IP addresses and the common port 445

    Yes, someone is attempting to penetrate into your system.

    Some observations:
    1- you must have your system connected directly to a modem without a router or
    your router is forwarding port 445 into your system (IT SHOULD NOT!)

    2- your firewall is configured to protect you, but you seem to still get logging or alerts from rule 6.
    NOLOG means drop all information from the events being tracked to conserve time and file space. Where are you seeing these entries?

    3- rules 5,6,7 are explicit rules that duplicate the default action of all firewalls,
    e.g. deny all inputs to all ports. Suggest simplification and delete 5,6,7

    4- why the DMZ rule? is exposed to everything and if you're going to
    use it, at least LOG what traffic is going there. Unless you know what a DMZ is used for and why you need it, DELETE IT or DISABLE the DMZ entry.
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    According to the log, these scans are being sent FROM Port 445, not to the user's Port 445.
    Port Authority Database
    Source: http://www.grc.com/port_445.htm

    Additional Information: Port 445: https://isc.sans.org/port.html?port=445

    Note description of LSASS: http://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service

    It appears this user is protected and the firewall is doing what it is supposed to do.
  19. jobeard

    jobeard TS Ambassador Posts: 10,432   +801

    oops -- of course. Typically however, port 445 is used on both ends.

    Regardless, tcp 445 has an equivalent udp 139 for print/file sharing and
    from anything other than the local LAN, it should be denied.

    Still like to understand how the log entries were created with the NOLOG setting :confused:
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I don't think the person is having a problem. Unless it was something caused by changing ports around. Clearly the user doesn't know how to interpret a firewall log. Once that has been learned, I think all this unnecessary log posting will stop.

    From the logs given, the port is the 'from' port; it is not the destination port on his/her system. And the firewall is stopping it.
  21. Habylab

    Habylab TS Rookie Topic Starter Posts: 263

    I am connected to a router and the log is from avast, not my router
  22. Habylab

    Habylab TS Rookie Topic Starter Posts: 263

    I use this for my PS3 which has different ports for different games, and it is much easier to do this. Also, my router isn't compatible with the ps3 and Netgear are trying to help, so they suggest things now and then.
  23. Habylab

    Habylab TS Rookie Topic Starter Posts: 263

    Ahh I use NetBIOS so that would make sense
    I feel stupid now. This is yet another (possible) solution to my PS3 connection problems. Should I disable this, is it a security issue?
    Going on holiday tomorrow, so I won't be able to reply for 2 weeks
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    As long as the firewall continues to block attempts to access, leave it alone!
  25. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Did you recently remove malware from this machine? Often attackers will keep trying to attack even after you have removed their programs - but they are right, that is what the firewall is for