Can Someone Please Shed Further Light On This?


Deserted


Greetings, I have recently installed Comodo firewall as I noticed my computer had begun to behave strangely. After a lot of tweaking, I have found the settings that suit me most. Security is set high but not to 'paranoid mode' as that involves too much work. However, I've noticed this keeps happening every 4 minutes. Could someone please tell me what is going on here:

Application: system

Action: blocked

Protocol: tcp

Source IP 192.168.2.154

Source Port 58243

Destination IP 192.168.2.111

Destination Port 139

I then get the destination IP trying to come in as another user through Internet Explorer, though this only happens once or twice a day.

Could someone give me an idea of what is going on here. Friend thinks spammer is trying to use my pc as a zombie but I really don't know.

The reason I've posted this is that the log list created, even though I've had the program running less than a week is enormous for this one action alone!

Edited by Deserted
Link to comment
Share on other sites

TCP Port 139

Common Use

Netbios Session Service is used for resource sharing on Windows 9x, ME and NT. This is the port that is used to connect file shares for example.

Inbound Traffic

Inbound scans are typically systems which are trying to connect to file shares that might be available on your system and hence these should be blocked. While most of this traffic is the result of worms or viruses which can use open file shares to propagate, they also can be the result of malicious users attempting to connect to your computer. Once connected they can download, upload or even delete or edit files on the connected file share.

If you use open file shares (including sharing of printers, etc) on your local network (LAN), then you should be using a firewall such that your local file shares are not accessible from the internet.

Connecting to open file shares is likely the easiest and most common hack on the internet and yet one of the most effective for malicious activities like identity theft or installing RATs (Remote Access Trojans) to take control of systems remotely for example.

Outbound Traffic

Outbound scans, if occurring in volume, should be considered an indication of a possible worm infection on the source computer and should be investigated. If there are systems to which you remotely connect, then those systems should be marked as trusted IPs within Link Logger such that future authorized events will be logged as normal traffic.

linklogger.com

More info > CERT Advisory

Link to comment
Share on other sites

Thanks, actually I would like to correct some of the information I've given: the event is occurring every 4 seconds, not 4 minutes. The destination port is 139 though occasionally 5357. The source port does vary and so does the last 3 digits of the source IP, other than that Comodo keeps blocking. Noticed that RAM and CPU power are being run down drastically, so would like to get to the bottom of what's going on. I'm no expert (as you may have already noticed) but no novice either, just don't know what best way to proceed is.

Would you suggest I install a variety of anti-viruses, go offline and see if one of them can flush it out? Don't mind paying for ESET or Kaspersky. Have always used Avira and threat fire is firewall, clearly this hasn't been enough as Comodo has revealed an enormous list of activities, of which I was previously unaware.

Link to comment
Share on other sites

192.168.*.* addresses are on your local network.

So that's devices on your LAN communicating with each other, maybe some media server or other computers looking for shared media files.

It may also be some malware scanning what's available on your LAN.

In your place I would be careful and authorize applications one by one for accessing the internet, because worms can also POST or GET data over the normal HTTP protocol.

Probably safe to block for now. If later your wife or daughter complain that they can't find their MP3 collection or the holiday pics, you know what to do.

Link to comment
Share on other sites
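One way to sort a log like the one in the first post, as an added example that is not part of any post in this thread: group blocked connections to the two ports mentioned (139 and 5357) by source address and separate LAN peers from non-LAN sources and from a single host probing many machines. The record layout, the label names and `sweep_threshold` are assumptions made for this sketch, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 private ranges; the 192.168.*.* addresses discussed above are in the last one.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports named in the thread. 5357 is the WSDAPI (Web Services for Devices) port.
SHARING_PORTS = {139: "NetBIOS session service", 5357: "WSDAPI device discovery"}

# Constructed sample records (src IP, src port, dst IP, dst port); not real log data.
SAMPLE = [
    ("192.168.2.154", 58243, "192.168.2.111", 139),
    ("192.168.2.154", 58244, "192.168.2.111", 139),
    ("192.168.2.37", 49811, "192.168.2.111", 5357),
    ("192.168.2.90", 50001, "192.168.2.111", 139),
    ("192.168.2.90", 50002, "192.168.2.112", 139),
    ("192.168.2.90", 50003, "192.168.2.113", 139),
    ("203.0.113.9", 40000, "192.168.2.111", 139),
]

def is_lan(addr):
    """True only for RFC 1918 addresses (stricter than ipaddress.is_private)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def triage(records, sweep_threshold=3):
    """Label each source of blocked sharing-port traffic.

    sweep_threshold is an assumed cut-off: a source that tries sharing ports
    on that many distinct hosts looks like a scan, not a peer after one share.
    """
    seen = defaultdict(lambda: {"count": 0, "targets": set(), "ports": set()})
    for src, _sport, dst, dport in records:
        if dport not in SHARING_PORTS:
            continue
        entry = seen[src]
        entry["count"] += 1
        entry["targets"].add(dst)
        entry["ports"].add(dport)
    report = {}
    for src, e in seen.items():
        if not is_lan(src):
            label = "external"    # non-LAN source on a sharing port: keep blocked
        elif len(e["targets"]) >= sweep_threshold:
            label = "lan-sweep"   # one host probing many: inspect that host
        else:
            label = "lan-peer"    # likely share or device discovery
        report[src] = (label, e["count"], sorted(e["ports"]))
    return report

if __name__ == "__main__":
    for src, (label, count, ports) in sorted(triage(SAMPLE).items()):
        print(f"{src:<15} {label:<10} {count:>3} blocked  ports {ports}")
```
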

Thanks, I have had some disruptions of that nature, nothing serious. I guess it's just wanting to know what the numbers and the actions really signify, for something to be happening so much is concerning. At any given point I've got over 2000 intrusions being blocked. That can't be right surely, and yet when I sweep for viruses (have several programs) it comes up clean every time!

Perhaps I should add, I use Google Chrome. I've heard it is prone to security issues and have had them with it before. Could this be a primary cause of vulnerability?

Edited by Deserted
Link to comment
Share on other sites

A computer is vulnerable from the moment software runs on it.

Link to comment
Share on other sites

If you are connected directly to the internet, e.g. a DSL router in your home, this will be your solution.

All DSL routers have built-in firewalls that are more than sufficient; you do not need an additional firewall except the basic Windows one.

If you are connecting to your own Wi-Fi, are you protected by WPA-PSK security? If you are only protected by WEP, someone can get your password in about 5 mins, so get secure if you are not. You can log in to your router from your PC; if you don't know how, reply with the make and model of your router and I'll tell you how to do it.

If you are running Windows XP and above, uninstall any antivirus & 3rd party firewall software and install Microsoft Security Essentials for malware, antivirus etc. It's free and works in the background most of the time, and my computer is virus etc free!

-----------------------------------------------------------------

If you are connected through an apartment Wi-Fi.

If I was having your problem, I would use Norton 360 or Norton Internet Security. Both packages can be downloaded with 90 day free trials, and there might be ways to extend them.

I hope this helps you.

Link to comment
Share on other sites

How secure is your Windows network? Setting one up is a no-brainer, but securing it requires a little bit of work.

Have you:

- Set folder permissions and limited access to specific users and not 'Everyone'

- Turned off Simple File Sharing (XP) or Sharing Wizard (Vista/Win7)

- Only enabled File and Printer Sharing when it's needed

- Disabled the 'Guest' account

- Password protected network shares

- Kept the operating system up-to-date with the latest patches

- Enabled Windows Firewall and scanned for malware/viruses on a regular basis

If you can answer "Yes" to all the above, I don't think you have anything to worry about.

Link to comment
Share on other sites

Yes to all of these.

I'm using Wi-Fi, my apt has networks and 4 routers for each floor.

Edited by Deserted
Link to comment
Share on other sites
