What's this? - Firewalls



Thread: What's this?

  1. What's this?

    Hi,
    If this is the wrong place to post this, I apologize and would
    appreciate if someone would point me to the correct newsgroup.

    This is the log from my firewall:
    http://i11.tinypic.com/40ac2us.jpg

    Can someone help me understand what is going on here? I get about 10-20
    of these per minute.

    Date/Time :2007-04-07 18:45:18
    Severity :Medium
    Reporter :Network Monitor
    Description: Inbound Policy Violation (Access Denied, IP =
    91.124.195.18, Port = 35865)
    Protocol: UDP Incoming
    Source: 91.124.195.18:4672
    Destination: 192.168.1.66:35865
    Reason: Network Control Rule ID = 5

    Help.

  2. Re: What's this?

    On Sat, 07 Apr 2007 19:42:00 -0700, BDS wrote:

    > Hi,
    > If this is the wrong place to post this, I apologize and would
    > appreciate if someone would point me to the correct newsgroup.
    >
    > This is the log from my firewall:
    > http://i11.tinypic.com/40ac2us.jpg
    >
    > Can someone help me understand what is going on here? I get about 10-20
    > of these per minute.
    >
    > Date/Time :2007-04-07 18:45:18
    > Severity :Medium
    > Reporter :Network Monitor
    > Description: Inbound Policy Violation (Access Denied, IP =
    > 91.124.195.18, Port = 35865)
    > Protocol: UDP Incoming
    > Source: 91.124.195.18:4672
    > Destination: 192.168.1.66:35865
    > Reason: Network Control Rule ID = 5
    >
    > Help.


    This looks like a log from Comodo firewall. Am I correct? WHOIS lookup
    shows:

    Information related to '91.124.0.0 - 91.124.255.255'

    inetnum: 91.124.0.0 - 91.124.255.255
    org: ORG-USTC1-RIPE
    netname: UA-UKRTELECOM-20061006
    descr: JSC "Ukrtelecom"
    country: UA
    admin-c: ARM3-RIPE
    tech-c: DKZ1-RIPE
    notify: *******@ukrtel.net
    status: ALLOCATED PA
    mnt-by: RIPE-NCC-HM-MNT
    mnt-lower: AS6849-MNT
    mnt-routes: AS6849-MNT
    changed: **********@ripe.net 20061006
    source: RIPE

    Information related to '91.124.0.0/16

    route: 91.124.0.0/16
    descr: AGGREGATE BLOCK FOR UKRTELECOM
    origin: AS6849
    mnt-by: AS6849-MNT
    changed: *******@ukrtel.net 20061006
    source: RIPE

    I don't know who your ISP is, but possibly Comodo is causing a
    communications problem between your router and ISP. Just a guess. Would
    be more helpful if I knew what Rule 5 is specifically.

    --
    Posted via a free Usenet account from http://www.teranews.com


  3. Re: What's this?

    Bullseye wrote:

    >On Sat, 07 Apr 2007 19:42:00 -0700, BDS wrote:
    >
    >> Hi,
    >> If this is the wrong place to post this, I apologize and would
    >> appreciate if someone would point me to the correct newsgroup.
    >>
    >> This is the log from my firewall:
    >> http://i11.tinypic.com/40ac2us.jpg
    >>
    >> Can someone help me understand what is going on here? I get about 10-20
    >> of these per minute.
    >>
    >> Date/Time :2007-04-07 18:45:18
    >> Severity :Medium
    >> Reporter :Network Monitor
    >> Description: Inbound Policy Violation (Access Denied, IP =
    >> 91.124.195.18, Port = 35865)
    >> Protocol: UDP Incoming
    >> Source: 91.124.195.18:4672
    >> Destination: 192.168.1.66:35865
    >> Reason: Network Control Rule ID = 5
    >>
    >> Help.

    >
    >This looks like a log from Comodo firewall. Am I correct? WHOIS lookup
    >shows:
    >
    >Information related to '91.124.0.0 - 91.124.255.255'
    >
    >inetnum: 91.124.0.0 - 91.124.255.255
    >org: ORG-USTC1-RIPE
    >netname: UA-UKRTELECOM-20061006
    >descr: JSC "Ukrtelecom"
    >country: UA
    >admin-c: ARM3-RIPE
    >tech-c: DKZ1-RIPE
    >notify: *******@ukrtel.net
    >status: ALLOCATED PA
    >mnt-by: RIPE-NCC-HM-MNT
    >mnt-lower: AS6849-MNT
    >mnt-routes: AS6849-MNT
    >changed: **********@ripe.net 20061006
    >source: RIPE
    >
    >Information related to '91.124.0.0/16
    >
    >route: 91.124.0.0/16
    >descr: AGGREGATE BLOCK FOR UKRTELECOM
    >origin: AS6849
    >mnt-by: AS6849-MNT
    >changed: *******@ukrtel.net 20061006
    >source: RIPE
    >
    >I don't know who your ISP is, but possibly Comodo is causing a
    >communications problem between your router and ISP. Just a guess. Would
    >be more helpful if I knew what Rule 5 is specifically.



    Thanks. Yes it is Comodo. Please see the screenshot
    http://i11.tinypic.com/40ac2us.jpg
    and you can see different IP addresses are constantly trying to connect
    to port 35865. I don't know what that port is. I'm thinking it's
    people scanning the 'Net for vulnerable machines. Anyone have any info?
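The poster is counting entries by eye from a screenshot. As an added example (not code from the thread or from Comodo), the script below parses the record layout shown in the first post and summarises blocked inbound traffic per destination port: how many events, how many distinct source hosts, and the rate per minute. Many different hosts aiming at one port at a steady rate is the pattern left by a service whose peers on the Internet still know about it; one host walking many ports is the scan pattern. All records after the first are constructed for the example and use RFC 5737 documentation addresses.

```python
"""Triage of Comodo "Network Monitor" firewall log records.

Added example, not code from the thread or from Comodo. It parses the
record layout shown in the first post (blank-line separated "Key: value"
blocks, with a long value possibly wrapped onto the next line) and
summarises blocked inbound traffic per destination port. Every record
except the first is constructed for this example and uses RFC 5737
documentation addresses.
"""
import re
from collections import defaultdict
from datetime import datetime

# The record exactly as it appears in the first post, wrapped line included.
FIRST_RECORD = """\
Date/Time :2007-04-07 18:45:18
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP =
91.124.195.18, Port = 35865)
Protocol: UDP Incoming
Source: 91.124.195.18:4672
Destination: 192.168.1.66:35865
Reason: Network Control Rule ID = 5
"""


def make_record(when, src, dst_port, proto="UDP"):
    """Build a constructed record in the same layout (sample data only)."""
    return (f"Date/Time :{when}\nSeverity :Medium\nReporter :Network Monitor\n"
            f"Description: Inbound Policy Violation (Access Denied, IP = {src}, "
            f"Port = {dst_port})\nProtocol: {proto} Incoming\nSource: {src}:4672\n"
            f"Destination: 192.168.1.66:{dst_port}\nReason: Network Control Rule ID = 5\n")


# Constructed sample: five UDP hits on 35865 from four different hosts within
# one minute, plus a single TCP probe of port 135 from an unrelated host.
SAMPLE_LOG = "\n".join([
    FIRST_RECORD,
    make_record("2007-04-07 18:45:21", "203.0.113.7", 35865),
    make_record("2007-04-07 18:45:35", "198.51.100.23", 35865),
    make_record("2007-04-07 18:45:40", "198.51.100.99", 135, proto="TCP"),
    make_record("2007-04-07 18:45:50", "203.0.113.7", 35865),
    make_record("2007-04-07 18:46:18", "192.0.2.200", 35865),
])

KV = re.compile(r"^([A-Za-z/ ]+?)\s*:\s*(.*)$")  # matches "Key: value" and "Key :value"


def parse_records(text):
    """Split the log into records; a line with no key continues the previous value."""
    records, current, last_key = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        m = KV.match(line)
        if m:
            last_key = m.group(1).strip()
            current[last_key] = m.group(2).strip()
        elif last_key is not None:
            current[last_key] += " " + line
    if current:
        records.append(current)
    return records


def split_endpoint(endpoint):
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def summarise_inbound(records):
    """Per (proto, destination port): event count, distinct sources, events/minute."""
    buckets = defaultdict(lambda: {"events": 0, "sources": set(), "times": []})
    for r in records:
        if "Incoming" not in r.get("Protocol", ""):
            continue
        src_host, _ = split_endpoint(r["Source"])
        _, dst_port = split_endpoint(r["Destination"])
        b = buckets[(r["Protocol"].split()[0].lower(), dst_port)]
        b["events"] += 1
        b["sources"].add(src_host)
        b["times"].append(datetime.strptime(r["Date/Time"], "%Y-%m-%d %H:%M:%S"))
    summary = {}
    for key, b in buckets.items():
        span_min = (max(b["times"]) - min(b["times"])).total_seconds() / 60
        summary[key] = {"events": b["events"],
                        "distinct_sources": len(b["sources"]),
                        # a burst shorter than a minute is rated as one minute
                        "per_minute": round(b["events"] / max(span_min, 1.0), 1)}
    return summary


def sources_touching_many_ports(records, threshold=3):
    """Hosts that probe several distinct ports: the scan pattern, as opposed to
    many hosts all aiming at one port, which is what peers of a P2P client do."""
    ports = defaultdict(set)
    for r in records:
        if "Incoming" in r.get("Protocol", ""):
            ports[split_endpoint(r["Source"])[0]].add(split_endpoint(r["Destination"])[1])
    return {h: sorted(p) for h, p in ports.items() if len(p) >= threshold}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for (proto, port), stat in sorted(summarise_inbound(recs).items()):
        print(f"{proto}/{port}: {stat}")
    print("hosts probing many ports:", sources_touching_many_ports(recs))
```

Run against a real export instead of the sample by reading the file into `parse_records`. On the constructed data udp/35865 shows four distinct sources in a minute and no host touching several ports, which is the peer pattern rather than a scan.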

  4. Re: What's this?

    On Sat, 07 Apr 2007 19:42:00 -0700, BDS wrote:

    >Hi,
    >If this is the wrong place to post this, I apologize and would
    >appreciate if someone would point me to the correct newsgroup.
    >
    >This is the log from my firewall:
    >http://i11.tinypic.com/40ac2us.jpg
    >
    >Can someone help me understand what is going on here? I get about 10-20
    >of these per minute.


    A good guess would be that you are running Skype or something similar
    which has the mentioned port stated as its connection port.

    Use netstat or TCPview to check if an app is listening on this port.
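The check suggested here, done from `netstat -ano` and `tasklist` output, as an added example that is not code from the thread. It maps the local port to the PID bound to it and the PID to an image name; for UDP any bound socket counts (UDP has no LISTENING state), for TCP only sockets in LISTENING. The two outputs below are constructed samples in the usual Windows column layout, with made-up PIDs; the image name `emule.exe` is taken from the poster's own finding later in the thread.

```python
"""Map a local port to the process bound to it, from "netstat -ano" and
"tasklist" output.

Added example, not code from the thread. NETSTAT_SAMPLE and TASKLIST_SAMPLE
are constructed in the Windows column layout; PIDs are made up.
"""
import re
import subprocess
import sys

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       964
  TCP    192.168.1.66:4662      0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.66:4662      203.0.113.7:51234      ESTABLISHED     2044
  UDP    0.0.0.0:35865          *:*                                    2044
  UDP    192.168.1.66:1900      *:*                                    1280
"""

TASKLIST_SAMPLE = """\

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0         24 K
svchost.exe                    964 Services                   0      6,212 K
svchost.exe                   1280 Services                   0      4,100 K
emule.exe                     2044 Console                    1     41,980 K
"""

# Proto, local, foreign, optional state (absent on UDP lines), PID.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# Image name (may contain spaces), PID, session name, session number, memory.
TASKLIST_LINE = re.compile(r"^(.+?)\s+(\d+)\s+(\S+)\s+(\d+)\s+([\d,]+ K)\s*$")


def parse_netstat(text):
    """One dict per socket line; header lines do not match the pattern."""
    sockets = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            sockets.append({"proto": proto, "local": local, "remote": remote,
                            "state": state or "", "pid": int(pid)})
    return sockets


def parse_tasklist(text):
    """{pid: image name}; the header and separator lines do not match."""
    names = {}
    for line in text.splitlines():
        m = TASKLIST_LINE.match(line)
        if m:
            names[int(m.group(2))] = m.group(1).strip()
    return names


def local_port(addr):
    """Port number from '0.0.0.0:35865' or '[::]:35865'."""
    return int(addr.rpartition(":")[2])


def find_listeners(port, netstat_text, tasklist_text):
    """Sockets on `port` able to receive unsolicited packets: every UDP socket
    bound there, and TCP sockets in LISTENING. Returns (proto, local, pid, image)."""
    names = parse_tasklist(tasklist_text)
    hits = []
    for s in parse_netstat(netstat_text):
        if local_port(s["local"]) != port:
            continue
        if s["proto"] == "TCP" and s["state"] != "LISTENING":
            continue
        hits.append((s["proto"], s["local"], s["pid"], names.get(s["pid"], "?")))
    return hits


def live_listeners(port):
    """The same check against the running system. The column layout assumed
    above is the Windows one, so this is only meaningful on Windows."""
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    tl = subprocess.run(["tasklist"], capture_output=True, text=True).stdout
    return find_listeners(port, ns, tl)


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 35865
    hits = (live_listeners(port) if sys.platform == "win32"
            else find_listeners(port, NETSTAT_SAMPLE, TASKLIST_SAMPLE))
    for proto, local, pid, image in hits:
        print(f"{proto} {local} is bound by PID {pid} ({image})")
    if not hits:
        print(f"nothing is bound to port {port}; drops there are unsolicited noise")
```

If the port comes back with no owner, the blocked packets are leftovers from something that used to listen there (or plain background noise) and the firewall is doing its job; if it does have an owner, the question becomes whether that program should be reachable from the Internet at all.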

  5. Re: What's this?

    BDS wrote:
    > If this is the wrong place to post this, I apologize and would
    > appreciate if someone would point me to the correct newsgroup.
    > This is the log from my firewall:
    > http://i11.tinypic.com/40ac2us.jpg
    > Can someone help me understand what is going on here? I get about 10-20
    > of these per minute.


    Yes, it means that you're using software which you don't understand.
    It's useless to log all such things. And I hope your software does not
    show you ridiculous popup windows for each event ;-)

    Yours,
    VB.
    --
    "Terror is better suited than any other military strategy to
    manipulating the population."
    (Dr. Daniele Ganser, 2005)


  6. Re: What's this?

    BDS wrote:
    > This is the log from my firewall:
    > http://i11.tinypic.com/40ac2us.jpg
    >
    > Can someone help me understand what is going on here? I get about 10-20
    > of these per minute.
    >
    > Date/Time :2007-04-07 18:45:18
    > Severity :Medium
    > Reporter :Network Monitor
    > Description: Inbound Policy Violation (Access Denied, IP =
    > 91.124.195.18, Port = 35865)
    > Protocol: UDP Incoming
    > Source: 91.124.195.18:4672
    > Destination: 192.168.1.66:35865
    > Reason: Network Control Rule ID = 5


    Well, UDP packets from various hosts on the Internet to port 35865/udp
    on your computer triggered Comodo's "Network Control Rule 5". Whatever
    that's supposed to be.

    First step should be to find out why your router forwards this traffic
    to your computer in the first place. Your computer has a private IP
    address, so it shouldn't receive any unrequested traffic from the
    Internet unless there's a good reason for it. Next step would be to find
    out what exactly "Network Control Rule 5" is, and why it is in place
    (IOW what purpose it serves). Any subsequent action would depend on the
    outcome of the aforementioned two steps.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  7. Re: What's this?

    Ansgar -59cobalt- Wiechers wrote:

    >BDS wrote:
    >> This is the log from my firewall:
    >> http://i11.tinypic.com/40ac2us.jpg
    >>
    >> Can someone help me understand what is going on here? I get about 10-20
    >> of these per minute.
    >>
    >> Date/Time :2007-04-07 18:45:18
    >> Severity :Medium
    >> Reporter :Network Monitor
    >> Description: Inbound Policy Violation (Access Denied, IP =
    >> 91.124.195.18, Port = 35865)
    >> Protocol: UDP Incoming
    >> Source: 91.124.195.18:4672
    >> Destination: 192.168.1.66:35865
    >> Reason: Network Control Rule ID = 5

    >
    >Well, UDP packets from various hosts on the Internet to port 35865/udp
    >on your computer triggered Comodo's "Network Control Rule 5". Whatever
    >that's supposed to be.
    >
    >First step should be to find out why your router forwards this traffic
    >to your computer in the first place. Your computer has a private IP
    >address, so it shouldn't receive any unrequested traffic from the
    >Internet unless there's a good reason for it. Next step would be to find
    >out what exactly "Network Control Rule 5" is, and why it is in place
    >(IOW what purpose it serves). Any subsequent action would depend on the
    >outcome of the aforementioned two steps.
    >
    >cu
    >59cobalt


    Thanks for everyone's help. I found out it was eMule listening for the
    packets. Now I'll try to figure out why.

  8. Re: What's this?

    On Sat, 14 Apr 2007 19:24:06 -0700, BDS wrote:


    > Thanks for everyone's help. I found out it was eMule listening for the
    > packets. Now I'll try to figure out why.


    If you use emule to download anything, the other IPs will continue to
    probe that port for the entire session. If you are on a broadband
    connection, that will probably continue until you reboot your computer.
    Also, if you attempt to download with emule and don't have a specific rule
    created for it, you'll get those alerts from Comodo since the other peer
    IPs are not reaching the port emule is listening on. If your emule program
    is not running, it shouldn't be listening on that port. In that case, you
    might want to check task manager and make sure all the elements for emule
    are not running. I know that when I've used Bittorrent or Utorrent, once I
    close out the program the IPs will continue to probe until I go offline.
    Then, once I go back online, it will stop. You probably also want to
    create a specific rule for emule to receive packets at port 35865.

    --
    Posted via a free Usenet account from http://www.teranews.com

