Hello, I have a question about this. My zonelog analyzer says that there have been over 500 hits in the last 2 weeks from a service called commplex-main. I searched through my zone logs (back to the end of April) and this type of attempt didn't show up until a couple of weeks ago. I searched on Google and found very little. The target port is always 5000 and the source is always my ISP. It seems that this has something to do with plug and play (which is disabled on my machine).

So my questions are:

1. What is commplex-main?
2. Is there some way to determine where the packets are coming from? I know they are coming *through* my ISP (Level3), but that doesn't mean they are coming *from* my ISP? Or are they?

Thanks.
Hi bluekey23

There was a spike in firewall events to local port 5000. It was associated with a number of things; for some comments, this page at Internet Storm Center explains a few.

commplex-main is just a name/service officially associated with port 5000, much like pop3 is associated with port 110 (IANA port assignment list). This does not always mean or indicate what the port is actually being used for.

I doubt it is your ISP specifically. The way these worms, viruses and trojans work, it is not unusual to see a higher number of scans from compromised systems on the same subnet you are on (other customers of your ISP). This would be in addition to the scans from outside your subnet. The source IP from your firewall logs is the easiest way to determine this.

Regards,
CrazyM
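Added example, not part of the original thread: a Python sketch of the source-IP check described in the reply above, tallying inbound port 5000 hits and splitting the sources into same-subnet and outside addresses. The log lines are constructed, the comma-separated field layout is an assumption about the firewall's text log, and `LOCAL_SUBNET` is a placeholder documentation range to replace with your own.

```python
import ipaddress
from collections import Counter

# Constructed sample lines. Assumed layout: type,date,time,src:port,dst:port,proto
SAMPLE_LOG = """\
FWIN,2004/05/18,09:12:44 -5:00 GMT,198.51.100.23:3312,198.51.100.77:5000,TCP (flags:S)
FWIN,2004/05/18,09:13:02 -5:00 GMT,198.51.100.201:4120,198.51.100.77:5000,TCP (flags:S)
FWIN,2004/05/18,09:15:31 -5:00 GMT,203.0.113.9:1045,198.51.100.77:5000,TCP (flags:S)
FWIN,2004/05/18,09:16:10 -5:00 GMT,198.51.100.23:3320,198.51.100.77:5000,TCP (flags:S)
FWIN,2004/05/18,09:17:55 -5:00 GMT,203.0.113.9:1046,198.51.100.77:135,TCP (flags:S)
FWOUT,2004/05/18,09:18:00 -5:00 GMT,198.51.100.77:1030,192.0.2.53:53,UDP
garbage line that should be skipped
"""

# Placeholder: the address range your ISP assigned to your segment.
LOCAL_SUBNET = ipaddress.ip_network("198.51.100.0/24")

def split_endpoint(field):
    """Split 'a.b.c.d:port' into (ip_address, int port); raises ValueError if malformed."""
    host, _, port = field.rpartition(":")
    return ipaddress.ip_address(host), int(port)

def summarize_hits(log_text, port=5000, subnet=LOCAL_SUBNET):
    """Count inbound hits to `port` per source IP, split by subnet membership."""
    same, outside = Counter(), Counter()
    for line in log_text.splitlines():
        parts = line.split(",")
        if len(parts) < 6 or parts[0] != "FWIN":
            continue  # not an inbound firewall event
        try:
            src, _ = split_endpoint(parts[3])
            _, dport = split_endpoint(parts[4])
        except ValueError:
            continue  # malformed address or port field
        if dport != port:
            continue
        (same if src in subnet else outside)[str(src)] += 1
    return same, outside

if __name__ == "__main__":
    same, outside = summarize_hits(SAMPLE_LOG)
    print("Same subnet (other customers of the ISP):", same.most_common())
    print("Outside the subnet:", outside.most_common())
```

A source that repeats many times from inside the subnet points to a single compromised neighbour rather than to the ISP itself.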