commplex-main?

Discussion in 'other firewalls' started by bluekey23, May 24, 2004.

Thread Status:
Not open for further replies.
  1. bluekey23, Registered Member (Joined: Feb 23, 2004; Posts: 77)

    Hello,
    I have a question about this. My zonelog analyzer says that there have been over 500 hits in the last 2 weeks from a service called commplex-main. I searched through my zone logs (back to end of April) and this type of attempt didn't show up until a couple of weeks ago. I searched on Google and found very little. The target port is always 5000 and the source is always my ISP. It seems that this has something to do with plug and play (which is disabled on my machine). So my questions are:
    1. What is commplex-main?
    2. Is there some way to determine where the packets are coming from? I know they are coming *through* my ISP (Level3), but that doesn't mean they are coming *from* my ISP? Or are they?
    Thanks.
     
  2. CrazyM, Firewall Expert (Joined: Feb 9, 2002; Posts: 2,428; Location: BC, Canada)

    Hi bluekey23

    There was a spike in firewall events to local port 5000. It was associated with a number of things; for some comments, this page at Internet Storm Center explains a few.

    commplex-main is just a name/service officially associated with port 5000, much like pop3 is associated with port 110 (IANA port assignment list). This does not always mean or indicate what the port is actually being used for.

    I doubt it is your ISP specifically. The way these worms, viruses and trojans work, it is not unusual to see a higher number of scans from compromised systems on the same subnet you are on (other customers of your ISP). This would be in addition to the scans from outside your subnet. The source IP from your firewall logs is the easiest way to determine this.

    Regards,

    CrazyM
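
One way to apply the source-IP check described in the reply above, as an added example that is not part of the original thread: it counts port-5000 hits per source and splits them into same-subnet and outside sources. The log layout is a constructed, simplified CSV (not the firewall's real format), the addresses are documentation ranges, and the local address and prefix length are assumptions you would replace with your own.

```python
import ipaddress
from collections import Counter

# Constructed sample entries: date,time,source_ip:port,dest_ip:port,protocol
SAMPLE_LOG = """\
2004/05/20,10:01:12,192.0.2.45:1045,192.0.2.77:5000,TCP
2004/05/20,10:01:15,192.0.2.45:1046,192.0.2.77:5000,TCP
2004/05/20,11:40:02,192.0.2.130:3321,192.0.2.77:5000,TCP
2004/05/21,02:13:44,198.51.100.9:4410,192.0.2.77:5000,TCP
2004/05/21,02:20:10,203.0.113.200:2211,192.0.2.77:135,TCP
this line is malformed and is skipped
2004/05/22,19:05:31,192.0.2.201:1999,192.0.2.77:5000,TCP
"""

def classify_sources(log_text, local_ip, prefix_len, port=5000):
    """Return (same_subnet, outside) Counters of hits to `port` keyed by source IP."""
    # strict=False lets us pass a host address and get its enclosing network
    local_net = ipaddress.ip_network(f"{local_ip}/{prefix_len}", strict=False)
    same, outside = Counter(), Counter()
    for line in log_text.splitlines():
        fields = line.strip().split(",")
        if len(fields) != 5:
            continue  # not a log entry in the assumed layout
        try:
            src_ip = ipaddress.ip_address(fields[2].rsplit(":", 1)[0])
            dst_port = int(fields[3].rsplit(":", 1)[1])
        except (ValueError, IndexError):
            continue  # unparsable address or port
        if dst_port != port:
            continue  # only the port under investigation
        bucket = same if src_ip in local_net else outside
        bucket[str(src_ip)] += 1
    return same, outside

if __name__ == "__main__":
    same, outside = classify_sources(SAMPLE_LOG, "192.0.2.77", 24)
    print("same subnet:", same.most_common())
    print("outside:    ", outside.most_common())
```

The split depends on the prefix length you assume for your ISP's subnet, so a source counted as a neighbour under /24 may fall outside under /25.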
     
  3. bluekey23, Registered Member (Joined: Feb 23, 2004; Posts: 77)

    Hi CrazyM,
    Thank you for the excellent info. Your posts and knowledge are much appreciated!
     