Is someone trying to gain access to my system?

Discussion in 'malware problems & news' started by SweX, Feb 12, 2010.

Thread Status:
Not open for further replies.
  1. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    So I am not a big firewall expert so I really have to ask a few questions.

    I am using CIS Full suite. And a Draytek 2820 router with a firewall.

    And yesterday the CIS Firewall popped up and said that someone from the internet is trying to access your system, huh? So I blocked it.
    And then it happened a second time yesterday, 7 hours later. Blocked again.

    And yet today I get a popup from the Firewall saying that someone is trying to access the computer, what the hell?

    So, first popup yesterday was from System.

    Protocol: TCP - 192.168.1.11
    Source port 49166, and goes up to 49490! Port scanning attack or what?
    Dest IP 192.168.1.10
    And Destination port is always 139
    This was yesterday.

    And today I got another popup from the FW which was UDP this time, saying the following.

    Protocol: UDP
    192.168.1.11
    Source port: 138
    Dest IP: 192.168.1.10
    Dest port: 138
    And this popup occurred today, now around 12.50 PM

    I don't really get this, is the router trying to connect to itself?
    Or what is going on....o_O

    Thanks, SweX

    PS. Tell me if you want a screen shot from the FW log.
     
  2. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,047
    Location:
    United Surveillance States
    It looks like another device on your internal LAN is trying to connect using Windows NetBIOS. If it was an inbound port scan the ports would change for the destination, which is your PC. If you aren't using Windows File/Printer sharing, you can create a rule to silently block any connections where ports 137-139 are the destination. It would be better to figure out which device 192.168.1.11 is and disable the Windows NetBIOS service.

    Another thing to put your mind at ease is that 192.168.0.0/16 addresses are non-routable. This means that it is not a computer from the internet cloud trying to make these connection attempts.
     
    Last edited: Feb 13, 2010
  3. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Thanks for your reply!

    Just an update. When I started the computer today the Firewall popped up and said it has detected another "Local network" with IP: 169.254.135.43. WhoisInfo: http://who.is/whois-ip/ip-address/169.254.135.43/
    Which I did not add to my networks, of course.

    And that IP is not from my Router, which is 192.168.1.1 .

    And then another warning from the FW saying that an incoming connection from "nbdgram138" wants to connect.

    And regarding that other device on my local LAN I actually have no idea what that can be, since I do not have another device connected except for this one and only computer, no printers or anything like that.

    I attached the FW log, and you can see the dates to the right.

    Thanks, SweX
     
    Last edited: Feb 13, 2010
  4. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,047
    Location:
    United Surveillance States
    If your computer is the only one in your house, then someone from the neighborhood is connecting to your wireless network. To block anyone outside from connecting you should enable MAC address filtering in your router's settings. Depending on your router, it may show the MAC addresses of whatever is connected currently. To determine your MAC address, you can type "ipconfig /all" at a Windows command prompt. Your MAC address is the Physical Address in a format like 00-00-00-00-00-00. Enter this into the allowed MAC addresses and select to block anything else.

    I would also turn off SSID broadcasting, change the SSID name to something less obvious than the default, and enable WPA2 encryption.

    If you haven't done so already, you should change the router's password from whatever the default is. If the default no longer works, the neighbor has already changed it for you and you'll have to do a hard reset.:eek:

    These changes will mean more manual work for you initially when connecting a new device to your network, but it will keep everyone else out.

    The 169.254.135.43 address is one in a range (169.254.0.0/16) that is assigned by Windows when there is no DHCP response or a manual IP assigned. This may be another system that your wireless router is picking up. I think enabling the MAC address filtering on the router will make this alert go away as well.
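As an added example (not code from this thread, from Comodo, or from Draytek), here is a small Python triage script for alerts of the kind quoted above. It applies the two checks 0strodamus describes in posts 2 and 4: whether the destination port varies from one alert to the next (scan-like) or stays fixed on a NetBIOS port while the source port climbs (a neighbouring host doing NetBIOS traffic), and whether the source address is in an RFC 1918 LAN range or the 169.254.0.0/16 automatic-address range rather than a routable internet address. The log line format, the sample lines and the 203.0.113.7 "outside" host are all constructed; the firewall's real export format is not assumed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample alerts in the shape quoted in the thread
# (protocol, source IP:port -> destination IP:port). Assumed format.
SAMPLE_LOG = """\
TCP 192.168.1.11:49166 -> 192.168.1.10:139
TCP 192.168.1.11:49201 -> 192.168.1.10:139
TCP 192.168.1.11:49490 -> 192.168.1.10:139
UDP 192.168.1.11:138 -> 192.168.1.10:138
UDP 169.254.135.43:138 -> 192.168.1.10:138
TCP 203.0.113.7:40001 -> 192.168.1.10:22
TCP 203.0.113.7:40002 -> 192.168.1.10:23
TCP 203.0.113.7:40003 -> 192.168.1.10:80
"""

LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")

# NetBIOS over TCP/IP service ports: 137 name, 138 datagram, 139 session.
NETBIOS_PORTS = {137: "nbname", 138: "nbdgram", 139: "nbsession"}

# Private LAN ranges (RFC 1918) and the Windows automatic-address range.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")  # assigned when DHCP fails


def parse_log(text):
    """Parse alert lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proto, src, sport, dst, dport = m.groups()
        events.append({"proto": proto, "src": src, "sport": int(sport),
                       "dst": dst, "dport": int(dport)})
    return events


def classify_address(ip):
    """Say where a source address can come from: LAN, link-local, or outside."""
    addr = ipaddress.ip_address(ip)
    if addr in APIPA:
        return "apipa-link-local"
    if any(addr in net for net in RFC1918):
        return "rfc1918-lan"
    return "external"


def triage(events, scan_threshold=3):
    """Group alerts per (source, protocol) and decide scan vs. single service."""
    by_src = defaultdict(list)
    for e in events:
        by_src[(e["src"], e["proto"])].append(e)
    findings = {}
    for (src, proto), evs in by_src.items():
        dports = sorted({e["dport"] for e in evs})
        sports = sorted({e["sport"] for e in evs})
        origin = classify_address(src)
        if len(dports) >= scan_threshold:
            # Many different destination ports from one source: scan-like.
            verdict = "port-scan-like"
        elif dports[0] in NETBIOS_PORTS:
            # One fixed NetBIOS destination port while the source port
            # changes: a nearby host doing NetBIOS name/browser/session traffic.
            verdict = "netbios-" + NETBIOS_PORTS[dports[0]]
        else:
            verdict = "single-service"
        findings[(src, proto)] = {"origin": origin, "dst_ports": dports,
                                  "src_ports": sports, "verdict": verdict}
    return findings


if __name__ == "__main__":
    for key, finding in triage(parse_log(SAMPLE_LOG)).items():
        print(key, finding)
```

The verdict for the thread's own pattern (192.168.1.11 hitting TCP/139 from source ports 49166 through 49490) comes out as `netbios-nbsession` from an `rfc1918-lan` origin, which is the "identify that device, then disable NetBIOS or block 137-139 inbound if sharing is unused" case; only a source touching several different destination ports is flagged as scan-like.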
     
  5. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Again thanks for answering.

    Hmmm...Well I do not use the wireless option in my router, it's already turned off o_O

    BTW I made a search on the nbdgram138 and I found many many results from users that are using Comodo's firewall that were seeing these connection attempts, and many said not to worry about them, just choose Allow :rolleyes:

    So I thought what the heck and I pushed Allow,
    and afterwards I saw an incoming connection for about 10 sec, and that's about it.

    I also found a thread at Comodo's forum suggesting to turn off the NetBIOS TCP/IP service in the control panel, which I have done now. So now I'll wait a few days to see if the connection attempts will be gone :)

    Maybe you have any other suggestions?

    Thanks, SweX

    P.S here is a live web demo of the user interface of my router!
    http://draytek.com/user/SupportLiveDemoDetail.php?ID=5

    If you push on the Firewall tab and then DoS defense, I have ALL of those check boxes checked in my router
     
  6. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,047
    Location:
    United Surveillance States
    With wireless turned off, this mystery connection is very strange. I'm stumped as to where it is originating from. Do you use a VM, like MS Virtual PC, Sun VM, or VMware? That could be a possible answer. Your logs clearly show 2 devices, so something else is there. Weird. o_O

    I don't use Comodo and I'm not sure why the advice given in their forum would be to allow a connection attempt that is undetermined as to its source. I would recommend defaulting to denying the connection and any connection that I was unsure of. You can always reverse that once you figure out that it is benign or if it breaks something from working.

    I think disabling the NetBIOS service is a good idea if you aren't using it. You may want to take a look at Black Viper's web site to see if there are any other services you can safely disable (Remote Registry, Telnet, and Universal PnP are three that come to mind). Another thing you might want to look into is system hardening. A good resource is maintained by Wilder's member ako at Gizmo's freeware.

    Just make sure you have a backup plan and keep track of each change in case something breaks.
     
  7. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Maybe there is a rogue Cygwin in his Windows?
    Or maybe a blue pill, but don't know if that would turn up on guest firewall?

    My cousin's neighbor had no security on his wifi. He had a Belkin with the default password. Someone was peeking through the pages and found all who connected to his device, 14 people. They added 7 to the MAC filter list and changed the default password to "Belkin". 1. To improve the bandwidth for the leecher/cousin and 2. To prevent any of the other leechers from making any changes.
    Running a Nessus scan on the network showed everyone had some type of infection, according to the report it generated, no wonder there were bandwidth issues.
     
  8. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Hi guys!

    No, I do not use any VM of any kind, such as VMware.

    But I have to say that since I allowed the connection from nbdgram138 ONCE yesterday I haven't seen any connection attempts whatsoever.
    But idk if that is a Good or Bad thing :doubt:

    And regarding the Rogues, first thing I did on the first day was to scan with Mbam and SAS to make sure nothing had slipped through the Firewall, AV, and D+ layers. And nothing was found by either Mbam or SAS.

    And YES, I have changed the default Password on my router to something else.

    But as I said since no other network has been found, and no other connection attempt has been made I feel just a little calmer now anyway ;)

    Even though, we still don't know WHAT and WHY that wanted to connect yet hmmm....

    Thanks for the help so far guys :thumb: , SweX
     
  9. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Should have captured some packets to see what occurred when you chose to allow.
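As an added example (not from this thread or any of its posters), here is what a capture of the "nbdgram138" traffic would have shown, and a Python decoder for it. A UDP/138 packet is a NetBIOS datagram (RFC 1002 section 4.4.1): a 14-byte header carrying the sender's IP and port, followed by the sender's and the destination's NetBIOS names in the RFC 1001 first-level encoding (each byte split into two nibbles, each written as 'A' + nibble). The source name is the machine name of the mystery host, which is the quickest way to learn what 192.168.1.11 actually is. The sample datagram, the host name "NEIGHBOR-PC", the workgroup name and the payload are all constructed; the `build_datagram` helper exists only to produce that sample for the decoder.

```python
import struct

# NetBIOS datagram header, RFC 1002 4.4.1, all fields big-endian:
# msg_type, flags, dgm_id, source_ip, source_port, dgm_length, packet_offset
HEADER = struct.Struct(">BBH4sHHH")
MSG_TYPES = {0x10: "DIRECT_UNIQUE", 0x11: "DIRECT_GROUP", 0x12: "BROADCAST",
             0x13: "ERROR", 0x14: "QUERY_REQUEST",
             0x15: "POSITIVE_QUERY_RESPONSE", 0x16: "NEGATIVE_QUERY_RESPONSE"}


def encode_name(name, suffix):
    """First-level encode a NetBIOS name (15 chars + suffix byte), RFC 1001 14.1."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc.append(0x41 + (b >> 4))    # high nibble -> 'A'..'P'
        enc.append(0x41 + (b & 0x0F))  # low nibble  -> 'A'..'P'
    return b"\x20" + bytes(enc) + b"\x00"  # length 32, label, empty scope


def decode_name(buf, off):
    """Decode one encoded name at buf[off:]; return (name, suffix, next_offset)."""
    if off >= len(buf) or buf[off] != 0x20:
        raise ValueError("expected a 32-byte NetBIOS name label")
    label = buf[off + 1: off + 33]
    if len(label) != 32 or off + 33 >= len(buf) or buf[off + 33] != 0x00:
        raise ValueError("truncated or scoped NetBIOS name")
    if any(c < 0x41 or c > 0x50 for c in label):
        raise ValueError("name label contains characters outside 'A'..'P'")
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15], off + 34


def parse_datagram(pkt):
    """Decode the header and both names of a NetBIOS datagram (UDP/138 payload)."""
    if len(pkt) < HEADER.size:
        raise ValueError("packet shorter than the datagram header")
    msg_type, flags, dgm_id, src_ip, src_port, dgm_len, _off = HEADER.unpack_from(pkt, 0)
    off = HEADER.size
    src_name, src_suffix, off = decode_name(pkt, off)
    dst_name, dst_suffix, off = decode_name(pkt, off)
    return {
        "msg_type": MSG_TYPES.get(msg_type, "UNKNOWN(0x%02x)" % msg_type),
        "first": bool(flags & 0x02),   # F bit: first fragment
        "more": bool(flags & 0x01),    # M bit: more fragments follow
        "dgm_id": dgm_id,
        "src_ip": ".".join(str(b) for b in src_ip),
        "src_port": src_port,
        "src_name": src_name, "src_suffix": src_suffix,
        "dst_name": dst_name, "dst_suffix": dst_suffix,
        "user_data": pkt[off:],
    }


def build_datagram(src_ip, src_port, src_name, src_suffix,
                   dst_name, dst_suffix, payload, dgm_id=1):
    """Assemble a DIRECT_GROUP datagram; used here only to construct a sample."""
    body = encode_name(src_name, src_suffix) + encode_name(dst_name, dst_suffix) + payload
    ip_bytes = bytes(int(o) for o in src_ip.split("."))
    header = HEADER.pack(0x11, 0x02, dgm_id, ip_bytes, src_port, len(body), 0)
    return header + body


# Constructed sample: a group datagram from the thread's 192.168.1.11 host
# (hypothetical machine name and workgroup; payload is a placeholder).
SAMPLE = build_datagram("192.168.1.11", 138, "NEIGHBOR-PC", 0x00,
                        "WORKGROUP", 0x1E, b"constructed-user-data", dgm_id=0x1234)

if __name__ == "__main__":
    for k, v in parse_datagram(SAMPLE).items():
        print(k, v)
```

Run against a real capture, `parse_datagram` takes the UDP payload only (strip the Ethernet, IP and UDP headers first); the `src_name` field is the sending machine's NetBIOS name and the suffix byte says which service sent it (0x00 workstation, 0x1E browser election group, and so on), which is exactly the information needed to put a name to the device the firewall kept reporting.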
     