tommy456 11 Posted December 20, 2018

In the EIS network protection troubleshooting menu, Eset has been blocking incoming connection requests from unknown IPs on port 445 (TCP). Is this background chatter from bots, probes etc., or could it be a sign of something more sinister?
itman 1,538 Posted December 20, 2018

First up is the Microsoft Publication Service Device Host that is connecting to a Russian IP address per Robtex lookup:

Quote:
5.145.203.195 whois Smoltelecom PPPoE (dynamik IPs pool2) route 5.145.192.0/18 bgp AS44265 asname SMOLTELECOM-NET descr Dummy description for 5.145.192.0/18AS44265 location Smolensk, Russia

Per Microsoft:

Quote:
Publication Services enables a WSD device to advertise (publish) its functionality and then offer its functions as Web services over IP-based networks. It also enables devices to find (discover) and access Web services of other devices and computers on the same network. From a user's perspective, NCD technologies will largely eliminate the experiential difference between using devices directly connected to a computer and those virtually connected over a network (including the Internet). As explained above, typically a developer will uniformly access NCDs using higher-level publication services and function discovery.
https://msdn.microsoft.com/en-us/library/bb756908.aspx/

Why that process is running, let alone installed, on an end user PC is beyond me.
itman 1,538 Posted December 20, 2018 (edited)

As far as the inbound port 445 traffic, your router should be blocking any unsolicited inbound traffic on that port. That means something on your PC is most likely sending outbound TCP traffic on port 445. This is a no-no in my security book, but the Eset firewall's default rule will allow it. The culprit, my best guess, is the above-noted process.

Edited December 20, 2018 by itman
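As an added example that is not part of this thread, the following script applies the reasoning in the post above to a set of constructed firewall-block records: unsolicited inbound hits on 445/1900 from public addresses are treated as scanner noise the router should already be dropping, while an outbound TCP 445 connection from a local process to a public address is flagged as the case worth chasing. The record layout, the process names and all addresses except the one quoted in the thread are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample blocked-connection records (not real ESET/Windows output).
# Fields: direction protocol local_ip local_port remote_ip remote_port process
SAMPLE_LOG = """\
IN  TCP 192.168.1.20 445   5.145.203.195 51234 System
IN  TCP 192.168.1.20 445   185.220.101.7 40011 System
IN  UDP 192.168.1.20 1900  192.168.1.1   1900  svchost.exe
IN  TCP 192.168.1.20 445   91.200.12.34  60000 System
OUT TCP 192.168.1.20 49700 5.145.203.195 445   svchost.exe
OUT TCP 192.168.1.20 49702 192.168.1.30  445   System
"""

NOISY_PORTS = {445, 1900}  # SMB and SSDP: constantly probed from the internet

def parse(log):
    """Split each record into a dict; the remote IP becomes an ipaddress object."""
    records = []
    for line in log.strip().splitlines():
        d, proto, lip, lport, rip, rport, proc = line.split()
        records.append({"dir": d, "proto": proto, "lport": int(lport),
                        "remote": ipaddress.ip_address(rip),
                        "rport": int(rport), "proc": proc})
    return records

def classify(rec):
    """Label one record along the lines of the reasoning in the thread."""
    public = rec["remote"].is_global
    if rec["dir"] == "IN" and rec["lport"] in NOISY_PORTS:
        # Unsolicited hits on 445/1900: from a public IP they should not even
        # reach the host if the router drops unsolicited inbound traffic.
        return "inbound-probe-public" if public else "inbound-lan-noise"
    if rec["dir"] == "OUT" and rec["rport"] == 445:
        # A local process reaching SMB on the internet is the case to chase.
        return "outbound-smb-public" if public else "outbound-smb-lan"
    return "other"

def triage(log):
    """Return per-label counts and outbound-SMB-to-public hits grouped by process."""
    counts, suspects = Counter(), defaultdict(list)
    for rec in parse(log):
        label = classify(rec)
        counts[label] += 1
        if label == "outbound-smb-public":
            suspects[rec["proc"]].append(str(rec["remote"]))
    return counts, dict(suspects)
```

On the sample above the three inbound 445 hits from public addresses count as probes, and the single outbound 445 connection to a public address is attributed to its originating process.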
tommy456 11 Posted December 20, 2018 (Author)

Well, since my last, there has been at least 1 attempt to connect via port 1900. This has only been happening in the past few days.
itman 1,538 Posted December 20, 2018

17 minutes ago, tommy456 said:
Well since my last, there has been at least 1 attempt to connect via Port 1900

SSDP Eset firewall blocks are the norm. I just disabled the service in Windows since I was tired of my associated Win Event log filling up with blocked entries.
novice 20 Posted December 20, 2018

1 hour ago, itman said:
This is a no-no in my security book but the Eset firewall by default rule will allow it.

So, what's the point in running the ESET firewall in default mode if something which is a no-no in your security book is allowed out????
itman 1,538 Posted December 21, 2018

40 minutes ago, novice said:
So, what the point in running ESET firewall in default mode if something which is no-no in your security book is allowed out????

If a worm is able to install itself, the first thing it will try to do is connect outbound on TCP port 445. Eset by default doesn't block outbound TCP port 445 since, if you're on an internal network and share files or printers, it is valid communication. I am not on a network and as such don't share files or printers.
novice 20 Posted December 21, 2018 (edited)

9 hours ago, itman said:
If a worm is able to install itself, the first thing it will try to do is connect outbound TCP port 445. Eset by default doesn't block outbound TCP port 445 since if your on a internal network and share files or printers, it is valid communication. I am not on a network and as such, don't share files or printers.

The worm should be something like "worm".exe, so the firewall should let me know when an ".exe" is trying to access the internet, not leave TCP 445 wide open. For example, TCP 80 and TCP 443 are used for IE; this doesn't mean a firewall should be open BY DEFAULT on ports 80 and 443. Otherwise, in the default configuration there is no difference between the Win Firewall (built in) and the ESET firewall.

Edited December 21, 2018 by novice
tommy456 11 Posted December 21, 2018 (Author)

SSDP disabled, which also disabled UPnP (Win 7), but that has stopped these inbound attacks or whatever they were. All those IP addresses did appear in Wireshark, but I didn't save the pcap. I have since installed a Microsoft tool that works like Wireshark, but shows the process that is sending/receiving. Eset scans find nothing within the O/S or 3rd-party S/W installed on the PC, so if it's a worm, Eset isn't detecting it.
itman 1,538 Posted December 21, 2018

2 hours ago, tommy456 said:
SSDP Disabled which also disabled UPnP, (win 7) but that has stopped these inbound attacks or whatever they were

Are you stating that this stopped the inbound port 445 blocked connections you originally posted?
tommy456 11 Posted December 21, 2018 (Author)

I ain't 100% sure it was solely down to disabling that service, or them both. The only problem that is apparent is that streaming to my smart TV is no longer working as a result. I did, prior to this, close the port via CMD. I will re-enable both services at some point and try and find which process or processes are generating the traffic to those IPs. I recently found out that the s/ware I use to control the cooling fans and RGB on my GPU https://www.bleepingcomputer.com/news/security/asus-gigabyte-drivers-contain-code-execution-vulnerabilities-pocs-galore/ So it could be this S/w, or it may be something else,