Constant Attack

It's been going on for a few days now. I'm getting constant attacks from an IP in Ireland: 89.124.137.168

http://www.ip-adress.com/ip_tracer/89.124.137.168

http://i45.tinypic.com/2vagtqh.jpg

What should I do?

Have no fear, my friend 8) You are doing nothing wrong. Your firewall IS BLOCKING A THREAT. It's doing exactly what it's designed to do. Same problem here. Come join if you like.
https://forums.comodo.com/firewall-help/some-what-fixed-dcom-exploit-bypassing-comodo-blocked-by-avast-t52004.0.html

When did you first notice this activity? And in that time frame, did you download any installers, .exe's, etc.? It could be a virus injection, maybe a backdoor/trojan. You should do a full virus scan using any of the many free online virus scanners from different AV vendor websites if you don't want to download and install additional virus/malware protection software.

As far as doing an IP trace, I highly recommend this site http://ip-address-lookup-v4.com/ as it reveals a lot of info.

I don't remember exactly when it started, but it was a few days ago. I did do a full ESET NOD32 scan on the 20th; it found "probably a variant of Java/TrojanDownloader.Agent.AV trojan", which was in c:\users\me\appdata\locallow\sun\java\deployment\cashe\6.0.… two files which had size figures of 3466 and 3469. I'm not sure whether it relates to the problem. Also regarding scanning, should I try another anti-virus or is ESET good enough? Should I scan with SUPERAntiSpyware to be on the safe side?

Plus another, completely different issue, something I can't get my head around. It's been going on for ages; it hasn't just started. I'm wired up to a modem (Virgin Media) on a stand-alone PC, no internet connection sharing at all. I think I've turned everything off in system services and configured my firewall to act as a stand-alone, invisible PC, but when I log on and check network connections it shows the following.

This one stays locked in the firewall from when I switch on to switch off:

svchost - UDP OUT - 0.0.0.0:xx - 255.255.255.255:xx - bytes in vary, bytes out normally 1.0KB

This one disappears after a few seconds at boot/logon; it's sometimes two or three 239 connections:

svchost.exe - UDP OUT - 92.XXX.XX.XX:XXXXX - 239.255.255.250:1900 - Bytes In 0KB but may vary and Bytes out 1.0KB, again may vary.

What's that all about?

Please read here for the different issue

You should perform another scan using different AV software. I like Microsoft Security Essentials and Malwarebytes (free version), but you could also try SUPERAntiSpyware.
The issue with svchost is okay, no need to worry about it.

eeeeeeeeee INCORRECT

Use 'Sysinternals Process Explorer' to look into svchost (right-click > Properties).

If you think you’re infected, do this: Click here.

I assume the IP address 89.124.137.168 is not yours. So we are talking about a situation of uncalled-for incoming traffic. Please forget the advice from the others to check your computer, because the problem is coming from the outside, not from inside your computer.

Apparently somebody is trying to connect to your computer. You may consider reporting the offending IP address to the ISP.

The whois information, http://www.ip-adress.com/whois/89.124.137.168 , gives us the following:

remarks: Please do NOT send abuse complaints to the contacts listed.
remarks: Please check remarks on individual inetnum records for abuse contacts, or
remarks: failing that email abuse reports to abuse[at]irishbroadband.ie

I had to read the above several times. It means that when the IP address has no abuse report facility you can email the ISP at the given email address.

The address starting with 239. only stays in my firewall connections for a few seconds when logging on, then disappears. The 255. connection stays locked; I think it's Virgin just making sure my connection doesn't mess up.

Done a scan with SUPERAntiSpyware; it only found cookies. Malwarebytes takes too long, and I can't be bothered with online scanners; they take too long too.

I've never used this before; I may need help with it. I've just had a look on Google and it's something I'll probably need help with, so I'm not going to mess around with it just yet.

I contacted Virgin Media, my ISP, before I posted on here, and they said they couldn't do anything and put down the phone. No offence to anyone outside the UK working for UK-based companies, but this is why I hate being put through abroad, as no one seems to be able to help me out with my problems. My problem seems to be more advanced than the usual reset-the-modem ■■■■!! It hasn't happened today yet, so I'm hoping it's gone away, but

Here's my svchost policy in D+:

http://i49.tinypic.com/8wl9pf.jpg

http://i45.tinypic.com/11t4wsz.jpg

Could you give it the once-over and offer any advice on changes I may need to make, please? Thanks in advance.

The rule for svchost is fine.

The unsolicited traffic from Ireland, even though it fills up your logs, gets blocked. Blocking unsolicited traffic from the web is a firewall's first task; in short, you are safe. There are two ways of keeping traffic from this IP out of your logs: managing CIS's Global Rules, or using a router. When using a router, the router will simply block that traffic without you even being notified.

The svchost traffic from 0.0.0.0 to 255.255.255.255 is part of the Bootstrap Protocol. The Bootstrap Protocol is used to assign IP addresses to computers in a network. It is a predecessor of the mostly used DHCP protocol; some of the routers that use DHCP still support Bootstrap. Bootstrap is also used by cable internet providers. In short, nothing to worry about.

The traffic to 239.255.255.250:1900 is your computer broadcasting to see if a Universal Plug and Play (UPnP) router is around. But since you are connecting directly to the web, without a router, it is best to disable this. Follow these guidelines to disable it: Completely disable Universal Plug and Play (UPnP).
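The two svchost entries from the earlier post and the unsolicited inbound traffic can be told apart mechanically by looking at the source, destination and port of each log entry. The following is an added example, not code from the thread or from Comodo: it parses a handful of constructed log lines in a simplified "app - proto dir - src - dst" layout (the real CIS log layout differs), labels the 0.0.0.0 → 255.255.255.255 broadcast as a DHCP DISCOVER (DHCP uses the BOOTP message format, which is why logs and firewalls often call it Bootstrap), labels 239.255.255.250:1900 as SSDP/UPnP discovery, and flags inbound connections to the Windows RPC/SMB ports from a public address. The ports 67/68 are an assumption, since the post masked them, and the addresses 192.0.2.10 and 203.0.113.5 are documentation ranges standing in for the user's own and a web server's IP.

```python
"""Label firewall log entries so the benign svchost broadcasts stand out
from unsolicited inbound probes. Added example; layout and ports assumed."""
import ipaddress
import re
from collections import Counter

# Constructed sample log in a simplified layout (not the real CIS format).
SAMPLE_LOG = """\
svchost.exe - UDP OUT - 0.0.0.0:68 - 255.255.255.255:67
svchost.exe - UDP OUT - 192.0.2.10:54321 - 239.255.255.250:1900
svchost.exe - UDP OUT - 192.0.2.10:54322 - 239.255.255.250:1900
System - TCP IN - 89.124.137.168:4455 - 192.0.2.10:445
System - TCP IN - 89.124.137.168:4456 - 192.0.2.10:135
firefox.exe - TCP OUT - 192.0.2.10:49200 - 203.0.113.5:80
"""

LINE_RE = re.compile(
    r"^(?P<app>\S+) - (?P<proto>TCP|UDP) (?P<dir>IN|OUT) - "
    r"(?P<src>[\d.]+):(?P<sport>\d+) - (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

UNSPECIFIED = ipaddress.ip_address("0.0.0.0")          # client has no IP yet
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
SSDP_GROUP = ipaddress.ip_address("239.255.255.250")   # UPnP discovery multicast
WINDOWS_PROBE_PORTS = {135, 139, 445}  # RPC endpoint mapper, NetBIOS session, SMB


def parse_log(text):
    """Return one dict per line that matches the assumed layout; skip the rest."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def classify(entry):
    """Return a short label for a parsed entry."""
    src = ipaddress.ip_address(entry["src"])
    dst = ipaddress.ip_address(entry["dst"])
    proto, dport = entry["proto"], int(entry["dport"])
    if entry["dir"] == "OUT":
        # DHCP DISCOVER: unconfigured client broadcasts to the server port (assumed 67).
        if (proto == "UDP" and src == UNSPECIFIED
                and dst == LIMITED_BROADCAST and dport == 67):
            return "dhcp-discover"
        # SSDP M-SEARCH: looking for a UPnP router; pointless without one.
        if proto == "UDP" and dst == SSDP_GROUP and dport == 1900:
            return "ssdp-upnp-discovery"
        return "outbound"
    # Inbound from a public source to RPC/NetBIOS/SMB is an unsolicited probe.
    if dport in WINDOWS_PROBE_PORTS and src.is_global:
        return "inbound-probe"
    return "inbound"


def summarize(text):
    """Count labels and list which public addresses are probing Windows ports."""
    entries = parse_log(text)
    labels = Counter(classify(e) for e in entries)
    probe_sources = Counter(e["src"] for e in entries
                            if classify(e) == "inbound-probe")
    return {"labels": dict(labels), "probe_sources": dict(probe_sources)}


if __name__ == "__main__":
    for entry in parse_log(SAMPLE_LOG):
        print(f'{classify(entry):22} {entry["app"]} {entry["src"]} -> '
              f'{entry["dst"]}:{entry["dport"]}')
    print(summarize(SAMPLE_LOG))
```

Anything labelled `dhcp-discover` or `ssdp-upnp-discovery` is the machine's own housekeeping; the `probe_sources` count is what you would attach to an abuse report, since it shows how many connection attempts came from a given address.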

Sorry, I thought you wanted to look into svchost to see what's running inside it, which is why I recommended Sysinternals Process Explorer (it's just a better alternative to Windows Task Manager).

Just follow EricJH’s instructions. :slight_smile:

I'm using Vista Ultimate; does it matter, or do the same rules apply for UPnP?

Done. I'll post up anything I notice, as in changes, whether attack-related or issues with me connecting to the internet. Thank you, EricJH.

No worries J2897, thanks for replying.

You can follow that guide in Vista as well. The list of Services is a very universal thing in Windows; it's in the same spot in XP, Vista, Win 7...

HELP HELP HELP
lol
I have tried & tried & tried to REMOVE MYSELF from this thread, but I still keep getting notified of posts on this one.

Mod – please remove me from THIS thread
thanks

You mean even after clicking on the NOTIFY button to unsubscribe yourself and seeing this alert?

[attachment deleted by admin]

Here’s another method:

[attachment deleted by admin]

Could someone please give this a once-over... I came across Symantec's online scanner via a thread on here and did a scan. Although everything came back safe, I did go into detail to see what they scanned, and here are the results.

Can I stealth the closed ports, as closed is still visible, right?

By the way, GRC comes back as everything's stealth, although I don't know if the two below are stated as stealth.

Hacker Exposure Check

Closed status is next to:

135 - Location service (loc-srv). This port is used to direct RPC (Remote Procedure Calls) services to the appropriate dynamically mapped ports. Hackers can use this to determine which port is used by several Windows services. This port should not be visible from the Internet.

445 - Windows NT / 2000 SMB. A standard used to exchange Server Message Blocks, and can be exploited in multiple ways, including gaining your passwords.

With stealth next to the rest:

ICMP Ping - Ping. Ping is a network troubleshooting utility. It asks your computer to acknowledge its existence. If your computer responds positively to a ping, hackers are more likely to target your computer.

21 - FTP (File Transfer Protocol). FTP is used to transfer files between your computer and other computers. Port 21 should be open only if you’re running an FTP server.

22 - SSH. TCP connections to this port might indicate a search for SSH, which has a few exploitable features. SSH is a secure replacement for Telnet. The most common uses of SSH are to securely login and copy files from a server.

23 - Telnet. Telnet can be used to log into your computer from a terminal anywhere in the world. This port should be open only if you’re running a Telnet server.

25 - SMTP (Simple Mail Transfer Protocol). A protocol for host-to-host mail transport. This port should be open only if you’re running a mail server.

79 - Finger. Finger is an Internet utility that allows someone to obtain information about you, including your full name, logon status, and other profile information.

80 - HTTP (Hypertext Transfer Protocol). HTTP is used to transfer Web pages over the Internet. Port 80 should be open only if you’re running a Web server.

110 - POP3 (Post Office Protocol). Internet mail servers and mail filter applications use this port. This port should be open only if you’re running a mail server.

113 - Ident / Authentication. This service is required by some mail, news, or relay chat servers to allow access. A stealth result on this port could cause performance problems.

139 - NetBIOS. NetBIOS is used for Windows File & Print sharing. If port 139 is open, your computer is open to sharing files over the Internet. Other components of NetBIOS can expose your computer name, workgroup, user name, and other information. To learn more about preventing connections to your NetBIOS ports, see: NetBIOS Information and Configuration Instructions

143 - IMAP (Internet Message Access Protocol). IMAP is a sophisticated protocol for electronic mail delivery. This port should be open only if you’re running an IMAP server.

443 - HTTP over TLS/SSL. A protocol for providing secure HTTP communication. It should be open only if you’re running a Web server.

1080 - SOCKS. This protocol allows computers access to the Internet through a firewall. It is used when one IP address is shared among several computers. Generally this protocol only allows access out to the Internet. However, it is frequently misconfigured to allow hackers to pass traffic inwards through the firewall.

Windows Vulnerability Check
Description:
Tests whether basic information, including your PC’s network identity, can be seen by hackers.

Analysis:
Your computer’s identity is secure. However, this does not mean you are completely safe from all Internet security threats.

Trojan Horse Check

Everything came back as stealth:

31 Master Paradise
41 DeepThroat
58 Dmsetup
146 FC Infector
531 RASmin
555 Stealth Spy
666 Bla, Attack FTP
911 Dark Shadow
999 DeepThroat
1001 Silencer
1010 Doly
1011 Doly
1012 Doly
1015 Doly
1024 Netspy
1025 Unused Windows Services Block
1026 Unused Windows Services Block
1027 Unused Windows Services Block
1028 Unused Windows Services Block
1029 Unused Windows Services Block
1030 Unused Windows Services Block
1042 Bla
1045 RASmin
1090 Extreme
1234 Ultor’s
1243 Backdoor/SubSeven
1492 FTP99CMP
1600 Shiva Burka
1807 Spy Sender
1981 ShockRave
1999 Backdoor/SubSeven, TransScout
2000 TransScout, Remote Explorer
2001 TransScout, Trojan Cow
2002 TransScout
2003 TransScout
2004 TransScout
2005 TransScout
2023 Trojan Ripper
2115 Bugs
2140 DeepThroat
2565 Striker
2583 WinCrash
2773 Backdoor/SubSeven
2774 SubSeven 2.1/2.2
2801 Phinneas Phucker
3024 WinCrash
3129 Master Paradise
3150 DeepThroat
3700 Portal of Doom
4092 WinCrash
4267 SubSeven 2.1/2.2
4567 Filenail
5000 Sokets de Trois v1.
5001 Sokets de Trois v1.
5321 FireHotcker
5400 Blade Runner
5401 Blade Runner
5402 Blade Runner
5555 SERV-Me
5556 BO-Facil
5557 BO-Facil
5569 Robo-Hack
5742 WinCrash
6400 ‘The Thing’
6670 DeepThroat
6771 DeepThroat
6776 Backdoor/SubSeven
6939 Indoctrination
6969 GateCrasher, Priority
6970 GateCrasher
7000 Remote Grab
7215 Backdoor/SubSeven
7300 NetMonitor
7301 NetMonitor
7306 NetMonitor
7307 NetMonitor
7308 NetMonitor
7597 QaZ
7789 ICKiller
9872 Portal of Doom
9873 Portal of Doom
9874 Portal of Doom
9875 Portal of Doom
9989 iNi Killer
10067 Portal of Doom
10167 Portal of Doom
10520 Acid Shivers
10607 COMA
11000 Senna Spy
11223 Progenic
12076 GJammer
12223 Keylogger
12345 NetBus
12346 NetBus
12361 Whack-a-Mole
12362 Whack-a-Mole
12363 Whack-a-Mole
12631 WhackJob
13000 Senna Spy
16959 SubSeven DEFCON8 2.1
20034 NetBus
21554 GirlFriend
22222 Proziack
23456 EvilFTP, UglyFTP
23476 Donald Dick
23477 Donald Dick
26274 Delta Source
27374 SubSeven 2.1/2.2
30100 NetSphere
30101 NetSphere
30102 NetSphere
31337 Back Orifice 2000
31785 Hack ‘A’ Tack
31787 Hack ‘A’ Tack
31788 Hack ‘A’ Tack
31789 Hack ‘A’ Tack
31791 Hack ‘A’ Tack
31792 Hack ‘A’ Tack
40421 Master Paradise
40422 Master Paradise
40423 Master Paradise
40425 Master Paradise
40426 Master Paradise
54283 Backdoor/SubSeven
54320 Back Orifice 2000
54321 Back Orifice 2000
60000

Anyone?

Can I stealth the ports below?

135 - Location service (loc-srv). This port is used to direct RPC (Remote Procedure Calls) services to the appropriate dynamically mapped ports. Hackers can use this to determine which port is used by several Windows services. This port should not be visible from the Internet.

445 - Windows NT / 2000 SMB. A standard used to exchange Server Message Blocks, and can be exploited in multiple ways, including gaining your passwords.

They're coming back as closed on a Norton scan.

Also,

Windows Vulnerability Check
Description:

Tests whether basic information, including your PC’s network identity, can be seen by hackers.

Analysis:
Your computer’s identity is secure. However, this does not mean you are completely safe from all Internet security threats.

Has it stated that because of the two ports above being closed and not stealthed?
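The difference the scanner reports between "closed" and "stealth" is a difference in what came back over the wire: a closed port answers a connection attempt with a TCP RST, so the scanner learns the host is up, while a stealthed (filtered) port answers with nothing at all because the firewall drops the packet. The following is an added example, not from the thread, Symantec or GRC, that reproduces the three verdicts from the scanner's point of view with an ordinary TCP connect: refused means closed, timeout means filtered, accepted means open. The `demo_local` helper is a constructed demonstration that opens a listener on the loopback interface to show "open" and then "closed" without touching the network; the "filtered" outcome only appears against a real host whose firewall drops the probe.

```python
"""Tell open, closed and filtered ("stealth") TCP ports apart the way an
online port scanner does. Added example; loopback demo is constructed."""
import socket


def probe_tcp_port(host, port, timeout=1.0):
    """Return 'open', 'closed', 'filtered' or 'unreachable' for one TCP port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"          # SYN/ACK: something is listening
    except ConnectionRefusedError:
        return "closed"        # RST came back: host is up, no listener (visible)
    except (socket.timeout, TimeoutError):
        return "filtered"      # silence: a firewall dropped the SYN ("stealth")
    except OSError:
        return "unreachable"   # e.g. no route; says nothing about the port itself
    finally:
        sock.close()


def scan_ports(host, ports, timeout=1.0):
    """Probe several ports and return {port: verdict}."""
    return {port: probe_tcp_port(host, port, timeout) for port in ports}


def demo_local():
    """Constructed demo: the same loopback port seen with and without a listener."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))        # port 0: let the OS pick a free one
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        while_listening = probe_tcp_port("127.0.0.1", port)
    finally:
        listener.close()
    after_close = probe_tcp_port("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print("loopback demo (open, then closed):", demo_local())
    # The ports the thread's scan reported; run against your own public IP
    # from another machine, since from inside the host you see the listener,
    # not the firewall.
    print(scan_ports("127.0.0.1", [135, 139, 445]))
```

Run `scan_ports` against your public address from a different machine: a result of `filtered` on 135 and 445 is what GRC calls stealth, and `closed` means the RST from those ports is getting out past the firewall rule set.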