It’s been going on for a few days now, I’m getting constant attacks from an IP in IRELAND - 89.124.137.168
http://www.ip-adress.com/ip_tracer/89.124.137.168
http://i45.tinypic.com/2vagtqh.jpg
What should I do?
Have no fear my friend 8) You are doing nothing wrong. Your firewall IS BLOCKING A THREAT. It’s doing exactly what it’s designed to do. Same problem here. Come join if you like.
https://forums.comodo.com/firewall-help/some-what-fixed-dcom-exploit-bypassing-comodo-blocked-by-avast-t52004.0.html
When did you first notice this activity? And in that time frame did you download any installers, .exe’s, etc.? It could be a virus injection, maybe a backdoor/trojan. You should do a full virus scan using any of the many free online virus scanners from different AV vendor websites if you don’t want to download and install additional virus/malware protection software.
As far as doing an IP Trace, I highly recommend this site http://ip-address-lookup-v4.com/ as it reveals a lot of info.
I don’t remember exactly when it started but it was a few days ago. I did do a full ESET NOD32 scan on the 20th; it found “probably a variant of Java/TrojanDownloader.Agent.AV trojan” which was in c:\users\me\appdata\locallow\sun\java\deployment\cashe\6.0.… two files which had size figures of 3466 and 3469. I’m not sure whether it relates to the problem. Also regarding scanning, should I try another antivirus or is ESET good enough? Should I scan with SUPERAntiSpyware to be on the safe side?
Plus another completely different issue, something I can’t get my head around. It’s been going on for ages, it hasn’t just started. I’m wired up to a modem (Virgin Media) on a stand-alone PC, no internet connection sharing at all. I think I’ve turned everything off with system services and configured my firewall to act as a stand-alone, invisible PC, but when I log on and check network connections it shows the following.
This one stays locked in the firewall from when I switch on to switch off:
svchost - UDP OUT - 0.0.0.0:xx - 255.255.255.255:xx - bytes in vary, bytes out normally 1.0KB
This one disappears after a few seconds at boot/logon; it’s sometimes two or three 239 connections:
svchost.exe - UDP OUT - 92.XXX.XX.XX:XXXXX - 239.255.255.250:1900 - Bytes In 0KB but may vary and Bytes out 1.0KB, again may vary.
What’s that all about?
Please read here for the different issue
You should perform another scan using a different AV software. I like Microsoft Security Essentials and Malwarebytes (free version) but you could also try SUPERAntiSpyware.
The issue with svchost is okay; no need to worry about it.
eeeeeeeeee INCORRECT
Use ‘Sysinternals Process Explorer’ to look into svchost (Right-click > Properties).
If you think you’re infected, do this: Click here.
I assume the IP address 89.124.137.168 is not yours. So, we are talking about a situation of uncalled for incoming traffic. Please forget the advice from the others to check your computer because the problem is coming from the outside not from inside your computer.
Apparently somebody is trying to connect to your computer. You may consider reporting the offending IP address to the ISP.
The whois information, http://www.ip-adress.com/whois/89.124.137.168 , gives us the following:
remarks: Please do NOT send abuse complaints to the contacts listed.
remarks: Please check remarks on individual inetnum records for abuse contacts, or
remarks: failing that email abuse reports to abuse[at]irishbroadband.ie
I had to read the above several times. It means that when the IP address has no abuse report facility you can email the ISP at the given email address.
The address starting with 239. only stays in my firewall connections for a few seconds when logging on, then disappears. The 255. connection stayed locked; I think it’s Virgin just making sure my connection doesn’t mess up.
Done a scan with SUPERAntiSpyware; it only found cookies. Malwarebytes takes too long and I can’t be bothered with online scanners, they take too long too.
I’ve never used this before, I may need help with it. I’ve just had a look on Google and it’s something I’ll probably need help with, so I’m not going to mess around with it just yet.
I contacted Virgin Media, my ISP, before I posted on here and they said they couldn’t do anything and put down the phone. No offence to anyone outside the UK working for UK based companies, but this is why I hate being put through abroad, as no one seems to be able to help me out with my problems. My problems seem to be more advanced than the usual reset-modem ■■■■!! It hasn’t happened today yet so I’m hoping it’s gone away but
Here’s my svchost policy in D+:
http://i49.tinypic.com/8wl9pf.jpg
http://i45.tinypic.com/11t4wsz.jpg
Could you give it the once-over and offer any advice on changes I may need to make please. Thanks in advance.
The rule for svchost is fine.
The unsolicited traffic from Ireland, even though it fills up your logs, gets blocked. Blocking unsolicited traffic from the web is a firewall’s first task; in short, you are safe. There are two ways of keeping traffic from this IP out of your logs: managing CIS’s Global Rules, or using a router. When using a router, the router will simply block that traffic without you even being notified.
The svchost traffic from 0.0.0.0 to 255.255.255.255 is part of the Bootstrap protocol. Bootstrap protocol is used to assign IP addresses to computers in a network. It is a predecessor of the more widely used DHCP protocol; some of the routers that use DHCP still support Bootstrap. Bootstrap is also used by cable internet providers. In short, nothing to worry about.
The traffic to 239.255.255.250:1900 is your computer broadcasting to see if a Universal Plug and Play (uPnP) router is around. But since you are connecting directly to the web, without a router, it is best to disable this. Follow these guidelines to disable it: Completely disable Universal Plug and Play (UPnP).
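The three kinds of log entry described in the reply above (BOOTP/DHCP broadcast, SSDP/UPnP multicast discovery, and unsolicited inbound connections from an internet address) can be told apart mechanically. The script below is an added example, not code from the thread or from Comodo; it parses log lines in the same "process - PROTO DIR - src:port - dst:port" layout the original poster pasted and labels each one, then counts blocked inbound attempts per source address, which is the figure you would quote in an abuse report. The sample lines, the local address 92.0.0.10, the client ports and the outbound destination 91.2.3.4 are constructed for the example; the BOOTP ports 67/68 and the SSDP destination 239.255.255.250:1900 are the standard ones.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log in the layout the original poster pasted. Only the Irish
# source address and the BOOTP/SSDP destinations come from the thread; the local
# address 92.0.0.10, the client ports and 91.2.3.4 are made up for this example.
SAMPLE_LOG = """\
svchost.exe - UDP OUT - 0.0.0.0:68 - 255.255.255.255:67
svchost.exe - UDP OUT - 92.0.0.10:55231 - 239.255.255.250:1900
System - TCP IN - 89.124.137.168:4723 - 92.0.0.10:135
System - TCP IN - 89.124.137.168:4724 - 92.0.0.10:445
System - TCP IN - 89.124.137.168:4725 - 92.0.0.10:139
firefox.exe - TCP OUT - 92.0.0.10:49211 - 91.2.3.4:443
"""

LINE_RE = re.compile(
    r"^(?P<proc>\S+) - (?P<proto>TCP|UDP) (?P<dir>IN|OUT) - "
    r"(?P<src>[\d.]+):(?P<sport>\d+) - (?P<dst>[\d.]+):(?P<dport>\d+)"
)

EXPLANATIONS = {
    "bootp": "BOOTP/DHCP lease broadcast (0.0.0.0 -> 255.255.255.255); expected on a cable modem",
    "ssdp": "SSDP/UPnP router discovery multicast; harmless, disable if there is no router",
    "unsolicited-inbound": "connection attempt from an internet address you did not contact; must be blocked",
    "outbound": "connection your own software initiated",
    "other": "inbound from a non-internet address (LAN/link-local); review separately",
}


def parse(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    return entry


def classify(entry):
    """Return one of the EXPLANATIONS keys for a parsed entry."""
    src = ipaddress.ip_address(entry["src"])
    if (entry["proto"] == "UDP" and entry["src"] == "0.0.0.0"
            and entry["dst"] == "255.255.255.255" and entry["dport"] in (67, 68)):
        return "bootp"
    if entry["proto"] == "UDP" and entry["dst"] == "239.255.255.250" and entry["dport"] == 1900:
        return "ssdp"
    if entry["dir"] == "OUT":
        return "outbound"
    # Inbound: a globally routable source means somebody on the internet probed you.
    return "unsolicited-inbound" if src.is_global else "other"


def summarize(log_text):
    """Count entries per category across a whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse(line)
        if entry:
            counts[classify(entry)] += 1
    return dict(counts)


def inbound_sources(log_text):
    """Count unsolicited inbound attempts per source IP (what you would report to the ISP)."""
    sources = Counter()
    for line in log_text.splitlines():
        entry = parse(line)
        if entry and classify(entry) == "unsolicited-inbound":
            sources[entry["src"]] += 1
    return dict(sources)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        e = parse(line)
        print(f"{line:70} -> {EXPLANATIONS[classify(e)]}")
    print(summarize(SAMPLE_LOG))
    print(inbound_sources(SAMPLE_LOG))
```

The only entries that need attention are the "unsolicited-inbound" ones, and even those are already dropped by the firewall; the per-source counts just make the pattern (one address, repeated probes of 135/139/445) visible at a glance.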
Sorry, I thought you wanted to look into svchost to see what’s running inside it, which is why I recommended Sysinternals Process Explorer (it’s just a better alternative to Windows Task Manager).
Just follow EricJH’s instructions.
I’m using Vista Ultimate, does it matter or do the same rules apply for uPnP?
Done. I’ll post up anything I notice in terms of changes, whether it’s attack related or issues with me connecting to the internet. Thank you EricJH.
No worries J2897, thanks for replying.
You can follow that guide in Vista as well. The list of Services is a very universal thing in Windows; it’s in the same spot in XP, Vista, Win 7…
HELP HELP HELP
lol
I have tried & tried & tried to REMOVE MYSELF from this thread but I still keep getting notified of posts on this one.
Mod – please remove me from THIS thread
thanks
You mean even after clicking on the NOTIFY button to unsubscribe yourself and seeing this alert?
[attachment deleted by admin]
Here’s another method:
[attachment deleted by admin]
Could someone please give this a once-over… I came across Symantec’s online scanner via a thread on here and did a scan. Although everything came back safe, I did go into detail to see what the scanner checks, and here are the results.
Can I stealth the closed ports, as closed is still visible, right?
By the way, GRC comes back as everything’s stealth, although I don’t know if the two below are stated as stealth.
Hacker Exposure Check
Closed status is next to:
135 - Location service (loc-srv). This port is used to direct RPC (Remote Procedure Calls) services to the appropriate dynamically mapped ports. Hackers can use this to determine which port is used by several Windows services. This port should not be visible from the Internet.
445 - Windows NT / 2000 SMB. A standard used to exchange Server Message Blocks, and can be exploited in multiple ways, including gaining your passwords.
With stealth next to the rest:
ICMP Ping - Ping. Ping is a network troubleshooting utility. It asks your computer to acknowledge its existence. If your computer responds positively to a ping, hackers are more likely to target your computer.
21 - FTP (File Transfer Protocol). FTP is used to transfer files between your computer and other computers. Port 21 should be open only if you’re running an FTP server.
22 - SSH. TCP connections to this port might indicate a search for SSH, which has a few exploitable features. SSH is a secure replacement for Telnet. The most common uses of SSH are to securely login and copy files from a server.
23 - Telnet. Telnet can be used to log into your computer from a terminal anywhere in the world. This port should be open only if you’re running a Telnet server.
25 - SMTP (Simple Mail Transfer Protocol). A protocol for host-to-host mail transport. This port should be open only if you’re running a mail server.
79 - Finger. Finger is an Internet utility that allows someone to obtain information about you, including your full name, logon status, and other profile information.
80 - HTTP (Hypertext Transfer Protocol). HTTP is used to transfer Web pages over the Internet. Port 80 should be open only if you’re running a Web server.
110 - POP3 (Post Office Protocol). Internet mail servers and mail filter applications use this port. This port should be open only if you’re running a mail server.
113 - Ident / Authentication. This service is required by some mail, news, or relay chat servers to allow access. A stealth result on this port could cause performance problems.
139 - NetBIOS. NetBIOS is used for Windows File & Print sharing. If port 139 is open, your computer is open to sharing files over the Internet. Other components of NetBIOS can expose your computer name, workgroup, user name, and other information. To learn more about preventing connections to your NetBIOS ports, see: NetBIOS Information and Configuration Instructions
143 - IMAP (Internet Message Access Protocol). IMAP is a sophisticated protocol for electronic mail delivery. This port should be open only if you’re running an IMAP server.
443 - HTTP over TLS/SSL. A protocol for providing secure HTTP communication. It should be open only if you’re running a Web server.
1080 - SOCKS. This protocol allows computers access to the through a firewall. It is used when one IP address is shared among several computers. Generally this protocol only allows access out to the . However, it is frequently misconfigured to allow hackers to pass traffic inwards through the firewall.
Windows Vulnerability Check
Description:
Tests whether basic information, including your PC’s network identity, can be seen by hackers.
Analysis:
Your computer’s identity is secure. However, this does not mean you are completely safe from all Internet security threats.
Trojan Horse Check
Everything came back as stealth:
31 Master Paradise
41 DeepThroat
58 Dmsetup
146 FC Infector
531 RASmin
555 Stealth Spy
666 Bla, Attack FTP
911 Dark Shadow
999 DeepThroat
1001 Silencer
1010 Doly
1011 Doly
1012 Doly
1015 Doly
1024 Netspy
1025 Unused Windows Services Block
1026 Unused Windows Services Block
1027 Unused Windows Services Block
1028 Unused Windows Services Block
1029 Unused Windows Services Block
1030 Unused Windows Services Block
1042 Bla
1045 RASmin
1090 Extreme
1234 Ultor’s
1243 Backdoor/SubSeven
1492 FTP99CMP
1600 Shiva Burka
1807 Spy Sender
1981 ShockRave
1999 Backdoor/SubSeven, TransScout
2000 TransScout, Remote Explorer
2001 TransScout, Trojan Cow
2002 TransScout
2003 TransScout
2004 TransScout
2005 TransScout
2023 Trojan Ripper
2115 Bugs
2140 DeepThroat
2565 Striker
2583 WinCrash
2773 Backdoor/SubSeven
2774 SubSeven 2.1/2.2
2801 Phinneas Phucker
3024 WinCrash
3129 Master Paradise
3150 DeepThroat
3700 Portal of Doom
4092 WinCrash
4267 SubSeven 2.1/2.2
4567 Filenail
5000 Sokets de Trois v1.
5001 Sokets de Trois v1.
5321 FireHotcker
5400 Blade Runner
5401 Blade Runner
5402 Blade Runner
5555 SERV-Me
5556 BO-Facil
5557 BO-Facil
5569 Robo-Hack
5742 WinCrash
6400 ‘The Thing’
6670 DeepThroat
6771 DeepThroat
6776 Backdoor/SubSeven
6939 Indoctrination
6969 GateCrasher, Priority
6970 GateCrasher
7000 Remote Grab
7215 Backdoor/SubSeven
7300 NetMonitor
7301 NetMonitor
7306 NetMonitor
7307 NetMonitor
7308 NetMonitor
7597 QaZ
7789 ICKiller
9872 Portal of Doom
9873 Portal of Doom
9874 Portal of Doom
9875 Portal of Doom
9989 iNi Killer
10067 Portal of Doom
10167 Portal of Doom
10520 Acid Shivers
10607 COMA
11000 Senna Spy
11223 Progenic
12076 GJammer
12223 Keylogger
12345 NetBus
12346 NetBus
12361 Whack-a-Mole
12362 Whack-a-Mole
12363 Whack-a-Mole
12631 WhackJob
13000 Senna Spy
16959 SubSeven DEFCON8 2.1
20034 NetBus
21554 GirlFriend
22222 Proziack
23456 EvilFTP, UglyFTP
23476 Donald Dick
23477 Donald Dick
26274 Delta Source
27374 SubSeven 2.1/2.2
30100 NetSphere
30101 NetSphere
30102 NetSphere
31337 Back Orifice 2000
31785 Hack ‘A’ Tack
31787 Hack ‘A’ Tack
31788 Hack ‘A’ Tack
31789 Hack ‘A’ Tack
31791 Hack ‘A’ Tack
31792 Hack ‘A’ Tack
40421 Master Paradise
40422 Master Paradise
40423 Master Paradise
40425 Master Paradise
40426 Master Paradise
54283 Backdoor/SubSeven
54320 Back Orifice 2000
54321 Back Orifice 2000
60000
Anyone?
Can I stealth the ports below?
135 - Location service (loc-srv). This port is used to direct RPC (Remote Procedure Calls) services to the appropriate dynamically mapped ports. Hackers can use this to determine which port is used by several Windows services. This port should not be visible from the Internet.
445 - Windows NT / 2000 SMB. A standard used to exchange Server Message Blocks, and can be exploited in multiple ways, including gaining your passwords.
They’re coming back as closed on a Norton scan.
Also,
Windows Vulnerability Check
Description:
Tests whether basic information, including your PC’s network identity, can be seen by hackers.
Analysis:
Your computer’s identity is secure. However, this does not mean you are completely safe from all Internet security threats.
Has it stated that because of the two ports above being closed and not stealthed?
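The difference between "closed" and "stealth" in the scan results quoted above comes down to what the host sends back to a single TCP probe: a closed port answers with a TCP RST (so the scanner knows a machine is there), while a stealthed port is dropped by the firewall and produces no reply at all. The toy model below is an added example, not code from the thread or from any of the scanners mentioned; it simulates that decision for a per-port firewall policy and then flags which "closed" ports are ones the quoted report itself says should not be visible from the Internet (135, 139, 445). The policy table is constructed to mirror the poster's results; the function and type names are this example's own.

```python
from enum import Enum

# Ports the quoted scanner report says should not be reachable from the Internet.
SHOULD_BE_HIDDEN = {135: "RPC endpoint mapper", 139: "NetBIOS", 445: "SMB"}


class Policy(Enum):
    LISTEN = "a service accepts connections on the port"
    REJECT = "no listener (or firewall 'reject'): host answers with TCP RST"
    DROP = "firewall silently discards the probe"


def host_response(policy):
    """What the probed host sends back to a TCP SYN under the given policy."""
    return {Policy.LISTEN: "SYN-ACK", Policy.REJECT: "RST", Policy.DROP: None}[policy]


def scanner_verdict(response):
    """How an external scanner (GRC, Symantec, Norton style) labels that response."""
    if response == "SYN-ACK":
        return "open"
    if response == "RST":
        return "closed"   # the host replied, so its existence is confirmed
    return "stealth"      # nothing came back before the scanner's timeout


def assess(port_policies):
    """Map each port to the verdict a remote scanner would report."""
    return {port: scanner_verdict(host_response(pol)) for port, pol in port_policies.items()}


def recommend(port_policies):
    """Closed ports from SHOULD_BE_HIDDEN: switching them to DROP makes them stealth."""
    verdicts = assess(port_policies)
    return {p: SHOULD_BE_HIDDEN[p] for p, v in verdicts.items()
            if v == "closed" and p in SHOULD_BE_HIDDEN}


# Constructed to mirror the poster's report: 135 and 445 answer (closed),
# everything else is dropped (stealth).
SAMPLE_POLICIES = {
    21: Policy.DROP, 22: Policy.DROP, 23: Policy.DROP, 25: Policy.DROP,
    80: Policy.DROP, 135: Policy.REJECT, 139: Policy.DROP, 445: Policy.REJECT,
}

if __name__ == "__main__":
    for port, verdict in sorted(assess(SAMPLE_POLICIES).items()):
        print(f"port {port:5}: {verdict}")
    for port, name in recommend(SAMPLE_POLICIES).items():
        print(f"port {port} ({name}) is closed, not stealth: add an inbound block (drop) rule for it")
```

In firewall terms, "closed" means the rule for the port is either absent (Windows itself sends the RST) or set to reject; a block rule that drops inbound traffic to 135 and 445 is what turns them from "closed" into "stealth" on these scanners.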