Intrusion attempt by unknown IPs. Please help.

You're absolutely right :-TU Thanks for the reminder :wink:

Ronny,

Upon your suggestion I set Firefox as the web browser and it turns out I am getting intrusion attempts now. I attached a copy of it. What should I do now?

[attachment deleted by admin]

First of all, this is not a “real” intrusion because the packets are going from your system to other systems, but that’s just a detail. It looks like some Yahoo pages used this port in combination with some Adobe stuff; it could be Flash or AIR.

This is the result of the “Block and log all unknown requests” on the predefined “Web browser”.
If you would like to get alerted, you can use the following to tune your browser rules.

Double click on the Firefox firewall policy rule, choose custom, select, copy from, predefined rules, web browser.
Select the “Block all unknown” rule and remove that from this policy. Now if you apply this, the firewall will alert you for this traffic on port 843. You can also create the rule manually during the above procedure (Add, Allow, TCP, Outgoing, Src Any, Dst Any, Src Port Any, Dst port 843).

Here is the Adobe article explaining the use of TCP 843:

http://www.adobe.com/devnet/flashplayer/articles/socket_policy_files.html

skboss.
You don’t have any problem with that situation.

Those IPs you show in the screenshots are fine.
It’s the Akamai net.
What is Akamai?
It's a company that works with lots of software companies for updating software and distributing files, e.g. Microsoft, Adobe, etc.
Akamai provides automatic updates for software with Akamai’s own servers, getting money from lots of software companies.
You can check about Akamai here

Don’t worry about those IP addresses in your screenshots; they're not attacks.

Your problem: wrong network security policy

Recommend:
1. Change the policy of your web browsers in Predefined security policies to ‘WEB BROWSER (recommended)’ or ‘Trusted (not recommended)’.
2. Delete old firewall and defend policies for software that you installed before.
3. If CIS asks you to allow (if you trust the vendor) or block new software rules, allow them.
(I think you’ve blocked almost all updates of some software, like Windows automatic update, Adobe automatic updates, etc. You have to allow them all if you don’t want to have those alerts anymore.)

40 intrusion alerts are not many alerts per day. If you use p2p (like torrent), you will see over 1000 alerts every 30 min.
lol

[attachment deleted by admin]

skboss,


Do you have any idea what this file is?
C:\Users\<your username>\Desktop\j369qkr4.exe

ave removed the gmer.doc after saving it.

SkBoss,

I think you have had one of those ITW trojans. Check Task Manager to see if you have a process called “csrcs.exe” running.

If you do, kill the process, then set your folder options to reveal hidden files and folders. Go to %windir%/system32 and delete csrcs.exe. For more detail, check the text file attached. Found it somewhere on the web but have forgotten where. Sorry to the original poster… :frowning:

*edit
Otherwise you can try using Kaspersky’s free online scan to confirm it.

*end edit

[attachment deleted by admin]