Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1227
  • Last Modified:

Should I be concerned about 204.152.184.139 ?

I have 2 Windows XP computers on a small LAN sharing files in a Workgroup.  They use IP addresses 192.168.1.50 and 192.168.1.99.  Intermittently I lose connection between the two.  Kaspersky Internet Security 2010 on 192.168.1.50 is logging a Network Attack from 192.168.1.99 and closing all incoming connections from that computer.

Detected: Intrusion.Win.NETAPI.buffer-overflow.exploit
TCP from 192.168.1.99 to local port 445

While digging into why Kaspersky thinks .99 is attacking .50 I discovered via netstat that the svchost.exe process on .99 is also making TCP port 80 calls to 204.152.184.139.  Arin points that IP address to ISC, but it's a large netblock so there's not much other info about the owner.  When I pull up the IP address in a browser it looks like a default Apache webpage: "It Works!"

I've pulled .99 off of the Internet for now.
Is there a legitimate reason why svchost.exe would call 204.152.184.139 on port 80?
Seems that the calls out to 204.152.184.139 may be related to the buffer-overflow exploit attempt; am I reading too much into it?

Thanks!
0
dstrzemienski
Asked:
dstrzemienski
2 Solutions
 
Paul MacDonaldDirector, Information SystemsCommented:
It looks as if the machine may be compromised:
http://www.cyber-ta.org/releases/malware-analysis/public/2009-09-04-public/

http://answers.yahoo.com/question/index?qid=20091227203802AA3iDVD

I'd keep it (and the other machine) off the Internet, clean them up and make sure you lock them down well before putting them back.

Good luck!
0
 
sjklein42Commented:
Yes, it sounds like you have the "conflicker" virus on at least one machine.

204.152.184.139  is a "sinkhole" address set up by the Conflicker Working Group to try to absorb these messages generated by the virus.

http://www.confickerworkinggroup.org/wiki/pmwiki.php/SP/ServiceProviders

And please be sure you secure your router with a non-default admin password if not already.
0
 
dstrzemienskiAuthor Commented:
paulmacd, I had seen the link to yahoo answers, but I didn't really follow what they were saying.  Thank you for the cyber-ta link.

sjklein42, your explanation makes sense.

Great information from both of you.  Thanks!
0

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now