dstrzemienski
asked on
Should I be concerned about 204.152.184.139?
I have 2 Windows XP computers on a small LAN sharing files in a Workgroup. They use IP addresses 192.168.1.50 and 192.168.1.99. Intermittently I lose connection between the two. Kaspersky Internet Security 2010 on 192.168.1.50 is logging a Network Attack from 192.168.1.99 and closing all incoming connections from that computer.
Detected: Intrusion.Win.NETAPI.buffer-overflow.exploit
TCP from 192.168.1.99 to local port 445
While digging into why Kaspersky thinks .99 is attacking .50 I discovered via netstat that the svchost.exe process on .99 is also making TCP port 80 calls to 204.152.184.139. ARIN points that IP address to ISC, but it's a large netblock so there's not much other info about the owner. When I pull up the IP address in a browser it looks like a default Apache webpage: "It Works!"
I've pulled .99 off of the Internet for now.
Is there a legitimate reason why svchost.exe would call 204.152.184.139 on port 80?
Seems that the calls out to 204.152.184.139 may be related to the buffer-overflow exploit attempt; am I reading too much into it?
Thanks!
ASKER
sjklein42, your explanation makes sense.
Great information from both of you. Thanks!