Solved

Should I be concerned about 204.152.184.139 ?

Posted on 2011-03-16
3
1,214 Views
Last Modified: 2012-05-11
I have 2 Windows XP computers on a small LAN sharing files in a Workgroup.  They use IP addresses 192.168.1.50 and 192.168.1.99.  Intermittently I lose connection between the two.  Kaspersky Internet Security 2010 on 192.168.1.50 is logging a Network Attack from 192.168.1.99 and closing all incoming connections from that computer.

Detected: Intrusion.Win.NETAPI.buffer-overflow.exploit
TCP from 192.168.1.99 to local port 445

While digging into why Kaspersky thinks .99 is attacking .50 I discovered via netstat that the svchost.exe process on .99 is also making TCP port 80 calls to 204.152.184.139.  ARIN points that IP address to ISC, but it's a large netblock so there's not much other info about the owner.  When I pull up the IP address in a browser it looks like a default Apache webpage: "It Works!"

I've pulled .99 off of the Internet for now.
Is there a legitimate reason why svchost.exe would call 204.152.184.139 on port 80?
Seems that the calls out to 204.152.184.139 may be related to the buffer-overflow exploit attempt; am I reading too much into it?

Thanks!
Question by:dstrzemienski
3 Comments
 
LVL 34

Assisted Solution

by:Paul MacDonald
Paul MacDonald earned 200 total points
ID: 35151891
It looks as if the machine may be compromised:
http://www.cyber-ta.org/releases/malware-analysis/public/2009-09-04-public/

http://answers.yahoo.com/question/index?qid=20091227203802AA3iDVD

I'd keep it (and the other machine) off the Internet, clean them up and make sure you lock them down well before putting them back.

Good luck!
 
LVL 16

Accepted Solution

by:sjklein42
sjklein42 earned 300 total points
ID: 35151945
Yes, it sounds like you have the "Conficker" virus on at least one machine.

204.152.184.139 is a "sinkhole" address set up by the Conficker Working Group to try to absorb these messages generated by the virus.

http://www.confickerworkinggroup.org/wiki/pmwiki.php/SP/ServiceProviders

And please be sure you secure your router with a non-default admin password if not already.
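The two signals in this thread (a user-mode svchost.exe talking to a sinkhole address over port 80, and the same process reaching for a LAN peer's port 445) can be pulled straight out of `netstat -ano` output. The script below is an added example for this thread, not code posted by anyone in it or by the Conficker Working Group. It parses the TCP rows of Windows netstat output, maps PIDs to image names (as you would get from `tasklist`), and reports contacts with a sinkhole watchlist and user-mode SMB connections to LAN hosts. The netstat sample and the PID map are constructed to mirror the question; the watchlist holds only the address named in the thread, and the "SMB from PID 4 is normal" rule is a heuristic assumption, not a rule from the page.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Addresses to treat as sinkholes. Only the one named in this thread is listed;
# in practice you would load a current list from your own threat-intel source.
SINKHOLE_IPS = {"204.152.184.139"}

# The local subnet of the workgroup described in the question.
LAN = ipaddress.ip_network("192.168.1.0/24")

SMB_PORT = 445
# Assumption (heuristic): on Windows the kernel SMB redirector owns its client
# sockets under the System process, PID 4, so legitimate file-share traffic
# to a peer's port 445 should not belong to a user-mode process.
SYSTEM_PID = 4

# One TCP row of Windows "netstat -ano" output (IPv4 only).
NETSTAT_TCP_RE = re.compile(
    r"^\s*TCP\s+(?P<lip>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<rip>[\d.]+):(?P<rport>\d+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)


@dataclass(frozen=True)
class Conn:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    pid: int


def parse_netstat(text: str) -> list[Conn]:
    """Parse the TCP rows of 'netstat -ano' output; header and UDP rows are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_TCP_RE.match(line)
        if m:
            conns.append(Conn(
                m["lip"], int(m["lport"]), m["rip"], int(m["rport"]),
                m["state"], int(m["pid"]),
            ))
    return conns


def find_suspicious(conns: list[Conn], pid_names: dict[int, str]) -> list[str]:
    """Return one human-readable finding per connection that matches a check."""
    findings = []
    for c in conns:
        name = pid_names.get(c.pid, "unknown")
        # Check 1: any contact with a known sinkhole address. A sinkhole only
        # receives traffic from hosts that are already calling home, so this
        # is a strong signal regardless of the process name.
        if c.remote_ip in SINKHOLE_IPS:
            findings.append(
                f"sinkhole contact: {name} (pid {c.pid}) -> "
                f"{c.remote_ip}:{c.remote_port} [{c.state}]"
            )
        # Check 2: a user-mode process opening SMB (445) to another LAN host,
        # which is what the Kaspersky NETAPI alert in the question describes.
        if (c.remote_port == SMB_PORT
                and ipaddress.ip_address(c.remote_ip) in LAN
                and c.pid != SYSTEM_PID):
            findings.append(
                f"user-mode SMB to LAN peer: {name} (pid {c.pid}) -> "
                f"{c.remote_ip}:{c.remote_port} [{c.state}]"
            )
    return findings


# Constructed sample modelled on the situation in the question; not a real capture.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.99:1035      204.152.184.139:80     ESTABLISHED     1040
  TCP    192.168.1.99:1042      192.168.1.50:445       SYN_SENT        1040
  TCP    192.168.1.99:1050      192.168.1.1:80         ESTABLISHED     2208
  TCP    192.168.1.99:1051      192.168.1.50:445       ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed PID-to-image map, as "tasklist" would report it.
SAMPLE_PIDS = {4: "System", 1040: "svchost.exe", 2208: "iexplore.exe"}


def analyse_sample() -> list[str]:
    """Run both checks over the constructed sample."""
    return find_suspicious(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PIDS)


if __name__ == "__main__":
    for finding in analyse_sample():
        print(finding)
```

On the sample this reports the svchost.exe sinkhole contact and the svchost.exe connection to 192.168.1.50:445, while the System (PID 4) connection to the same SMB port and the browser's web traffic are left alone. To use it on a real host, paste the output of `netstat -ano` and a PID map built from `tasklist` in place of the constructed samples.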
 

Author Closing Comment

by:dstrzemienski
ID: 35152803
paulmacd, I had seen the link to yahoo answers, but I didn't really follow what they were saying.  Thank you for the cyber-ta link.

sjklein42, your explanation makes sense.

Great information from both of you.  Thanks!
