Solved

Should I be concerned about 204.152.184.139 ?

Posted on 2011-03-16
1,218 Views
Last Modified: 2012-05-11
I have 2 Windows XP computers on a small LAN sharing files in a Workgroup.  They use IP addresses 192.168.1.50 and 192.168.1.99.  Intermittently I lose connection between the two.  Kaspersky Internet Security 2010 on 192.168.1.50 is logging a Network Attack from 192.168.1.99 and closing all incoming connections from that computer.

Detected: Intrusion.Win.NETAPI.buffer-overflow.exploit
TCP from 192.168.1.99 to local port 445

While digging into why Kaspersky thinks .99 is attacking .50 I discovered via netstat that the svchost.exe process on .99 is also making TCP port 80 calls to 204.152.184.139. ARIN points that IP address to ISC, but it's a large netblock so there's not much other info about the owner. When I pull up the IP address in a browser it looks like a default Apache webpage: "It Works!"

I've pulled .99 off of the Internet for now.
Is there a legitimate reason why svchost.exe would call 204.152.184.139 on port 80?
Seems that the calls out to 204.152.184.139 may be related to the buffer-overflow exploit attempt; am I reading too much into it?

Thanks!
Question by:dstrzemienski
3 Comments
 
LVL 34

Assisted Solution

by:Paul MacDonald
Paul MacDonald earned 200 total points
ID: 35151891
It looks as if the machine may be compromised:
http://www.cyber-ta.org/releases/malware-analysis/public/2009-09-04-public/

http://answers.yahoo.com/question/index?qid=20091227203802AA3iDVD

I'd keep it (and the other machine) off the Internet, clean them up and make sure you lock them down well before putting them back.

Good luck!
LVL 16

Accepted Solution

by:sjklein42
sjklein42 earned 300 total points
ID: 35151945
Yes, it sounds like you have the "Conficker" virus on at least one machine.

204.152.184.139 is a "sinkhole" address set up by the Conficker Working Group to try to absorb these messages generated by the virus.

http://www.confickerworkinggroup.org/wiki/pmwiki.php/SP/ServiceProviders

And please be sure you secure your router with a non-default admin password if not already.
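The two observations in this thread, svchost.exe on .99 talking to 204.152.184.139 on port 80 and the NETAPI exploit attempt against TCP/445 on the LAN peer, can both be pulled out of `netstat -ano` output and correlated by PID, which is what the questioner suspected. This is an added example, not code from the thread or from Kaspersky; the netstat rows are constructed, and the 192.168.1.0/24 subnet and the rule that the XP SMB redirector's sockets belong to PID 4 (System) are assumptions.

```python
"""Triage constructed `netstat -ano` output for the two indicators discussed in this thread."""
from ipaddress import ip_address, ip_network

SINKHOLE_IPS = {"204.152.184.139"}   # the sinkhole address named in the thread
LAN = ip_network("192.168.1.0/24")    # assumed workgroup subnet of the two XP machines
SYSTEM_PID = 4                        # assumption: XP's kernel SMB redirector owns PID 4 sockets

# Constructed sample (not a real capture) as `netstat -ano` on 192.168.1.99 might show it.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.99:1039      192.168.1.50:445       ESTABLISHED     4
  TCP    192.168.1.99:1041      192.168.1.50:445       SYN_SENT        1012
  TCP    192.168.1.99:1037      204.152.184.139:80     ESTABLISHED     1012
  UDP    0.0.0.0:137            *:*                                    4
"""

def parse_netstat(text):
    """Parse `netstat -ano` rows into dicts; header, blank and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) not in (4, 5) or parts[0] not in ("TCP", "UDP"):
            continue
        state, pid = (parts[3], parts[4]) if len(parts) == 5 else ("", parts[3])  # UDP has no state
        lhost, lport = parts[1].rsplit(":", 1)
        fhost, fport = parts[2].rsplit(":", 1)
        records.append({"proto": parts[0], "lhost": lhost, "lport": lport,
                        "fhost": fhost, "fport": fport, "state": state, "pid": int(pid)})
    return records

def in_lan(host):
    try:
        return ip_address(host) in LAN
    except ValueError:            # "*" or a hostname
        return False

def triage(text):
    """Return (reason, pid, foreign endpoint) leads; each is a cue to examine that PID, not a verdict."""
    leads = []
    for r in parse_netstat(text):
        endpoint = f'{r["fhost"]}:{r["fport"]}'
        if r["fhost"] in SINKHOLE_IPS:
            leads.append(("sinkhole-contact", r["pid"], endpoint))
        # SMB to a LAN peer is ordinary file sharing when PID 4 owns the socket; a user-mode
        # process (an svchost.exe instance here) opening TCP/445 itself matches the NETAPI alert.
        elif r["proto"] == "TCP" and r["fport"] == "445" and in_lan(r["fhost"]) and r["pid"] != SYSTEM_PID:
            leads.append(("smb-from-user-process", r["pid"], endpoint))
    return leads

def correlate(leads):
    """Group leads by PID so a process that shows both indicators stands out."""
    by_pid = {}
    for reason, pid, _ in leads:
        by_pid.setdefault(pid, set()).add(reason)
    return by_pid
```

On the sample rows, PID 1012 is the only process carrying both leads, so that is the process to look up in Task Manager (or `tasklist /svc`) before cleaning the machine.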

Author Closing Comment

by:dstrzemienski
ID: 35152803
paulmacd, I had seen the link to yahoo answers, but I didn't really follow what they were saying.  Thank you for the cyber-ta link.

sjklein42, your explanation makes sense.

Great information from both of you.  Thanks!
