Solved

Should I be concerned about 204.152.184.139 ?

Posted on 2011-03-16
1,211 Views
Last Modified: 2012-05-11
I have 2 Windows XP computers on a small LAN sharing files in a Workgroup.  They use IP addresses 192.168.1.50 and 192.168.1.99.  Intermittently I lose connection between the two.  Kaspersky Internet Security 2010 on 192.168.1.50 is logging a Network Attack from 192.168.1.99 and closing all incoming connections from that computer.

Detected: Intrusion.Win.NETAPI.buffer-overflow.exploit
TCP from 192.168.1.99 to local port 445

While digging into why Kaspersky thinks .99 is attacking .50 I discovered via netstat that the svchost.exe process on .99 is also making TCP port 80 calls to 204.152.184.139.  ARIN points that IP address to ISC, but it's a large netblock so there's not much other info about the owner.  When I pull up the IP address in a browser it looks like a default Apache webpage: "It Works!"

I've pulled .99 off of the Internet for now.
Is there a legitimate reason why svchost.exe would call 204.152.184.139 on port 80?
Seems that the calls out to 204.152.184.139 may be related to the buffer-overflow exploit attempt; am I reading too much into it?

Thanks!
Question by:dstrzemienski
3 Comments
LVL 33

Assisted Solution

by:paulmacd
paulmacd earned 200 total points
ID: 35151891
It looks as if the machine may be compromised:
http://www.cyber-ta.org/releases/malware-analysis/public/2009-09-04-public/

http://answers.yahoo.com/question/index?qid=20091227203802AA3iDVD

I'd keep it (and the other machine) off the Internet, clean them up and make sure you lock them down well before putting them back.

Good luck!
LVL 16

Accepted Solution

by:sjklein42
sjklein42 earned 300 total points
ID: 35151945
Yes, it sounds like you have the "Conficker" virus on at least one machine.

204.152.184.139 is a "sinkhole" address set up by the Conficker Working Group to try to absorb these messages generated by the virus.

http://www.confickerworkinggroup.org/wiki/pmwiki.php/SP/ServiceProviders

And please be sure you secure your router with a non-default admin password if not already.
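
The check the question describes, written out as a script. This is an added example for this page, not code from the thread, from Kaspersky or from the Conficker Working Group. It parses the output of `netstat -ano` and `tasklist` (the XP-era column layout is assumed), joins the two on PID, and flags any process talking to the sinkhole address on TCP/80. The netstat and tasklist text below is constructed for the example, and the sinkhole list is an assumption containing only the one address named in this thread; outbound SMB from svchost.exe is reported only as a lead, because the Workstation service makes the same connections for ordinary file sharing.

```python
"""Triage a Windows host's connections for the pattern in this thread:
svchost.exe talking to a known sinkhole on TCP/80, plus outbound SMB
to a LAN peer from the same process (the NETAPI exploit attempts)."""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto laddr lport raddr rport state pid")

# Constructed sample of `netstat -ano` output (Windows XP column layout).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.99:1045      204.152.184.139:80     ESTABLISHED     1032
  TCP    192.168.1.99:1052      192.168.1.50:445       SYN_SENT        1032
  TCP    192.168.1.99:1060      192.168.1.1:80         TIME_WAIT       0
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed sample of `tasklist` output, used to map PID -> image name.
TASKLIST_SAMPLE = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System                         4 Console                 0        236 K
svchost.exe                 1032 Console                 0      4,512 K
explorer.exe                1488 Console                 0     18,204 K
"""

# Assumed indicator list: only the address this thread identifies as a
# Conficker Working Group sinkhole. A real list would be kept current.
SINKHOLE_IPS = {"204.152.184.139"}

# UDP rows have no State column, so the state group may be empty.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(\S*)\s*(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(\S.*?\S)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$")


def parse_netstat(text):
    """Turn netstat rows into Conn tuples; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        lip, lport = local.rsplit(":", 1)      # rsplit keeps IPv4 dots intact
        rip, rport = foreign.rsplit(":", 1)
        conns.append(Conn(proto, lip, lport, rip, rport, state, int(pid)))
    return conns


def parse_tasklist(text):
    """Return {pid: image name} from tasklist output."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def flag_connections(conns, procs, sinkholes=SINKHOLE_IPS):
    """Return (severity, pid, process, remote) for connections worth a look.

    HIGH: any TCP peer on the sinkhole list; the beacon itself.
    INFO: svchost.exe opening SMB (445) to another host. Normal for file
    sharing, so only meaningful alongside a HIGH hit or an AV alert like
    the one Kaspersky raised in the question.
    """
    findings = []
    for c in conns:
        name = procs.get(c.pid, "?")
        remote = f"{c.raddr}:{c.rport}"
        if c.proto == "TCP" and c.raddr in sinkholes:
            findings.append(("HIGH", c.pid, name, remote))
        elif (c.proto == "TCP" and c.rport == "445"
              and c.state != "LISTENING" and name.lower() == "svchost.exe"):
            findings.append(("INFO", c.pid, name, remote))
    return findings


def triage(netstat_text, tasklist_text):
    return flag_connections(parse_netstat(netstat_text), parse_tasklist(tasklist_text))


if __name__ == "__main__":
    for sev, pid, name, remote in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{sev:4} pid={pid:<5} {name:<14} -> {remote}")
```

On a live host, capture the two command outputs to files and feed them to `triage()`; a HIGH hit from a PID that resolves to svchost.exe is the signature the thread is describing, and the INFO rows tell you which LAN neighbours that process was reaching for over SMB.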

Author Closing Comment

by:dstrzemienski
ID: 35152803
paulmacd, I had seen the link to yahoo answers, but I didn't really follow what they were saying.  Thank you for the cyber-ta link.

sjklein42, your explanation makes sense.

Great information from both of you.  Thanks!
