Solved

Should I be concerned about 204.152.184.139 ?

Posted on 2011-03-16
Last Modified: 2012-05-11
I have 2 Windows XP computers on a small LAN sharing files in a Workgroup.  They use IP addresses 192.168.1.50 and 192.168.1.99.  Intermittently I lose connection between the two.  Kaspersky Internet Security 2010 on 192.168.1.50 is logging a Network Attack from 192.168.1.99 and closing all incoming connections from that computer.

Detected: Intrusion.Win.NETAPI.buffer-overflow.exploit
TCP from 192.168.1.99 to local port 445

While digging into why Kaspersky thinks .99 is attacking .50 I discovered via netstat that the svchost.exe process on .99 is also making TCP port 80 calls to 204.152.184.139.  ARIN points that IP address to ISC, but it's a large netblock so there's not much other info about the owner.  When I pull up the IP address in a browser it looks like a default Apache webpage: "It Works!"

I've pulled .99 off of the Internet for now.
Is there a legitimate reason why svchost.exe would call 204.152.184.139 on port 80?
Seems that the calls out to 204.152.184.139 may be related to the buffer-overflow exploit attempt; am I reading too much into it?

Thanks!
Question by:dstrzemienski
3 Comments
LVL 35

Assisted Solution

by: Paul MacDonald
Paul MacDonald earned 800 total points
ID: 35151891
It looks as if the machine may be compromised:
http://www.cyber-ta.org/releases/malware-analysis/public/2009-09-04-public/

http://answers.yahoo.com/question/index?qid=20091227203802AA3iDVD

I'd keep it (and the other machine) off the Internet, clean them up and make sure you lock them down well before putting them back.

Good luck!
LVL 16

Accepted Solution

by: sjklein42
sjklein42 earned 1200 total points
ID: 35151945
Yes, it sounds like you have the "Conficker" virus on at least one machine.

204.152.184.139 is a "sinkhole" address set up by the Conficker Working Group to try to absorb these messages generated by the virus.

http://www.confickerworkinggroup.org/wiki/pmwiki.php/SP/ServiceProviders

And please be sure you secure your router with a non-default admin password if not already.
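To check a host for the two indicators raised in this thread (a process beaconing to the sinkhole address, and that same process reaching LAN peers on port 445, which is what Kaspersky flagged on the other machine), here is an added triage script; it is not part of the original thread, and the netstat/tasklist text, the process names and the sinkhole list are constructed for illustration.

```python
"""Triage a Windows `netstat -ano` snapshot for sinkhole beacons and, from the
same process, SMB (445) connections to other LAN hosts.  Added example; all
sample data below is constructed."""
import re
from collections import defaultdict

# 204.152.184.139 is the sinkhole named in the thread; a real list would come
# from the Conficker Working Group or a current threat feed.
SINKHOLES = {"204.152.184.139"}

NETSTAT_LINE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$")

def parse_netstat(text):
    """Yield (local_ip, remote_ip, remote_port, state, pid) for each TCP row."""
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            yield (m["laddr"], m["raddr"], int(m["rport"]), m["state"], int(m["pid"]))

def triage(netstat_text, pid_to_image):
    """Return human-readable findings: sinkhole beacons, then lateral SMB."""
    rows = list(parse_netstat(netstat_text))
    beaconing = defaultdict(list)  # pid -> list of "ip:port" sinkhole targets
    for _laddr, raddr, rport, _state, pid in rows:
        if raddr in SINKHOLES:
            beaconing[pid].append(f"{raddr}:{rport}")
    findings = []
    for pid, targets in beaconing.items():
        image = pid_to_image.get(pid, "unknown")
        findings.append(f"PID {pid} ({image}) contacts sinkhole {', '.join(targets)}")
        # The same process probing LAN peers on 445 matches the NETAPI
        # exploit attempt the peer's Kaspersky reported.
        for _laddr, raddr, rport, state, p in rows:
            if p == pid and rport == 445 and raddr.startswith("192.168."):
                findings.append(f"PID {pid} ({image}) -> {raddr}:445 ({state}) lateral SMB")
    return findings

# Constructed snapshot resembling `netstat -ano` and `tasklist` on the .99 host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.99:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.99:1052      204.152.184.139:80     ESTABLISHED     1048
  TCP    192.168.1.99:1061      192.168.1.50:445       SYN_SENT        1048
  TCP    192.168.1.99:1070      192.168.1.1:80         ESTABLISHED     2212
"""
SAMPLE_PIDS = {4: "System", 1048: "svchost.exe", 2212: "iexplore.exe"}

if __name__ == "__main__":
    for finding in triage(SAMPLE_NETSTAT, SAMPLE_PIDS):
        print(finding)
```

On a live XP host, feed it the output of `netstat -ano` and a PID-to-image map built from `tasklist`, and treat any svchost.exe hit as a reason to image the box before cleaning it.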

Author Closing Comment

by: dstrzemienski
ID: 35152803
paulmacd, I had seen the link to yahoo answers, but I didn't really follow what they were saying.  Thank you for the cyber-ta link.

sjklein42, your explanation makes sense.

Great information from both of you.  Thanks!