need some info on the following IPs


myrti

Hi,

I have a user that has posted here: http://forums.malwarebytes.org/index.php?showtopic=112814

I've checked the logs and they appear clean, however MBAM is blocking outgoing connections from svchost to China once or twice a day, which makes us think that there may still be something in the bushes. I haven't been able to track down why MBAM is blocking said IPs and would be grateful if you could give us some further information.

These are the blocked connections:

On the 17th.

2012/07/17 06:39:04 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 61746, Process: svchost.exe)

2012/07/17 06:39:12 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 61746, Process: svchost.exe)

2012/07/17 06:39:20 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 61746, Process: svchost.exe)

2012/07/17 11:18:39 +0800 CHRIS-PC Chris IP-BLOCK 58.240.186.242 (Type: outgoing, Port: 61746, Process: svchost.exe)

2012/07/17 16:45:43 +0800 CHRIS-PC Chris IP-BLOCK 222.71.191.21 (Type: outgoing, Port: 61746, Process: svchost.exe)

2012/07/17 16:45:43 +0800 CHRIS-PC Chris IP-BLOCK 222.71.191.21 (Type: outgoing, Port: 61746, Process: svchost.exe)

2012/07/17 16:45:51 +0800 CHRIS-PC Chris IP-BLOCK 222.71.191.21 (Type: outgoing, Port: 61746, Process: svchost.exe)

2012/07/17 16:45:51 +0800 CHRIS-PC Chris IP-BLOCK 222.71.191.21 (Type: outgoing, Port: 61746, Process: svchost.exe)

On the 18th

2012/07/18 13:13:23 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 63387, Process: svchost.exe)

2012/07/18 13:13:23 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 63387, Process: svchost.exe)

2012/07/18 13:13:23 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 63387, Process: svchost.exe)

2012/07/18 13:13:31 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 63387, Process: svchost.exe)

2012/07/18 13:13:31 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 63387, Process: svchost.exe)

2012/07/18 13:13:31 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 63387, Process: svchost.exe)

2012/07/18 15:49:56 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 63387, Process: svchost.exe)

2012/07/18 15:49:56 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 63387, Process: svchost.exe)

2012/07/18 15:50:04 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 63387, Process: svchost.exe)

2012/07/18 15:50:04 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 63387, Process: svchost.exe)

2012/07/18 15:50:04 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 63387, Process: svchost.exe)

On the 19th

2012/07/19 15:00:00 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 49697, Process: svchost.exe)

2012/07/19 15:00:00 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 49697, Process: svchost.exe)

2012/07/19 15:00:08 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 49697, Process: svchost.exe)

2012/07/19 15:00:08 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 49697, Process: svchost.exe)

2012/07/19 15:00:08 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 49697, Process: svchost.exe)

I'd be grateful if you could give us an indication as to why the IPs are being blocked and if they're directly connected to malicious activity.

thanks & regards

myrti

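The blocked-connection lines above are easier to reason about once they are grouped by remote IP and by day. The following is an added example (not code from the thread or from Malwarebytes): a small parser for the IP-BLOCK line format exactly as it appears in the post, with a summary per remote IP and a per-day view of the ports. The sample lines are a subset copied from the post; the parser and function names are my own, and it assumes (from the 49152-65535 ephemeral range the values fall in) that the "Port" field is the local source port.

```python
"""Summarise Malwarebytes IP-BLOCK protection-log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Shape of an IP-BLOCK line as shown in the post:
# 2012/07/17 06:39:04 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 61746, Process: svchost.exe)
IPBLOCK_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4}) "
    r"(?P<host>\S+) (?P<user>\S+) IP-BLOCK (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\(Type: (?P<type>\w+), Port: (?P<port>\d+), Process: (?P<proc>[^)]+)\)$"
)

# Subset of the lines from the post (one per distinct event).
SAMPLE_LOG = """\
2012/07/17 06:39:04 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 61746, Process: svchost.exe)
2012/07/17 06:39:12 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 61746, Process: svchost.exe)
2012/07/17 11:18:39 +0800 CHRIS-PC Chris IP-BLOCK 58.240.186.242 (Type: outgoing, Port: 61746, Process: svchost.exe)
2012/07/17 16:45:43 +0800 CHRIS-PC Chris IP-BLOCK 222.71.191.21 (Type: outgoing, Port: 61746, Process: svchost.exe)
2012/07/18 13:13:23 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 63387, Process: svchost.exe)
2012/07/18 15:49:56 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 63387, Process: svchost.exe)
2012/07/19 15:00:00 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 49697, Process: svchost.exe)
"""


def parse_ipblock(line):
    """Return a dict for an IP-BLOCK line, or None for any other log line."""
    m = IPBLOCK_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["when"] = datetime.strptime(f"{ev['date']} {ev['time']} {ev['tz']}",
                                   "%Y/%m/%d %H:%M:%S %z")
    ev["port"] = int(ev["port"])
    return ev


def summarise(text):
    """Group events by remote IP: count, first/last seen, ports and processes."""
    by_ip = {}
    for line in text.splitlines():
        ev = parse_ipblock(line)
        if ev is None:
            continue  # DETECT/QUARANTINE lines, blanks, etc.
        s = by_ip.setdefault(ev["ip"], {"count": 0, "first": ev["when"],
                                        "last": ev["when"], "ports": set(),
                                        "procs": set()})
        s["count"] += 1
        s["first"] = min(s["first"], ev["when"])
        s["last"] = max(s["last"], ev["when"])
        s["ports"].add(ev["port"])
        s["procs"].add(ev["proc"])
    return by_ip


def ports_by_day(text):
    """Map each calendar day to the set of local ports seen that day.

    One port per day across several remote IPs points at a single long-lived
    socket owner (one service instance), not at unrelated events; this is the
    assumption that the Port field is the local source port."""
    days = defaultdict(set)
    for line in text.splitlines():
        ev = parse_ipblock(line)
        if ev is not None:
            days[ev["when"].date()].add(ev["port"])
    return dict(days)


if __name__ == "__main__":
    for ip, s in sorted(summarise(SAMPLE_LOG).items()):
        print(f"{ip:16} n={s['count']} first={s['first']:%Y-%m-%d %H:%M} "
              f"last={s['last']:%Y-%m-%d %H:%M} ports={sorted(s['ports'])} "
              f"procs={sorted(s['procs'])}")
    for day, ports in sorted(ports_by_day(SAMPLE_LOG).items()):
        print(day, sorted(ports))
```

Run it against the full protection log rather than this subset; the point to look for is the one shown here, a single local port reused for every remote IP on a given day and a new port the next day, which matches one process instance (or one service in an svchost) holding a socket for the whole day.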

  • Staff

Can you provide a link to the bleeping computer thread please?

Have you tried seeing what's under there?

http://www.bleepingc...ostexe-process/

Would also check winlogon.exe and explorer.exe against virustotal to make sure they aren't patched. Some of the chinaware does this and would drive you crazy.

Also a

netstat -b -f

You can whip up a quick bat file to redirect to notepad:

netstat -b -f >> netstat.txt
start notepad netstat.txt

from command prompt might yield more information

This has to be run from an admin command prompt.


MBAM popped up again, same port was used once again.

Going into Process Explorer and using the PID I found from netstat -ano, under svchost in TCP/IP there is the process "iphlpsvc" using that same port, which has been used to try to connect outbound and is being blocked by MBAM.

I don't know where to go with that. I've run all of these things through virustotal; virustotal gave 1/42 for svchost though.

Any ideas?

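The step described in the post above (PID from netstat -ano, then the service group hosted by that svchost.exe) can be done without Process Explorer by joining netstat -ano with tasklist /svc on the PID. The following is an added example, not code from the thread: both command outputs are constructed samples in the normal Windows format, the PIDs and service groupings are hypothetical, and only the remote IP, local port and the iphlpsvc name come from the thread. In practice you would feed it the real output of the two commands.

```python
"""Attribute a blocked outbound connection to the services hosted in its
svchost.exe by joining `netstat -ano` and `tasklist /svc` on PID (added example)."""
import re

# Constructed sample of `netstat -ano` output; PIDs are hypothetical.
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    192.168.1.10:61746     222.69.93.132:80       SYN_SENT        1032
  TCP    192.168.1.10:49158     10.0.0.5:445           ESTABLISHED     4
  UDP    0.0.0.0:3702           *:*                                    880
"""

# Constructed sample of `tasklist /svc` output; service groupings are hypothetical.
TASKLIST_SVC = """\

Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    700 RpcEptMapper, RpcSs
svchost.exe                    880 EventSystem, FontCache, SSDPSRV
svchost.exe                   1032 iphlpsvc, Winmgmt
"""


def _split_addr(addr):
    """Split 'host:port' (also '[v6]:port' and '*:*'); port is None if not numeric."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse `netstat -ano` rows; UDP rows have no State column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header, blank lines
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue
        lhost, lport = _split_addr(local)
        fhost, fport = _split_addr(foreign)
        conns.append({"proto": proto, "lhost": lhost, "lport": lport,
                      "fhost": fhost, "fport": fport, "state": state,
                      "pid": int(pid)})
    return conns


def parse_tasklist_svc(text):
    """Map PID -> {image, services} from `tasklist /svc` output."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<svcs>.+)$", line)
        if not m:
            continue  # header and separator rows carry no PID
        svcs = m["svcs"].strip()
        services = [] if svcs == "N/A" else [s.strip() for s in svcs.split(",")]
        procs[int(m["pid"])] = {"image": m["image"].strip(), "services": services}
    return procs


def attribute(netstat_text, tasklist_text, watch_ips):
    """For every connection to one of watch_ips, return the owning image and the
    services that share that PID. For svchost.exe that list is the set of
    candidates to check (ServiceDll path, hash) rather than svchost.exe itself."""
    procs = parse_tasklist_svc(tasklist_text)
    hits = []
    for c in parse_netstat(netstat_text):
        if c["fhost"] in watch_ips:
            p = procs.get(c["pid"], {"image": "?", "services": []})
            hits.append({**c, **p})
    return hits


if __name__ == "__main__":
    blocked = {"222.64.248.174", "58.240.186.242", "222.71.191.21", "222.69.93.132"}
    for h in attribute(NETSTAT_ANO, TASKLIST_SVC, blocked):
        print(f"{h['proto']} {h['lhost']}:{h['lport']} -> {h['fhost']}:{h['fport']} "
              f"{h['state']} pid={h['pid']} {h['image']} services={h['services']}")
```

The output names the service group, not the culprit: an svchost.exe instance hosts every service in that list through their ServiceDll entries, so a clean svchost.exe on virustotal says nothing about the DLLs loaded into it. Each listed service's DLL is what to look up and hash next, which is also why the staff reply points at the svchost service listing in the registry.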

  • Staff

Have the link for the virustotal scan of svchost? I doubt it's that, but some file running in its space.

Some ideas..

Check the netsvcs listing key in regedit to see what's running under there. iphlpsvc is a normal DLL; maybe submit that to VT also.

Run wireshark and set a filter for those ips. Then you can capture the traffic at least that is going there.

http://www.wireshark.org/

Mysteryfcm may have to chime in though. He may have more info on why those IPs were blacklisted.

