
Outbound TCP port 80 to Botnet IP



Hi. I haven't had any trace of malware in a long time; I keep stuff pretty tight.

I run Windows Firewall + MSE, the firewall is set to block outbound and inbound unless there's an allow rule.

I also run Windows Firewall Notifier, which detects new connections and asks me if I'd like to allow/block (thus creating a rule).

Today I saw an alarming outbound connection asking for permission.

Path: \windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe

Target: 63.148.207.142 and 63.148.207.127, both TCP port 80

I googled the IPs and found them to be botnet-associated. I've run a Malwarebytes scan and an MSE scan; nothing is showing as infected. The mscorsvw.exe process is running (although it's a normal system process).

Any ideas?


Hello csjesse, and welcome!

Here is a bit of information on those IPs:

63.148.207.142

63.148.207.127

Qwest Communications Company, LLC

# Well Known Ports: These run from 0 to 1023 and are bound to the common services that run on them (for example, mail runs on port 25 tcp/udp, which is SMTP, the Simple Mail Transfer Protocol), so if you find one of these ports open (and you usually will), it's usually because of an essential function.

# Registered Ports: These run from 1024 to 49151. Although not bound to a particular service, these are normally used by networking utilities like FTP software, email clients and so on, which open a random port within this range before communicating with the remote server, so don't panic (just be wary, perhaps) if you see any of these open, because they usually close automatically when the program that's using them terminates (for example, type a common website name into your browser with netstat open and watch as it opens a port at random to act as a buffer for the remote server). Services like MSN Messenger and ICQ usually run on these ports.

# Dynamic/Private Ports: Ranging from 49152 to 65535, these are rarely used except with certain programs, and even then not very often. This is indeed the usual range of the Trojan, so if you find any of these open, be very suspicious.

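The question in the first post is really "is the thing making this connection the genuine mscorsvw.exe, and is that process actually the one talking to these addresses?". The port-range notes above do not answer that: since Windows Vista the default outbound (ephemeral) port range is 49152-65535, so the local port a connection uses says nothing about whether it is malicious. The following script is an added example, not code from the original thread or from Windows Firewall Notifier; it checks the Authenticode signature and hash of the binary at the reported path, maps the reported remote IPs to the owning process and its image path, confirms the registered .NET Runtime Optimization Service (service name clr_optimization_v4.0.30319_64 / _32) points at that binary, and looks for look-alike copies of mscorsvw.exe outside the framework directories. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where Get-NetTCPConnection exists; on Windows 7 the same PID-to-connection mapping comes from netstat -ano. The path and IPs are the ones from the post.

```powershell
# Added example (not from the original thread): verify an outbound connection attributed to a system binary.
# Assumes an elevated session on Windows 8 / Server 2012 or later (Get-NetTCPConnection, Get-CimInstance).
param(
    [string]$BinaryPath = "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe",
    [string[]]$RemoteAddress = @('63.148.207.142', '63.148.207.127')   # addresses reported in the post
)

# 1. Is the file on disk the genuine Microsoft binary? A valid catalog/Authenticode signature by
#    Microsoft is the expected result; 'NotSigned' or 'HashMismatch' means the file has been replaced.
$sig = Get-AuthenticodeSignature -FilePath $BinaryPath
[pscustomobject]@{
    Path   = $BinaryPath
    Status = $sig.Status                       # expect 'Valid'
    Signer = $sig.SignerCertificate.Subject    # expect a CN=Microsoft Corporation subject
    SHA256 = (Get-FileHash -Algorithm SHA256 -Path $BinaryPath).Hash   # compare on another clean machine
} | Format-List

# 2. Which process owns the connections to the reported addresses? Map remote IP -> PID -> image path.
#    A process whose image path differs from $BinaryPath (a look-alike name elsewhere) is the tell.
#    Note: this only lists connections that exist right now; a connection the firewall already
#    blocked or that has since closed will not appear.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $RemoteAddress -contains $_.RemoteAddress } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $cim  = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.OwningProcess)"
        [pscustomobject]@{
            Local     = "$($_.LocalAddress):$($_.LocalPort)"   # ephemeral port; not evidence by itself
            Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
            State     = $_.State
            PID       = $_.OwningProcess
            Image     = $proc.Path
            ParentPID = $cim.ParentProcessId                   # genuine mscorsvw.exe is started by services.exe
            CmdLine   = $cim.CommandLine
        }
    } | Format-Table -AutoSize

# 3. Does the registered .NET Runtime Optimization Service still point at the framework directory?
Get-CimInstance Win32_Service -Filter "Name LIKE 'clr_optimization%'" |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize

# 4. Any other files named mscorsvw.exe outside %SystemRoot%\Microsoft.NET? Those deserve a closer look.
Get-ChildItem -Path "$env:SystemDrive\" -Filter 'mscorsvw.exe' -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -notlike "$env:SystemRoot\Microsoft.NET\*" } |
    Select-Object FullName, Length, LastWriteTime
```

Save it as a .ps1 and run it from an elevated prompt while the connection is live (or immediately after the Firewall Notifier prompt appears). If step 1 reports a valid Microsoft signature, step 2 shows the owning image is exactly the framework path with services.exe as its parent, and step 4 finds no stray copies, the binary itself is what it claims to be, and the remaining question is why the .NET optimization service is reaching out on port 80, which the signature check cannot answer on its own.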
