
I have read the stickies on the False Positive board and elsewhere, but am still a bit bewildered. What is going on when I get a message such as "89.248.171.50 (Type: incoming, Port: 80, Process: svchost.exe)"? I see that this is incoming.

 

What is going on in this context? Are there other steps I need to take to protect my home network?

 

Thanks!


  • Root Admin

Incoming means just that. Some remote system has attempted to reach your computer from outside your network.

 

What is actually doing it and what has triggered it though would require some amount of work.  Your computer could have sent out a request to contact server x for say music, video, or one of hundreds of other reasons.  So then server x replies back but the reply back could be from a server that resides on a known IP range that is known for threat activity.

 

It could also be that your system is being probed, but in most cases it's rather difficult to probe a computer in a way that would trigger it. How often it happens can also play into whether or not it may be a concern. If it was a one-time deal, or a few times over the course of a day or so, then it's probably nothing to be concerned about. If it happens frequently, daily, constantly, then yes, you would want to check into it further to determine what's going on.

 

The first place to start would be to ensure that the computer is clean and not known to be infected.

 

I would suggest following the advice from the topic here Available Assistance for Possibly Infected Computers and having one of the Experts assist you with looking into your issue.

Thanks

 

 

Information on that IP address

 

IP address: 89.248.171.50
Host name: hosted-by.ecatel.net
89.248.171.50 is from the Netherlands (NL), in region Western Europe


Just would like to add I'm being probed from the same IP, to my CentOS web server. The traffic is below.

 

89.248.171.50 - - [26/Dec/2013:09:51:08 -0500] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 403 243

89.248.171.50 - - [26/Dec/2013:09:51:12 -0500] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 223

 

This continues for about 50 lines, probing multiple phpMyAdmin-related scripts.

 

I contacted the IP registrar's abuse e-mail at abuse@ecatel.info

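The two access-log lines posted above are textbook web-scanner traffic: the `w00tw00t.at.blackhats.romanian.anti-sec` request is the banner of the ZmEu/DFind family of scanners, and the `/scripts/setup.php` requests are probes for old phpMyAdmin installs. The Root Admin's advice earlier in the thread was that a handful of hits is noise while a steady stream warrants a closer look. The following script is an added example, not code from the original posters or from Malwarebytes: it parses Apache common-format log lines, tags requests that match a short list of scanner paths (the two paths from the thread plus a few assumed phpMyAdmin locations), and applies a per-source frequency rule so the operator can tell a one-off from an active scan. The sample log is constructed here for illustration; the `192.0.2.10` client, the extra phpMyAdmin paths, and the 5-hits-in-an-hour threshold are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache common log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Request-path fragments typical of automated scanners. The first two appear in
# the thread; the remaining phpMyAdmin paths are assumptions and can be extended.
SCANNER_PATHS = [
    ("w00tw00t", "w00tw00t.at.blackhats.romanian.anti-sec"),  # ZmEu/DFind banner
    ("phpmyadmin-setup", "/scripts/setup.php"),               # old phpMyAdmin setup script
    ("phpmyadmin", "/phpmyadmin/"),
    ("phpmyadmin", "/myadmin/"),
    ("phpmyadmin", "/pma/"),
]

# Constructed sample log: the two lines from the thread plus assumed lines.
SAMPLE_LOG = """\
89.248.171.50 - - [26/Dec/2013:09:51:08 -0500] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 403 243
89.248.171.50 - - [26/Dec/2013:09:51:12 -0500] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 223
89.248.171.50 - - [26/Dec/2013:09:51:13 -0500] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 223
89.248.171.50 - - [26/Dec/2013:09:51:14 -0500] "GET /pma/scripts/setup.php HTTP/1.1" 404 223
89.248.171.50 - - [26/Dec/2013:09:51:15 -0500] "GET /PMA/scripts/setup.php HTTP/1.1" 404 223
192.0.2.10 - - [26/Dec/2013:10:02:01 -0500] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10 - - [26/Dec/2013:10:02:02 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 223
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Parse one common-format log line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def classify(path):
    """Return the scanner tag for a request path, or None if it looks ordinary."""
    p = path.lower()
    for tag, needle in SCANNER_PATHS:
        if needle in p:
            return tag
    return None


def triage(lines, threshold=5, window_seconds=3600):
    """
    Group scanner-tagged requests by source IP and apply the frequency rule from
    the thread: a few hits is 'low', `threshold` or more hits inside
    `window_seconds` is 'investigate'. Returns {ip: summary dict}.
    """
    per_ip = defaultdict(lambda: {"hits": 0, "tags": Counter(), "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tag = classify(rec["path"])
        if tag is None:
            continue
        s = per_ip[rec["ip"]]
        s["hits"] += 1
        s["tags"][tag] += 1
        if s["first"] is None or rec["ts"] < s["first"]:
            s["first"] = rec["ts"]
        if s["last"] is None or rec["ts"] > s["last"]:
            s["last"] = rec["ts"]
    for s in per_ip.values():
        span = (s["last"] - s["first"]).total_seconds()
        s["verdict"] = "investigate" if s["hits"] >= threshold and span <= window_seconds else "low"
    return dict(per_ip)


if __name__ == "__main__":
    for ip, s in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {s['hits']} scanner hits, tags={dict(s['tags'])}, verdict={s['verdict']}")
```

On the sample above the scanner source is flagged `investigate` (five tagged requests in seven seconds) while the client that asked for `/phpmyadmin/` once is left at `low`. In practice the tagged paths and the threshold should be tuned to the site; the point is that the 403/404 responses already show the probes failed, so the decision is about whether the volume justifies a firewall rule or an abuse report, not whether the server was compromised.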
