Jump to content

Inbound connections every 15 mins


Recommended Posts

I'm not sure what is going on but I been getting inbound connection attempts every 15 mins it seems today. It appears to have started in the early hours of the morning.

The computer has been rendering 4k footage all last night and today so it hasn't really been used as it CPU and GPU has been working non-stop.

The attacks started out spread apart and have now gone to about 15 - 20 mins apart. They seem to use different IP's.

Anyone have any info on this ?

Ports are usually in the 50000's range and up. Only a few have been lower numbers. Never the same port number.

File is always C:\Windows\System32\svchost.exe

I attached an image of the ones that been caught by MalwareBytes.Inbound.thumb.jpg.85d336fc1a6c7c779b70144457dd462b.jpg

I do not run any P2P services or torrent services on this system. I really don't know why I am getting these inbound connection attempts. I have only two other systems other then my Desktop on this network that share the same router. A laptop, and a NAS box.  

Link to post
Share on other sites

  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

If you are having technical issues with our Windows product, please do the following:

Malwarebytes Support Tool - Advanced Options

This feature is designed for the following reasons:

  • For use when you are on the forums and need to provide logs for assistance
  • For use when you don't need or want to create a ticket with Malwarebytes
  • For use when you want to perform local troubleshooting on your own

How to use the Advanced Options:

Spoiler
  1. Download Malwarebytes Support Tool
  2. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  3. Place a checkmark next to Accept License Agreement and click Next
  4. Navigate to the Advanced tab
  5. The Advanced menu page contains four categories:
    • Gather Logs: Collects troubleshooting information from the computer. As part of this process, Farbar Recovery Scan Tool (FRST) is run to perform a complete diagnosis. The information is saved to a file on the Desktop named mbst-grab-results.zip and can be added as an email attachment or uploaded to a forum post to assist with troubleshooting the issue at hand.
    • Clean: Performs an automated uninstallation of all Malwarebytes products installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. The Premium license key is backed up and reinstated. All user configurations and other data are removed. This process requires a reboot.
    •  Repair System: Includes various system-related repairs in case a Windows service is not functioning correctly that Malwarebytes for Windows is dependent on. It is not recommended to use any Repair System options unless instructed by a Malwarebytes Support agent.
    • Anonymously help the community by providing usage and threat statistics: Unchecking this option will prevent Malwarebytes Support Tool from sending anonymous telemetry data on usage of the program.
  6. To provide logs for review click the Gather Logs button
  7. Upon completion, click OK
  8. A file named mbst-grab-results.zip will be saved to your Desktop
  9. Please attach the file in your next reply.
  10. To uninstall all Malwarebytes Products, click the Clean button.
  11. Click the Yes button to proceed. 
  12. Save all your work and click OK when you are ready to reboot.
  13. After the reboot, you will have the option to re-install the latest version of Malwarebytes for Windows.
  14. Select Yes to install Malwarebytes.
  15. Malwarebytes for Windows will open once the installation completes successfully.

Screenshots:

Spoiler
 
 
 
 
Spoiler

 

 

01.png

02.png

03.png

04.png

05.png

06.png

 

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/hc/en-us/requests/new to get help

If you need help looking up your license details, please head here: Find my premium license key

 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

Link to post
Share on other sites

  • Staff

Greetings,

That is odd and it is possible the system may be infected based on the fact you aren't using any P2P software.  Just to be safe I'd recommend following the instructions in this topic then creating a new topic in our malware removal area by clicking here and a malware removal specialist will guide you in checking and cleaning the system of any threats.

I hope the system is not infected and that the source of the blocks is innocent, but better safe than sorry so I'd definitely recommend getting it checked to be sure.

Link to post
Share on other sites

Hey, I'm not going reply to every thread, but at least for this behaviour detection add to the list of things to check for users reporting it as there seems to be a surge in this at the present:


Microsoft RDP being exposed to the internet.

For our situation we discovered that someone had opened up port 3389 (though I imagine any port forwarded to 3389 would be just as vulnerable) to the internet.
On inbound connections to that port either malformed packets are allowing alternate port attacks or the RDP engine itself is randomising the ports.

Link to post
Share on other sites

  • Staff

There has been a recent surge in these types of detections/blocks, so they can't all be due to someone deliberately opening a port.  I believe there is a new Trojan, worm, bot, backdoor or similar threat at work here that is as of yet unknown.  I'm hopeful that samples will be captured and analysed for detection soon.

Link to post
Share on other sites

On 5/11/2020 at 10:29 AM, exile360 said:

There has been a recent surge in these types of detections/blocks, so they can't all be due to someone deliberately opening a port.  I believe there is a new Trojan, worm, bot, backdoor or similar threat at work here that is as of yet unknown.  I'm hopeful that samples will be captured and analysed for detection soon.

I am with ya on this front.  I have always seen some attempts to brute force my rdp even though I have a different port that I found isn't even used for most people.  But recently I am getting several attempts a second  and that is unusual though mwb has been great and protecting even in light of this.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.