RTP detection every 4 minutes


Hi,

Malwarebytes is notifying me of a blocked website every 4 minutes. I've read previous posts and my case sounds similar to ones that require Windows Remote Desktop to remain enabled.

File: C:\Windows\System32\svchost.exe

Type: Inbound Connection

Port: Seems random, generally 50000+. Example of the most recent alert is 55894.

 

What I really do not understand is how these requests even make it to my computer. I have a router set up that port-forwards traffic to my computer only if it uses specific ports, none of which are mentioned in these Malwarebytes reports. How can these inbound requests even make it to my computer? All traffic on ports I have not port-forwarded would be terminated at the router level and never make it to my computer, so what could these block notifications be?


Hello

My name is Maurice.  Let me know what name you prefer to go by.

 

The real-time protection of Malwarebytes is keeping the system safe.  It is advising you of that.  

The "potential" threat is Stopped.    The system is being protected.

 

I would recommend that if you have an internet-connection router at home, you look over this article

"How to Enable Your Wireless Router's Built-in Firewall"

https://www.lifewire.com/how-to-enable-your-wireless-routers-built-in-firewall-2487668

.

 

What is the Windows version  & is it a Pro edition ?   Does it have Remote Desktop enabled ?

We have to see the detection logs in order to have full details about these Block event notices.

The web protection / Malwarebytes real-time protection is keeping the pc safe from potential harm.   Whatever "it" was, it is STOPPED.

 

I would appreciate  getting some key details from this machine.
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

Do have patience while the report tool runs.  It may take several minutes.  Just let it run & take its time.  You may want to close your other open windows so that there is a clear field of view.
Download Malwarebytes Support Tool

- Once the file is downloaded, open your Downloads folder/location of the downloaded file
- Double-click mb-support-1.7.0.827.exe to run the report

Once it starts, you will see a first screen with 2 buttons. Click the one on the left marked "I don't have an open support ticket".

- You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
- Place a checkmark next to Accept License Agreement and click Next

Now click the left-hand side pane "I do not have an open support ticket"

- You will be presented with a page stating, "Get Started!"
- Do NOT use the button "Start repair"! Look instead at the far-left options list in black.
- Click the Advanced tab on the left column
- Click the Gather Logs button
- A progress bar will appear and the program will proceed with getting logs from your computer. Please do have patience. It takes several minutes to gather.
- Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK. Then Exit the tool.

Please attach the ZIP file in your next reply.

.

For Your Information:

The Block notices from Malwarebytes web protection do mean that Malwarebytes Premium is keeping your pc safe from potential harm.

A block notice is an advisory of the "block".   The web protection has STOPPED any potential harm.

 

It  indicates that a potential risk was blocked by the malicious website protection. 

The Malwarebytes web protection, by default, will always show each  block occurrence.

The Malwarebytes Web Protection feature will advise customers when a known or suspected malicious IP is attempted to be reached (outgoing) or is trying to access your PC.

 

See our info page https://www.malwarebytes.com/lp/ip-blocking/?ipblock=true

 

Incoming block notices can be ignored; our software is blocking the threat and there is nothing more that can be done.

On Outbound blocks, any attempted connection was stopped.

 

Sincerely,

Maurice


Hi Maurice,

I am using Windows 10 Pro with Remote Desktop enabled.

Here are the results from running the Malware Bytes Support Tool as requested:

mbst-grab-results.zip

 

I read the link you provided about the router firewall and I do have it enabled. The only port inbound traffic is allowed on is 3389 so it still does not make sense to me that my computer is receiving traffic on ports such as 60868.

 


Thank you for the report-file.   If you are not really needing Remote Desktop, then turn that off.

The probers look for systems that may have remote desktop.

But do understand, that any attempts are being Stopped.  That is what a block message means.

.

Looking at the reports, it seems as if at that time there was not an installation in place for Malwarebytes for Windows.

Here is how to go about doing a new install. Start by closing any open work files and saving them as needed. Then close the apps.

 

Please prepare by first closing any open work; saving any work in progress. Close them so you can have better view. 

Ideally, if possible, do a Windows Restart. Then proceed. 

 

The Malwarebytes installer is at this link

- Download and save the setup file. It will automatically download. Just SAVE first.

1. RIGHT-click mb4-setup-consumer-4.1.2.179-1.0.1003-1.0.nnnnn.exe and select "Run as Administrator" to start the Malwarebytes for Windows setup.
2. Follow the installation instructions to complete setup.

 
Watch all of the process. Have lots of patience. 
Let me know how it goes. When setup has completed, my suggestion is always to do a Windows Restart. 
 
Please let me know how this goes. 

 

Once the setup has completed, please do one Scan run with Malwarebytes for Windows.

Sincerely. 


Hi,

I reinstalled Malwarebytes for Windows and ran a scan. Detections say: 0.

 

I understand that the incoming requests are blocked. What I would like clarity on is how these incoming requests are possible given my firewall. As a test, I disabled port-forwarding 3389 to my computer. Malwarebytes reported 0 detections for 24 hours. Once I re-enabled port-forwarding 3389 to my computer, Malwarebytes immediately blocked an inbound connection on port 50459. Is there some explanation for this? Port 50489 cannot reach my computer. Only port 3389 is open. So why does Malwarebytes report the detection as inbound to port 50459?


The attempts on various ports are tried by bots. But they are STOPPED by the Malwarebytes real-time web protection.

Malwarebytes is protecting your system.

See this article  https://support.malwarebytes.com/hc/en-us/articles/360048565893-Receiving-message-Website-blocked-due-to-compromise

 

In most cases the attempted probes will eventually stop on their own. If it continues you can add the IP to the local firewall to prevent it from contacting the computer period.
If you wish to do so, here is one how-to guide for the Windows software firewall
https://www.interserver.net/tips/kb/add-ip-address-windows-firewall/

 

Additionally or alternatively, if this is on Windows 10 PRO  and if you do not need or use Remote Desktop,  you can turn that off.
https://www.tenforums.com/tutorials/92433-enable-disable-remote-desktop-connections-windows-10-pc.html

.

Here is how to block a port number in Windows

https://thegeekpage.com/how-to-block-ports-in-windows-10-firewall/

 

How to Change the port number for RDP

https://tunecomp.net/change-remote-desktop-port-windows-10/

 


Hi,

Thank you for the links. I do need to keep remote desktop enabled. However, I am looking for an explanation of what Malwarebytes is reporting. Remote desktop runs on port 3389, right? And if that is the only port on my computer that is open, why is Malwarebytes reporting that my computer is receiving connections on port 50489?


My concern is that we are fixating on just one port only, and it looks like we are going off side on tangential things.

You seem to be only considering one port, when the "probers" send out probes to all sorts of ports.

Windows has many ports.

Again, Malwarebytes is STOPPING anything when it has Blocked an attempted connection.

Let's keep focus on what is happening at this time... today.

Are there any block events happening right now ?   today ?  within say the past 3 hours or less ?

If yes, did you jot down the IP  addresses   and the ports involved ?

 

If the list of those IP's  is not super large, you can look at listing those IP addresses  to be blocked by the firewall.

You may also consider shutting down your machine altogether for say 3-4 hours so that the probers will just go away.

When your system is shutdown,  no one is able to try any communication & they should then go away.

At least see about fully shutting down your system overnight tonight.

or

Disconnect the WIFI connection to this machine (through Windows Settings) and disconnect any other connection to the internet,

in the hopes that the "probers" will just cease.

If there have been no Block events today then that is great and fine.

What I am getting to is that we can't just go round and round asking about all these types of events. The data logged by Malwarebytes is limited.

.

Perhaps you want to consider running a few scans,  just to allay some concern.

[ 1 ]

Please read all of these lines first so that it is all clear to you about our plan. I need a one time run of MBAR like listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from this link here

and save it to your desktop.

 

Doubleclick on the MBAR file and allow it to run.

• Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.

• mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

• After reading the Introduction, click 'Next' if you agree.

• On the Update Database screen, click on the 'Update' button.

• Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two message boxes:

1. 'Could not load protection driver'. Click 'OK'.
2. 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

• If malware is found, press the Cleanup button when the scan completes.

Please attach the log it produces, you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.
 

[ 2 ]

I would suggest that you do a scan with a scan tool from ESET  to just only scan the C drive.

 

I would suggest a free scan with the ESET Online Scanner
Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Custom scan    ( the choice on far-right side)

We want just the C drive to be scanned.

In the display "Select custom scan targets"  keep the top 3 lines ticked,  plus the one for the C drive   ( which should be your Windows drive)

UN-tick the other drives   ( D, E, F,   etc...)

Then click on the blue button "Save and continue"

 


Leave as is   the radio selection "Disable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.


Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
Click the blue "Save scan log" to save the log. Look for it on the bottom left, in blue.

If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom).
Press Continue when all done. You should click to decline the offer for "periodic scanning".

 

The goal here is to see if there are suspicious or actual threats on the C drive.

 

 


Hi,

I understand Windows has many ports. I am not concerned with an intrusion at this moment because I do trust Malwarebytes is stopping them. I am simply trying to get more understanding of what Malwarebytes is reporting. And yes, I am fixated on one port because that is the only port open on my router firewall and I simply do not understand how Malwarebytes is detecting external traffic to unopen ports.

Some more background:

  1. Router has port 3389 open for RDP
  2. Router forwards 3389 to my computer
  3. Router has NO other ports open, and NO other ports forwarded to my computer
  4. Malwarebytes on my computer reports a blocked incoming connection attempt on port 54613

How is #4 possible with this setup? Shouldn't the incoming connection port be shown as 3389?

As a test:

  1. Disabling port forward 3389 from router to my computer
  2. Malwarebytes reported NO incoming connections on any port for over 24 hours

This test seems to imply that the ONLY way traffic can reach my computer is via port 3389 and by disabling it on the router, no connections on any port were able to reach my computer.

Is there a chance Malwarebytes is reporting the incorrect port on these incoming connections?


No, the reporting by the Malwarebytes real-time protection is not mistaken. The fact it is reporting the probe attempts is pointing to the fact that the hardware is not in fact blocking or has not disabled all the other ports. The other factor is, as restated more than once, that the bots will keep on attempting all sorts of other ports.

 

Did you shutdown your machine overnight like I suggested ?

As to your last test (described above), you may want to do a different adjustment, and that is to change the port number for remote desktop.

How to Change the port number for RDP

https://tunecomp.net/change-remote-desktop-port-windows-10/

 

And let's please not get re-lost when mentioning remote desktop. The fact is that the bad guys are trying to find machines that are capable of RDP in the first place (as a way to try to get into a business network) and then try to flood them with different attempts on different ports.

 

Let's collect a fresh report set to see what the most recent block reports show.

- Open your Downloads folder
- Double-click mb-support-1.7.0.827.exe to run the report

Once it starts, you will see a first screen with 2 buttons. Click the one on the left marked "I don't have an open support ticket".

- You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
- Place a checkmark next to Accept License Agreement and click Next

Now click the left-hand side pane "I do not have an open support ticket"

- You will be presented with a page stating, "Get Started!"
- Do NOT use the button "Start repair"! Look instead at the far-left options list in black.
- Click the Advanced tab on the left column
- Click the Gather Logs button
- A progress bar will appear and the program will proceed with getting logs from your computer. Please do have patience. It takes several minutes to gather.
- Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK. Then Exit the tool.

Please attach the ZIP file in your next reply.

Edited by Maurice Naggar

Staff

Just as a heads up - we are blocking IPs that are known to use brute-force attacks (especially via RDP), but they might also do so via other ports. This is why you see these alerts and we are blocking them.

In the near future, this will be more fine-tuned, where it will focus on RDP ports only and its blocking of suspicious IPs, in order to reduce the noise.

 


Here are the latest logs as requested from "Gather Logs":

mbst-grab-results.zip

I did shutdown my machine overnight.

 

Here's a rough timeline of the past few days:

  1. 8/13/2020: Malwarebytes blocks incoming intrusions on high number ports (50000+)
  2. 8/14/2020: Malwarebytes continues to block incoming intrusions. I disable port forwarding on the router on port 3389.
  3. 8/15/2020: No incoming intrusions detected
  4. 8/16/2020: No incoming intrusions detected. Shutdown computer.
  5. 8/17/2020:
    1. No incoming intrusions detected.
    2. Change RDP port to something other than 3389 (Let's say port 3390 as an example).
    3. Re-enable port forwarding on router on port 3389 to 3390.
    4. Minutes later, Malwarebytes reports blocking incoming intrusion on port 55701.
    5. Change router port forwarding to forward 3390 to 3390.
    6. No incoming intrusions detected for almost an hour.

Based on the above experience the past few days, my hardware (router) is correctly blocking traffic on all ports other than the ones I explicitly port forward. Once I port forward 3389 to any port on my computer, Malwarebytes soon reports blocking intrusion attempts on ports that are not forwarded.

 


Thanks for the Malwarebytes log-reports.

Port number 55701 is not a known port as to what its purpose is.   If you have the means and if you are concerned about it, you can see about disabling it or perhaps setting it to stealth mode.


Here are some things you may want to consider,  just for overall security of your home internet network.
Check with your ISP and also the hardware maker of the router box to ensure it has the latest firmware.
Check to see that the hardware router has your own unique / strong password  ( and not the manufacturer's default one).
Look on your router box.  You should see some sort of label identifying the maker and model number.
If you do not see it, check with your ISP.


This pc is running Malwarebytes for Windows in trial mode.  The trial period will end on or about 27th / 28th of August, after which, unless it has a Premium license, the real-time protections will end.


The version of Windows 10 currently on this pc is Version 1903.   You should see about getting a Microsoft Windows Update to Version 2004.

Version 1903 is from the spring of 2019  and will hit end of support on December 8, 2020.
.
There was only 1 block event on the 17th, and that was an IP block on IP 92.63.194.47, which is from the Russian Federation.

It looks like this pc has OpenVPN
I'd recommend you check with your IT Support about tightening up security & seeing about blocking that IP.

If you work for a company or organization, I would definitely recommend you check with your IT Support.

 


Yeah, there was only one block before I changed the port forwarding rule on my router to forward a different port (not 55701).

My router is for sure not using the default credentials and is on a relatively recent version of DD-WRT. I trust that the firewall is set correctly based on the experience as explained above. The only port available to my computer is what my router port-forwards to my computer, and that is a single port and not 55701.

I do have OpenVPN but I do not connect to it often and haven't during this period.

I am indeed on the trial version, and was investigating to see whether Malwarebytes is something I should purchase. In order for me to be comfortable with that, I need to understand what it's doing and what's being reported. I still do not understand what Malwarebytes is reporting based on my experience above. The ports being reported as blocked incoming connections do not make sense to me because those cannot get past the router because they are not port forwarded. They are neither the source port nor the target port on the port forward rule.

I believe it has to do something with this: https://support.microsoft.com/en-us/help/929851/the-default-dynamic-port-range-for-tcp-ip-has-changed-in-windows-vista

I do not understand it fully but while RDP may serve on port 3389, internally, Windows may allocate and use ports from the dynamic port range (hence all the high number ports I keep seeing) and doing some magic behind the scenes to serve an incoming connection on that port instead. If that is the case, I think it's a bit misleading that the reports show the port from the dynamic port range instead of the true service port since that is much more meaningful from a diagnostic perspective. The port from the dynamic range is near meaningless, but if it showed 3389 instead, that's much more useful to act on.

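The router forward rules from the timeline above and the dynamic port range article the poster cites, modelled as an added example (not from the thread and not Malwarebytes' code): a connection 4-tuple is passed through a DNAT-style port-forward rule, and a helper labels which end of the forwarded connection a given port number belongs to. The IP addresses are constructed documentation addresses; the rule and port numbers are the ones mentioned in the thread.

```python
"""Port-forwarding model for the rules described in this thread.

Added example, not part of the thread or of Malwarebytes' software.
A TCP connection is identified by (src_ip, src_port, dst_ip, dst_port).
A DNAT-style port-forward rule, as on a DD-WRT router, rewrites only the
destination address and port; the remote client's source port is left
as-is. Per the Microsoft article the poster links, Windows draws client
source ports from the dynamic range 49152-65535 by default.
Addresses below are constructed (RFC 5737 documentation ranges); the
rule and port numbers come from the thread.
"""
from dataclasses import dataclass, replace
from typing import Optional

DYNAMIC_RANGE = range(49152, 65536)  # default dynamic port range, Windows Vista and later


@dataclass(frozen=True)
class Conn:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class ForwardRule:
    wan_port: int  # port opened on the router's internet side
    lan_ip: str    # computer the traffic is forwarded to
    lan_port: int  # port on that computer


def forward(conn: Conn, rules: list, wan_ip: str) -> Optional[Conn]:
    """Apply the first matching forward rule; None means the router drops the packet."""
    if conn.dst_ip != wan_ip:
        return None
    for rule in rules:
        if conn.dst_port == rule.wan_port:
            return replace(conn, dst_ip=rule.lan_ip, dst_port=rule.lan_port)
    return None  # no rule opens this port, so nothing reaches the LAN host


def classify_port(conn: Conn, port: int) -> str:
    """Say which end of a forwarded connection a logged port number belongs to."""
    if port == conn.dst_port:
        return "local service port"
    if port == conn.src_port:
        tag = " in dynamic range" if port in DYNAMIC_RANGE else ""
        return "remote client source port" + tag
    return "neither end"


# Constructed scenario: the router forwards WAN 3389 to RDP on the LAN host.
WAN_IP, LAN_IP, PROBER_IP = "203.0.113.5", "192.168.1.10", "198.51.100.7"
RDP_ONLY = [ForwardRule(3389, LAN_IP, 3389)]


def probe_to_rdp() -> Optional[Conn]:
    """A probe aimed at 3389 whose client-side port is 55701 (a number from the thread)."""
    return forward(Conn(PROBER_IP, 55701, WAN_IP, 3389), RDP_ONLY, WAN_IP)


def probe_to_random_high_port() -> Optional[Conn]:
    """A probe aimed directly at 50459 matches no rule and never reaches the host."""
    return forward(Conn(PROBER_IP, 51234, WAN_IP, 50459), RDP_ONLY, WAN_IP)


def probe_after_remap() -> Optional[Conn]:
    """The timeline's 3389 -> 3390 rule: only the destination port changes."""
    return forward(Conn(PROBER_IP, 55701, WAN_IP, 3389), [ForwardRule(3389, LAN_IP, 3390)], WAN_IP)


if __name__ == "__main__":
    c = probe_to_rdp()
    print(c, classify_port(c, 55701), classify_port(c, 3389))
    print(probe_to_random_high_port())
    print(probe_after_remap())
```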

The block events by the real-time web protection are all about blocked IP addresses. That is the key factor to always keep in mind.

The IPs are ones that the web protection team has determined are those of threats out on the web.

The block events are regardless of the port communication attempted by the probers.

There is no on-board malware on your machine.   The attempted probes were stopped by the program.

Beyond the advice already mentioned,  there is not much more that can be done.

I do wish you all the best.

You may delete any tools I had you download.


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 


This topic is now closed to further replies.