Incoming tcp to port 5000 various source ip addresses My firewall states these are backdoor setups
#1
Posted 10 August 2010 - 07:50 PM
Recently I've been receiving a few tcp packets while using my computer along with many udp packets. I've come to a conclusion that the udp packets are merely from Microsoft when I use Windows Live Messenger, by checking up the ip addresses and by checking when the udp packets appear as blocked. Tcp, on the other hand, is confusing me to a tooth-grinding degree.
MAIN INFORMATION
Here are two of the ip addresses I've been receiving tcp packets from (both are now blocked with my router) 38.99.76.159 and 173.194.10.220
They've both been sending a handful of tcp packets from port 80 to port 5000, and my firewall is telling me they are some type of trojan such as bubbel, backdoor setup, or sockets de troie V1.
I recently removed a backdoor trojan infection which would cause my computer to run extremely slowly, opened 4 pages of a website (something like infomoneyservice.com) upon opening firefox and crash while using any internet browser.
I have tried to change my ip address but the problem proceeds.
The thing is these IP addresses seem to be from legit companies according to these web pages
https://dns.l4x.org/38.99.76.159 apparently from PSInet's ip address
https://dns.l4x.org/173.194.10.220 apparently from google's ip address
Here is a log of the blocked tcp and udp packets recorded by my rogers online protection. X's will hide most of my ip address.
Protocol Direction Source IP S. Port Destination IP D. Port Date/Time
udp Incoming 207.46.125.253 7001 192.XXX.X.XXX 1440 8/10/2010 7:28:05 PM
udp Incoming 207.46.125.253 7001 192.XXX.X.XXX 1440 8/10/2010 7:28:01 PM
udp Incoming 207.46.125.253 7001 192.XXX.X.XXX 1440 8/10/2010 7:28:00 PM
udp Incoming 207.46.125.253 7001 192.XXX.X.XXX 1440 8/10/2010 7:27:59 PM
udp Incoming 207.46.125.253 7001 192.XXX.X.XXX 1440 8/10/2010 7:27:59 PM
udp Incoming 207.46.125.253 7001 192.XXX.X.XXX 1440 8/10/2010 7:27:58 PM
udp Incoming 207.46.125.253 7001 192.XXX.X.XXX 1435 8/10/2010 7:27:52 PM
udp Incoming 207.46.125.253 7001 192.XXX.X.XXX 1435 8/10/2010 7:27:49 PM
udp Incoming 207.46.125.253 7001 192.XXX.X.XXX 1435 8/10/2010 7:27:47 PM
udp Incoming 207.46.125.253 7001 192.XXX.X.XXX 1435 8/10/2010 7:27:46 PM
udp Incoming 207.46.125.253 7001 192.XXX.X.XXX 1435 8/10/2010 7:27:46 PM
udp Incoming 207.46.125.253 7001 192.XXX.X.XXX 1435 8/10/2010 7:27:46 PM
udp Incoming 207.46.125.253 7001 192.XXX.X.XXX 1422 8/10/2010 7:27:39 PM
udp Incoming 207.46.125.253 7001 192.XXX.X.XXX 1422 8/10/2010 7:27:36 PM
udp Incoming 207.46.125.253 7001 192.XXX.X.XXX 1422 8/10/2010 7:27:35 PM
udp Incoming 207.46.125.253 7001 192.XXX.X.XXX 1422 8/10/2010 7:27:34 PM
udp Incoming 207.46.125.253 7001 192.XXX.X.XXX 1422 8/10/2010 7:27:33 PM
udp Incoming 207.46.125.253 7001 192.XXX.X.XXX 1422 8/10/2010 7:27:32 PM (logged into live messenger again)
tcp Incoming 38.99.76.159 80 192.XXX.X.XXX 5000 8/10/2010 7:04:30 PM (MAIN PROBLEM)
tcp Incoming 38.99.76.159 80 192.XXX.X.XXX 5000 8/10/2010 7:04:30 PM (MAIN PROBLEM)
tcp Incoming 38.99.76.159 80 192.XXX.X.XXX 5000 8/10/2010 7:04:24 PM (MAIN PROBLEM)
tcp Incoming 38.99.76.159 80 192.XXX.X.XXX 5000 8/10/2010 7:04:24 PM (MAIN PROBLEM)
tcp Incoming 38.99.76.159 80 192.XXX.X.XXX 5000 8/10/2010 7:04:21 PM (MAIN PROBLEM)
udp Incoming 65.54.189.253 7001 192.XXX.X.XXX 4458 8/10/2010 6:52:47 PM
udp Incoming 65.54.189.253 7001 192.XXX.X.XXX 4458 8/10/2010 6:52:44 PM
udp Incoming 65.54.189.253 7001 192.XXX.X.XXX 4458 8/10/2010 6:52:42 PM
udp Incoming 65.54.189.253 7001 192.XXX.X.XXX 4458 8/10/2010 6:52:41 PM
udp Incoming 65.54.189.253 7001 192.XXX.X.XXX 4458 8/10/2010 6:52:41 PM
udp Incoming 65.54.189.253 7001 192.XXX.X.XXX 4458 8/10/2010 6:52:41 PM
udp Incoming 65.54.189.253 7001 192.XXX.X.XXX 4455 8/10/2010 6:52:34 PM
udp Incoming 65.54.189.253 7001 192.XXX.X.XXX 4455 8/10/2010 6:52:31 PM
udp Incoming 65.54.189.253 7001 192.XXX.X.XXX 4455 8/10/2010 6:52:30 PM
udp Incoming 65.54.189.253 7001 192.XXX.X.XXX 4455 8/10/2010 6:52:29 PM
udp Incoming 65.54.189.253 7001 192.XXX.X.XXX 4455 8/10/2010 6:52:28 PM
udp Incoming 65.54.189.253 7001 192.XXX.X.XXX 4455 8/10/2010 6:52:28 PM
udp Incoming 65.54.189.253 7001 192.XXX.X.XXX 4421 8/10/2010 6:52:22 PM
udp Incoming 65.54.189.253 7001 192.XXX.X.XXX 4421 8/10/2010 6:52:18 PM
udp Incoming 65.54.189.253 7001 192.XXX.X.XXX 4421 8/10/2010 6:52:17 PM
udp Incoming 65.54.189.253 7001 192.XXX.X.XXX 4421 8/10/2010 6:52:16 PM
udp Incoming 65.54.189.253 7001 192.XXX.X.XXX 4421 8/10/2010 6:52:16 PM
udp Incoming 65.54.189.253 7001 192.XXX.X.XXX 4421 8/10/2010 6:52:15 PM (Just logged into live messenger)
The two previously stated ip addresses are now blocked with my router but I'm sure I haven't blocked one of the few tcp sending addresses yet. Is this truly a problem or is there no reason to be concerned?
#2
Posted 12 August 2010 - 10:41 PM
#3
Posted 13 August 2010 - 11:22 PM
Without having a clearer picture of what the computer was doing at the time of capture (everything you listed is incoming, nothing outgoing so part of the picture is obscured here), it is difficult to tell what those might be. The random (list-like) series of ports being targeted do look like port scans for specific vulnerabilities or exploitable software. As long as your firewall is blocking and logging, there really isn't that much to worry about.
As for these:
Quote
tcp Incoming 38.99.76.159 80 192.XXX.X.XXX 5000 8/10/2010 7:04:30 PM (MAIN PROBLEM)
tcp Incoming 38.99.76.159 80 192.XXX.X.XXX 5000 8/10/2010 7:04:24 PM (MAIN PROBLEM)
tcp Incoming 38.99.76.159 80 192.XXX.X.XXX 5000 8/10/2010 7:04:24 PM (MAIN PROBLEM)
tcp Incoming 38.99.76.159 80 192.XXX.X.XXX 5000 8/10/2010 7:04:21 PM (MAIN PROBLEM)
The IP is from imageshack's web server. The destination port (your end) is 5000, which can be used by uPnP (universal Plug-and-Play - http://en.wikipedia.org/wiki/Universal_Plug_and_Play ), or certain VPN (Virtual Private Network) software. If you have either of those enabled, they may be legitimate. Chances are though, that it is just background noise and that your firewall is just doing its thing. A couple of questions to consider based on this information:
- Are you on a wireless-enabled (Wi-Fi) network?
- Do you have any remote access software installed?
- Is this machine the only one on your network?
- Is the edited LAN IP in the log, actually the machine's IP?
'The avatar is changed; I can feel it in the water, I can feel it in the earth, I can smell it in the air.'
Phear teh ceiling cat, for he is roofkittehd! - Basement Cat
I'm a Bleeping Folder, are you? - Join BC in the fight against diseases - Click here
Become a BleepingComputer fan: Facebook
#4
Posted 14 August 2010 - 01:14 PM
I do have a Wi-Fi network
I have never installed any remote access software
I have one desktop computer (the one with the problem), 1 laptop computer, 2 Nintendo DS systems, 1 Nintendo Wii system, and 1 iPod touch connected on my network.
According to http://www.whatismyip.com/ it actually isn't my ip address
the one in the above log is 192.168.X.XXX
and the one shown on whatismyip is 99.227.XXX.XXX
EDIT: oh yes and I do have uPnP enabled
This post has been edited by ArtistInNeed: 14 August 2010 - 01:32 PM
#5
Posted 14 August 2010 - 02:36 PM
Quote
and the one shown on whatismyip is 99.227.XXX.XXX
192.168.* addresses are always local. For instance my computer's IP is 192.168.1.65. Anyone outside my network (in other words, anybody NOT connected to MY router) cannot access my machine with that address. This is used for internal routing. Your actual IP is the 99.227.xxx.xxx one. That is what external servers and computers use to communicate with your router. The router then forwards according to the contents of the data packets (it's a little complex, but reading up on the OSI model is a good place to start to understand networking) the information to the correct device, using the appropriate internal (192.168.*) address.
You said you had multiple internet enabled devices on your network:
Quote
If they all connect to the internet through your router, they are also assigned their own local IPs (192.168.* - or LAN IP). What I meant to say was, does the IP you see in the log actually match the machine with the problem? Also, are any of the other machines active ON the network when those logs were captured?
Like I said though, unless you see actual signs of infection (pop ups, bandwidth usage spiking for no reason, processes crashing frequently, etc.) you shouldn't worry too much about the background noise provided by those logs. As long as this is blocked stuff, it's not an issue since it never gets past the router/firewall.
Does that help a bit?
Edited typo.
This post has been edited by Galadriel: 14 August 2010 - 02:37 PM
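As an added illustration of the points made in post #3 and post #5 (the local 192.168.* side of each row is the private LAN address, port 5000 on that side is the one worth watching, and repeated blocked hits from the same source are easier to judge once counted), here is a small parser for the Rogers Online Protection block-log format quoted above. This is example code written for this thread, not a Rogers tool or anything the posters ran; the sample rows are constructed from the thread, with one row un-masked to 192.168.1.65 (the example LAN address from post #5) so the private-address check has something real to classify.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# One row of the block log as pasted in the thread. The destination IP may be
# masked (192.XXX.X.XXX), so it is captured as a free token, not validated here.
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<direction>Incoming|Outgoing)\s+"
    r"(?P<src_ip>\S+)\s+(?P<src_port>\d+)\s+"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\d+)\s+"
    r"(?P<stamp>\d{1,2}/\d{1,2}/\d{4}\s+\d{1,2}:\d{2}:\d{2}\s+[AP]M)"
    r"(?:\s+\((?P<note>[^)]*)\))?\s*$",
    re.IGNORECASE,
)

# Constructed sample: rows from posts #1 and #7, two of them with the LAN
# address un-masked so the scope check can classify it.
SAMPLE_LOG = """\
Protocol Direction Source IP S. Port Destination IP D. Port Date/Time
udp Incoming 207.46.125.253 7001 192.168.1.65 1440 8/10/2010 7:28:05 PM
udp Incoming 207.46.125.253 7001 192.168.1.65 1440 8/10/2010 7:28:01 PM
tcp Incoming 38.99.76.159 80 192.XXX.X.XXX 5000 8/10/2010 7:04:30 PM (MAIN PROBLEM)
tcp Incoming 38.99.76.159 80 192.XXX.X.XXX 5000 8/10/2010 7:04:24 PM (MAIN PROBLEM)
tcp Incoming 65.203.229.42 80 192.168.1.65 5000 8/14/2010 8:39:53 PM
"""


def address_scope(ip_text):
    """'private' for RFC 1918 and other non-routable addresses (192.168.* etc.),
    'public' for globally routable ones, None when the field is masked."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    return "private" if addr.is_private else "public"


def parse_log(text):
    """Parse the pasted log into dicts; the header and unrecognised lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        d = m.groupdict()
        entries.append({
            "proto": d["proto"].lower(),
            "direction": d["direction"],
            "src_ip": d["src_ip"],
            "src_port": int(d["src_port"]),
            "dst_ip": d["dst_ip"],
            "dst_port": int(d["dst_port"]),
            "when": datetime.strptime(d["stamp"], "%m/%d/%Y %I:%M:%S %p"),
            "note": d["note"] or "",
            "dst_scope": address_scope(d["dst_ip"]),
        })
    return entries


def summarize(entries):
    """Count blocked hits per (proto, source IP, source port, local port)."""
    return Counter((e["proto"], e["src_ip"], e["src_port"], e["dst_port"]) for e in entries)


def port_hits(entries, watch_ports):
    """Incoming rows aimed at one of the watched local ports (5000 in the thread)."""
    return [e for e in entries if e["direction"] == "Incoming" and e["dst_port"] in watch_ports]


def report(text, watch_ports=frozenset({5000})):
    """Human-readable summary: busiest source/port pairs first, then watched-port rows."""
    entries = parse_log(text)
    lines = []
    for key, n in sorted(summarize(entries).items(), key=lambda kv: -kv[1]):
        proto, src_ip, src_port, dst_port = key
        lines.append(f"{n:3d}x {proto} {src_ip}:{src_port} -> local:{dst_port}")
    for e in port_hits(entries, watch_ports):
        scope = e["dst_scope"] or "masked"
        lines.append(
            f"watch: {e['when']:%Y-%m-%d %H:%M:%S} {e['src_ip']}:{e['src_port']} "
            f"-> {e['dst_ip']}:{e['dst_port']} ({scope} destination) {e['note']}".rstrip()
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Reading the output the way post #5 suggests: a "private destination" tag confirms the row is the router-side LAN address of one machine, so the next question is whether that address belongs to the problem desktop or to another device on the Wi-Fi; the counts show how many times each remote source hit the same local port, which is the difference between a couple of stray blocked packets and a sustained pattern worth following up.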
#6
Posted 14 August 2010 - 03:29 PM
I feel relieved that it won't be getting past my firewalls (router and Rogers firewall). I only have one more question: what will it mean if the tcp packet is captured when a different device is connecting to my router?
I really appreciate the help Galadriel
#7
Posted 14 August 2010 - 11:47 PM
Protocol Direction Source IP S. Port Destination IP D. Port Date/Time
tcp Incoming 65.203.229.42 80 192.XXX.X.XXX 5000 8/14/2010 8:39:53 PM
tcp Incoming 65.203.229.42 80 192.XXX.X.XXX 5000 8/14/2010 8:39:46 PM
tcp Incoming 65.203.229.42 80 192.XXX.X.XXX 5000 8/14/2010 8:39:43 PM
I'm 90% sure nothing was connecting to the router at the time this came; the only internet-accessible thing even turned on (aside from the desktop with the problem) was my mom's iPod touch, if that counts towards anything.
wowowow, I was rummaging around some logs and found this...
20:58:49 preventing C:\Program Files\Rogers Online Protection\Rogers Online Protection\rps.exe to access 65.54.81.91 port 80 (N/A) over tcp
20:58:49 preventing C:\Program Files\Rogers Online Protection\Rogers Online Protection\rps.exe to access 65.54.81.89 port 80 (N/A) over tcp
20:58:50 preventing C:\Program Files\Rogers Online Protection\Rogers Online Protection\rps.exe to access 199.7.51.190 port 80 (N/A) over tcp
The strange thing is that Rogers Online Protection is the program that blocked and logged it!!
This post has been edited by ArtistInNeed: 14 August 2010 - 11:51 PM