Attempted connection to FTP server(?) from here


5 replies to this topic

#1 tos226

Posted 10 July 2012 - 10:51 PM

About 10:30pm tonight I was reading a few forum posts, some in the AV section, some in tablets, maybe also XP. An hour later I looked in my firewall log and noticed that Opera (my browser) was blocked from going outbound to BSkyB over in the UK (2.127.74.112:21) by TCP from my computer ports 3444 and then 3446. Now I didn't do any FTP requests here or in the past 10 years. I confirmed that I was here at that time by looking in the router log.

Any idea what would cause it?

Edit: I'm not at this point 100% sure I was here. The router log rolled over, and a few things don't match the timing. So if this is a false alarm, I apologize.

Edited by tos226, 10 July 2012 - 11:29 PM.


#2 myrti

Posted 11 July 2012 - 06:02 AM

Hi,

It could be something as basic as someone having a picture hot-linked in a post (or in a signature, accounting for the repeating connections), that Opera tried to fetch.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

#3 Grinler

Posted 11 July 2012 - 08:34 AM

Or you could have downloaded a file that was stored on an FTP server.

#4 tos226

Posted 11 July 2012 - 08:24 PM

@myrti,
Could be a hot link. But then you'd think I would have seen an alert in the fw over the years :)
After editing my post, I remembered I can see some rolled over entries in the router. So I got a screen shot.
Yes it does appear that the attempt was made while I was here or soon after.

There's an entry for a photobucket avatar picture in thread 456393 which is copied into a post. And an entry for bleepstatic.com.
http://img823.imageshack.us/img823/8319/blockedoutbound.jpg
Not sure it tells much. We also have a gap of a few minutes in the log and I have no clue what was going on then when Opera wanted out.

I also remember that a few minutes AFTER posting, I could not get in here to edit; bleepingcomputer was temporarily unavailable. But it got opened up later. That's irrelevant actually, being 1/2hr or more later.

@Grinler, thanks for joining :)
As far as I know, I did not download anything from any FTP site in ages.

I ran HJT - it is clean or no different from a while back. I ran a full scan by Avast - clean. I ran a full scan by MalwareBytes - clean.
I think I have 2 options:
1. not going to lose any sleep over it, other than I can't stand it when I can't solve/learn something that I haven't seen before :(
2. trouble your overbusy malware removal forum section to see what I have that tried this connection and, hurray!, got defeated.

Edited by tos226, 11 July 2012 - 08:39 PM.


#5 Chris Appleyard

Posted 12 July 2012 - 12:49 PM

Hello,
Yeah, that is my FTP server. I use it for many images for forums etc. I like to make my own decisions on when downtime is and how much money I spend.. I hate Cloud services, so I am sorry for the inconvenience it may have caused. My IP isn't the most popular, so yes, your AV will pop up and say this may be an intruder etc.. but forget about that, because I don't transfer viruses across the Internet because well.. haha I don't know how to make them even though I am learning C#.
My server down times are in GMT 1am-9am (I use my FTP server for my signature picture)
Thanks a lot
Chris Appleyard

"Education is the most powerful weapon which you can use to change the world"
-Nelson Mandela

 

 

Windows 7 Home Premium | AMD Athlon II 250 Dual Core CPU | 4.0 RAM Kingston | Nvidia GT 520 | Elite Group MCP61M-M3 Motherboard | COMODO Firewall | Avast! Free | Google Chrome.


#6 tos226

Posted 12 July 2012 - 09:58 PM

Wow. Brilliant.
Thank you :thumbsup:
I'm so glad you stumbled on this thread and offered me a great explanation.
Indeed, on that day I did read this post of yours in iPad&tablets
http://www.bleepingcomputer.com/forums/topic459374.html
and just repeated reading it. The log shows the same events.

FYI - It wasn't the AV that popped up. It was the firewall. AV (avast) never had a chance to see anything in or out. My rule blocked outbound silently beforehand, but as I wrote before, I was worried about the possibility of some trojan, since in 5 or more years riding on the same rules, I've never seen the FTP port in alerts or blocks.


Cloud is poison, IMO. Can't learn how to write viruses? Gee, I believe if you google, you can join some groups they'll even send you code :hysterical:
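
The explanation the thread settles on, a signature image hot-linked from an FTP server that the browser fetches just by rendering the page, can be checked against a saved copy of the page. The Python sketch below is an added example, not part of any post; the sample HTML, its documentation-range addresses and the `explain_block` helper are constructed for illustration.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs a browser fetches on page load, without a click.
AUTO_FETCH = {("img", "src"), ("script", "src"), ("iframe", "src"),
              ("embed", "src"), ("source", "src"), ("link", "href")}
DEFAULT_PORT = {"http": 80, "https": 443, "ftp": 21}

# Constructed sample: two posts by one member whose signature image is
# hot-linked from an FTP server (addresses are documentation ranges).
SAMPLE_PAGE = """
<div class="post"><a href="ftp://198.51.100.9/file.zip">clicked, not auto-fetched</a>
<div class="sig"><img src="ftp://203.0.113.7/sig/banner.png"></div></div>
<div class="post"><img src="https://img.example.com/avatar.png">
<div class="sig"><img src="ftp://203.0.113.7/sig/banner.png"></div></div>
"""


class AutoFetchCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (tag, name) in AUTO_FETCH:
                self.urls.append(value.strip())


def explain_block(html, dst_ip, dst_port, resolved=None):
    """Count auto-fetched URLs that open dst_ip:dst_port; resolved maps hostname -> IPs."""
    resolved = resolved or {}
    collector = AutoFetchCollector()
    collector.feed(html)
    hits = Counter()
    for url in collector.urls:
        parts = urlsplit(url)
        scheme, host = parts.scheme.lower(), parts.hostname
        if scheme not in DEFAULT_PORT or not host:
            continue  # relative, protocol-relative, data: and similar
        try:
            port = parts.port or DEFAULT_PORT[scheme]
        except ValueError:
            continue  # malformed port in the URL
        if port == dst_port and dst_ip in {host, *resolved.get(host, ())}:
            hits[url] += 1
    return dict(hits)
```

Here the signature URL is counted twice because it appears in two posts, while the clicked `ftp://` link is not reported because nothing requests it on page load.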