Body4u.diy.myrice.com


  • This topic is locked
21 replies to this topic

#1 CptCranky

CptCranky

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:32 AM

Posted 12 May 2014 - 10:57 PM

Hello,

 

I'm new to these forums.  I'm not sure if I'm posting in the correct forum or not, but here goes. I'm running Windows 7 x64.  My firewall is blocking body4u.diy.myrice.com from my source pc IP address on UDP port 137 and 138 - to - a xxx.xxx.xxx.255:137/138 udp port on my same network.  I ran the typical combofix, adware, Malwarebytes, root kit scans known to man, and can't find anything on my computers.   I still get, for example, body4u.diy.myrice.com from 192.168.1.xxx:137 to 192.168.1.255:137.  This makes no sense to me.  It's intermittently being blocked, so it's not constant.  I did a Google search on the web and found nothing explaining what is really happening.  Has anyone seen this before, thoughts?


Edited by hamluis, 13 May 2014 - 06:31 AM.
Moved from Gen Security to Am I Infected - Hamluis.




#2 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,233 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:11:32 PM

Posted 13 May 2014 - 12:08 AM

UNSAFE PAGE

 

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny

 

DO NOT OPEN LINK IN ORIGINAL POST!


Edited by TsVk!, 13 May 2014 - 12:44 AM.


#3 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,233 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:11:32 PM

Posted 13 May 2014 - 03:27 PM

You can remove the rule below from your firewall rules. It is also part of NoScript in Firefox which protects you from cross scripting browser attempts.

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny

This will weaken your local security and leave you vulnerable to some XSS attacks.

 

(It's possible the site has become victim to attack itself, which is why the sudden change)


Edited by TsVk!, 13 May 2014 - 03:29 PM.


#4 CptCranky

CptCranky
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:32 AM

Posted 14 May 2014 - 06:43 PM

Thanks everyone for the response.  I'm not sure if I want to open myself up to XSS attacks at this point.  I'm still monitoring all systems.  There was really not a lot of info on this issue when I googled it.  I ran scans on all of my systems and still can't find something.  I would rather find the cause vs. messing with my firewall at this point.  Earlier, someone from Germany mentioned they witnessed this as well.  I'm in AZ, not sure if location matters at this point as it seems that it crosses borders.  Thanks again for the input.


Edited by CptCranky, 14 May 2014 - 06:44 PM.


#5 elearnorscake

elearnorscake

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:32 PM

Posted 16 May 2014 - 09:34 AM

Does anybody know anything more about this?

 

I logged onto my PC yesterday, and noticed some very strange activity in Peerblock.

 

Peerblock was blocking connection attempts from body4u.diy.myrice.com, and then started blocking countless connections from ranges such as US Gov't Blacklist (several a second, for about two hours), BBC, Guardian News, Vietnam Internet Network, among others. I couldn't browse at all with peerblock on, but could when I disabled it (not sure why I decided it was a good idea to disable it, but I couldn't understand what was happening) Has my connection been hijacked? What can I do?

 

I've done the usual malware, rootkit scans but haven't found anything.

 

It's calmed down now (I can browse normally with peerblock enabled), but it's still periodically blocking body4u.diy.myrice.com.



#6 BLACKB0X

BLACKB0X

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:32 AM

Posted 16 May 2014 - 12:23 PM

Quote elearnorscake

"Does anybody know anything more about this?

I logged onto my PC yesterday, and noticed some very strange activity in Peerblock.

Peerblock was blocking connection attempts from body4u.diy.myrice.com, and then started blocking countless connections from ranges such as US Gov't Blacklist (several a second, for about two hours), BBC, Guardian News, Vietnam Internet Network, among others. I couldn't browse at all with peerblock on, but could when I disabled it (not sure why I decided it was a good idea to disable it, but I couldn't understand what was happening) Has my connection been hijacked? What can I do?

I've done the usual malware, rootkit scans but haven't found anything.

It's calmed down now (I can browse normally with peerblock enabled), but it's still periodically blocking body4u.diy.myrice.com."

No one really knows yet. I've tried doing more and more research on the connection. I found it in a program I was using called Plex. Every time I turned on the home media server BOOM tons of UDP protocols flying across my screen.

 

I would just double check any new software you have installed. I also did notice that SearchProtect slipped in under my C:\Program Data so double check that as well. The only way I got it to stop was just removing plex media server.



#7 CptCranky

CptCranky
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:32 AM

Posted 17 May 2014 - 01:17 AM

Thanks again everyone for your input.  I'm still puzzled.  I saw that a couple of you use Peerblock. So I downloaded and subscribed.  I found that the list that was blocking it was from I-block list called for Pornography.  I installed Peerblock on all my systems.  I found that everyone of them was "blocking" body4u.diy.myrice.com.  Background: I'm an IT Specialist that is good at a lot of stuff, but master of none.

 

WARNING: Do NOT go to any of links or addresses posted in this message.  I probably shouldn't state the addresses, but I don't know how to get my point across without doing so.

 

I noticed in Peerblock that body4u.diy.myrice.com would do a series of 5 - 10 entries, followed by asnbm.myftpsite.net.  Google searches for asnbm.x.x produce fewer results than for the original problem.  I'm still at a loss.

 

My Environment:

 

ESXi 5

VMs:  2 Domain controllers and a File server.  All 3 are running Windows Server 2012.

This is a test environment so that I can learn my trade.

 

2 Desktops 1 Laptop:  All running Windows 7 x64 Pro

 

1 Linux Web server with Wordpress installed

 

When I first encountered this, I shut down my web server.  The symptoms persisted.

 

I installed Peerblock on every system, and found that body4u.diy.myrice.com was being blocked on each system/vm.  The blocking occurred at random times, it kind of seemed like a round robin kind of issue.

 

I downed my DC's and File server.  The issue persisted.  I downed the ESX server, and still had issues.  I downed each PC and the issue persisted.  My DHCP server is set for only 10 addresses between xxx.xxx.xxx.100 to xxx.xxx.xxx.110.  Why does it say it's using x.x.x.255?  I have no idea. I shut down my network, and all traffic from the offending site stopped.  This tells me it's definitely driven externally.  I shut down all devices.  I kept my ESX vm environment down.  I powered each pc up by itself, and peerblock still blocked the offending site.

 

I've run Malwarebytes plus its root kit scanner, Hitman, Combofix, AdwCleaner, TDSSKiller, and RKill.  None of them found anything.  Is there another tool I should use?

 

There seems to be a  little more hits on this issue when doing a Google search lately.  They seem to lead towards a search engine, browser redirect, or malware issue.  However, none of the "fixes" resolved the problem.  There were several fixes that included the registry, but I saw none of the registry entries that applied to this issue.

 

Some of the symptoms found on searches are:  Browser redirects, pop up ads, slows down internet, and overall makes your system sluggish.  None of these seem to be affecting my systems.  Possibly could be because of my protection?  I don't know, that's what scares me.  It's what's going on in the background that has me worried.

 

I'm perplexed, and well, rather pissed.  I've never seen this before.  My instinct is to format and reload all of my systems.  But if all of my systems are infected with this BS, how would I know that if I recover from backup I wouldn't just get infected again?

 

Other sites have mentioned uninstalling recent software.  The only thing recent I downloaded was OCCT.  This is a hardware monitoring package that helps with system stability issues when overclocking.  I uninstalled it, and ran full malware/virus checks again.  I haven't installed anything else prior to this issue.

 

I apologize that this post is so long, but these are my steps and thought processes.  If someone knows of, or has a better idea of what I should do, PLEASE help me.  I'm humble, and can take constructive criticism well.  I just want to get to the bottom of this.



#8 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,233 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:11:32 PM

Posted 17 May 2014 - 04:20 AM

It seems to me that your logic and processing is very thorough, and the problem is the site or its server rather than on your end.



#9 Naurhir

Naurhir

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:06:32 AM

Posted 17 May 2014 - 10:47 PM

Also new here.  I tried the same steps with no luck either.  This is on my personal HTPC at home.  I ended up opting to disable Netbios, and set up a firewall rule on router / software firewall to block UDP ports 137:139.  This may be a bit overkill, but I don't have any need for Netbios in my home network, and will just wait for definition updates for Malwarebytes / my antivirus software.

 

An interesting note, my Comodo Dragon installation won't connect to any Google based service (tried turning off predict / secure dns settings, tried incognito without any extensions etc.).  This was happening before I eradicated Netbios, and is actually how I ended up locating this body4u thing.

 

My Chrome install is working just fine for now.

 

Edit: also doubt it is relevant, but I am also in AZ, using Cox as an ISP.  Only adding this since the OP stated they are in AZ.


Edited by Naurhir, 17 May 2014 - 10:48 PM.


#10 BLACKB0X

BLACKB0X

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:32 AM

Posted 18 May 2014 - 03:47 PM

Ok so the latest update on this whole UDP thing going on with the system.

 

I installed a FRESH windows installation and upgraded to 8.1 right away. Did all the updates and started installing all the programs I needed. Peerblock + iblocklists is always the first thing I install. I didn't notice that the issue started when I installed the plex program as mentioned above. I uninstalled it because I thought it was just plex giving off that porno udp problem (and no there are not pornos in my movie database on my pc lol). I ended up installing DivX and I am using its DLNA server to host within my LAN and sure enough BOOM. It re-appears. I started getting curious about it and this is what my mini research came up with....

 

So first off I use Peerblock to block unwanted IPs. Here is a screenshot of what it looks like with the UDP protocol constantly trying to connect.

 

[Screenshot: Peerblock log showing the repeated UDP connection attempts]

 

Now notice this is constantly being requested via port "137/138". After seeing the source coming from my computer I decided to run a netstat to see what's cooking under the engine.

 

The following command I used was: netstat -a -n -p udp -b

Output:

Active Connections

  Proto  Local Address          Foreign Address        State
  UDP    0.0.0.0:500            *:*                    
  IKEEXT
 [System]
  UDP    0.0.0.0:1900           *:*                    
 [DivXMediaServer.exe]
  UDP    0.0.0.0:1900           *:*                    
 [DivXMediaServer.exe]
  UDP    0.0.0.0:4500           *:*                    
  IKEEXT
 [System]
  UDP    0.0.0.0:49444          *:*                    
  Bonjour Service
 [System]
  UDP    0.0.0.0:63409          *:*                    
 [DivXMediaServer.exe]
  UDP    127.0.0.1:1900         *:*                    
  SSDPSRV
 [System]
  UDP    127.0.0.1:49442        *:*                    
 [AppleMobileDeviceService.exe]
  UDP    127.0.0.1:49443        *:*                    
 [AppleMobileDeviceService.exe]
  UDP    127.0.0.1:60156        *:*                    
  SSDPSRV
 [System]
  UDP    127.0.0.1:63413        *:*                    
 [DivXMediaServer.exe]
  UDP    127.0.0.1:63419        *:*                    
 [DivXMediaServer.exe]
  UDP    192.168.1.18:137       *:*                    
 Can not obtain ownership information
  UDP    192.168.1.18:138       *:*                    
 Can not obtain ownership information
  UDP    192.168.1.18:1900      *:*                    
  SSDPSRV
 [System]
  UDP    192.168.1.18:5353      *:*                    
  Bonjour Service
 [System]
  UDP    192.168.1.18:63411     *:*                    
 [DivXMediaServer.exe]
  UDP    192.168.1.18:63417     *:*                    
 [DivXMediaServer.exe]

Notice the above shows on port 137 it's DivX Media Server which also "Can not obtain ownership information". The moment I kill the media server it stops but then of course I can't share the media within my LAN so I do kinda need it. Anyways the second command I used was to see what PID was running with the corresponding port number:

netstat -ano -p udp

Output:

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:500            *:*                                    420
  UDP    0.0.0.0:1900           *:*                                    3956
  UDP    0.0.0.0:1900           *:*                                    3956
  UDP    0.0.0.0:4500           *:*                                    420
  UDP    0.0.0.0:49444          *:*                                    1924
  UDP    0.0.0.0:63409          *:*                                    3956
  UDP    127.0.0.1:1900         *:*                                    3156
  UDP    127.0.0.1:49442        *:*                                    1720
  UDP    127.0.0.1:49443        *:*                                    1720
  UDP    127.0.0.1:60156        *:*                                    3156
  UDP    127.0.0.1:63413        *:*                                    3956
  UDP    127.0.0.1:63419        *:*                                    3956
  UDP    192.168.1.18:137       *:*                                    4
  UDP    192.168.1.18:138       *:*                                    4
  UDP    192.168.1.18:1900      *:*                                    3156
  UDP    192.168.1.18:5353      *:*                                    1924
  UDP    192.168.1.18:63411     *:*                                    3956
  UDP    192.168.1.18:63417     *:*                                    3956

Above we see this is coming from PID 4. Now of course in the regular task manager you would not really be able to see every single PID so I downloaded Process Explorer from [ Sysinternals.com ]. Here is what I found in the program.

 

[Screenshot: Process Explorer showing PID 4 (System) and DivXMediaServer.exe (PID 3956)]

 

Here you see PID number 4 is coming from System?!?! And also you see DivXMediaServer.exe coming from PID 3956.  IDK what's going on here, I'm lost for words. I've also run Wireshark but I get nothing. It's like it's deep within the system. lol. Let me know what all of your thoughts are.

 

:)



#11 CptCranky

CptCranky
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:32 AM

Posted 19 May 2014 - 10:44 PM

Thanks BLACKBOX!

 

Very good info.  Unfortunately, I came up with similar results.  Except when you did the first netstat, you got a reference to DivX.  I did not.  I received only "Can not obtain ownership information".  I get this result on all of my systems (see above, yes includes servers... way scary).

 

When I do a netstat -ano -p udp I get the same result.  PID 4 for SYSTEM.  Pretty damn scary if you ask me. Lord only knows what they're getting at this point.

 

As soon as I change NETBIOS to disabled, the traffic stops.  However, I then get a bunch of blocked traffic from (PLEASE DON'T GO TO FOLLOWING LINK, REF ONLY) asnbm.myftpsite.net.  When I do a Google search on body4u... I get a bunch of links that I don't trust, or have nothing to do with issue at hand.  When I do a search on asnbm..., I get absolutely nothing that I would risk clicking on. 

 

Background.  I restored a laptop from backup from two months ago (well before this horse crap), I installed Peerblock, Malwarebytes, and Anti-virus software....  I got the same damn results.

 

IMHO this seems to be a fairly recent issue, and there are not a lot of good results.  I'm hoping that there is a fix for this, but Lord only knows the effect it's had thus far.

 

I've been dealing with cryptolocker crap at work, that's easier than this...



#12 BLACKB0X

BLACKB0X

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:32 AM

Posted 21 May 2014 - 09:17 PM

I checked my whole LAN and it's coming just from my pc. I have my mini media server running off the desktop and I have another server (Ubuntu) in the house I just built today and nothing coming from that one. It's only from my Desktop PC.

I'm also getting the myftpsite as well. The IP that one is coming out of is 0.0.0.0:68

I totally agree on how odd this is. This has to be VERY new/recent. I just find it odd after a clean genuine install of windows 8.1 there is this crap happening. It's really starting to get me quite angry.

And yeah same here been dealing with infections/cryptolocker at work as well and it seems easier than my issue here at home lol. :(

 

On a side note....

 

I emailed the domain registrars ( godaddy & ename ) and notified both of them about these issues that are occurring. Hopefully they look into the domains and shut down the websites or figure out what's going on because this is such a headache!



#13 CptCranky

CptCranky
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:32 AM

Posted 22 May 2014 - 01:08 AM

Amen brother! 

 

Quote Blackbox

"I emailed the domain registrars ( godaddy & ename ) and notified both of them about these issues that are occurring. Hopefully they look into the domains and shut down the websites or figure out whats going on because this is such a headache!"

 

I hope you're successful in your efforts!  I reloaded both my DC's from backup and still have the issue.  I shut down my DC's and Web server, and I'm sure it's coming from my personal pc as well.  Not sure how to tell which pc it's "coming" from, as they all have the same symptoms.

 

I did a search on centralops.net for their domain. And it came up with an address lookup of 192.168.1.255.  It also showed its handle as 192.168.1.255.   Lame... I'm going to change my DHCP to something different to see if that helps.  I also noticed it was from China...

 

Gawd I hope they resolve this soon..



#14 CptCranky

CptCranky
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:32 AM

Posted 22 May 2014 - 02:03 AM

Ok... I changed my DHCP private to something other than 192.168.1...  I always heard this was best practice, but I'm an $ass..lol.  I'm no longer getting the body4u crap. I turned NetBIOS back on, still don't get body4u....  However, I'm still getting asnbm.myftpsite bull$#!T.  I ran malwarebytes, adware, root kits, and virus scanner hoping that they updated their def. files, but nothing showed up as of 5/21/14.  I did a centralops on myftpsite, which looks to be hosted by Godaddy.  I believe this is where Blackbox got his info from, but just assuming at this point....  I hope the query by BlackBox will fix this issue as I'm tired of this $H!T. 

 

If I don't hear anything soon, I'm going to call Godaddy on asnbm.myftpsite myself.
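The two observations in the posts above, a blocklist entry whose lookup resolves to 192.168.1.255 and the "blocking" stopping once the LAN was re-addressed, fit a blocklist false positive: the NetBIOS name-service datagrams Windows sends to the subnet broadcast address (UDP 137/138, owned by PID 4 / System) are matched against a list range covering that address and logged under the range's label. The script below is an added example, not code from any poster or from PeerBlock; it assumes the P2P text format ("label:first_ip-last_ip") for the list and uses a constructed list and constructed packets.

```python
"""
Show how a LAN broadcast ends up in a PeerBlock log under a remote hostname.

PeerBlock compares each packet's remote address with the IP ranges in its
block lists and logs a hit under the matching entry's label. If an entry's
range covers the subnet broadcast address (x.x.x.255), every NetBIOS
datagram sent there is blocked and labelled with that hostname, even though
nothing was ever sent to that host.
"""
import ipaddress
from dataclasses import dataclass

# Private address space per RFC 1918; a list entry inside it cannot name an Internet host.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class BlockEntry:
    label: str
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address

    def contains(self, addr: ipaddress.IPv4Address) -> bool:
        return self.first <= addr <= self.last


def parse_p2p(text: str) -> list:
    """Parse P2P-format lines ("label:first-last"); blank lines and '#' comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        label, _, ip_range = line.rpartition(":")  # the label may contain ':'; the range never does
        first, _, last = ip_range.partition("-")
        entries.append(BlockEntry(label, ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return entries


def matching_labels(entries: list, remote: str) -> list:
    """Labels that would be logged for a packet whose remote address is `remote`."""
    addr = ipaddress.IPv4Address(remote)
    return [e.label for e in entries if e.contains(addr)]


def lan_overlapping_entries(entries: list) -> list:
    """Entries inside RFC 1918 space: they can only ever match local traffic (false-positive generators)."""
    return [e for e in entries if any(e.first in net or e.last in net for net in RFC1918)]


# Constructed sample list (not a real I-BlockList download). The body4u entry mirrors
# the lookup in the thread that resolved the hostname to 192.168.1.255.
SAMPLE_LIST = """\
# constructed sample list in P2P format
body4u.diy.myrice.com:192.168.1.255-192.168.1.255
constructed-public-range:203.0.113.0-203.0.113.255
"""

# Constructed NetBIOS datagrams: (source, destination, UDP port). x.x.x.255 is the broadcast address.
SAMPLE_PACKETS = [
    ("192.168.1.18", "192.168.1.255", 137),
    ("192.168.1.18", "192.168.1.255", 138),
    ("10.0.0.18", "10.0.0.255", 137),  # the same traffic after re-addressing the LAN
]


def classify(entries: list, packets: list) -> list:
    """Return (destination, port, matching label or None) for each packet."""
    out = []
    for _src, dst, port in packets:
        labels = matching_labels(entries, dst)
        out.append((dst, port, labels[0] if labels else None))
    return out


if __name__ == "__main__":
    entries = parse_p2p(SAMPLE_LIST)
    for e in lan_overlapping_entries(entries):
        print(f"list entry inside private space (false-positive generator): {e.label} {e.first}-{e.last}")
    for dst, port, label in classify(entries, SAMPLE_PACKETS):
        print(f"UDP -> {dst}:{port}  {'blocked as ' + label if label else 'not matched'}")
```

Running it shows the 192.168.1.255 broadcasts logged as body4u.diy.myrice.com while the identical traffic on 10.0.0.0/24 matches nothing, which is exactly the change seen after moving off 192.168.1.x.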



#15 elearnorscake

elearnorscake

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:32 PM

Posted 22 May 2014 - 09:26 AM

I've come across something odd in relation to this body4u.diy.myrice stuff.

 

Recently I've been cleaning up the backlink profile of a relative's website, helping them get rid of the spam links pointing to their site after they made the mistake of employing an SEO company to work on it. Anyway, this has meant visiting a lot of pretty dodgy websites - spam article directories and the like - in order to get links removed, and I've suspected that whatever's infected my computer came from one of these.

 

Sure enough, going through the list of links to be removed today and visiting some of the sites in question, I've found one that seems to be connected to body4u. When I visit (obviously don't click on this) tripideas(dot)co(dot)uk peerblock throws up a load of blocks for body4u.diy.myrice.com. Peerblock has been doing this periodically anyway - every 5 minutes or so, I'll see about 5 entries for it - but it throws up several without fail every time I try to access this particular site, so I think it's related.

 

Whether this helps us or not I don't know!

 

Also, I mentioned above that when I first had this problem peerblock was showing a massive number of connections to IPs with the ranges 'US Gov't Blacklist', Guardian Media, BBC News, Vietnam Internet Network etc. Several connections a second for a couple of hours. This has now stopped, but I'm worried my connection was being hijacked for DDOS attacks by some Chinese (based on the targets) hacker or something. Is this possible, or am I being neurotic?





