Not sure if I have been hacked or not.



#1 Xirw

Xirw

  • Members
  • 105 posts
  • OFFLINE
  •  
  • Local time:12:55 AM

Posted 21 October 2014 - 11:08 AM

This can be either a very challenging problem or a simple misunderstanding on my part. While viewing the remote addresses in Process Hacker, I came across random processes using addresses that were blacklisted by MalwareDomainList. They are also supposedly blacklisted on my computer as well, inside my hosts file with the usual "127.0.0.1" method.

[screenshot: TaskManager_zpsbe42c725.png]

0koryu0.easter.ne.jp is blocked by my hosts file, so why is it running on remote and local ports? Comodo killswitch found other local and remote addresses that are supposedly blocked by my hosts file running too.

[screenshot: COMODO_zps97f9d7e1.png]

I am 99% sure I don't have any active infections on my computer so why is this happening? Why are malicious addresses all over my processes?


#2 jkr4m3r

Posted 06 March 2015 - 07:00 PM

OK, grave-digging a bit here in case this helps someone out there who might have been wasting time being paranoid like I did for a few hours. I stumbled upon this thread Googling so eventually another person will do the same and be more at ease after reading.

I, too, had the same issue as the OP above. I spent a few hours over a couple of weeks' time trying to solve this issue. In reality, it's not an issue at all. What I found was that I have been using hostman to keep my hosts file updated to protect against ads and malware, or both.

 

What suddenly occurred to me after combing through the hosts file is that

127.0.0.1 0koryu0.easter.ne.jp

is the first entry in the entire file that uses 127.0.0.1 as localhost, after a lengthy list of redirects to 0.0.0.0. 

 

So, I created an entry right above this first 127.0.0.1 line that looked like this:

127.0.0.1 00mylogin.anydomain.net     #test

Notice the two zeros; that was to make it the first of the 127.0.0.1 entries in the hosts file. I suspect hostman, or the people who create the MVPS hosts file, like to keep it alphabetical.

 

After I did this, netstat -a showed the domain I inserted (made up, no less) instead of the suspicious-looking 0koryu0.easter.ne.jp domain.

 

So, if you have redirects in your hosts file such as the above and fiddle with netstat, you're going to see connections to the first one in the hosts list instead of the familiar "localhost" or the name of your machine. (I've seen both while testing this.)

 

Mystery solved, we're not hacked.


Edited by jkr4m3r, 06 March 2015 - 07:03 PM.
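As an added illustration of what the two posts above describe (this is not code from either poster, and the hosts excerpt, the example.test domains and the 00mylogin.anydomain.net label are constructed for the demo), the Python below models the lookup that makes a name-resolving netstat label a loopback socket with the first "127.0.0.1 <domain>" line of a block-list hosts file, and shows why the "insert a harmless 127.0.0.1 line above it" workaround changes what netstat prints without unblocking anything. The "first matching line wins" rule is an assumption drawn from the reply's observation, not a documented guarantee.

```python
"""Why a name-resolving `netstat -a` shows a blacklisted domain on loopback.

netstat turns each address into a name by reverse lookup, and the hosts file
is consulted first; the first line whose address matches is the name shown
(assumed here, modelled on the thread's observation). A block list that ends
with hundreds of "127.0.0.1 <bad-domain>" lines therefore labels every
loopback socket with the first such domain. Nothing below reads the real
hosts file; the excerpt is constructed for the example.
"""

from typing import List, Optional, Tuple

# Constructed excerpt in the style of a block-list hosts file: sinkholed
# domains on 0.0.0.0 first, then the first entry that uses 127.0.0.1.
SAMPLE_HOSTS = """\
# Constructed sample in MVPS style; not a real block list.
0.0.0.0 ads.example.test
0.0.0.0 tracker.example.test          # inline comment is ignored
127.0.0.1 0koryu0.easter.ne.jp
127.0.0.1 badsite.example.test
"""

# Addresses a block-list hosts file uses to sinkhole a domain.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1"}


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) pairs in file order, comments stripped."""
    entries: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment anywhere
        parts = line.split()
        if len(parts) < 2:                     # blank, comment-only or malformed
            continue
        entries.append((parts[0], parts[1:]))
    return entries


def name_for_address(text: str, ip: str) -> Optional[str]:
    """First hostname listed for `ip`: what a name-resolving netstat would
    print for that address under the assumed first-match rule. None means
    the hosts file has no line for the address."""
    for addr, names in parse_hosts(text):
        if addr == ip:
            return names[0]
    return None


def is_blocked(text: str, hostname: str) -> bool:
    """True if the hosts file sinkholes `hostname` (case-insensitive)."""
    wanted = hostname.lower()
    return any(
        addr in SINKHOLE_ADDRESSES and wanted in (n.lower() for n in names)
        for addr, names in parse_hosts(text)
    )


def display_endpoint(text: str, endpoint: str) -> str:
    """Render 'ip:port' the way `netstat -a` would, with the ip replaced by
    its hosts-file name when one exists (`netstat -an` would keep the ip)."""
    ip, port = endpoint.rsplit(":", 1)
    name = name_for_address(text, ip)
    return f"{name or ip}:{port}"


def with_marker(text: str, label: str) -> str:
    """Insert '127.0.0.1 <label>  #test' just above the first 127.0.0.1 line,
    the workaround from the reply: the harmless label becomes the name netstat
    shows for loopback, while every blocked domain stays blocked."""
    marker = f"127.0.0.1 {label}     #test"
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        parts = raw.split("#", 1)[0].split()
        if parts and parts[0] == "127.0.0.1":
            return "\n".join(lines[:i] + [marker] + lines[i:]) + "\n"
    return text + marker + "\n"   # no 127.0.0.1 line yet: append at the end


if __name__ == "__main__":
    # A local process listening on loopback, as Process Hacker or netstat see it.
    local, remote = "127.0.0.1:49152", "127.0.0.1:8080"
    print("before:", display_endpoint(SAMPLE_HOSTS, local),
          display_endpoint(SAMPLE_HOSTS, remote))
    fixed = with_marker(SAMPLE_HOSTS, "00mylogin.anydomain.net")
    print("after: ", display_endpoint(fixed, local),
          display_endpoint(fixed, remote))
    print("still blocked:", is_blocked(fixed, "0koryu0.easter.ne.jp"))
```

The practical check is the one the model makes explicit: run netstat once with name resolution (`netstat -a`) and once numerically (`netstat -an`). If the "malicious" endpoint is 127.0.0.1 in the numeric output, the process is talking to your own machine and the scary name is only the label the hosts file hands back for loopback; a real connection to a blocked domain would resolve to that domain's own address, which the hosts file sinkholes in the first place.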
