
54.192.39.218 incoming connection


19 replies to this topic

#1 bass740 (Members, 26 posts)

Posted 23 April 2015 - 02:42 AM

So I got the above IP in my firewall as an incoming connection blocked.

It resolves to helionresearch dot com

Anyone have anything to add as to what this might have been about?

Thanks





#2 Aura (Bleepin' Special Ops, Malware Response Team, 19,662 posts)

Posted 23 April 2015 - 05:31 AM

Hi bass740 :)

From what I see, HelionResearch.com is the website of a marketing company that offers advertising and performance monitoring solutions for other companies. My guess is that some website(s) you went on use their services and, when loading that page, it tried to load content from HelionResearch.com as well, but your firewall blocked it since it wasn't needed or was unwanted. At one point, it almost looks like adware or browsing tracking.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Didier Stevens (BC Advisor, 2,698 posts)

Posted 23 April 2015 - 10:15 AM

So it's TCP?

And do you know to which port it wanted to connect?

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#4 bass740 (Topic Starter, Members, 26 posts)

Posted 23 April 2015 - 11:38 PM

TCP indeed, and the port was 50484. Other strange things started happening at this same time, which is why I posted this.


Edited by bass740, 23 April 2015 - 11:39 PM.


#5 Didier Stevens (BC Advisor, 2,698 posts)

Posted 24 April 2015 - 01:52 AM

Are you sure this is the destination port number, and not the source port number? Because it's a high port number.



#6 bass740 (Topic Starter, Members, 26 posts)

Posted 24 April 2015 - 03:06 AM

It was two attempts; the other attempt used port 50490. Probably the incoming is simply showing the source port.

This is the other IP that was also blocked as an incoming: 93.184.215.191:50461


Edited by bass740, 24 April 2015 - 03:16 AM.


#7 Didier Stevens (BC Advisor, 2,698 posts)

Posted 24 April 2015 - 12:06 PM

No, that's the source port.



#8 bass740 (Topic Starter, Members, 26 posts)

Posted 24 April 2015 - 12:44 PM

Why would it say incoming in my firewall? And would you know why it was using svchost.exe?



#9 Didier Stevens (BC Advisor, 2,698 posts)

Posted 24 April 2015 - 01:49 PM

Because it is an incoming connection, you said it yourself. Furthermore, the port number you gave me is in a range that makes it very likely the source port.

Every TCP connection has a source IP address and port, and a destination IP address and port. The destination port gives us an indication of the services.

We can not tell you what possibly happened if you can not tell us what the destination port was.

And please do not send me PMs for help, Bleeping Computer does not offer support via PMs. Write your questions here in this thread.

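The point made in the post above, worked as an added example (not code from the thread, nor from any firewall vendor): a parser for the W3C-format records that Windows Firewall writes to pfirewall.log, which uses the direction field to tell the remote endpoint from the local one and the IANA port ranges to tell a client's source port from a service port. The sample log is constructed: it reuses the remote addresses and the port numbers quoted in the thread (50484, 50490, 50461), while the local address, the destination ports, the timestamps and the TCP flags are invented; the thread never learned the real destination ports.

```python
"""Tell a client's source port from a service port in Windows Firewall log
records. Added example; the sample log is constructed (see the lead-in)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# IANA ranges (RFC 6335). Windows Vista+ draws client (source) ports from
# 49152-65535 and Linux from 32768 up, so a port above 49151 in a connection
# record is almost always the source port, whatever the firewall's UI calls it.
WELL_KNOWN_MAX = 1023
REGISTERED_MAX = 49151

# Constructed pfirewall.log excerpt: remote IPs and ports 50484/50490/50461 are
# from the thread; local address, destination ports, times, flags are invented.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2015-04-23 02:40:11 DROP TCP 54.192.39.218 192.168.1.20 50484 135 52 S 1234 0 65535 - - - RECEIVE
2015-04-23 02:40:12 DROP TCP 54.192.39.218 192.168.1.20 50490 135 52 S 1235 0 65535 - - - RECEIVE
2015-04-23 02:41:03 DROP TCP 93.184.215.191 192.168.1.20 50461 445 52 S 99 0 8192 - - - RECEIVE
2015-04-23 02:41:30 ALLOW TCP 192.168.1.20 54.192.39.10 51022 443 0 - 0 0 0 - - - SEND
2015-04-23 02:41:31 DROP ICMP 192.168.1.1 192.168.1.20 - - 60 - - - - 8 0 - RECEIVE
"""


@dataclass
class Record:
    action: str
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    tcpflags: str
    path: str  # RECEIVE = arrived at this host, SEND = left this host

    @property
    def inbound(self) -> bool:
        return self.path == "RECEIVE"

    @property
    def remote(self) -> str:
        """Other host as IP:port; for an inbound packet that is the *source*."""
        return (f"{self.src_ip}:{self.src_port}" if self.inbound
                else f"{self.dst_ip}:{self.dst_port}")

    @property
    def local_port(self) -> int:
        return self.dst_port if self.inbound else self.src_port

    @property
    def service_port(self) -> int:
        """In either direction the destination port is the one being connected
        to, and that is what identifies the service."""
        return self.dst_port


def port_class(port: int) -> str:
    if port <= WELL_KNOWN_MAX:
        return "well-known"
    return "registered" if port <= REGISTERED_MAX else "dynamic"


def parse_log(text: str) -> List[Record]:
    """Parse W3C-format firewall log text, taking column order from #Fields."""
    fields: Optional[List[str]] = None
    records: List[Record] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            if fields is None:
                raise ValueError("record before #Fields header")
            v = dict(zip(fields, line.split()))
            if v.get("protocol") in ("TCP", "UDP"):  # ICMP carries no ports
                records.append(Record(v["action"], v["protocol"], v["src-ip"],
                                      v["dst-ip"], int(v["src-port"]),
                                      int(v["dst-port"]), v.get("tcpflags", "-"),
                                      v["path"]))
    return records


def explain(rec: Record) -> str:
    """One-line reading of a record in the terms the thread argued over."""
    if rec.inbound:
        head = f"inbound {rec.action} from {rec.remote} to local port {rec.local_port}"
    else:
        head = f"outbound {rec.action} from local port {rec.local_port} to {rec.remote}"
    tail = (f" [source port {rec.src_port} is {port_class(rec.src_port)}, "
            f"service port {rec.service_port} is {port_class(rec.service_port)}]")
    # A SYN aimed at a dynamic port is rare; it usually means the source and
    # destination columns were read the wrong way round.
    if "S" in rec.tcpflags and port_class(rec.service_port) == "dynamic":
        tail += " <- SYN to a dynamic port: check the field order"
    return head + tail


def inbound_drops_by_service(records: List[Record]) -> Dict[int, List[str]]:
    """Blocked inbound packets grouped by the local service port they aimed at."""
    out: Dict[int, List[str]] = {}
    for r in records:
        if r.action == "DROP" and r.inbound:
            out.setdefault(r.service_port, []).append(r.src_ip)
    return out


if __name__ == "__main__":
    for r in parse_log(SAMPLE_LOG):
        print(explain(r))
```

Run as a script it prints one line per record. The thing to notice is that 50484, 50490 and 50461 all fall in the dynamic range, so a firewall entry rendered as `54.192.39.218:50484` is showing the remote host's source port; the local destination port, which Windows Firewall's own log keeps in the dst-port column, is the value that would say which service was being reached, and `inbound_drops_by_service` is the grouping you would use to read that off.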


#10 bass740 (Topic Starter, Members, 26 posts)

Posted 24 April 2015 - 06:11 PM

I explained to you in full what has occurred in a PM. I don't think it entailed for you to act like a child here about it; a reply back telling me sorry, you can't help would suffice. Furthermore, I just gave more details of what has occurred; nowhere in my message did I ask you what steps I should take. It was simply more information that I did not want to share here. Again, a sorry, I don't know in PM would have been sufficient. I also did not ask you twice and came back here to check for a reply, as it was totally fine if you did not want to reply. I also had no idea PM was off limits, so I will be more careful next time. Thanks for the heads-up.


Edited by bass740, 24 April 2015 - 06:18 PM.


#11 Didier Stevens (BC Advisor, 2,698 posts)

Posted 25 April 2015 - 02:53 AM

Act like a child? Well, well...



#12 O.T.T. (Members, 172 posts)

Posted 25 April 2015 - 04:39 AM

How did you know that the IP "51.192.39.218" resolves to "helionresearch dot com"?

All I get is an Amazon CloudFront server...

OTT

Edited for misspellings... :wink:


Edited by O.T.T., 25 April 2015 - 04:42 PM.

Please ask Google why some of my links don't work anymore !


#13 bass740 (Topic Starter, Members, 26 posts)

Posted 25 April 2015 - 06:27 AM

That definitely has changed; if you search the IP and helion you can still get 2 cached pages with past searches on VirusTotal and down or blocked.

The site is now on 54.192.39.10

And now 54.192.36.163. I guess this is part of their mystery shopping technique; I am not familiar with such behavior.

The location also changed.


Edited by bass740, 25 April 2015 - 06:36 AM.


#14 O.T.T. (Members, 172 posts)

Posted 25 April 2015 - 04:38 PM

ATM all the IPs you name resolve to CloudFront or an Amazon server...

Not a chance to know more about that!

Sorry, I can't help you further.

OTT




#15 bass740 (Topic Starter, Members, 26 posts)

Posted 25 April 2015 - 08:41 PM

My main reason for posting here is to advise the community if there is a risk. The IPs are changing for this domain constantly, and it might be due to the type of business they're in.

So whatever IP you got in the AM has already changed.

Also, you have to ping the site or resolve its address; it appears you're simply looking up the IP address.


Edited by bass740, 25 April 2015 - 08:45 PM.
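The disagreement in the last few posts, as an added example (not code from the thread): looking up an address from a firewall log in reverse only names the CDN that owns it, while a forward lookup of the customer's hostname made at the time of the event is what ties the address to a site, and that tie expires as the CDN rotates edge addresses. The observation table below is constructed from the three addresses the thread reported for helionresearch.com, with one invented hostname (`example-shop.invalid`) added to show a shared edge; `54.192.0.0/16` is an assumed CDN prefix for the example, not something the thread established, so check the provider's published ranges before relying on it. The two live-lookup helpers at the end only run from the script's main block and return empty results when there is no network.

```python
"""Attribute a CDN edge address from a firewall log to a customer hostname.
Added example; observations constructed from the thread (see the lead-in)."""
import ipaddress
import socket
from datetime import date, timedelta
from typing import List, Optional, Tuple

Observation = Tuple[str, str, str]  # (ISO day seen, hostname, address resolved to)

# Forward-lookup history. The helionresearch.com rows are the addresses the
# thread reported; the example-shop.invalid row is invented to show that one
# edge address serves several customers at once.
OBSERVED: List[Observation] = [
    ("2015-04-23", "helionresearch.com", "54.192.39.218"),
    ("2015-04-25", "helionresearch.com", "54.192.39.10"),
    ("2015-04-25", "helionresearch.com", "54.192.36.163"),
    ("2015-04-23", "example-shop.invalid", "54.192.39.218"),
]

# Assumed for the example; check the provider's published ranges in real use.
CDN_PREFIXES = {"cloudfront (assumed prefix)": [ipaddress.ip_network("54.192.0.0/16")]}


def cdn_for(ip: str) -> Optional[str]:
    """CDN whose prefix contains ip, or None. Reverse DNS gets you this far
    and no further: the PTR record names the CDN, not its customer."""
    addr = ipaddress.ip_address(ip)
    for name, nets in CDN_PREFIXES.items():
        if any(addr in net for net in nets):
            return name
    return None


def hostnames_at(ip: str, when: str, observations: List[Observation],
                 window_days: int = 1) -> List[str]:
    """Hostnames that forward-resolved to ip within window_days of when.
    Edge assignments rotate, so only lookups made near the time of the
    firewall event count as evidence."""
    day = date.fromisoformat(when)
    lo, hi = day - timedelta(days=window_days), day + timedelta(days=window_days)
    return sorted({name for seen, name, addr in observations
                   if addr == ip and lo <= date.fromisoformat(seen) <= hi})


def attribute(ip: str, when: str, observations: List[Observation] = OBSERVED) -> dict:
    names = hostnames_at(ip, when, observations)
    return {
        "ip": ip,
        "cdn": cdn_for(ip),
        "hostnames": names,
        # A shared edge can be pinned to "one of these", never to a single site.
        "verdict": "unattributed" if not names else ("exact" if len(names) == 1 else "shared"),
    }


def forward_lookup(name: str) -> List[str]:
    """Live A-record lookup (network); [] when offline or the name is unknown."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def reverse_lookup(ip: str) -> Optional[str]:
    """Live PTR lookup (network); None when there is no PTR record or no network."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None


if __name__ == "__main__":
    for ip, day in (("54.192.39.218", "2015-04-23"),
                    ("54.192.36.163", "2015-04-25"),
                    ("54.192.36.163", "2015-05-10")):
        print(attribute(ip, day))
    # Live lookups, if there is a network; expected to differ from the 2015 data.
    print(forward_lookup("helionresearch.com"), reverse_lookup("54.192.39.218"))
```

The verdicts are the practical answer to the thread: an address seen on the day of the event is attributable from a forward-lookup record made that day, the same address is "shared" when more than one hostname resolved to it, and the same address weeks later is "unattributed" because the CDN will have moved on. Without a resolver log or a passive-DNS source to feed the observation table, the reverse lookup O.T.T. ran is genuinely all that can be said about the address.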




