
Sterjo NetStalker Blocked Connection


9 replies to this topic

#1 drgoodie


Posted 20 December 2017 - 10:34 PM

How do I find out who is being blocked?  There were 46 blocks of the same connection attempt yesterday and as many or more today.  The Remote Address being blocked is almost identical to my Local Address.  This is the first time for a blocked connection after a couple of months using Netstalker.  I have looked for a site that explains the software and have not found one.  Thanks for any explanations, directions.





#2 Didier Stevens


Posted 23 December 2017 - 04:01 AM

I assume you do not want to share the IP addresses.

 

But at least provide this information: are the IP addresses (local and remote) private IP addresses, and are they in the same subnet?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 drgoodie


Posted 23 December 2017 - 05:51 PM

Didier, the SterJo Netstalker log shows my private Local IP Address and the blocked Remote IP Address are in the same network.  It always attempts connection from the SAME Remote Port.  My second laptop was blocked until I set up a Rule to accept it - it also made multiple attempts but always from DIFFERENT Remote Ports.  I don't know the significance of this difference.  I just started reading about IP Addresses yesterday, and know little.  At a lookup site, there are numerous complaints about the address making multiple attempts to connect to others.   Thanks for responding!



#4 drgoodie


Posted 23 December 2017 - 06:28 PM

Too funny.  After reading much and scrambling much, I discovered it is Windows Media Player which I downloaded a few days ago.  I think.  I had no idea it would become part of my network - I thought it was software.  So much to learn.  I won't set up a Rule to accept it until I hear from you in response to my private message.  Since I don't know what I am doing.



#5 Didier Stevens


Posted 26 December 2017 - 05:30 PM

Here is more info regarding private and public IP addresses: https://www.bleepingcomputer.com/forums/t/536252/how-to-tell-if-you-have-a-private-ip-address-or-a-public-ip-address/

 

You can share your private IP addresses here, they can not be used to identify your machines on the Internet. But if you don't want to, no problem.




#6 drgoodie


Posted 26 December 2017 - 10:00 PM

Thank you for the link.  My HP's IP address is 192 168 1 66.  I have an Acer on the same network that is 192 168 1 64 (it was being blocked by Netstalker until I set up a Rule to accept it.)   I saw in my Network the HP, the Acer, DirecTV, and Windows Media Player.  I uninstalled WMP, thinking it was the 192 168 1 68 that is being blocked (197 times in one day).  However, the "68" is still attempting to connect.  Also a new concern:  After I uninstalled WMP, a new entry showed up in my Network:  

 

Network Infrastructure(1)

Internet Gateway Device

 

I have never seen that entry before.  I read some things about that being used at times by hackers and took some suggested precautionary action:  In order to disable Universal Plug and Play, I turned off Network Discovery file and printer sharing and public folder sharing.  (Windows 7)   I dig the hole deeper into not knowing what I am doing.  But since I don't know what part of my network "68" could be, I am afraid it could be disguised malware.  Since I've never seen the Internet Gateway Device listed on my network, I am afraid it could be the hack that I read is becoming common via that entry.  (I'm trying to justify what I think is probably dumb scurrying on my part.)  Thank you so much for helping me.  I'm hoping you can say "no worries" - okay to allow "68" to connect and don't worry about the Internet Gateway Device showing up suddenly.  But I will wait to hear from you.
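
Added example, not part of the original thread and not written by any poster: a Python sketch that answers the two triage questions asked in post #2 (private address? same subnet?) for the addresses quoted in post #6, and groups blocked attempts by remote-port pattern as observed in post #3. The /24 netmask, the port numbers and the 8.8.8.8 contrast row are assumptions constructed for illustration; the thread does not give them. It handles IPv4 only.

```python
import ipaddress
from collections import defaultdict

LOCAL = "192 168 1 66"   # written with spaces, as in the post above
PREFIX = 24              # assumption: common home netmask 255.255.255.0

# Constructed log sample: (remote address, remote port). Addresses .64 and .68
# come from the thread; the ports and the 8.8.8.8 contrast row are made up.
BLOCKED = [
    ("192 168 1 68", 5000), ("192 168 1 68", 5000), ("192 168 1 68", 5000),
    ("192 168 1 64", 49152), ("192 168 1 64", 49153), ("192 168 1 64", 49160),
    ("8.8.8.8", 443),
]

def normalize(text):
    """Accept '192 168 1 66' as well as '192.168.1.66'; raise on bad input."""
    return ipaddress.ip_address(".".join(text.replace(".", " ").split()))

def classify(local, remote, prefix=PREFIX):
    """Answer the two triage questions: private? same subnet as local?"""
    net = ipaddress.ip_interface(f"{normalize(local)}/{prefix}").network
    addr = normalize(remote)
    return {"private": addr.is_private, "same_subnet": addr in net}

def summarize(local, records, prefix=PREFIX):
    """Group blocked attempts per remote address and note the port pattern."""
    ports = defaultdict(list)
    for remote, port in records:
        ports[str(normalize(remote))].append(port)
    report = {}
    for remote, seen in ports.items():
        info = classify(local, remote, prefix)
        info["attempts"] = len(seen)
        # One repeated source port usually means a service bound to that port;
        # changing ports are ephemeral ports picked per outgoing connection.
        info["port_pattern"] = "fixed" if len(set(seen)) == 1 else "varying"
        report[remote] = info
    return report

if __name__ == "__main__":
    for remote, info in summarize(LOCAL, BLOCKED).items():
        print(remote, info)
```

A private, same-subnet remote address is a device behind the same router, so the next step is identifying that device (for example from the router's DHCP client list) rather than looking it up on a public reputation site.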



#7 drgoodie


Posted 26 December 2017 - 10:01 PM

192 128 etc.



#8 Didier Stevens


Posted 27 December 2017 - 05:36 PM

No, 192.168.1.68 is not malware, it's a device on your network. You will have to identify it. Could be a smartphone or a tablet, if you have no other computers. Or an IoT device.




#9 drgoodie


Posted 02 January 2018 - 09:45 PM

When I turned off Windows Media Services, the connection attempts stopped.  Thank you for your time and assistance.



#10 Didier Stevens


Posted 03 January 2018 - 01:07 PM

You're welcome!






