
Weird inbound connections to svchost.exe


4 replies to this topic

#1 DeusExIgnis


Posted 10 January 2018 - 08:28 AM

Hi all,

I'm having a weird issue where Malwarebytes is blocking incoming connections to svchost.exe. The incoming connections vary in port, but one of the IP addresses associated with the connection, 80.82.70.133, is apparently located somewhere in Africa, which is setting off alarm bells in my head.

My question is, should I be concerned about any of this? If so, what steps can I take to stop it?

Known IP addresses used:
  • 80.82.70.133
  • 185.145.129.186

Known ports used:
  • 10001
  • 4443
  • 2223
  • 2222
  • 2087
  • 80

Running Windows 7 x64

Thanks!


Edited by hamluis, 10 January 2018 - 12:19 PM.
Moved to Am I Infected from Win 7 - Hamluis.


#2 ranchhand_


Posted 10 January 2018 - 09:01 AM

Two trace sites both verified 80.82.70.133 to be an island off the coast of Africa. Yes, I would be concerned also.

IP: 80.82.70.133
Decimal: 1347569285
Hostname: propet.seekkarma.net
ASN: 29073
ISP: Novogara LTD
Organization: Quasi Networks LTD.
Services: None detected
Assignment: Static IP
Blacklist:
Continent: Africa
Country: Seychelles
State/Region: Anse-aux-Pins
City: Anse aux Pins


Edited by ranchhand_, 10 January 2018 - 09:02 AM.



#3 DeusExIgnis


Posted 10 January 2018 - 11:34 AM

Quoting ranchhand_:

    Two trace sites both verified 80.82.70.133 to be an island off the coast of Africa. Yes, I would be concerned also.

    IP: 80.82.70.133
    Decimal: 1347569285
    Hostname: propet.seekkarma.net
    ASN: 29073
    ISP: Novogara LTD
    Organization: Quasi Networks LTD.
    Services: None detected
    Assignment: Static IP
    Blacklist:
    Continent: Africa
    Country: Seychelles
    State/Region: Anse-aux-Pins
    City: Anse aux Pins

Thank you for confirming my suspicions. Do you know what I should do to stop this from happening, or should I just wait it out and hope they get bored? I've already set up rules in windows firewall to block any inbound or outbound connections from those IP addresses, but I don't know if that's enough.

 

EDIT: I've also done ipconfig /release /renew. Not sure if that would stop it, but I thought it wouldn't hurt to change my IP address.


Edited by DeusExIgnis, 10 January 2018 - 11:40 AM.
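The two things a practitioner would check after a post like #3 are which service inside svchost.exe is actually listening on the ports that showed up in the blocked connections, and whether the firewall rules really landed. The PowerShell below is an added example, not code from the thread or from Malwarebytes. It assumes the Windows 7 x64 host from the first post, takes its addresses and ports from that post, and uses netstat, tasklist and netsh advfirewall rather than the NetSecurity cmdlets (New-NetFirewallRule) because those only exist on Windows 8 and later. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread: map the reported ports to the service
# hosted by each listening svchost.exe, then block the two reported addresses
# in Windows Firewall. Uses netstat, tasklist and netsh advfirewall because the
# Windows 7 machine in the thread has no NetSecurity cmdlets (Windows 8+ only).
# Addresses and ports are the ones listed in the first post.
$suspectIps   = @('80.82.70.133', '185.145.129.186')
$suspectPorts = @(10001, 4443, 2223, 2222, 2087, 80)

# 1. Local TCP listeners (port and owning PID), parsed from netstat -ano.
#    Sample line:  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    704
$listening = netstat -ano | ForEach-Object {
    if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
        New-Object PSObject -Property @{ Port = [int]$Matches[1]; OwnerPid = [int]$Matches[2] }
    }
}

# 2. Services hosted by each svchost.exe instance, from tasklist /svc.
$svcByPid = @{}
tasklist /svc /fi "imagename eq svchost.exe" /fo csv | ConvertFrom-Csv | ForEach-Object {
    $svcByPid[[int]$_.PID] = $_.Services
}

"Listening TCP ports hosted by svchost.exe (ports from the blocked connections flagged):"
$listening | Where-Object { $svcByPid.ContainsKey($_.OwnerPid) } | Sort-Object Port | ForEach-Object {
    $flag = ''
    if ($suspectPorts -contains $_.Port) { $flag = '  <-- seen in blocked connections' }
    "  port {0,-6} pid {1,-6} services: {2}{3}" -f $_.Port, $_.OwnerPid, $svcByPid[$_.OwnerPid], $flag
}

# 3. Block both addresses in both directions. Requires an elevated prompt.
foreach ($ip in $suspectIps) {
    foreach ($dir in @('in', 'out')) {
        $ruleName = "Block_${ip}_$dir"     # no spaces, so nothing to quote for netsh
        netsh advfirewall firewall add rule name=$ruleName dir=$dir action=block remoteip=$ip | Out-Null
    }
}

# 4. Confirm the rules exist.
netsh advfirewall firewall show rule name=all | Select-String -Pattern 'Rule Name:\s+Block_'
```

If none of the flagged ports appears as a local listener, the port in the Malwarebytes entry was the remote side of the attempt and nothing on the host was exposed on it; if one does, the services column names what to investigate or disable. Blocking two addresses stops those two senders only; the listener mapping is the part that tells you whether there was anything to reach. Note also that ipconfig /release followed by /renew renews the DHCP lease on the local adapter, which behind a home router changes only the LAN address, not the public address the senders see.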


#4 boopme

  • Global Moderator

Posted 11 January 2018 - 11:54 AM

I would get a deeper look. Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.

#5 bradybunch01


Posted 07 February 2018 - 06:32 PM

Several of our systems were hit with the Pulpy Ransomware attack. It didn't hit all our machines but a few older systems were running outdated malware detection.

Those machines were reporting the same traffic to the same IP addresses after we installed Malwarebytes. We have since re-imaged those machines and no longer see the traffic. I would suggest keeping an eye out for any files with an .aes file type.

Also there is an instruction.txt file that gets created.

Best of Luck.
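A read-only sweep for the two indicators bradybunch01 describes, added here as an example and not taken from the thread. It assumes the indicators are exactly what that post reports, files with an .aes extension and a dropped instruction.txt; other ransomware families use other extensions and note names. It is written for Windows 7 and PowerShell 2.0, as used in this thread, so it avoids the later -File switch on Get-ChildItem.

```powershell
# Added example, not from the thread: sweep every fixed drive for the two
# indicators bradybunch01 reports (.aes files and instruction.txt) and summarise
# where and when they appeared. Read-only; it changes nothing on disk.
# Targets Windows 7 / PowerShell 2.0, hence PSIsContainer instead of -File.
$drives = Get-WmiObject Win32_LogicalDisk -Filter "DriveType = 3" |
    ForEach-Object { $_.DeviceID + '\' }          # e.g. C:\  D:\

$hits = $drives | ForEach-Object {
    Get-ChildItem -Path $_ -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and
                       ($_.Extension -eq '.aes' -or $_.Name -eq 'instruction.txt') }
}

if (-not $hits) {
    "No .aes files or instruction.txt found on " + ($drives -join ', ')
} else {
    "Earliest indicator (approximate start of the encryption run):"
    $hits | Sort-Object LastWriteTime | Select-Object -First 1 LastWriteTime, FullName

    "Directories with the most .aes files:"
    $hits | Where-Object { $_.Extension -eq '.aes' } |
        Group-Object DirectoryName | Sort-Object Count -Descending |
        Select-Object -First 20 Count, Name

    "Ransom notes (instruction.txt):"
    $hits | Where-Object { $_.Name -eq 'instruction.txt' } | Select-Object LastWriteTime, FullName
}
```

Run it elevated so protected profile folders are not skipped. A hit is a reason to take the machine off the network and go through the Preparation Guide boopme pointed to, not to delete anything: the .aes files are the user's data, and instruction.txt is the note that identifies the variant.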
