
HELP! - What's going on with my firewall log?

22 June 2004, 10:30 AM  #1  Boro

Just lately my browser has been refusing to open up new pages ("page unavailable"). My firewall log is showing A LOT of activity on ports 135 & 445. Maybe an attempt every 20 secs or so.

The source and destination IP are very similar, with only the last .???.??? being different. If I reconnect, it's OK for a minute and then the same thing starts to happen. Is this my own computer making these requests?

The source DNS is from my own service provider every time.

Any help greatly appreciated.

Boro.

22 June 2004, 10:54 AM  #2  Boro

Originally Posted by Boro
Just lately my browser has been refusing to open up new pages ("page unavailable"). My firewall log is showing A LOT of activity on ports 135 & 445. Maybe an attempt every 20 secs or so.

The source and destination IP are very similar, with only the last .???.??? being different. If I reconnect, it's OK for a minute and then the same thing starts to happen. Is this my own computer making these requests?

The source DNS is from my own service provider every time.

Any help greatly appreciated.

Boro.

13 attempts in 60 seconds, surely that's not normal internet traffic?

22 June 2004, 05:23 PM  #3  Boro

Any ideas?

22 June 2004, 06:57 PM  #4  Nicks VR4

Originally Posted by Boro
Any ideas?

See below, hope this helps.

Nick


TCP Port 135
Common Use
Microsoft Remote Procedure Call (RPC) service.

Inbound Scan
Currently inbound scans are likely the Nachi or MSBlast worms.

Outbound Scan
Outbound scans if occurring in volume should be considered an indication of a possible worm infection on the source computer and should be investigated.

TCP Port 445
Common Use
Microsoft-DS Service is used for resource sharing on Windows 2000, XP, 2003, and other Samba-based connections. This is the port that is used to connect file shares, for example.

Inbound Traffic
Inbound scans are typically systems which are trying to connect to file shares that might be available on your system and hence these should be blocked. While most of this traffic is the result of worms or viruses which can use open file shares to propagate, they also can be the result of malicious users attempting to connect to your computer. Once connected they can download, upload or even delete or edit files on the connected file share. If you use open file shares (including sharing of printers, etc.) on your local network (LAN), then you should be using a firewall such that your local file shares are not accessible from the internet. Connecting to open file shares is likely the easiest and most common hack on the internet and yet one of the most effective for malicious activities like identity theft or installing RATs (Remote Access Trojans) to take control of systems remotely, for example.

Lately TCP Port 445 has become the target of LSASS exploiting worms like Sasser and Korgo.

Outbound Traffic
Outbound scans if occurring in volume should be considered an indication of a possible worm infection on the source computer and should be investigated. If there are systems to which you remotely connect, then those systems should be marked as trusted IPs within Link Logger such that future authorized events will be logged as normal traffic.
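
To answer the inbound-versus-outbound question from a log rather than by eye, the following added example (not part of the original posts) counts port 135/445 events per minute in each direction relative to the local address. The log line format, the addresses and the `OUTBOUND_ALERT` threshold are assumptions.

```python
import re
from collections import Counter

WATCHED_PORTS = {135, 445}   # RPC and Microsoft-DS, the ports named in the thread
OUTBOUND_ALERT = 5           # hypothetical per-minute threshold, tune to taste

# Assumed line format: "<date> <time> TCP <src>:<sport> -> <dst>:<dport> <action>"
LINE_RE = re.compile(
    r"^(\S+ \d\d:\d\d):\d\d TCP ([\d.]+):\d+ -> ([\d.]+):(\d+) \w+$")

# Constructed sample log; every address and timestamp here is made up.
SAMPLE_LOG = """\
2004-06-22 10:29:05 TCP 10.20.12.34:3412 -> 10.20.200.17:445 BLOCKED
2004-06-22 10:29:11 TCP 10.20.77.9:1288 -> 10.20.200.17:135 BLOCKED
2004-06-22 10:29:24 TCP 10.20.145.201:4021 -> 10.20.200.17:445 BLOCKED
2004-06-22 10:29:40 TCP 10.20.200.17:1050 -> 192.0.2.80:80 ALLOWED
2004-06-22 10:29:52 TCP 10.20.3.118:2977 -> 10.20.200.17:135 BLOCKED
"""

def summarize(log_text, local_ip):
    """Split port 135/445 events into inbound and outbound for local_ip."""
    per_minute = {"inbound": Counter(), "outbound": Counter()}
    inbound_sources = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m.group(4)) not in WATCHED_PORTS:
            continue
        minute, src, dst = m.group(1, 2, 3)
        if src == local_ip:            # this machine is probing others
            per_minute["outbound"][minute] += 1
        elif dst == local_ip:          # other hosts are probing this machine
            per_minute["inbound"][minute] += 1
            inbound_sources.add(src)
    peak_out = max(per_minute["outbound"].values(), default=0)
    peak_in = max(per_minute["inbound"].values(), default=0)
    if peak_out >= OUTBOUND_ALERT:
        verdict = "outbound scanning: investigate this machine for a worm"
    elif peak_in:
        verdict = "inbound scanning from other hosts, seen at the firewall"
    else:
        verdict = "no port 135/445 activity"
    return {"peak_inbound_per_min": peak_in, "peak_outbound_per_min": peak_out,
            "inbound_sources": len(inbound_sources), "verdict": verdict}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "10.20.200.17"))
```

An inbound-only result does not prove the machine is clean; it only shows that the logged probes originate elsewhere.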

23 June 2004, 01:23 PM  #5  Boro

Thanks Nick, I'm still getting these by the bucket load by the minute.

Even after reconnecting, which gives me a different IP address, within seconds they start again. Am I being targeted or could this just be general trojan/virus activity?

23 June 2004, 02:41 PM  #6  Suresh

Boro, the message is that your computer is infected with a worm/virus.
Do you have an up-to-date virus scanner?

Suresh

23 June 2004, 02:58 PM  #7  DJ Dunk

Almost certainly a virus. Check your hosts file for loopbacks. Could be Agobot, it loops back loads of antivirus websites to localhost so they can't be accessed.

23 June 2004, 06:13 PM  #8  Boro

Host files for loopbacks?

I've run two virus scans and picked up nothing.

23 June 2004, 08:21 PM  #9  DJ Dunk

Do a search on your C drive for a file called "hosts" and just check that there are no entries like . . . .

127.0.0.1 www.sophos.com
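
The hosts-file check described above can be scripted; this added example (not part of the original post) flags any name other than localhost that is mapped to a loopback or unspecified address, and any line whose address does not parse. The sample file contents and the `EXPECTED_LOCAL` list are constructed for illustration.

```python
import ipaddress

# Names that legitimately point at loopback (assumed list, extend as needed).
EXPECTED_LOCAL = {"localhost", "localhost.localdomain"}

# Constructed sample hosts file; on Windows the real file lives at
# %SystemRoot%\System32\drivers\etc\hosts
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
127.0.0.1       www.sophos.com   # antivirus site sent to loopback
127.0.0.1       update.example-av.test downloads.example-av.test
192.0.2.10      intranet.example.test
127.0.0.0.1     broken.example.test
"""

def suspicious_hosts_entries(text):
    """Return (line number, item, reason) for entries worth a closer look."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, addr, "malformed address"))
            continue
        # 127.0.0.0/8, ::1 and 0.0.0.0 all make the named site unreachable.
        if ip.is_loopback or ip.is_unspecified:
            for name in names:
                if name.lower() not in EXPECTED_LOCAL:
                    findings.append((lineno, name, f"mapped to {addr}"))
    return findings

if __name__ == "__main__":
    for lineno, item, reason in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {item} ({reason})")
```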

23 June 2004, 09:00 PM  #10  R1916v

Or it's just the internet worms doing the rounds, hitting your firewall, which is stopping them and logging it??

It even says so on the post by Nicks.

The viri target the RPC port, and I'm sure there are other viri (these might do it as well) that also target file share ports.