VideoHelp Forum




  1. Banned
    Join Date
    Nov 2005
    Location
    United States
    i have to admit, every once in a while i run across something that catches me completely by surprise.

    i'm currently running xp 64 with all the updates installed, recently (as in 2 days ago) i let a buddy of mine use my pc when he came over to chill. while playing around on the net he inadvertently infected my pc with a number of different types of malware, including a trojan backdoor (namely backdoor.bot), a keylogger and a virus (basically i got the trifecta).

    the keylogger i removed with spybot, the virus and the trojan were found by clam antivirus, so fearing the worst i did complete scans of my system with avg free, clam antivirus, spybot, malwarebytes, adaware and microsoft defender, all of which came back clean.

    i however am the suspicious type and decided to switch from the built in windows firewall i was using (which only stops inbound traffic on xp) and tried a couple of aftermarket firewalls. one of them kept reporting some activity, but the free version was crippled and wouldn't allow me to explore the issue further, so i switched to what i think is one of the best windows firewalls available: pc tools firewall plus.

    now this firewall is doing its job and well, which has resulted in me making a very interesting discovery: someone is hammering my firewall from 71.207.241.72. doing a tracert on it shows that it's located somewhere in montgomery, alabama, when i do a whois on it i get this:

    OrgName: Comcast Cable Communications, Inc.
    OrgID: CMCS
    Address: 1800 Bishops Gate Blvd
    City: Mt Laurel
    StateProv: NJ
    PostalCode: 08054
    Country: US

    NetRange: 71.192.0.0 - 71.207.255.255
    CIDR: 71.192.0.0/12
    NetName: ATT-COMCAST
    NetHandle: NET-71-192-0-0-1
    Parent: NET-71-0-0-0-0
    NetType: Direct Allocation
    NameServer: DNS101.COMCAST.NET
    NameServer: DNS102.COMCAST.NET
    NameServer: DNS103.COMCAST.NET
    Comment:
    RegDate: 2005-07-27
    Updated: 2008-10-31

    OrgAbuseHandle: NAPO-ARIN
    OrgAbuseName: Network Abuse and Policy Observance
    OrgAbusePhone: +1-856-317-7272
    OrgAbuseEmail:

    OrgTechHandle: IC161-ARIN
    OrgTechName: Comcast Cable Communications Inc
    OrgTechPhone: +1-856-317-7200
    OrgTechEmail:

    CustName: Comcast Cable Communications, Inc.
    Address: 1800 Bishops Gate Blvd
    City: Mt Laurel
    StateProv: NJ
    PostalCode: 08054
    Country: US
    RegDate: 2006-08-01
    Updated: 2006-08-01

    NetRange: 71.207.192.0 - 71.207.255.255
    CIDR: 71.207.192.0/18
    NetName: HUNTSVILLE-8
    NetHandle: NET-71-207-192-0-1
    Parent: NET-71-192-0-0-1
    NetType: Reassigned
    Comment:
    RegDate: 2006-08-01
    Updated: 2006-08-01

    OrgAbuseHandle: NAPO-ARIN
    OrgAbuseName: Network Abuse and Policy Observance
    OrgAbusePhone: +1-856-317-7272
    OrgAbuseEmail:

    OrgTechHandle: IC161-ARIN
    OrgTechName: Comcast Cable Communications Inc
    OrgTechPhone: +1-856-317-7200

    this part makes me a bit leery: Network Abuse and Policy Observance, but here's the best part: i am not a comcast customer, i have verizon dsl and even if i did have cable, comcast doesn't service my area, time warner does.

    furthermore this is an inbound connection that uses the udp protocol, port 6881, both of which point to the connection attempts being related to a torrent client, but i don't have one running nor am i downloading anything.

    i'm at a loss to explain what is going on, but i can prove via the firewall logs that comcast's computers are actively trying to connect to my pc at a rate of about once every 30 seconds, almost as if someone has a script running that runs the ping command at regular intervals and i would really like to know why.

    i'm thinking about letting this go on for a month or so, and then show the logs to a lawyer, the press, the da's office and possibly a few news shows.
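An added example, not written by anyone in this thread: the pattern described in the post above (blocked inbound UDP to port 6881 from one address roughly every 30 seconds) can be confirmed from a firewall log by measuring how regular the gaps between attempts are, and the address can be checked against the reassigned block in the WHOIS output. The log format, the local address 192.168.1.10 and the second source address are constructed for illustration and are not PC Tools Firewall Plus output.

```python
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log lines; the format is hypothetical, not real firewall output.
SAMPLE_LOG = """\
2009-01-10 14:00:01 BLOCK IN UDP 71.207.241.72:51413 -> 192.168.1.10:6881
2009-01-10 14:00:12 BLOCK IN TCP 198.51.100.7:40022 -> 192.168.1.10:445
2009-01-10 14:00:31 BLOCK IN UDP 71.207.241.72:51413 -> 192.168.1.10:6881
2009-01-10 14:01:02 BLOCK IN UDP 71.207.241.72:51413 -> 192.168.1.10:6881
2009-01-10 14:01:30 BLOCK IN UDP 71.207.241.72:51413 -> 192.168.1.10:6881
2009-01-10 14:02:01 BLOCK IN UDP 71.207.241.72:51413 -> 192.168.1.10:6881
2009-01-10 14:07:45 BLOCK IN TCP 198.51.100.7:40031 -> 192.168.1.10:445
"""

LINE = re.compile(r"(?P<ts>\S+ \S+) BLOCK IN (?P<proto>\w+) "
                  r"(?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)")

def periodic_sources(log, min_hits=4, max_jitter=0.25):
    """Map (src, proto, dport) -> mean gap in seconds for near-constant intervals."""
    seen = defaultdict(list)
    for line in log.splitlines():
        m = LINE.match(line)
        if m:  # ignore anything that is not a blocked-inbound record
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            seen[(m["src"], m["proto"], int(m["dport"]))].append(ts)
    flagged = {}
    for key, times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Low coefficient of variation = machine-like regularity (a timer, not a person).
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            flagged[key] = round(mean, 1)
    return flagged

def in_block(ip, cidr):
    """True when ip lies inside a CIDR block taken from WHOIS output."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

if __name__ == "__main__":
    print(periodic_sources(SAMPLE_LOG))
    print(in_block("71.207.241.72", "71.207.192.0/18"))
```

Regularity only shows that the sender is automated; it says nothing about who operates the address.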
  2. Download CurrPorts and kill any port that shows up pink:
    http://www.nirsoft.net/utils/cports.html
  3. aBigMeanie aedipuss's Avatar
    Join Date
    Oct 2005
    Location
    666th portal
    just because it is in the comcast ip range for that area doesn't have anything to do with it being from "comcast" the company, it is just one of their users. you'd need a court order to find the actual individual using that ip. the rest of the info is just standard isp info.

    did you also check to see if you have been rootkitted? the programs you list won't find one if it's on your computer. try gmer or avast free.
    --
    "a lot of people are better dead" - prisoner KSC2-303
  4. I'm a Super Moderator johns0's Avatar
    Join Date
    Jun 2002
    Location
    canada
    Most likely you are being attacked by the same trojan that got on your system, the attacking computer is probably being used as a remote robot and the user has no clue.
    I think,therefore i am a hamster.