Author Topic: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]  (Read 37961 times)

0 Members and 1 Guest are viewing this topic.

OliPicard

  • Guest
Re: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]
« Reply #15 on: March 12, 2013, 03:48:23 PM »
certainly! (heres one from the scan last night.)


OliPicard

  • Guest
Re: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]
« Reply #16 on: March 12, 2013, 03:57:05 PM »
Hi Essexboy
since last posting we have had an additional attack
In addaition we have had an additional attack
Code: [Select]
84.93.233.34:44300 x2
« Last Edit: March 12, 2013, 03:59:01 PM by OliPicard »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]
« Reply #17 on: March 12, 2013, 04:01:43 PM »
The IP's resolve to virtually all parts of the globe with a preponderance of them being European

I would like to reset various net items next, this one may take a few minutes to run 

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code: [Select]
:Files
Netsh firewall reset /c
ipconfig /release /c
ipconfig /renew /c
ipconfig /flushdns /c
netsh winsock reset catalog /c
netsh int ip reset /c

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

OliPicard

  • Guest
Re: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]
« Reply #18 on: March 12, 2013, 04:10:49 PM »
Hi, While running the test the following error occured.

Code: [Select]
failed to create cmd.bat.
now its stuck on killing processes (its been like it for 10 mins. not sure if thats normal.)
« Last Edit: March 12, 2013, 04:12:41 PM by OliPicard »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]
« Reply #19 on: March 12, 2013, 04:18:04 PM »
Hi essexboy,

The so-called IP attacks or repeated requests could have come from bitcoint dot org, like bitcointalk dot org etc. : http://myip.ms/info/whois/109.201.133.65/k/4080771760/website/bitcointalk.org
Does this ring some bell with the OP?

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

OliPicard

  • Guest
Re: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]
« Reply #20 on: March 12, 2013, 04:24:02 PM »
Hi polonus I dont use bitcoins however i do use p2ping with steam downloads however these are delivered over limelight networks.

I decided to Quit the application after the cmd.bat wouldnt be created during the OTL (it went into a locked up mode.) so i exited the application and went back in, copied and pasted everything EB posted (on the newest post) and it went smooth without issues!
Please find attached the new results. Ive also seen OTL has created 2 new folders in _OTL (under root) i was wondering do i move the files back to there original places? (the ones which are being moved to a root folder.)


In addition find attached the requested log from the latest scan.
« Last Edit: March 13, 2013, 09:53:35 PM by OliPicard »

OliPicard

  • Guest
Re: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]
« Reply #21 on: March 12, 2013, 04:29:51 PM »
Also to keep you updated ive discovered additonal ip's also attacking. (see below)

Code: [Select]
107.20.145.76:443 x3 dropbox (we dont not use dropbox so found this weird.) in addition it seems to be tired to an EC2 VM https://stat.ripe.net/107.20.145.76#tabId=at-a-glance AMAZON-02 - Amazon.com, Inc.
31.13.64.23:443 x2 (facebook ireland)
23.61.255.57:80 AKAMAI-ASN1 - Akamai International B.V.
173.194.34.111:443 Google
50.19.81.238:443 (Another Amazon EC2 Instance)

« Last Edit: March 12, 2013, 04:43:09 PM by OliPicard »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]
« Reply #22 on: March 12, 2013, 04:57:25 PM »
Dropbox may have been the images I use in my posts as that is where I stuff them all

Quote
:OTL
@Alternate Data Stream - 994 bytes -> C:\Users\Oliver\AppData\Local\Temp:X02gGPI7EmhUVHobjK4u6XhMubHP
Did you run this first OTL fix as the ads is very suspect

OliPicard

  • Guest
Re: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]
« Reply #23 on: March 12, 2013, 05:28:29 PM »
Dropbox may have been the images I use in my posts as that is where I stuff them all

Quote
:OTL
@Alternate Data Stream - 994 bytes -> C:\Users\Oliver\AppData\Local\Temp:X02gGPI7EmhUVHobjK4u6XhMubHP
Did you run this first OTL fix as the ads is very suspect

Hey Essexboy, i didnt run the first test because i thought it may not work with the newer test you sent me. Should i copy everything in or just the :OTL @Alternate Data Stream ?

In addition the following IP has also sent out a DoS

Code: [Select]
67.227.200.203:80 (from the bot website another IP address thought.
Previously attacked at 11:54:30 AM same port.


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]
« Reply #24 on: March 12, 2013, 05:42:07 PM »
Hi OliPicard,

Yes we must look for some mining backdoor malware variant, like Bitminer or Graybird like suspicious riskware, because of this Virginia Ashburn IP, also known from W32/BitCoinMiner.A, namely IP 50.19.81.238 that you also mention...

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

OliPicard

  • Guest
Re: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]
« Reply #25 on: March 12, 2013, 05:48:19 PM »
Ok, Glad we are on the case of figuring this out polonus! Now its trying to figure out the removal. Also @Essexboy should i run the datastream one using the OTL with everything you have posted previously.

Thanks
Oliver

OliPicard

  • Guest
Re: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]
« Reply #26 on: March 12, 2013, 06:00:16 PM »
Ive ran a OTL scan with the new scan as requested by Essexboy

In addition ive rebooted then ran a Quickscan, have included both extras and OTL log.


« Last Edit: March 13, 2013, 09:53:53 PM by OliPicard »

OliPicard

  • Guest
Re: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]
« Reply #27 on: March 12, 2013, 06:21:37 PM »
Have also just had another attack. Upon looking into this IP it seems connected to another IP which sent a simular request a couple of hours ago.

Code: [Select]
178.33.61.70:80 Seems to be related to 67.227.200.203:80 which attacked at 03:28:29 PM 

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]
« Reply #28 on: March 12, 2013, 06:26:45 PM »
It keeps doing that because something is blocking this bot restarter program's authentication - could be either av or firewall...

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

OliPicard

  • Guest
Re: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]
« Reply #29 on: March 12, 2013, 06:28:28 PM »
Strangely enough we dont have a bot setup, this could be a malware/botnet? I think we both discovered it might be related to W32/Downloader.F.gen!Eldorado (alternative name dorkbot)
« Last Edit: March 12, 2013, 06:31:12 PM by OliPicard »