Author Topic: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]  (Read 39431 times)


OliPicard

  • Guest
Re: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]
« Reply #60 on: March 12, 2013, 10:27:05 PM »
@polonus good find/research!

OliPicard

  • Guest
Re: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]
« Reply #61 on: March 12, 2013, 10:31:09 PM »
Additional IPs attacking:

Quote
211.90.10.236:80
95.172.68.150:80 (is on a list http://www.projecthoneypot.org/ip_95.172.68.150)
184.173.127.67:80 (The Planet/Softlayer)
91.190.216.51:12350 (Skype Node Port/Previous Traffic on Dynamic?)
 
« Last Edit: March 12, 2013, 10:42:58 PM by OliPicard »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
Re: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]
« Reply #62 on: March 12, 2013, 10:45:04 PM »
That is nearing in, and here with this comment spammer, you see the UK USA connection: http://myip.ms/view/comp_ip/1605125270/95.172.68.150
re: http://myip.ms/view/ip_owners/8597/Inap_Zscaler.html
And then here, BINGO, only to be found in the cache (thank you old goggles): http://webcache.googleusercontent.com/search?q=cache:YU41e62QfDcJ:http://pastebin.com/E7FEiLE2%2Babuse+211.90.10.236&client=flock&channel={flock%3Acontext}&oe=utf-8&hl=en&ct=clnk
see attached and now look for these IPs

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

OliPicard

  • Guest
Re: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]
« Reply #63 on: March 12, 2013, 10:48:32 PM »
I'm guessing they are probing for more cores to add to their network. Great spot, by the way. My only question is this: do you still think it's trojan related or mainly a probe net?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
Re: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]
« Reply #64 on: March 12, 2013, 10:55:03 PM »
Are you on Vista? According to me it is a man in the middle attack that your provider should not allow. Additional question: did you disable Java? If not, is it fully being upgraded/updated?
I think when you finally migrate this probing will also subside.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

OliPicard

  • Guest
Re: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]
« Reply #65 on: March 12, 2013, 11:01:02 PM »
@polonus Java has been uninstalled for a couple of days (due to high profile requests of it being removed/disabled etc.; before then it was disabled for the browser side too). Every plugin I have is up to date for the rest of things and it's being kept in check too. It does seem ISP side. I shall await any additional instructions from Essexboy, who is looking at the Wireshark capture.

OliPicard

  • Guest
Re: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]
« Reply #66 on: March 12, 2013, 11:09:23 PM »
The only other thing I haven't checked is: could the router have malware on it? Is there any way of checking a router for this? I'm guessing that the DNS redirect check at GRC would have shown some issues.

OliPicard

  • Guest
Re: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]
« Reply #67 on: March 12, 2013, 11:26:29 PM »
So to round up what's happened today (I gotta log off for tonight :D)

1) We think we have discovered the source of the issue.
2) We have installed Combofix/OTL and ran additional scans
3) We removed Combofix
4) We ran Wireshark to see if anything odd was going on.

Outstanding questions: Is there a way to test the router for any wrongdoing? Can I delete the folder Recovery which is on A:/Recovery? It seems locked at the moment with no files inside; I believe its creation was during the Combofix installation (if anyone could confirm this and whether it's safe to delete that would be super; I think after doing research it may be connected to the Windows recovery console/recovery system which is generated after using Combofix, but am unsure as of yet). In addition Essexboy is currently looking at the Wireshark capture and I am currently waiting for any additional instructions for OTL.

Have a good night!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
Re: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]
« Reply #68 on: March 12, 2013, 11:36:05 PM »
Just check here: http://www.dcwg.org/
Can you read that message?

polonus

P.S. Have a good night's rest,

Damian
« Last Edit: March 12, 2013, 11:39:43 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]
« Reply #69 on: March 12, 2013, 11:38:01 PM »
My thoughts, Damien, are that the router may well be infected. A restore to factory settings should clear that possibility.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
Re: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]
« Reply #70 on: March 12, 2013, 11:45:05 PM »
Hi essexboy,

Some more protect measures he could implement, re: http://www.dcwg.org/protect/
and some interesting observations from James Middleton here: http://www.infosecnews.org/hypermail/0111/5046.html
[quote] These murky parts of the internet could also be used to intentionally
'black hole' a target network's traffic. [/quote]
Yep, and not staying with default settings that can be read out...

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

OliPicard

  • Guest
Re: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]
« Reply #71 on: March 13, 2013, 07:15:52 PM »
Hi Guys,

It's showing up green.

In addition I've had the following IPs attacking.

Code:
173.194.78.188:5228 x3 (Google? Might be search engine related; on research this port is used by Google for their Play store, however we haven't visited the Play store.)
Before the above attack I got one in from this address: 64.88.242.90:80. It seems this is a private server attacking this time.
In addition I've also seen a new IP trying to run through the port number: 188.138.9.7:80


I also want to ask a couple of questions. Since running Combofix I've noticed some strange files in the tmp folder (under appdata; I can PM details of the file strings) with long names ~DF****************** (replace * with numbers/characters), with files being created on an hourly basis and some of them being given special permissions (padlock on the files).
« Last Edit: March 13, 2013, 07:27:03 PM by OliPicard »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]
« Reply #72 on: March 13, 2013, 07:25:36 PM »
Once Combofix is uninstalled it has gone for good.

Could you give some examples of the temp files?

Also, what is reporting these apparent attacks?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]
« Reply #73 on: March 13, 2013, 07:29:33 PM »
The temps sound like Windows updates or something similar. When did you last empty the temporary files?

OliPicard

  • Guest
Re: DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]
« Reply #74 on: March 13, 2013, 07:29:33 PM »
Hi Essexboy, I'll PM you some of the examples. In addition, the recovery folder is connected, as during a Combofix run the machine sets up a recovery folder as a fallback if anything bad happens. The reports are coming off the router's logs. I shall send some examples via the PM too. :)

Thanks
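Since the reported "attacks" (Reply #61, #71) turn out to come from the router's own log (Reply #74), a first triage step is to look at the port pair of each entry: a packet from a remote service port (80, 443, 5228) to a local ephemeral port is normally a late reply to a connection the LAN host itself opened, which stateful routers log as an "attack" once their NAT entry has expired, whereas a packet from an ephemeral port to a local service port with no matching session is a genuinely unsolicited attempt. The script below is an added example, not code from any poster in the thread; the log line format, the two port sets and the two documentation-range source addresses are constructed assumptions.

```python
import re
# Constructed sample in a generic consumer-router "DoS attack" log style (the
# format is assumed, not the poster's real log). Remote endpoints are the ones
# quoted in the thread plus two documentation-range addresses.
SAMPLE_LOG = """\
[DoS attack: ACK Scan] from source 95.172.68.150:80 to 192.168.1.5:52144
[DoS attack: ACK Scan] from source 173.194.78.188:5228 to 192.168.1.5:49377
[DoS attack: ACK Scan] from source 184.173.127.67:80 to 192.168.1.5:52201
[DoS attack: SYN Flood] from source 203.0.113.9:44210 to 192.168.1.5:445
[DoS attack: SYN Flood] from source 198.51.100.77:60123 to 192.168.1.5:3389
[DoS attack: ACK Scan] from source 91.190.216.51:12350 to 192.168.1.5:1024
"""

LINE_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] from source "
    r"(?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Remote ports of services a LAN host connects *out* to: a packet from one of
# these is normally the server replying, not a port an attacker chose.
REMOTE_SERVICE_PORTS = {80, 443, 5228}
# Local ports that unsolicited inbound scans commonly aim at.
EXPOSED_LOCAL_PORTS = {22, 23, 135, 139, 445, 3389}

def parse_log(text):
    # One dict per recognised line; lines in another format are skipped.
    entries = []
    for m in LINE_RE.finditer(text):
        e = m.groupdict()
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        entries.append(e)
    return entries

def classify(entry):
    sport, dport = entry["sport"], entry["dport"]
    if sport in REMOTE_SERVICE_PORTS and dport >= 1024:
        # server port -> ephemeral port: late reply to the LAN host's own
        # session, logged because the router's NAT state had already expired
        return "likely-reply"
    if sport >= 1024 and (dport < 1024 or dport in EXPOSED_LOCAL_PORTS):
        # ephemeral port -> service port with no outbound session: a real
        # unsolicited inbound attempt, the kind worth keeping an eye on
        return "inbound-probe"
    return "unclear"

def triage(text):
    # Map each category to the remote addresses that fell into it.
    buckets = {}
    for e in parse_log(text):
        buckets.setdefault(classify(e), []).append(e["src"])
    return buckets
```

Entries that land in "likely-reply" are worth correlating with the host's own browsing or app traffic (a Wireshark capture, as in the thread) before treating them as hostile; the "unclear" bucket, such as the Skype-range port 12350 entry, needs that correlation too.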