
Pinged From Afar

  • 06-07-2004 11:27am
    #1
    Registered Users, Registered Users 2 Posts: 2,425 ✭✭✭


    Weird one, this... For the last few days, I've been using a mobile phone to connect a PC to the internet on the Vodafone network. The two devices are connected wirelessly over Bluetooth.

    I was downloading some files and noticed that the speeds indicated on the file download didn't match up with the speed being recorded by NetMeter, e.g. the file was shown to be downloading at 1.5k while NetMeter was showing a download rate of 3.2k. I checked ZoneAlarm and noticed a large amount of packets being sent to me. I generally notice one every few minutes from various non-conspicuous servers dotted around Europe, but this was different. They were *all* coming from one particular server in Romania, with dial.xnet.ro at the end of each source IP. At one point, they were coming in every few seconds and slowing down the PC. I thought it was some kind of random hack so I just disconnected and ran Ad-Aware, AVG, SpybotS&D just to be sure. Nothing was found so I went back online but the same thing happened again - bombarded by all these packets from this server in Romania.

    I noticed that the source IPs were pretty similar to my IP, first 2 parts at least, so I did a whois on one of the source IPs and came up with a company called Connex in Romania, a mobile operator - partly owned by Vodafone. I'm not sure what to make of this. Could it be malicious with just the coincidence that it's all originating from this affiliate of Vodafone or could it be benign?

    Here's a screencap of what it looked like on ZoneAlarm (sorry, it's a bit big - 100k).

    Anyone any ideas? Possibly malicious?


Comments

  • Registered Users, Registered Users 2 Posts: 6,265 ✭✭✭MiCr0


    it might think you're its samba server

    "Among the new ports used by Windows 2000, Windows XP and Windows Server 2003, is TCP port 445 which is used for SMB over TCP."

    http://www.petri.co.il/what_is_port_445_in_w2kxp.htm


  • Registered Users, Registered Users 2 Posts: 7,740 ✭✭✭mneylon


    Sounds like a virus.
    Zone Alarm Pro is crap anyway, so I would dump it.

    If you dig around you will find that there are a lot of viruses using those ports, so it could easily be one of them.


  • Registered Users, Registered Users 2 Posts: 5,335 ✭✭✭Cake Fiend


    Almost certainly one of the recent worms using port 445 to propagate. As an example, here is one of the traits of the recent 'Sasser' worm (note underlined part)
    From symantec.com

    Generates another IP address, based on one of the IP addresses retrieved from the infected computer.

    25% of the time, the last two octets of the IP address are changed to random numbers. For example, if A.B.C.D is the IP address retrieved in step 7, C and D will be random.
    23% of the time, the last three octets of the IP address are changed to random numbers. For example, if A.B.C.D is the IP address retrieved in step 7, B, C, and D will be random.
    52% of the time, the IP address is completely random.
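
A defender-side check for the pattern described in the quoted text, as an added example that is not part of any post in this thread: it buckets inbound port 445 probes by how many leading octets each source shares with the local address. The function names, thresholds and sample log are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample data (not from the thread): our own address and
# (source IP, destination port) pairs as a firewall log might record them.
LOCAL_IP = "10.20.30.40"
SAMPLE_LOG = [
    ("10.20.7.91", 445), ("10.20.200.3", 445), ("10.20.30.77", 445),
    ("10.99.1.2", 445), ("172.16.5.5", 445), ("192.168.9.9", 445),
    ("10.20.7.91", 445), ("10.20.14.8", 80),
]

def shared_octets(a, b):
    """Count the leading octets two IPv4 addresses have in common."""
    n = 0
    for x, y in zip(ipaddress.IPv4Address(a).packed,
                    ipaddress.IPv4Address(b).packed):
        if x != y:
            break
        n += 1
    return n

def summarize_probes(log, local_ip, port=445):
    """Bucket inbound probes to `port` by shared leading octets with local_ip."""
    buckets, per_source = Counter(), Counter()
    for src, dport in log:
        if dport != port:
            continue
        buckets[shared_octets(src, local_ip)] += 1
        per_source[src] += 1
    return buckets, per_source

def locality_biased(buckets, min_probes=5, threshold=0.2):
    """True when many sources share our first two octets.

    Uniformly random sources would match both octets about once in 65,536
    probes, so a sizeable share points at scanners that derive targets
    from their own address, as in the quoted description.
    """
    total = sum(buckets.values())
    if total < min_probes:
        return False
    near = sum(count for octets, count in buckets.items() if octets >= 2)
    return near / total >= threshold

if __name__ == "__main__":
    buckets, per_source = summarize_probes(SAMPLE_LOG, LOCAL_IP)
    print(dict(buckets), per_source.most_common(1), locality_biased(buckets))
```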


  • Registered Users, Registered Users 2 Posts: 2,425 ✭✭✭Fidelis


    Ah nuts. Thanks for the feedback guys. I was hoping it wasn't serious - this is my first infection! I have AVG patched up and all that jazz, obviously not doing the job.

    What do I do now?


  • Registered Users, Registered Users 2 Posts: 5,335 ✭✭✭Cake Fiend


    No, I didn't mean you're the one infected - it's the machines that are sending all these connection attempts to your computer that are likely infected! Widespread worms like Sasser and co. cause all sorts of congestion throughout the internet as a result of their aggressive infection attempts. As long as you're patched up and running a firewall and AV software, you should be relatively safe. Update your AV software and run a full scan if you want to be certain.


  • Registered Users, Registered Users 2 Posts: 2,425 ✭✭✭Fidelis


    Ah right, I get you now :) Thanks for the info, Sico.

    Does this mean that all these infection attempts on my PC are eating up my bandwidth?


  • Registered Users, Registered Users 2 Posts: 380 ✭✭dogs


    Originally posted by Fidelis

    Does this mean that all these infection attempts on my PC are eating up my bandwidth?

    Eh from your screenshot it's one or two packets per host. Although there's probably quite a few machines it's still not exactly a flood. I think you just have to accept that there'll always be "background noise" and get back to porn surfing.


  • Registered Users, Registered Users 2 Posts: 9,604 ✭✭✭irishgeo


    Originally posted by blacknight
    Sounds like a virus.
    Zone Alarm Pro is crap anyway, so I would dump it.


    What do you mean by that comment? I have it installed on both my laptop and my main PC and I have yet to have any problems with it.

    It keeps me invisible on the net so it does me fine.


    If it is so crap can you recommend a good firewall that is as easy to use and set up as ZoneAlarm and that doesn't remind you every 30 secs that you have been port scanned. :mad:


  • Registered Users, Registered Users 2 Posts: 2,425 ✭✭✭Fidelis


    Originally posted by dogs
    Eh from your screenshot it's one or two packets per host. Although there's probably quite a few machines it's still not exactly a flood. I think you just have to accept that there'll always be "background noise"
    Well I dunno, maybe the data in the screenshot doesn't show enough but it's a little more than background noise. Out of 4Kbps being downloaded, at least 2k appears to be in use by something other than any of the programs I'm in control of. I've never noticed anything like this before, have to say it pretty much sucks.

