Author Topic: ISP Thinks I Might Have a Bug  (Read 3905 times)


Offline WeatherHost

  • Forecaster
  • *****
  • Posts: 3644
ISP Thinks I Might Have a Bug
« on: March 27, 2012, 05:03:46 PM »
I'm not so sure, but I can't interpret these things:

Mar 27 14:44:41 user alert kernel: Intrusion -> IN=ppp0 OUT= MAC= SRC=80.99.16.55 DST=NN.NN.NNN.NN LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=19575 DF PROTO=TCP SPT=4047 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0  
Mar 27 14:44:44 user alert kernel: Intrusion -> IN=ppp0 OUT= MAC= SRC=80.99.16.55 DST=NN.NN.NNN.NN LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=19988 DF PROTO=TCP SPT=4047 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0  
Mar 27 14:48:51 user alert kernel: Intrusion -> IN=ppp0 OUT= MAC= SRC=221.206.124.19 DST=NN.NN.NNN.NN LEN=40 TOS=0x00 PREC=0x00 TTL=96 ID=256 PROTO=TCP SPT=6000 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0  
Mar 27 14:59:20 user alert kernel: Intrusion -> IN=ppp0 OUT= MAC= SRC=175.41.179.143 DST=NN.NN.NNN.NN LEN=40 TOS=0x00 PREC=0x00 TTL=232 ID=63843 DF PROTO=TCP SPT=42388 DPT=27977 WINDOW=512 RES=0x00 SYN URGP=0  
Mar 27 15:10:37 user alert kernel: Intrusion -> IN=ppp0 OUT= MAC= SRC=178.45.1.85 DST=NN.NN.NNN.NN LEN=48 TOS=0x00 PREC=0x00 TTL=100 ID=27693 DF PROTO=TCP SPT=13836 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0  

MSE and MWBytes have never indicated anything, but I have a Full Scan running at the moment.

(NN.NN.NNN.NN is my edit masking the IP address)




Offline Bushman

  • Forecaster
  • *****
  • Posts: 7549
    • Eagle Bay Weather
Re: ISP Thinks I Might Have a Bug
« Reply #1 on: March 27, 2012, 05:18:01 PM »
Interesting IP address locations in your log (Russia, Hungary etc.)
Need low cost IP monitoring?  http://wirelesstag.net/wta.aspx?link=NisJxz6FhUa4V67/cwCRWA or PM me for 50% off Wirelesstags!!

Offline mackbig

  • Forecaster
  • *****
  • Posts: 4128
    • Mackie's Main Street, Unionville, ON Canada Weather
Re: ISP Thinks I Might Have a Bug
« Reply #2 on: March 27, 2012, 08:19:28 PM »
China too. Plus the dreaded amazon.com.

Aside from the amazon, scary list.

Andrew

Quote from: Bushman on March 27, 2012, 05:18:01 PM
Interesting IP address locations in your log (Russia, Hungary etc.)

Andrew - Davis VP2+ 6163, serial weatherlink, wireless anemometer, running Weather Display.  Boltek PCI Stormtracker, Astrogenic Nexstorm, Strikestar - UNI, CWOP CW8618, GrLevel3, (Station 2 OS WMR968, VWS 13.01p09), Windows 7-64

Offline Bushman

  • Forecaster
  • *****
  • Posts: 7549
    • Eagle Bay Weather
Re: ISP Thinks I Might Have a Bug
« Reply #3 on: March 27, 2012, 10:21:01 PM »
If I were you I would restart in SAFE mode and install Malwarebytes AM software and see what gives.

Offline WeatherHost

  • Forecaster
  • *****
  • Posts: 3644
Re: ISP Thinks I Might Have a Bug
« Reply #4 on: March 27, 2012, 11:07:56 PM »
Full scans with MSE, Malwarebytes and Avira are all negative.

Avira blocked access to GR3 though until I figured out how to exclude it.


Offline Randall Kayfes

  • Weather - Photography - Astronomy - Computer Admin
  • Forecaster
  • *****
  • Posts: 1946
    • Arizona Kaymann
Re: ISP Thinks I Might Have a Bug
« Reply #5 on: March 29, 2012, 11:43:40 PM »
I am not going to debate this any further than to say I do this every day, at a minimum a dozen times a day, and MSE is the lowest rated AV software out there among computer techs like myself.



Offline saratogaWX

  • Administrator
  • Forecaster
  • *****
  • Posts: 9014
  • Saratoga, CA, USA Weather - free PHP scripts
    • Saratoga-Weather.org
Re: ISP Thinks I Might Have a Bug
« Reply #6 on: March 30, 2012, 01:45:18 AM »
I don't think the listed logs are indicative of a virus on your pc .. on the contrary, they are 'door knocker' attempts (that are likely blocked by your firewall).  The DPT (destination port) of 445 is a Windows SMB connection attempt (fileshare attempt).
Lots of scanners around the internet are looking for un-firewalled Windows systems (http://www.dshield.org/port.html?port=445).
Likewise for port 3306 (http://www.dshield.org/port.html?port=3306), which is a MySQL connection port,
and the high port of 27977 (http://www.dshield.org/port.html?port=27977), which is likely a TDSS open proxy port.

I'd be interested in the source of the log (firewall IDS?) and even more interested in understanding how your ISP came to the conclusion that your system was at fault .. these are external connection attempts to your IP address, not a sign of virus 'infection'.  It's no wonder your scan of the local system turned up nothing.

You can check to see if anyone has reported malicious outbound traffic from your IP address at www.dshield.org .. I'm guessing that there is none :)

Best regards,
Ken
Ken True/Saratoga, CA, USA main site: saratoga-weather.org
Davis VP1+ FARS, Blitzortung RED, GRLevel3, WD, WL, VWS, Cumulus, Meteobridge
Free weather PHP scripts/website templates - update notifications on Twitter saratogaWXPHP
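As an added example (not code from the thread or from any of its posters), here is a small Python triage script for router log lines in this format. It parses the netfilter-style key=value fields, uses the IN/OUT interface fields to separate inbound door-knocks from anything a LAN host originated, and annotates the three ports Ken explains above. The first three sample lines are taken from the original post; the fourth (SRC=192.168.1.10) is constructed to show what an outbound hit would look like.

```python
import re
from collections import Counter
# Destination ports named in reply #6 and what they usually indicate.
PORT_NOTES = {445: "Windows SMB file sharing", 3306: "MySQL",
              27977: "TDSS open proxy (per DShield)"}
# Three lines from the thread plus one CONSTRUCTED outbound line (SRC=192.168.1.10,
# not in the original log) added to show what a LAN-originated hit would look like.
SAMPLE_LOG = """\
Mar 27 14:44:41 user alert kernel: Intrusion -> IN=ppp0 OUT= MAC= SRC=80.99.16.55 DST=NN.NN.NNN.NN LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=19575 DF PROTO=TCP SPT=4047 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 27 14:48:51 user alert kernel: Intrusion -> IN=ppp0 OUT= MAC= SRC=221.206.124.19 DST=NN.NN.NNN.NN LEN=40 TOS=0x00 PREC=0x00 TTL=96 ID=256 PROTO=TCP SPT=6000 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 27 14:59:20 user alert kernel: Intrusion -> IN=ppp0 OUT= MAC= SRC=175.41.179.143 DST=NN.NN.NNN.NN LEN=40 TOS=0x00 PREC=0x00 TTL=232 ID=63843 DF PROTO=TCP SPT=42388 DPT=27977 WINDOW=512 RES=0x00 SYN URGP=0
Mar 27 15:02:10 user alert kernel: Intrusion -> IN= OUT=ppp0 MAC= SRC=192.168.1.10 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=49152 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
"""
# Syslog timestamp, anything up to the "Intrusion ->" marker, then key=value tokens.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?Intrusion -> (?P<body>.*)$")

def parse_line(line):
    """Fields of one Intrusion line as a dict, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "flags": []}
    for tok in m.group("body").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val            # 'OUT=' and 'MAC=' yield empty strings
        else:
            rec["flags"].append(tok)  # bare tokens: DF, SYN, ACK, ...
    return rec
def direction(rec):
    """IN set and OUT empty means the packet arrived from the WAN side."""
    if rec.get("IN") and not rec.get("OUT"):
        return "inbound"
    return "outbound" if rec.get("OUT") and not rec.get("IN") else "forwarded"
def triage(log_text):
    """Annotate each TCP hit with direction, SYN-only status and port meaning."""
    hits = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec.get("PROTO") != "TCP":
            continue
        dpt = int(rec["DPT"])
        hits.append({"ts": rec["ts"], "src": rec["SRC"], "dpt": dpt,
                     "direction": direction(rec),
                     "syn_only": "SYN" in rec["flags"] and "ACK" not in rec["flags"],
                     "note": PORT_NOTES.get(dpt, "unlisted port")})
    return hits
def outbound_sources(hits):  # LAN hosts originating blocked traffic: worth scanning
    return {h["src"] for h in hits if h["direction"] == "outbound"}

def inbound_port_counts(hits):  # which ports outsiders knocked on, and how often
    return Counter(h["dpt"] for h in hits if h["direction"] == "inbound")
```

An empty `outbound_sources()` result over the real log is the quickest way to confirm Ken's reading: every hit came in on ppp0 and nothing on the LAN side was the originator.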

Offline WeatherHost

  • Forecaster
  • *****
  • Posts: 3644
Re: ISP Thinks I Might Have a Bug
« Reply #7 on: March 30, 2012, 06:44:24 PM »
Quote from: saratogaWX on March 30, 2012, 01:45:18 AM
I'd be interested in the source of the log (firewall IDS?)

Quote from: saratogaWX on March 30, 2012, 01:45:18 AM
and even more interested in understanding how your ISP came to the conclusion that your system was at fault .. these are external connection attempts to your IP address, not a sign of virus 'infection'.

They are the Modem/Router System Logs from within the Admin console.  Modem is a Sagem 1704.

Dunno.  I guess they were fishing for answers.

Browsing will just stop for no reason.  Going along fine, click a page to reload (usually a VBB forum) and nothing happens.  No browser will load a page, GR3 won't fetch, nothing.  But I can ping from a Command Prompt.

Reboot the modem and all is well for a while.



Offline Bushman

  • Forecaster
  • *****
  • Posts: 7549
    • Eagle Bay Weather
Re: ISP Thinks I Might Have a Bug
« Reply #8 on: March 30, 2012, 06:53:44 PM »
You have to start your systems in SAFE mode for your AV/AM stuff to work.

Offline saratogaWX

  • Administrator
  • Forecaster
  • *****
  • Posts: 9014
  • Saratoga, CA, USA Weather - free PHP scripts
    • Saratoga-Weather.org
Re: ISP Thinks I Might Have a Bug
« Reply #9 on: March 30, 2012, 07:36:13 PM »
Quote from: WeatherHost on March 30, 2012, 06:44:24 PM
Quote from: saratogaWX on March 30, 2012, 01:45:18 AM
I'd be interested in the source of the log (firewall IDS?)

Quote from: saratogaWX on March 30, 2012, 01:45:18 AM
and even more interested in understanding how your ISP came to the conclusion that your system was at fault .. these are external connection attempts to your IP address, not a sign of virus 'infection'.

They are the Modem/Router System Logs from within the Admin console.  Modem is a Sagem 1704.

Dunno.  I guess they were fishing for answers.

Browsing will just stop for no reason.  Going along fine, click a page to reload (usually a VBB forum) and nothing happens.  No browser will load a page, GR3 won't fetch, nothing.  But I can ping from a Command Prompt.

Reboot the modem and all is well for a while.

I did a lookup on your Sagem 1704 and found it's a combination modem/firewall router/LAN NAT service provider.

The symptoms of 'Browsing stops, nothing fetches' when fixed by a modem reboot indicates the issue is with the Sagem 1704 losing connectivity to the internet (or internally freezing up) so packets no longer pass.  I'd suggest you contact tech support for the Sagem 1704 and tell them the system is locking up -- they may suggest a firmware update to their current release.

Offline WeatherHost

  • Forecaster
  • *****
  • Posts: 3644
Re: ISP Thinks I Might Have a Bug
« Reply #10 on: March 31, 2012, 06:38:21 AM »
ISP pushed updated firmware to the modem the other day with no change.

Odd thing is, this really only seems to happen on a couple of VBulletin Forums.  I'm wondering if there is some kind of scripting issue that confuses the modem somehow.
