inbound alert

Discussion in 'ESET Smart Security' started by osip, Apr 8, 2008.

Thread Status:
Not open for further replies.
  1. osip

    osip Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    610
    Gettin this...

    inbound.png

    deny or allow ?
     
  2. osip

    osip Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    610
    well,well...this was a real surprise!
    whois.png

    I thought it could be legit...port 1027...
     
  3. viruscraft

    viruscraft Registered Member

    Joined:
    Sep 22, 2007
    Posts:
    114
    Wow,I have got further information for you.

    The ISP of this IP is china-netcom, and the user is in Heilongjiang province which located in northeast of China.

    Well,Is that appears after you opened an applications?
     
  4. osip

    osip Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    610
    Thx for bothering...No, it sems to appear randomly...noticed it earlier, denied it thinking it has to do with win update or time synchro...Also, I´m running BD IS on another FDISR snapshot and there no alerts of this type...With ESS I have seen it several times...If an app is behind this I have to figure it out, in an instant can´t say...( should´ nt I also have an outbound alert from the fw flagging the app if this is the case ?)
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,408
    Please send a log from ESET SysInspector to support[at]eset.com with this thread's url enclosed. We'll analyse it and let you know if we find something suspicious.
     
  6. osip

    osip Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    610
    Tnx Marcos ! Done...(forgot the thread url though, but mentioned wilder´s and you...)
     
  7. viruscraft

    viruscraft Registered Member

    Joined:
    Sep 22, 2007
    Posts:
    114

    U r welcome,mate.

    According to your situation, it is wise to denied it.

    It looks like a hacker attack or something malicious.
     
  8. osip

    osip Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    610
    I suspect a hacker attack to scvchost...Will see after sysinspector.log analyze.
     
  9. osip

    osip Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    610
    Got answer from ESET support with : not able to find anything suspicious in your log...

    The ip adress seems malicious but was stopped in interactive mode. I take for granted that it would have been denied automatically in aut.mode...or ?
     
  10. osip

    osip Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    610
    After the alert and analyze with 0 result and still suspecting something nasty to svchost I installed Trojan remover and made a scan, came up with this:
    trjscan1.png
    trjlog.png


    If this was the reason for the alert I have to underline that ESS fw was the only one which made me aware of this...(I´m also trying BD IS 2008 on another FDISR snapshot, same picture but no alert)
     
  11. mayt

    mayt Eset Staff Account

    Joined:
    Mar 12, 2007
    Posts:
    84
    Location:
    Bratislava
    It would.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.