inbound alert

Discussion in 'ESET Smart Security' started by osip, Apr 8, 2008.

Thread Status:
Not open for further replies.
  1. osip

    osip Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    610
    Getting this...

    inbound.png

    Deny or allow?
     
  2. osip

    osip Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    610
    Well, well... this was a real surprise!
    whois.png

    I thought it could be legit... port 1027...
     
  3. viruscraft

    viruscraft Registered Member

    Joined:
    Sep 22, 2007
    Posts:
    114
    Wow, I have got further information for you.

    The ISP of this IP is china-netcom, and the user is in Heilongjiang province, which is located in the northeast of China.

    Well, does that appear after you opened an application?
     
  4. osip

    osip Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    610
    Thanks for bothering... No, it seems to appear randomly... noticed it earlier, denied it thinking it has to do with Windows Update or time synchronisation... Also, I'm running BD IS on another FDISR snapshot and there are no alerts of this type... With ESS I have seen it several times... If an app is behind this I have to figure it out; in an instant I can't say... (Shouldn't I also have an outbound alert from the firewall flagging the app if this is the case?)
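    The check the poster is asking about (is a local program behind the inbound connection to port 1027?) can be made from the output of `netstat -ano` and `tasklist /svc`, which both exist on Windows XP. The script below is an added example written for this thread, not code from the poster or from ESET: it parses constructed sample output of those two commands (the PIDs, service names and addresses in the samples are assumptions, not the poster's machine) and reports which process and Windows service own the port named in the alert. If no listener is found, the packet was an unsolicited probe that nothing on the machine would have answered; if a listener is found, the owning service is what the remote host was reaching for, and denying unsolicited Internet traffic to it remains the right call.

```python
"""Map the destination port of an inbound firewall alert to its local owner.

Added example for the thread above. NETSTAT_SAMPLE and TASKLIST_SAMPLE are
constructed to mimic `netstat -ano` and `tasklist /svc` on Windows XP; they
are not real output from the poster's machine. Run collect_live() on a
Windows host to analyse the real thing instead.
"""
import platform
import re
import subprocess
from typing import Dict, List, Optional

NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1032
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING       1104
  TCP    192.168.1.5:1390       10.0.0.2:80            ESTABLISHED     2216
  UDP    0.0.0.0:1026           *:*                                    1104
  UDP    0.0.0.0:4500           *:*                                    712
"""

TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                   1032 RpcSs
svchost.exe                   1104 DcomLaunch,
                                   TermService
lsass.exe                      712 PolicyAgent, ProtectedStorage, SamSs
firefox.exe                   2216 N/A
"""


def parse_netstat(text: str) -> List[Dict]:
    """Return one dict per socket row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        # TCP rows carry a State column, UDP rows do not; the PID is always last.
        state = parts[3] if proto == "TCP" and len(parts) >= 5 else ""
        host, _, port = local.rpartition(":")  # also handles [::]:135
        rows.append({"proto": proto, "host": host, "port": int(port),
                     "foreign": foreign, "state": state, "pid": int(parts[-1])})
    return rows


def parse_tasklist(text: str) -> Dict[int, Dict]:
    """Return {pid: {"image": ..., "services": [...]}} from `tasklist /svc`.

    Long service lists wrap onto indented continuation lines, which are
    appended to the previously parsed process.
    """
    procs: Dict[int, Dict] = {}
    last_pid: Optional[int] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.*)$", line.rstrip())
        if m:
            last_pid = int(m.group(2))
            procs[last_pid] = {"image": m.group(1), "services": []}
            svc_text = m.group(3)
        elif line.startswith(" ") and last_pid is not None:
            svc_text = line.strip()  # continuation of the previous row
        else:
            continue  # column header or separator line
        procs[last_pid]["services"] += [
            s.strip() for s in svc_text.split(",") if s.strip() and s.strip() != "N/A"]
    return procs


def who_owns_port(port: int, netstat_text: str, tasklist_text: str) -> List[Dict]:
    """Listeners (or bound UDP sockets) on `port`, joined with their process."""
    procs = parse_tasklist(tasklist_text)
    owners = []
    for row in parse_netstat(netstat_text):
        if row["port"] != port or row["state"] not in ("LISTENING", ""):
            continue
        proc = procs.get(row["pid"], {"image": "<unknown>", "services": []})
        owners.append({**row, "image": proc["image"], "services": proc["services"]})
    return owners


def verdict(port: int, netstat_text: str, tasklist_text: str) -> str:
    """One-line reading of the alert, suitable for deciding deny/allow."""
    owners = who_owns_port(port, netstat_text, tasklist_text)
    if not owners:
        return "no local listener on port %d: unsolicited probe, deny" % port
    names = ", ".join("%s[%d] (%s)" % (o["image"], o["pid"],
                      ", ".join(o["services"]) or "no service") for o in owners)
    return "port %d is owned by %s: unsolicited Internet traffic, deny" % (port, names)


def collect_live(port: int) -> str:
    """Run the real commands; only meaningful on a Windows host."""
    if platform.system() != "Windows":
        raise RuntimeError("netstat -ano / tasklist /svc are Windows commands")
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    tl = subprocess.run(["tasklist", "/svc"], capture_output=True, text=True).stdout
    return verdict(port, ns, tl)


if __name__ == "__main__":
    for p in (1027, 1026, 9999):
        print(verdict(p, NETSTAT_SAMPLE, TASKLIST_SAMPLE))
```

    In the sample, port 1027 is a TCP listener held by an svchost.exe instance hosting DcomLaunch and TermService, so a remote host connecting there is reaching a Windows service rather than a user application, which is why no outbound alert for a third-party program would be expected. Whether the real machine matches is exactly what running the two commands on it would show.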
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please send a log from ESET SysInspector to support[at]eset.com with this thread's url enclosed. We'll analyse it and let you know if we find something suspicious.
     
  6. osip

    osip Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    610
    Thanks Marcos! Done... (forgot the thread URL though, but mentioned Wilders and you...)
     
  7. viruscraft

    viruscraft Registered Member

    Joined:
    Sep 22, 2007
    Posts:
    114
    You're welcome, mate.

    According to your situation, it is wise to deny it.

    It looks like a hacker attack or something malicious.
     
  8. osip

    osip Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    610
    I suspect a hacker attack on svchost... Will see after the SysInspector log analysis.
     
  9. osip

    osip Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    610
    Got an answer from ESET support: not able to find anything suspicious in your log...

    The IP address seems malicious but was stopped in interactive mode. I take for granted that it would have been denied automatically in automatic mode... or?
     
  10. osip

    osip Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    610
    After the alert and the analysis with 0 result, and still suspecting something nasty with svchost, I installed Trojan Remover and ran a scan, which came up with this:
    trjscan1.png
    trjlog.png

    If this was the reason for the alert I have to underline that the ESS firewall was the only one which made me aware of this... (I'm also trying BD IS 2008 on another FDISR snapshot, same picture but no alert.)
     
  11. mayt

    mayt Eset Staff Account

    Joined:
    Mar 12, 2007
    Posts:
    84
    Location:
    Bratislava
    It would.
     