Continuous attack of 80.82.78.166 blocked by MBAM

Today I got an inbound malware site connection again (the first one is from a previous post where I asked if img.58cdn.com is an FP, which was proved not to be). This is the same dialogue Malwarebytes gives me.

Domain: IP: 80.82.78.166 Port: 1900 Type: Inbound Process: C:\Windows\System32\svchost.exe
It is not an outgoing one (which may be malware ads) and I started to worry about this when I noticed that the only process I am running is just Firefox (I am on YouTube watching an 18-minute video and at the 2nd minute this popped up).

Anyway, here is something I found which makes me worry even more about a possible infection:
On 2014/9/30, 9:16:41 pm, Malicious Website Protection, IP, 185.11.145.223, 1900, Inbound, C:\Windows\System32\svchost.exe
On 2014/9/30, 9:16:41 pm, Malicious Website Protection, IP, 185.11.145.223, 1900, Inbound, C:\Windows\System32\svchost.exe
On 2014/9/30, 9:37:12 pm, Malicious Website Protection, IP, 89.248.168.46, 1900, Inbound, C:\Windows\System32\svchost.exe
On 2014/9/30, 9:37:12 pm, Malicious Website Protection, IP, 89.248.168.46, 1900, Inbound, C:\Windows\System32\svchost.exe
On 2014/9/30, 9:57:27 pm, Malicious Website Protection, IP, 185.11.145.223, 1900, Inbound, C:\Windows\System32\svchost.exe
I was not aware of these because Malwarebytes did not give me a popup. Am I infected?

Good day…

https://forum.avast.com/index.php?topic=53253.0

Attach FRST, Addition and aswMBR (WIN 7 ONLY!!)

1st IP Address: http://urlquery.net/report.php?id=1412350194327

Clean, VT reports clean as well

2nd IP Address: http://urlquery.net/report.php?id=1412350451775
https://www.virustotal.com/en/url/c1637bab3bbcb5e43477f427eedc8269fe11473862bf686094c4bbc74a03171b/analysis/1412350349/

Malicious, in nature…

2 level 2 severity in nature. There appears to be nothing except test pages…

Go to VirusTotal and go to the following directory: C:\Windows\System32\svchost.exe. Scan it; if it has already been scanned before, reanalyse it. Post back the results in addition to FRST. Then I will fetch someone for you to assist you.

Log attached.

svchost looks clean https://www.virustotal.com/zh-tw/file/121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2/analysis/1412351507/

80.82.78.166 doesn’t look good. I remember pondus said it is blacklisted by apews.org.

Can you attach FRST and Addition + the scan results of the svchost.exe file?

I don't find anything to support that the 1st IP address is clean when I try to search on APEWS.org.

Oooops 185.11.145.123 is currently listed in APEWS :-( Entry matching your Query: E-1336658 185.8.0.0/13 CASE: C-131 Unallocated CIDR, no traffic until allocated, or allocated to bad reputation provider or allocated but dynamic / generically named IPs, or bogons, see www.cidr-report.org, or orphaned IP / CIDR in routing table History: Entry created 2014-03-28
Can you attach FRST and Addition + the scan results of the svchost.exe file?
See post #3.

Let us also go over this IP scan result: http://reputation.alienvault.com/reputation.generic
→ 80.82.78.166 # Malicious Host NL,52.5,5.75 → http://myip.ms/info/whois/80.82.78.166
See recent reports on IP: http://urlquery.net/report.php?id=1412354584163
Server vulnerabilities for Apache/2.2.22 (Debian)
http://www.cvedetails.com/vulnerability-list/vendor_id-23/cvssscoremin-4/cvssscoremax-4.99/Debian.html

<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
</body></html>

Server is functioning as OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0) via port 22

iPillion has the information you are searching for: http://www.ipillion.com/ip/80.82.78.166

5 days ago: port 1900, Inbound, C:\Windows\System32\svchost.exe - in Firewall Alert
"Malwarebytes Anti-Malware

Detection, 28-9-2014 1:52:54, SYSTEM, ???-PC, Protection, Malicious Website Protection, IP, 80.82.78.166, 1900, Inbound, C:\Windows\System32\svchost.exe
Random attacks from multiple Netherlands Amsterdam Ecatel Ltd addresses"

Read: http://www.purdue.edu/securepurdue/news/2014/advisory--ssdp-vulnerability.cfm
and here: http://forums.cnet.com/7723-6122_102-409615/udp-port-1900-15-times-a-minute/

polonus
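Added example (not from this thread or from Malwarebytes): a small Python triage script over constructed log lines in the format quoted above. It separates inbound UDP/1900 (SSDP) hits blocked at svchost.exe from outbound blocks initiated by a local process, and counts hits per remote address and port. The outbound "Domain" line, its domain name and the firefox.exe path in the sample are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of Malwarebytes Anti-Malware's Malicious Website Protection
# log, modelled on the thread's entries. The last (Domain/Outbound) line is an assumed browser block.
SAMPLE_LOG = """\
On 2014/9/30, 9:16:41 pm, Malicious Website Protection, IP, 185.11.145.223, 1900, Inbound, C:\\Windows\\System32\\svchost.exe
On 2014/9/30, 9:16:41 pm, Malicious Website Protection, IP, 185.11.145.223, 1900, Inbound, C:\\Windows\\System32\\svchost.exe
On 2014/9/30, 9:37:12 pm, Malicious Website Protection, IP, 89.248.168.46, 1900, Inbound, C:\\Windows\\System32\\svchost.exe
On 2014/9/30, 9:57:27 pm, Malicious Website Protection, IP, 185.11.145.223, 1900, Inbound, C:\\Windows\\System32\\svchost.exe
On 2014/9/30, 10:02:05 pm, Malicious Website Protection, Domain, ads.example.invalid, 80, Outbound, C:\\Program Files\\Mozilla Firefox\\firefox.exe
"""

LINE_RE = re.compile(
    r"^On (?P<date>[^,]+), (?P<time>[^,]+), Malicious Website Protection, "
    r"(?P<kind>IP|Domain), (?P<target>[^,]+), (?P<port>\d+), "
    r"(?P<direction>Inbound|Outbound), (?P<process>.+)$"
)

def parse_log(text):
    """Parse protection-log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["port"] = int(e["port"])
            entries.append(e)
    return entries

def classify(entry):
    """Triage label: who initiated the blocked traffic and what it hit."""
    proc = entry["process"].lower()
    if entry["direction"] == "Inbound" and entry["port"] == 1900 and proc.endswith("svchost.exe"):
        # UDP/1900 is SSDP; Windows runs the SSDP Discovery service inside svchost.exe, so an
        # inbound hit is an unsolicited probe of that listener, not traffic the PC started.
        return "inbound-ssdp-probe"
    if entry["direction"] == "Outbound":
        return "outbound-block"  # a local process (e.g. the browser) reached a blocked site
    return "inbound-other"

def summarize(entries):
    """Group blocks by (remote, port, direction, label) with a count and first/last time."""
    summary = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for e in entries:
        s = summary[(e["target"], e["port"], e["direction"], classify(e))]
        s["count"] += 1
        when = f'{e["date"]} {e["time"]}'
        s["first"] = s["first"] or when
        s["last"] = when
    return dict(summary)
```

Inbound probes of this kind are already stopped by the block itself; if the host does not need UPnP discovery, stopping the SSDP Discovery service or filtering UDP/1900 at the perimeter removes the listener they are aimed at.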

So it is Plug & Play related. But why did Malwarebytes only begin blocking these IPs a few weeks ago? I was not getting these malicious website connections before.

This is the one feature of MBAM that I don’t like, as it bundles more categories under the category of Malicious websites. For me that should be only known malicious, not other categories.

Like other security based applications they will be constantly updating their virus databases and in the case of MBAM their malicious sites list. This is why you can suddenly find a site, etc. being detected when it wasn’t previously.

Since it is related to Malwarebytes, I would suggest the Malwarebytes forum.

This may explain it https://blog.malwarebytes.org/development/2013/05/oh-the-sites-you-will-never-see/

But am I safe without MBAM blocking it (it says my trial expires within 14 hours)?

On 2014/9/30, 9:16:41 pm, Malicious Website Protection, IP, 185.11.145.223, 1900, Inbound, C:\Windows\System32\svchost.exe
On 2014/9/30, 9:16:41 pm, Malicious Website Protection, IP, 185.11.145.223, 1900, Inbound, C:\Windows\System32\svchost.exe
On 2014/9/30, 9:37:12 pm, Malicious Website Protection, IP, 89.248.168.46, 1900, Inbound, C:\Windows\System32\svchost.exe
On 2014/9/30, 9:37:12 pm, Malicious Website Protection, IP, 89.248.168.46, 1900, Inbound, C:\Windows\System32\svchost.exe
On 2014/9/30, 9:57:27 pm, Malicious Website Protection, IP, 185.11.145.223, 1900, Inbound, C:\Windows\System32\svchost.exe
I am not aware of this because malwarebyte does not give me a popup.

185.11.145.223 https://www.virustotal.com/en/ip-address/185.11.145.223/information/
89.248.168.46 https://www.virustotal.com/en/ip-address/89.248.168.46/information/

Something isn’t correct. I see paypal and ebay. I never use ebay and I won’t even pay via paypal either.

What site are you on when you see this block?

I don't know what site I was on at that time. I didn't get any popup from MBAM when it blocked the connection. Looking at the time, I probably was on YouTube at that time.
paypal-inc.de looks like it is from Germany, but I have not gone to any German website.

paypal-inc.de looks like it is from Germany, but I have not gone to any German website.
Did you read the info from malwarebytes blog that i posted above?

Of course I have read that blog, but these are connections from outside and not caused by malvertising. I know it because often there is an error popup and the small banner ad at the bottom of the YouTube video is not showing. The popup from MBAM I got in the first post came about 1 minute after the ad error showed.
MBAM has blocked malware ads on my computer before, but all entries related to ads being blocked are outgoing connections made by the browser, and I can see the domain name in the popup.

The best place to get the answer would be in the Malwarebytes forum.
https://forums.malwarebytes.org