DoS attack = ISP saying it's on my side. Help? [OTL + MBAM + MBR logs]

Hi Avasters!

I recently switched ISPs. Before now I've had little or no DoS or port scans, but since switching to a new host I've had over 100 attacks, from all over the place.

My ISP, when confronted with these logs, told me it's my equipment causing the problems. These attacks have brought the modem down since joining this ISP; I've switched IPs multiple times, around 30-40 times, with only a couple of the IPs showing a few DoS attacks.

173.236.193.163:80 x2 (Dreamhost)
199.59.163.68:80 x30 (this one's been attacking over a couple of days on different IPs)
81.94.200.139:25565 x1
69.171.235.16:443 x20
213.199.179.144:40044 x1
78.141.179.18:12350 x2

Hopefully someone will know why this is happening. I have run an MBAM recently with no negative results.
If anyone can help me figure this out that would be wonderful!
Thanks
Oliver

Running some background checks on the IP in Lux seems to show that the range is being misused. (ending in .18)

You can have a malware check?

Follow this guide and attach the logs…not copy and paste. http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

When done, the removal experts will be notified and check your logs…

Find attached the MBAM log + OTL + MBR

Also can I now uninstall OTL? (I guess it's just a running-only EXE and only runs when you run the exe.)

In addition MBR left a file called MBR.dat (can I delete this now that the scan is over?)

Not yet, if the removal expert sees anything that needs to be removed he will use OTL.
He will remove all tools when done…

Will they need remote access to the machine or can it be done userside?

Thanks

Nope…he just gives you some instructions.
Usually he creates a fix based on the OTL log; when the fix is run in OTL it instructs OTL to do some commands.
If you search some of the topics in this section you can see how Essexboy does it.
Note that he is a trained and certified malware remover…and teacher over at the Geeks to Go forum.

Awesome, thanks Pondus! I look forward to seeing if anything interesting shows up. I've had a look myself and I've not seen anything abnormal, so hopefully it's just this ISP.

Essexboy is notified; if lucky he has not gone to bed yet.
If he does not show within an hour I guess you have to wait until tomorrow.

Ah OK (thanks for notifying Essexboy :D), I look forward to figuring out what the OTL logs say, it should be interesting!

I've contacted one of the IPs in question, who responded saying:

  1. They are not causing the problems.
  2. If I paid them they would fix the issue.

I must admit it sounds pretty strange from a company which should be taking this seriously. I've not reached back out to them.

Oliver

Here are some additional IPs which are attacking today.

109.201.133.65 x1
67.227.200.203 x1

Both attacks on port 80.

Are you on a static IP? Or does it change every time you log on?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  1. Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
@Alternate Data Stream - 994 bytes -> C:\Users\Oliver\AppData\Local\Temp:X02gGPI7EmhUVHobjK4u6XhMubHP

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  2. Then click the Run Fix button at the top.
  3. Let the program run unhindered, reboot the PC when it is done.
  4. Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Hi Essexboy,

Yeah we are on a dynamic IP.

Here are some more recent attacks

178.217.186.109:7777 x3
111.221.77.143:40015 x2


There should be an OTL extras text file with the standard OTL one; could you attach that, as it will show me your ports?

Certainly! (Here's one from the scan last night.)

Hi Essexboy,
Since last posting we have had an additional attack.
In addition we have had an additional attack:

84.93.233.34:44300 x2

The IPs resolve to virtually all parts of the globe, with a preponderance of them being European.

I would like to reset various net items next; this one may take a few minutes to run.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  1. Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Files
Netsh firewall reset /c
ipconfig /release /c
ipconfig /renew /c
ipconfig /flushdns /c
netsh winsock reset catalog /c
netsh int ip reset /c

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  2. Then click the Run Fix button at the top.
  3. Let the program run unhindered, reboot the PC when it is done.
  4. Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Hi, while running the test the following error occurred.

failed to create cmd.bat. 

Now it's stuck on killing processes (it's been like it for 10 mins, not sure if that's normal).

Hi essexboy,

The so-called IP attacks or repeated requests could have come from bitcoint dot org, like bitcointalk dot org etc.: http://myip.ms/info/whois/109.201.133.65/k/4080771760/website/bitcointalk.org
Does this ring some bell with the OP?

polonus