StrictlyDiesel

  1. Just an FYI, same problem here. ESET NOD32 4.2.40.0 and MBAM 1.7.0.1100. This problem did not exist a few days ago...which is when I updated MBAM to the newer version on 2 computers. Then last night Microsoft Update ran, rebooted the computers and they both locked up. When I disabled MBAM, they both fired right up. Other computers that are running the older version of MBAM have no problems. I can create a ticket if necessary...but this is obviously not a single computer issue. FWIW, one of my affected systems is Windows 7 64 bit and the other is Windows XP.
  2. 33 views and no input? I think I may have figured this out on my own. When the "incoming" items are added to the log file WHILE I'M CONNECTED VIA RPC AND CAN SEE THE POPUP BALLOON, the admin account shows in the log. If they come in while I'm not logged in via RPC, they show as "null". If there is a different reason for the way these have shown up, I'd like to know...otherwise that seems to be the pattern.
  3. I just need a quick log file question answered. I've got the following in my protection log:

       11:53:28 AdminAccount MESSAGE Protection started successfully
       11:53:32 AdminAccount MESSAGE IP Protection started successfully
       11:59:24 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       11:59:24 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       11:59:32 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       11:59:32 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       11:59:40 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       11:59:56 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       12:09:26 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       12:09:26 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       12:09:34 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       12:19:45 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       12:19:45 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       12:19:45 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       12:19:53 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       12:20:01 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       12:20:17 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       12:30:35 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       12:30:35 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       12:30:35 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       12:40:53 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       12:40:53 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       12:40:53 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       12:41:01 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       12:41:09 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       12:41:25 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       12:51:35 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       12:51:35 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       12:51:35 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       12:51:43 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       12:51:51 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       14:00:43 AdminAccount MESSAGE Protection started successfully
       14:00:48 AdminAccount MESSAGE IP Protection started successfully
       14:02:15 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       14:02:23 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       14:02:23 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       14:05:19 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       14:05:19 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       14:05:27 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       14:26:27 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       14:26:27 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       14:26:27 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       14:34:27 AdminAccount IP-BLOCK 31.214.169.124 (Type: incoming, Port: 80)
       14:34:36 AdminAccount IP-BLOCK 31.214.169.124 (Type: incoming, Port: 80)
       14:34:36 AdminAccount IP-BLOCK 31.214.169.124 (Type: incoming, Port: 80)
       14:35:00 AdminAccount IP-BLOCK 31.214.169.124 (Type: incoming, Port: 80)
       14:35:00 AdminAccount IP-BLOCK 31.214.169.124 (Type: incoming, Port: 80)
       14:35:08 AdminAccount IP-BLOCK 31.214.169.124 (Type: incoming, Port: 80)
       14:35:40 AdminAccount IP-BLOCK 31.214.169.124 (Type: incoming, Port: 80)
       14:35:40 AdminAccount IP-BLOCK 31.214.169.124 (Type: incoming, Port: 80)
       14:35:48 (null) IP-BLOCK 31.214.169.124 (Type: incoming, Port: 80)
       14:37:32 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       14:37:32 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       14:37:32 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       14:38:52 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       14:38:52 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       14:38:52 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       15:08:41 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       15:08:41 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
       15:08:42 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

     These are all INCOMING, one IP is in Ukraine and the other in Germany. I just need a quick explanation of 2 things:

     1. Most of them have my admin account listed (I renamed it for the example above)...is that because there is actually some kind of attack that is attempting to use that account (which means that somehow they figured out the admin account name)...or is it because the IIS service is running under that account and the access is coming from port 80?

     2. What does it mean when it has NULL instead of an account listed?

     Considering that these are all incoming and the server is online right now, I'm thinking that I don't have an active infection, just active attempts. We did have (4) "infected" files in our vBulletin forum earlier today (PHP/Webshell.NAG Trojan), but from what I'm reading of that particular issue, deleting the files and re-uploading from the originals cures it. We've deleted the files that were an issue, uploaded a new file set, but will not be putting the site live again until I'm confident we've taken every precaution to prevent it going forward. Our AntiVirus detected and quarantined the trojan, and subsequent AV and MBAM scans have revealed no further issues. So...am I likely correct in that these are just attempts to access...or is there something above that should cause me to look further? I couldn't find any kind of "how to read the log file" FAQ that explained the columns and answered my questions...and couldn't find anything with search. Sorry if this is already covered somewhere. THANK YOU!!!!!!!!!!!
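The question in the post above is really "how do I read the columns of this log, and which entries deserve a closer look". A small parser that splits each line into time, account, event and (for IP-BLOCK) remote IP, direction and port, then tallies blocks per remote IP and per logged account, answers that more reliably than eyeballing a wall of repeated lines. The example below is added here and is not Malwarebytes' tooling or the poster's code; it assumes only the line layout visible in the quoted log ("HH:MM:SS <account-or-(null)> <event> <details>"). The sample input reuses a handful of lines from the post plus one constructed non-matching line, so that unparsed input is reported rather than silently dropped. It also separates outgoing blocks from incoming ones, since an outbound block is the entry that would actually point at something on the host reaching out, whereas every line in the post is inbound and therefore consistent with the poster's reading of "attempts, not infection".

```python
"""Summarise Malwarebytes-style protection-log lines (added example).

Assumed format, taken from the log quoted in the post:
    HH:MM:SS <account | (null)> <MESSAGE | IP-BLOCK> <details>
where IP-BLOCK details look like "<ip> (Type: incoming, Port: 80)".
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<account>\(null\)|\S+)\s+"
    r"(?P<event>MESSAGE|IP-BLOCK)\s+"
    r"(?P<rest>.*)$"
)
BLOCK_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"\(Type:\s*(?P<direction>\w+),\s*Port:\s*(?P<port>\d+)\)$"
)

# Sample input: lines copied from the post above, plus one constructed
# line that does not follow the format (to show how bad input is surfaced).
SAMPLE_LOG = """\
11:53:28 AdminAccount MESSAGE Protection started successfully
11:53:32 AdminAccount MESSAGE IP Protection started successfully
11:59:24 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
11:59:24 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
12:40:53 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)
14:34:27 AdminAccount IP-BLOCK 31.214.169.124 (Type: incoming, Port: 80)
14:35:48 (null) IP-BLOCK 31.214.169.124 (Type: incoming, Port: 80)
this line is constructed garbage and will not parse
"""


def parse_line(line):
    """Split one log line into its columns; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["event"] == "IP-BLOCK":
        b = BLOCK_RE.match(rec["rest"])
        if not b:
            return None
        rec["ip"] = b["ip"]
        rec["direction"] = b["direction"].lower()
        rec["port"] = int(b["port"])
    return rec


def summarise(text):
    """Tally IP-BLOCK events per remote IP, per logged account, and by direction."""
    per_ip = Counter()
    per_account = Counter()
    outgoing = []   # an outbound block would be the line worth investigating
    unparsed = []   # lines the parser could not read, reported rather than dropped
    blocks = 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            unparsed.append(raw)
            continue
        if rec["event"] != "IP-BLOCK":
            continue   # MESSAGE lines are service start/stop notices, not blocks
        blocks += 1
        per_ip[rec["ip"]] += 1
        per_account[rec["account"]] += 1
        if rec["direction"] != "incoming":
            outgoing.append(rec)
    return {
        "blocks": blocks,
        "per_ip": dict(per_ip),
        "per_account": dict(per_account),
        "outgoing": outgoing,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    print(f"{summary['blocks']} IP-BLOCK events")
    for ip, n in sorted(summary["per_ip"].items(), key=lambda kv: -kv[1]):
        print(f"  {ip:<16} {n} block(s)")
    print("by logged account:", summary["per_account"])
    print("outgoing blocks:", len(summary["outgoing"]))
    for line in summary["unparsed"]:
        print("UNPARSED:", line)
```

Run against the full log from the post, the per-IP tally shows two remote addresses, every event inbound on port 80, and the account column alternating between the renamed admin account and "(null)"; that column grouping is what makes the pattern the poster later reports in a follow-up post (named account while an interactive session was connected, null otherwise) visible at a glance, without having to read each line.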