Nixty 1 Posted June 15, 2019 (edited) Hello everyone, so this is pretty recent. For the last couple of days I have been exhausted by the amount of IPs I see that either attempt to port scan me [2-3 IPs have attempted to port scan me in the past; the most recent one was a few days ago, but they have been blocked by ESET's firewall] or have something to do with svchost. I don't even know what to do anymore and I have run out of ideas. My original idea was to ignore everything and let time speak for itself, but it has come to the point where I constantly keep checking the connections that were attempted via my internet. I have done everything, from scanning my network to scanning my PC several times to see if I have any sort of malware on it. Nothing was found. I've searched most of the IPs that pop up as svchost or whatever on AbuseIPDB and most of them were flagged as malicious. I'm gonna post some screenshots here of such IPs: I don't even know what to do anymore. Thanks in advance for your help. Edited June 15, 2019 by Nixty
Nixty 1 Author Posted June 15, 2019 This happened a few minutes ago; I'm seriously sick of stuff like this. If anyone has any idea how to help me out or at least tell me if I'm safe or not, then I'd really appreciate that. This is starting to get annoying on a whole new level.
Administrators Marcos 5,469 Posted June 16, 2019 Are you not behind a router with NAT, and is your IP address public?
Nixty 1 Author Posted June 16, 2019 (edited) One thing I can confirm is that my IP address isn't public, it's private. In fact all of the IPs that are used on most of my devices [phones, tablets and everything] are private. I'm not sure about the router though; how can I check that? Also, if it could help you solve my problem, I currently have 2 devices working as a router [not sure how it works but it works; one's a router from TP-Link and the other one is a device from ZTE, and if one isn't powered then our internet won't work] because we do not have a wireless router. The main reason why we have 2 devices is because our cables got screwed up and just about 2-3 weeks ago we had our ISP come and repair them. Edit: If this will also help you then I can tell you this: when searching "what is my IP" on the internet and tracking the location, it doesn't precisely give my pin-point location; it just shows that I'm living in that city, but not precisely the exact location where I live. I'm sorry if what I've said up there doesn't make any sense, but I'm new to stuff like this and I'm not quite experienced, and that's why I'm asking for help. Edited June 16, 2019 by Nixty
Most Valued Members Nightowl 206 Posted June 16, 2019 (edited) 1 hour ago, Nixty said: One thing I can confirm is that my IP address isn't public, it's private. In fact all of the IPs that are used on most of my devices [phones, tablets and everything] are private. I'm not sure about the router though; how can I check that? Also, if it could help you solve my problem, I currently have 2 devices working as a router [not sure how it works but it works; one's a router from TP-Link and the other one is a device from ZTE, and if one isn't powered then our internet won't work] because we do not have a wireless router. The main reason why we have 2 devices is because our cables got screwed up and just about 2-3 weeks ago we had our ISP come and repair them. Edit: If this will also help you then I can tell you this: when searching "what is my IP" on the internet and tracking the location, it doesn't precisely give my pin-point location; it just shows that I'm living in that city, but not precisely the exact location where I live. I'm sorry if what I've said up there doesn't make any sense, but I'm new to stuff like this and I'm not quite experienced, and that's why I'm asking for help. I believe you have a modem from your ISP and then after that comes your router, which will give you your internet from the modem itself; I might be mistaken also. But your router should have a firewall that will deny all incoming connections and allow all outbound unless you state something else for it, like allowing a specific port to a specific device in the network. But from what ESET is reporting it does seem that your router firewall isn't functioning properly. If you could post your router model, I will try to find the manuals for it so you could know what to do.
And about the location: no, it's not the firewall's job to protect your identity or change it like a VPN does. A firewall does another job, and a working firewall won't block/change the fact that your area shows up when you search for your IP address; it's the ISP's address location you see. And also it can show your precise location if you have location enabled in your system/browser. Edited June 16, 2019 by Rami
itman 1,811 Posted June 16, 2019 It appears to me either something is wrong with your router settings, or possibly your ISP's connection to it. The majority of blocked inbound traffic is due to DHCP. The first thing your PC does when it boots is to use the DHCP protocol to assign an external connection address issued by your ISP servers. It does this by using the built-in DHCP server in the router. When this connection can't be established, Windows will assign an internal APIPA IPv4 address in the 169.254.0.1 through 169.254.255.254 range, as shown by your screenshots: https://www.webopedia.com/TERM/A/APIPA.html . Windows will keep trying to establish a valid DHCP address at periodic intervals. Hence the high block count shown. Normally, this situation will resolve itself, which appears not to be happening in your case. The problem with the Eset firewall is it doesn't treat APIPA addresses as valid IP addresses for inbound traffic. Without further explanation of the other blocked activity shown in your screenshots, do a hard reset on your router. The easiest way to do so is to unplug it from the power source, wait a minute, then plug it back in and wait for it to complete reinitialization. If this doesn't solve the DHCP connection issue, there is either a problem with your router or your ISP. I would start by contacting your ISP about the issue.
Nixty 1 Author Posted June 16, 2019 (edited) Alright, thank you guys for taking your time to help me out. Also, I've got a really quick question: am I safe? I mean my main concern was that someone [or multiple people] was trying to hack or even RAT my PC; my conclusion to that was because of all of the port scans I've received and the multiple unknown IPs being blocked by ESET, and when I searched up those IPs on AbuseIPDB they were flagged. Edited June 16, 2019 by Nixty
Most Valued Members Nightowl 206 Posted June 16, 2019 (edited) 30 minutes ago, Nixty said: Alright, thank you guys for taking your time to help me out. Also, I've got a really quick question: am I safe? I mean my main concern was that someone [or multiple people] was trying to hack or even RAT my PC; my conclusion to that was because of all of the port scans I've received and the multiple unknown IPs being blocked by ESET, and when I searched up those IPs on AbuseIPDB they were flagged. Well, the port scanning means that someone is trying to scan your IP for open ports, which is why you should have your firewall blocking all incoming ports. You can try this website, or by googling GRC Shields Up: https://www.grc.com/x/ne.dll?bh0bkyd2 Don't worry, it's safe; I use it sometimes to scan networks to see if the firewall is working fine or not. But beware, there are still a lot of ports; this website scans the first thousand or so ports. It will give you a general view of whether your router is protecting you or not. Edited June 16, 2019 by Rami
itman 1,811 Posted June 16, 2019 6 minutes ago, Rami said: You can try this website, or by googling GRC Shields Up: https://www.grc.com/x/ne.dll?bh0bkyd2 This test is only valid if the router does not have a firewall. If it does, all that it determines is the open and stealth port status of the router's firewall.
Nixty 1 Author Posted June 16, 2019 Alright, and what about the unknown IPs? Are they safe, or should I be worried about them?
itman 1,811 Posted June 16, 2019 (edited) Getting back to the OP's network setup, it appears the ZTE reference is to the ZTE Mobile Hotspot noted here: https://www.consumercellular.com/blog/affordable-portable-wi-fi-wherever-you-go-with-the-zte-mobile-hotspot/ . He then appears to connect to the TP-Link device. The question is what is the TP-Link device? I suspect that it's a USB adapter connected to his PC to capture the ZTE wireless communication. In other words, there is no router per se involved here. Edited June 16, 2019 by itman
Nixty 1 Author Posted June 16, 2019 Btw, I've just done both tests for ports and the only failed thing that I get is the ping reply, but the first 1056 ports are set to stealth, and the common ports are also set to stealth.
Most Valued Members Nightowl 206 Posted June 16, 2019 3 minutes ago, Nixty said: Btw, I've just done both tests for ports and the only failed thing that I get is the ping reply, but the first 1056 ports are set to stealth, and the common ports are also set to stealth. And in my opinion I do recommend disabling UPnP in the router, because this protocol is known to be exploited by hackers. Stealth means that your router is rejecting any kind of data sent to it, appearing not to be there for the sender; closed/blocked means that your router blocked the connection. @itman, yeah I know that; I wanted him to check if the firewall is blocking properly or not, even though there are still many ports other than the first 1056.
itman 1,811 Posted June 16, 2019 (edited) 10 minutes ago, Nixty said: Btw, I've just done both tests for ports and the only failed thing that I get is the ping reply, but the first 1056 ports are set to stealth, and the common ports are also set to stealth. This indicates that the ZTE Hotspot is properly configured to block any unsolicited incoming open port activity. One possibility is the ZTE device has been hacked and is allowing incoming port activity to your PC from a remote attacker. Note that the GRC test would not detect this type of activity. Check if a password has been established for the ZTE device. On many such devices, a default password of "admin" or the like is used. Create or change the existing password to a strong one. Then you will have to reset the ZTE Hotspot to reestablish its default values. Edited June 16, 2019 by itman
Nixty 1 Author Posted June 16, 2019 I do not have any sort of mobile hotspot though; the ZTE device is probably a ZTE ZXA10 F643. [Saying probably because it looks just like that one, because I've just searched it up; I do not know what model it is, though, and that's why I had to search it up.] And also, the only way I can change the password is by changing the password to the Wi-Fi itself; I'm not aware of any way to set up passwords for routers because, as I've said, I'm not experienced when it comes to stuff like this.
Nixty 1 Author Posted June 16, 2019 25 minutes ago, Rami said: And in my opinion I do recommend disabling UPnP in the router, because this protocol is known to be exploited by hackers. Stealth means that your router is rejecting any kind of data sent to it, appearing not to be there for the sender; closed/blocked means that your router blocked the connection. @itman, yeah I know that; I wanted him to check if the firewall is blocking properly or not, even though there are still many ports other than the first 1056. Also, does stealth mean that it's properly set up, or that it protects me, or what?
itman 1,811 Posted June 16, 2019 Here's the user manual for the ZTE device: https://www.consumercellular.com/Assets/documents/Manuals/ZTE Mobile Hotspot User Guide.pdf . As I suspected, the default password is "Admin." Also make sure WPS has been set up properly, which also requires a password.
itman 1,811 Posted June 16, 2019 12 minutes ago, Nixty said: the ZTE device is probably a ZTE ZXA10 F643 You're on your own with this device. It appears to be something directly shipped from China. It might be used primarily by U.K. telecoms and the like.
Nixty 1 Author Posted June 16, 2019 30 minutes ago, itman said: You're on your own with this device. It appears to be something directly shipped from China. It might be used primarily by U.K. telecoms and the like. Alright, thank you for trying to help me with my issue though. We'll probably contact our ISP and sort things out, hopefully. I'm gonna wait a few more days [because I've just restarted the router by unplugging it from the source and I'm not noticing any unknown IPs... yet] and see if I'll have more IPs logged.
itman 1,811 Posted June 16, 2019 To back up a bit, one should never see an Eset alert about external-IP-address-sourced port scanning if they are using a router that includes a firewall. If such an Eset alert presents, it is an indication that there is a problem with the router or its current setup configuration.
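As an added illustration of the triage itman describes in his two posts above (APIPA-sourced blocks being the expected noise of a failing DHCP lease, and external-IP-sourced port scanning being something that should not reach a PC sitting behind a router firewall), here is a small Python script. It is not ESET's tooling and not any poster's code; it assumes a constructed, simplified one-line-per-block log format, and the sample entries use documentation (TEST-NET) addresses as constructed "external" sources.

```python
"""Triage blocked-inbound firewall log entries by where the source address lives.

Added example, not ESET's code or output from this thread. The log line
format below is an assumption; real desktop firewall logs differ.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<date> <time> <proto> <src ip:port> -> <dst ip:port> <app>".
# 169.254.x.x sources are the APIPA chatter itman explains; 192.168.x.x is a LAN
# peer; 203.0.113.x / 198.51.100.x are documentation addresses standing in for
# public sources that a NAT router with a firewall should never let through.
SAMPLE_LOG = """\
2019-06-15 10:01:02 UDP 169.254.12.7:137 -> 169.254.255.255:137 System
2019-06-15 10:01:12 UDP 169.254.12.7:137 -> 169.254.255.255:137 System
2019-06-15 10:01:22 UDP 169.254.12.7:137 -> 169.254.255.255:137 System
2019-06-15 10:02:05 TCP 192.168.1.20:54321 -> 192.168.1.10:445 System
2019-06-15 10:03:40 TCP 203.0.113.45:60001 -> 192.168.1.10:22 System
2019-06-15 10:03:41 TCP 203.0.113.45:60002 -> 192.168.1.10:23 System
2019-06-15 10:03:41 TCP 203.0.113.45:60003 -> 192.168.1.10:80 System
2019-06-15 10:03:42 TCP 203.0.113.45:60004 -> 192.168.1.10:443 System
2019-06-15 10:03:42 TCP 203.0.113.45:60005 -> 192.168.1.10:3389 System
2019-06-15 10:05:00 TCP 198.51.100.9:41000 -> 192.168.1.10:135 svchost.exe
"""

APIPA = ipaddress.ip_network("169.254.0.0/16")
# RFC 1918 listed explicitly: Python's IPv4Address.is_private also matches the
# documentation ranges used in the sample, which would mislabel them as LAN.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Split one constructed log line into a dict with typed fields."""
    date, time, proto, src, _arrow, dst, app = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "proto": proto, "src_ip": src_ip, "src_port": int(src_port),
        "dst_ip": dst_ip, "dst_port": int(dst_port), "app": app,
    }


def classify_source(ip_str):
    """'apipa' = DHCP-failure noise, 'lan' = another local device, 'external' = investigate."""
    ip = ipaddress.ip_address(ip_str)
    if ip in APIPA:
        return "apipa"
    if any(ip in net for net in RFC1918):
        return "lan"
    return "external"


def scan_sources(entries, min_ports=5, window=timedelta(seconds=60)):
    """Return external sources that touched >= min_ports distinct destination ports within `window`."""
    by_src = defaultdict(list)
    for e in entries:
        if classify_source(e["src_ip"]) == "external":
            by_src[e["src_ip"]].append((e["ts"], e["dst_port"]))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _port) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged


def triage(log_text):
    """Count blocked entries per source class and list port-scan-like external sources."""
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    counts = defaultdict(int)
    for e in entries:
        counts[classify_source(e["src_ip"])] += 1
    return {"counts": dict(counts), "scanners": scan_sources(entries)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("blocked entries by source class:", result["counts"])
    print("external sources with scan-like behaviour:", result["scanners"])
    # Behind a working NAT router firewall the 'external' count should be zero;
    # a non-zero count is the router-configuration problem itman points at.
```

The useful output is the split: a large "apipa" count matches the benign DHCP-failure explanation, while any "external" entries, and especially a source flagged by `scan_sources`, mean unsolicited Internet traffic is reaching the host and the router (or the lack of one in front of the PC) is what to look at, not the PC's own firewall.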
Most Valued Members Nightowl 206 Posted June 17, 2019 18 hours ago, itman said: It appears to me either something is wrong with your router settings, or possibly your ISP's connection to it. The majority of blocked inbound traffic is due to DHCP. The first thing your PC does when it boots is to use the DHCP protocol to assign an external connection address issued by your ISP servers. It does this by using the built-in DHCP server in the router. When this connection can't be established, Windows will assign an internal APIPA IPv4 address in the 169.254.0.1 through 169.254.255.254 range, as shown by your screenshots: https://www.webopedia.com/TERM/A/APIPA.html . Windows will keep trying to establish a valid DHCP address at periodic intervals. Hence the high block count shown. Normally, this situation will resolve itself, which appears not to be happening in your case. The problem with the Eset firewall is it doesn't treat APIPA addresses as valid IP addresses for inbound traffic. Without further explanation of the other blocked activity shown in your screenshots, do a hard reset on your router. The easiest way to do so is to unplug it from the power source, wait a minute, then plug it back in and wait for it to complete reinitialization. If this doesn't solve the DHCP connection issue, there is either a problem with your router or your ISP. I would start by contacting your ISP about the issue. I've checked at home and I have the same thing, with the APIPA being denied a lot of times, but thanks for the explanation, itman. But at home I have the Samsung Smart TV going crazy trying to communicate with my computer, and I just hate that; I want to isolate that thing on a network alone. But also ESET is denying most of the things by Windows even though it's set as Automatic.