elzach

Malicious connection detected


Yesterday while I was searching on bing.com (I'm in China, that's why), I got the attached detections.

A few seconds later I also noticed this new "internet gateway" (see attached), which wasn't there before. When it was installed, I'm not sure.

I disconnected right away, shut off computer and ran MBAM and SAS in safe mode, and Immunet. Nothing was reported. It turns out that "internet gateway" only runs when I'm connected on my ISP's modem/router. Also, I cannot delete it or disable it.

Since then I've been connected to my phone's data connection (of which luckily I have a few GBs).

Any suggestions?


Attachments: Internet gateway connection.JPG, Malicious connection.JPG, Malicious connection2.JPG


The Network Connections & other screenshots are very helpful but it would have been sufficient if you could have scaled down the screenshots to just Immunet's little Detection pop-up windows. Something to keep in mind in the future perhaps.

The Internet Gateway Network Connection is most commonly used by a wireless network device such as your modem/router. That's why you only see that icon when you're actually using your modem/router. That's normal behavior.

The reason you got the malicious connection warning is because our database recognized the IP address re-direct to another site from Bing as one that has a history of attempting to install, without the user's knowledge or consent, arbitrary code or offer malicious downloads.

I would very highly recommend you don't try to visit that neilrosenthal site again! I've always been "very suspicious" of sites that re-direct you to another site without first asking if that's what you want. Most legitimate sites won't try to re-direct you like that.

Since you were using Firefox during these episodes might I suggest you start using the add-on "NoScript" if you're not already! "I wouldn't think of using FF without it!"

The NoScript add-on can really cut down on possibly malicious re-directs since almost all unknown/possibly suspicious scripts have to be manually allowed. It's a bit of a pain to learn how to use efficiently at first but it's "well worth the effort!!"

Regards, Ritchie...


Ritchie is correct - the internet connection icon is a standard Windows thing.


The Bing image search told your browser to show an image from neilrosenthal.com and your browser went to grab it from 104.27.175.64. According to https://dnslytics.com/ip/104.27.175.64 that IP is hosting 290 domains/websites. Likely one of them at one point was hosting something malicious. Though currently neilrosenthal.com appears to be safe. Looks like a false positive to me. Sorry, our bad on that one.


I do have one concern here though. It's common to first notice the internet connection icon after having a random router/modem reboot. The internet stops working, so you go to your network connections to check your IP/network status, and while you're poking around the internet connection icon appears out of nowhere when the router/modem comes back online.

There are lots of good reasons for a router to reboot itself, but it should be noted that not all VPN connections can survive a router reboot. Some can, some will notify you the VPN closed unexpectedly, and some will just fail silently and your internet activity will automatically re-route over the non-encrypted public internet.


Thanks,
RobT
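The silent failover Rob describes (router reboots, tunnel never comes back, traffic quietly resumes over the ISP link) is something a small watchdog can catch by comparing the interface that carries the default route and the observed public IP across a connectivity gap. This is an added example, not code from the thread, Immunet or VPN Gate; the interface names, the snapshot format and the addresses are constructed assumptions.

```python
"""Watchdog for the silent VPN failover described above (added example).

Each Snapshot is a constructed record of what the OS reported at one moment:
the interface carrying the default route (None while the router is down) and
the public IP seen from outside (None when there is no connectivity).
Interface names and addresses below are assumptions, not values from the thread.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

VPN_IFACES = {"tun0", "VPN Gate"}  # assumed names of the tunnel adapter


@dataclass(frozen=True)
class Snapshot:
    default_iface: Optional[str]  # interface owning the default route
    public_ip: Optional[str]      # address an external check reported


def classify(snap: Snapshot, vpn_exit_ips: Set[str]) -> str:
    """Return 'protected', 'offline' or 'leaking' for a single snapshot."""
    if snap.default_iface is None or snap.public_ip is None:
        return "offline"
    if snap.default_iface in VPN_IFACES and snap.public_ip in vpn_exit_ips:
        return "protected"
    # Default route left the tunnel, or the public IP is not a VPN exit:
    # traffic is going out over the plain ISP connection.
    return "leaking"


def watchdog(snaps: List[Snapshot], vpn_exit_ips: Set[str]) -> List[str]:
    """Walk snapshots in order and report the unsafe transition.

    The pattern to catch is protected -> offline -> leaking. A VPN client that
    reconnects after the reboot yields protected -> offline -> protected and
    produces no alert; a host that never used the VPN is not reported either.
    """
    alerts = []
    prev = None
    for i, snap in enumerate(snaps):
        state = classify(snap, vpn_exit_ips)
        if state == "leaking" and prev in ("protected", "offline"):
            alerts.append(f"snapshot {i}: VPN down, traffic leaving via "
                          f"{snap.default_iface} as {snap.public_ip}")
        prev = state
    return alerts


if __name__ == "__main__":
    # Constructed sequence: tunnel up, router reboot, ISP link back, no tunnel.
    exits = {"203.0.113.7"}
    seq = [Snapshot("tun0", "203.0.113.7"), Snapshot(None, None),
           Snapshot("Ethernet", "198.51.100.20")]
    print(watchdog(seq, exits))
```

In practice the snapshots come from the routing table (`route print` on the Windows machine in this thread) plus an external IP check, polled every few seconds, and the alert is the point at which a kill-switch rule should drop non-tunnel traffic.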


Attachment: Internetgatewayconnection2(2).JPG

Thank you both so much.

(btw, I intentionally left the entire screenshots, so you can see that I was doing something innocuous like searching on Bing. Plus notice that I had not actually visited that site, it was still in preview mode. Doesn't Bing check what kind of sites go through?)

But unfortunately it looks like there is much more to this than meets the eye:

a) Just now, when I connected to that modem/router (after 2-3 days), and while having open only Yahoo Mail and this site, sfc.exe went crazy, got stuck at 50% of CPU, PLUS the tray icon froze (see attached). Left-clicking or right-clicking on it did nothing. Disconnecting and connecting to another wifi network did nothing (at least within 1-2 minutes), sfc was still frozen. I had to restart computer.

b) Since I'm curious (as you can see) about my network connections, while I was connected to that "Internet Gateway", I clicked on Properties. And in Settings I see the attached. VPN Gate is a vpn that I use sometimes, but I never gave permission for this. I had deleted these settings before, but they come back every time that "Internet Gateway" connection comes up.

As far as VPNs Rob, I understand what you're saying and the risks. But here in China we are lucky to find any vpn that actually works, whether it drops the connections or not.

Edited by elzach
forgot the attachments


I would like to compliment you on your grasp of the English language elzach! It's very good.

Have you checked with "Windows Device Manager" to see if there are any VPN listings that shouldn't be there?

Do you have Immunet set up to run a scheduled scan at that time? There have been times when people have scheduled a scan and accidentally forgot about that fact. Just trying to cover all the bases here.

On 1/22/2019 at 7:56 PM, ritchie58 said:

I would like to compliment you on your grasp of the English language elzach! It's very good.

Have you checked with "Windows Device Manager" to see if there are any VPN listings that shouldn't be there?

Do you have Immunet set up to run a scheduled scan at that time? There have been times when people have scheduled a scan and accidentally forgot about that fact. Just trying to cover all the bases here.

Thanks Ritchie and sorry for the delay in replying.

Since last week I have been connected to an external router that has been connected to that modem/router. It shows me an "internet gateway", but "disabled". I may have disabled it myself. Under Properties and Settings, it shows that it's using something called "HCDN". There is very little info out there on what that is, other than "Content Delivery Network" used with P2P operation. This is becoming even more strange. However, again, this gateway is disabled and doesn't affect my internet connection at all.

At first I was actually afraid that the modem/router might have been infected. I ran AV and MBAM on my phone, which was connected to the router wifi at the time, they found nothing. Of course Android is a different "animal".

Yes I checked with Device Manager, nothing out of the ordinary.

I don't have a scheduled scan running. I usually do a flash scan after I boot up.


Wow, you're using two routers!? I could see where that could possibly cause data bottlenecks (or worse) unless they are/or can be made completely compatible with each other.

I've been around computers more years than I care to admit but I've never heard of this HCDN service! That is highly suspicious at the start and now especially so since I couldn't find any relevant data on the web about what it is either! VirusTotal, good or bad, doesn't even recognize this. I think it's a great idea that you disabled it.

If you see Immunet using excessive System resources again please report this behavior especially if it's associated with any running process or .exe.

Best wishes, Ritchie...


Hi Ritchie,

It's not exactly "two routers", nor is it a "bridge". The original ISP modem is a fiber optic connection modem/router, with lousy reach. I've had an external router simply connected to its LAN. It gives me the same speeds, but better coverage around the apartment.

I've been in this location for 2 months and I didn't notice these "internet gateways" before. I noticed them for the first time when I got that warning from Immunet about a malicious connection.

Btw, even a system restore didn't get rid of these gateways. So they may have been there all along.

Truth is sfc.exe has done this before on a few occasions, basically going berserk. I'll upgrade my system in April and install an updated version.

Btw, how to delete existing attachments? I'd like to post a new one here.

4 hours ago, Wookiee said:

do you use a product like limewire, or any p2p software for sharing?

No I don't.

Btw, VPN Gate does have a function for providing your own computer as a vpn server, but it needs to be manually activated with 2-3 clicks on the client.

This is what I tried to attach yesterday. I deleted all these settings permissions. I have since disabled VPN Gate client manager, but "HCDN" keeps reappearing.

414127977.jpg


The only thing I can think of, off the top of my head, is that you might run a "content delivery" service, or platform? Maybe a mirror of a product you like, where people can install updates from etc.?

HCDN is a "hybrid content distribution network".

Either that or one of your devices (routers) is what is causing the connection. IF you take one router away, and connect directly to the modem what happens?

3 hours ago, Wookiee said:

The only thing I can think of, off the top of my head, is that you might run a "content delivery" service, or platform? Maybe a mirror of a product you like, where people can install updates from etc.?

HCDN is a "hybrid content distribution network".

Either that or one of your devices (routers) is what is causing the connection. IF you take one router away, and connect directly to the modem what happens?

Thanks so much for following up. Yes, for sure the ISP modem/router is causing this connection. When I connected to my phone's hotspot data connection, this internet gateway didn't appear at all.

I am not "distributing" anything from my network. The only things I can think of are: a) I have a movie and IPTV projector using the modem wifi, and b) IF I were providing my computer as a VPN Gate server, then HCDN might be needed?

If I connect directly to the ISP modem, I get the "internet gateway" connection as per my second post, which I can't delete or disable.


I mean, you should be able to delete the 'internet gateway' and 're-create' it with the correct permissions, as well as disabling it.
That might be a permissions issue.
