r/techsupport Oct 21 '22

Random IP trying to connect/breach me exactly every 10 minutes. Open | Networking

Hello, I have this kind of a problem. As a dumbass, I downloaded some shady files, which contained some viruses and other things. I have Avast Premium Security, so it stopped right away. But there was still a problem. A random IP, 34.80.59.191, located in Taiwan, has been trying exactly every 10 minutes to connect/breach me with a virus for days, as Avast says. I tried to do virus scans etc., waiting days, but nothing. Is there any way to block the IP or to somehow resolve this? Thank you very much in advance.

187 Upvotes


u/AutoModerator Oct 21 '22

If you suspect you may have malware on your computer, or are trying to remove malware from your computer, please see our malware guide

Please ignore this message if the advice is not relevant.

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

175

u/pandiculator Oct 21 '22

I would expect an unsolicited inbound connection to be blocked by your router. It is much more likely that your machine is trying to make an outbound connection to that address which means your machine is still infected.

Read the malware guide linked in the AutoModerator reply.

42
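The question the comment above raises, inbound or outbound, can be answered from the Windows Firewall log, which records a direction (SEND or RECEIVE) for every entry. The following is an added example, not code from any commenter: it parses constructed log lines in the `pfirewall.log` format, groups them by remote address and direction, and flags remote hosts that are hit at a near-constant interval, which is what a scheduled beacon looks like. The sample lines and local address 192.168.1.20 are invented; the remote IP is the one from the post.

```powershell
# Added example (not from the thread): classify Windows Firewall log entries by
# direction and look for regular spacing. Sample lines below are constructed.
$sampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2022-10-21 10:00:03 DROP TCP 192.168.1.20 34.80.59.191 51001 443 52 S 1234567 0 64240 - - - SEND
2022-10-21 10:05:17 DROP TCP 34.80.59.191 192.168.1.20 44321 8080 52 S 7654321 0 64240 - - - RECEIVE
2022-10-21 10:10:03 DROP TCP 192.168.1.20 34.80.59.191 51002 443 52 S 1234568 0 64240 - - - SEND
2022-10-21 10:14:31 ALLOW TCP 192.168.1.20 142.250.74.78 51010 443 52 S 1234570 0 64240 - - - SEND
2022-10-21 10:20:04 DROP TCP 192.168.1.20 34.80.59.191 51003 443 52 S 1234569 0 64240 - - - SEND
'@

function Get-ConnectionPattern {
    param([string[]]$Lines)

    $events = foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 17) { continue }          # not a well-formed pfirewall.log line
        $direction = $f[16]
        # For SEND the remote host is dst-ip; for RECEIVE it is src-ip.
        $remote = if ($direction -eq 'SEND') { $f[5] } else { $f[4] }
        [pscustomobject]@{
            Time      = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss',
                                               [cultureinfo]::InvariantCulture)
            Action    = $f[2]
            Remote    = $remote
            Direction = $direction
        }
    }

    $events | Group-Object -Property Remote, Direction | ForEach-Object {
        $times = @($_.Group.Time | Sort-Object)
        # Seconds between consecutive hits to the same remote in the same direction
        $gaps  = @(for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds })
        $stats = if ($gaps.Count) { $gaps | Measure-Object -Average -Minimum -Maximum }
        [pscustomobject]@{
            Remote     = $_.Group[0].Remote
            Direction  = $_.Group[0].Direction
            Action     = ($_.Group.Action | Select-Object -Unique) -join '/'
            Count      = $_.Count
            MeanGapSec = if ($stats) { [math]::Round($stats.Average) } else { $null }
            SpreadSec  = if ($stats) { $stats.Maximum - $stats.Minimum } else { $null }
            # Periodic: at least three hits whose spacing varies by 5 s or less
            Periodic   = [bool]($stats -and $gaps.Count -ge 2 -and ($stats.Maximum - $stats.Minimum) -le 5)
        }
    }
}

Get-ConnectionPattern -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

With the constructed input, 34.80.59.191 shows up as three SEND drops roughly 600 seconds apart and is marked periodic, while the single RECEIVE entry is listed separately. Firewall logging is off by default; `Set-NetFirewallProfile -All -LogBlocked True -LogAllowed True` turns it on, and the default log is `$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log`, which can be passed in with `Get-Content`. A SEND entry means the local machine initiated the traffic, which is the point the comment makes.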

u/Down200 Oct 21 '22

Yeah I was gonna say, if you have no services accessible to the internet it doesn’t make sense that there would be a persistent inbound connection.

17

u/Tech_surgeon Oct 21 '22

This stinks of having a remote access tool rootkit active on the system that is tied to a botnet. The botnet controller is usually decentralized, using other victims' machines to relay commands.

54

u/Tasty_Beats Oct 21 '22 edited Oct 21 '22

This means your computer is doing something to communicate with that IP. Because it’s every 10 minutes, I bet there’s a scheduled event (Windows Task Scheduler) to kick off a malware dropper batch file.

Open task scheduler, click task scheduler library and search through the list, look for anything funky, created recently, or ran recently. For each task you investigate, click on the Actions tab to see what’s running.

Edit: Also, if you do find the sucker, take note of the file path where the dropper is located. You’ll want to delete that scheduled task and delete the files associated with it. If you need some verification feel free to reach out.

62
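The triage described in the comment above can be scripted rather than clicked through. This is an added example, not the commenter's code: it walks every registered task with the built-in ScheduledTasks cmdlets, converts each trigger's repetition interval (an ISO 8601 duration such as `PT10M`) to a TimeSpan, and lists tasks that either repeat at 15 minutes or less or were created in the last 30 days, together with the exact executable and arguments each one runs. The thresholds are my choices.

```powershell
# Added example (not from the thread): surface scheduled tasks that repeat
# frequently or were created recently, with what they execute.
function Get-SuspiciousTask {
    param(
        [int]$MaxIntervalMinutes = 15,   # flag repetition intervals at or below this
        [int]$CreatedWithinDays  = 30    # also flag tasks registered this recently
    )
    foreach ($task in Get-ScheduledTask) {
        $info   = $task | Get-ScheduledTaskInfo
        $repeat = $null
        foreach ($t in $task.Triggers) {
            # Repetition.Interval is an ISO 8601 duration, e.g. PT10M = every 10 minutes
            if ($t.Repetition -and $t.Repetition.Interval) {
                $span = [System.Xml.XmlConvert]::ToTimeSpan($t.Repetition.Interval)
                if (-not $repeat -or $span -lt $repeat) { $repeat = $span }
            }
        }
        $created = $null
        if ($task.Date) { $created = [datetime]$task.Date }   # registration timestamp, may be empty

        $isRecent   = $created -and $created -gt (Get-Date).AddDays(-$CreatedWithinDays)
        $isFrequent = $repeat  -and $repeat.TotalMinutes -le $MaxIntervalMinutes
        if (-not ($isRecent -or $isFrequent)) { continue }

        [pscustomobject]@{
            Task     = "$($task.TaskPath)$($task.TaskName)"
            State    = $task.State
            Author   = $task.Author
            Created  = $created
            Interval = $repeat
            LastRun  = $info.LastRunTime
            # The Actions tab in the GUI: program plus arguments for each action
            Actions  = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; '
        }
    }
}

Get-SuspiciousTask | Sort-Object Interval | Format-List
```

Expect a number of legitimate Microsoft tasks in the output; the `Author`, `Task` path and `Actions` columns are what separate those from a task under a user path that launches a script or binary out of a temp or profile folder. Once the task is identified, `Unregister-ScheduledTask -TaskName <name> -TaskPath <path>` removes it, and the file path in `Actions` is the one the comment says to note before deleting the associated files.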

u/Ahielia Oct 21 '22

You can try unplugging the router and/or modem for 10-30 minutes and see if that forces a refresh of your public IP, alternatively call your ISP and have them force a refresh. You can also ask them if they have a function to block a specific IP, if they are indeed trying to breach your network with malicious intent.

16

u/Tasty_Beats Oct 21 '22

This is assuming the traffic originates from WAN-LAN, which is highly doubtful. It’s more likely the connection to this IP originates from OP’s computer. So obtaining a different DHCP address on your router wouldn’t do anything.

-30

u/Horos_pup Oct 21 '22

There's a command to refresh the IP but I forgot what it is. Takes roughly 10 seconds.

29

u/hendovolta Oct 21 '22

Sounds like you are referring to ipconfig /release and ipconfig /renew. If so they won’t be of use here as they will only affect your private IP address as opposed to your public IP. As mentioned, rebooting your router may get you a different public IP.

-28

u/Horos_pup Oct 21 '22

Yes that's the one. 🙂

11

u/CakeDanceNotWalk Oct 21 '22

If you have a router, you should be behind NAT; the public web should not be able to find you. Most likely you are connected directly to your ISP modem. It is quite common to see people probing to see if you respond to a specific exploit. I would recommend you get firewall software, or a decent router, to avoid these types of threats.

1

u/Atlantic0ne Oct 22 '22

Is there any such thing as a plug and play firewall for a person who is both very busy and very new to this?

2

u/cybersecurityjobseek Oct 22 '22

What is your budget? The sky is the limit my dude. There are firewalls and services out there for anything you could imagine basically.

https://www.gartner.com/reviews/market/network-firewalls

2

u/Atlantic0ne Oct 22 '22

Interesting. And these are plug and play? Easy for a rookie and helps security?

2

u/cybersecurityjobseek Oct 23 '22

You have to pay to play here IMO. If you have the money to pay someone for a subscription ongoing service you will probably be able to get whatever results you're after. That link is just an example of some random hardware out there.

1

u/Atlantic0ne Oct 23 '22

Thanks for still replying! So you’re saying there’s a trustworthy, reliable service I could pay monthly to handle firewall type security?

And it wouldn’t interfere with IoT devices and functionality?

19

u/Flaky-Emu-5569 Oct 21 '22

If the "shady files" are a trojan or some other virus that can "call home", changing your IP is of no use to you. You have to have someone more advanced remove and verify the removal of the files, or wipe your system. There is also no way that your ISP can "block" that IP from contacting you, because your ISP has no idea whether it's a dynamic or static IP that is trying to contact you. If it's dynamic, they can just cycle their IP the same way people are suggesting you do.

3

u/truthfullyVivid Oct 21 '22

The end user (and tech support, supposedly, as long as it's their device) should still be able to block that IP through the ISP-issued router's firewall, though; although you're correct that it's not difficult for the attacker to use a new IP.

0

u/obaananana Oct 21 '22

Won't they get bored at some point? Or is it just some passive program? Also, get a burner laptop for shady downloads that you can just wipe.

16

u/dr_freeloader Oct 21 '22

Well if it's happening exactly every 10 minutes it is unlikely to be someone sitting at their computer waiting to hit enter when their 10 minute timer beeps

1

u/obaananana Oct 21 '22 edited Oct 21 '22

True. So it's automated. I would copy all important stuff and wipe the PC.

7

u/TahoeLT Oct 21 '22

Maybe they're on a small tropical island with some weird buildings and caves and polar bears, and they have to hit enter every ten minutes or...something will happen?

3

u/Ok-Dragonfruit8036 Oct 21 '22

I'm sorry, you Lost me

2

u/obaananana Oct 21 '22

As long as they phish, I'm OK with it.

14

u/RMProjectsUK Oct 21 '22
  1. Malwarebytes / Super-AntiSpyWare - tools for checking for more problems.
  2. Block IP on router firewall if you have the option or use Avast firewall.
  3. Check router that no port forwarding or similar has appeared from malware.

1

u/AutoModerator Oct 21 '22

If you are having issues with port forwarding, check out this wiki article.

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

1

u/suteac Oct 21 '22

I don't know why you got downvoted, this is the correct answer.

I updooted you to go back to 1

4

u/cluckay Oct 21 '22

Probably because it's not the literal nuclear option. I pray a member of this sub never becomes president cause they'll kick the football at the slightest inconvenience.

1

u/RMProjectsUK Oct 25 '22

Oh yeah, forgot 4. Nuke the entire site from orbit. It’s the only way to be sure.

5

u/GavUK Oct 21 '22

That IP is on Google's network, so as detailed at https://centralops.net/co/DomainDossier.aspx?addr=34.80.59.191&dom_dns=true&dom_whois=true&net_whois=true you can log an abuse complaint:

Comment: *** The IP addresses under this Org-ID are in use by Google Cloud customers ***

<snip>

Comment: Direct all spam and abuse complaints to

Comment: https://support.google.com/code/go/gce_abuse_report

Comment:

Comment: For fastest response, use the relevant forms above.

Comment:

Comment: Complaints can also be sent to the GC Abuse desk

Comment: ([email protected])

Comment: but may have longer turnaround times.

As others have advised though, are you sure that it is an inbound connection and not an outbound one?

5

u/MrAwesomeTG Oct 21 '22

If you're not behind a router and your Avast software tells you that, then you have a virus.

13

u/NorwegianGirl_Sofie Oct 21 '22

I would recommend looking into, or asking your ISP about, IP blocking, and whether they can block/blacklist the IP for you.

Alternatively, as the other commenter said, ask them to change your public IP.

EDIT:

https://www.bleepingcomputer.com/forums/t/777918/infected-with-trojan-antivirus-keeps-blocking-ip-348059191/

Here is someone having the exact same issue with the exact same "attacker", look at some of the answers there. They might help.

3

u/suteac Oct 21 '22 edited Oct 21 '22

Some routers can let you configure ACLs.

You can make an ACL to specifically block all traffic to and from that IP address and ask your ISP for a new public IP

It makes me curious that Avast is popping off like that, though, because unless you have any ports open, an inbound connection to your network shouldn’t go through and the average person shouldn’t need an ACL. That makes me think that your computer might be infected and trying to establish an inbound connection with the IP trying to access you.

I would in this order:

  1. Run an antivirus scan
  2. Contact your ISP for an IP change/IP block
  3. If they can’t block the IP, look into blacklisting that IP on your router

I would also check your PC firewall to make sure the firewall is on all across the board and that no ports are open.

3

u/curbstxmped Oct 21 '22

Wipe PC, change passwords, and change public IP address. This is the only way to know you're 100% protected.

3

u/cybersecurityjobseek Oct 22 '22

Here is my rec (assuming you have backups of all your stuff) -

Nuke every last bit of it. Factory reset and then secure config for your home router. Burn down your Windows install and install it fresh.

Go through your emails to see if you have any unexpected password change requests or anything weird with your bank accounts or credit reports. Call your ISP and cancel your plan and switch to a 5G Hotspot exclusively over a VPN paid for with monero. GO DARK on these hoes. Then just install your programs or whatever and you should be good.

2

u/truthfullyVivid Oct 21 '22

You more than likely have some form of trojan. The illicit file gets into your system and quietly establishes remote access for the attacker. You need to find and remove the infected files, or save what you need and wipe the system.

2

u/mrbamelam Oct 21 '22

Try HitmanPro (free scan) and Norton Power Eraser (may give false positives).

Also, for the more tech-savvy: try Process Explorer and Autoruns (use Options, VirusTotal check) from Microsoft to see if you have any malicious programs starting up or running. Andddd last but not least: TCPView to see which process/program is making that connection.

2

u/AceKalibur Oct 22 '22

I will help you. I have an app known as str3ssed, which, when an IP is given, will send bots to the signal and overload it, shutting it down. If you want, I can use it on them until they give up.

JK, I haven't used that thing in years. I only ever used it when those little kids on Xbox threatened to boot me offline, or if a friend was being booted.

2

u/taz4248 Oct 22 '22

These are all good tips. But if your firewall has an option to block traffic to an IP or country, I would try that. You can also set specific policies on your desktop's firewall.

4

u/alexytomi Oct 21 '22

Hey, just a general tip: get rid of Avast.

1

u/spike4379 Oct 21 '22

You can block the IP using your hosts file; best to Google that one and read up on it until you find a fix.

4

u/Tasty_Beats Oct 21 '22

The hosts file is used for hostname resolution and has nothing to do with blocking IPs.

The only exception would be if a virus manipulated the hosts file and added a mapping for a hostname to translate to the IP in question.

1

u/atomosk Oct 21 '22

Go to whatismyip.com and note your public IPv4 address. Your ISP will change this once in a while, probably monthly. You can call them to ask for a change. You can confirm if/when your public IP changes with whatismyip.com.

After running an AV scan and enabling Windows Defender, it's reasonable to believe the virus has been removed on your side. The Taiwanese IP is likely signaling to a virus that isn't there, and should stop after your public IP changes.

If it continues after your IP changes then you still have a virus or something beaconing from your PC.

To check if your PC is beaconing, you can run a utility like Wireshark, and possibly block that outbound traffic by configuring your Windows Firewall. You could block inbound 34.80.59.191 in your firewall too, but they'd still find your modem.

If you ask your ISP to block 34.80.59.191 you might see new traffic from other public IPs. Your ISP might be able to enable Geo blocking on your modem/router. It's not uncommon to block China/Taiwan, and Russia.

1
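The two Windows-side steps in the comment above, finding which process is talking to the address and then blocking it in Windows Firewall, together with mrbamelam's TCPView suggestion earlier in the thread, can be done from PowerShell. This is an added example and not any commenter's code. It polls `Get-NetTCPConnection` for connections to 34.80.59.191 (the IP from the post) long enough to catch a short-lived beacon, resolves each owning process to its name and on-disk path, and then adds outbound and inbound block rules. The polling window and rule names are my choices; the cmdlets require an elevated PowerShell.

```powershell
# Added example (not from the thread): attribute connections to a remote IP to
# a local process, then block the address both ways in Windows Firewall.
$RemoteIp = '34.80.59.191'   # address from the original post

function Watch-RemoteConnections {
    param([string]$Ip, [int]$Seconds = 900)   # 15 minutes covers one 10-minute cycle
    $seen = @{}
    $stop = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $stop) {
        Get-NetTCPConnection -RemoteAddress $Ip -ErrorAction SilentlyContinue | ForEach-Object {
            $key = "$($_.OwningProcess):$($_.LocalPort)"
            if (-not $seen.ContainsKey($key)) {
                # Same data TCPView shows: owning PID, image name and path
                $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
                $seen[$key] = [pscustomobject]@{
                    Seen       = Get-Date
                    LocalPort  = $_.LocalPort
                    RemotePort = $_.RemotePort
                    State      = $_.State
                    Pid        = $_.OwningProcess
                    Process    = $p.ProcessName
                    Path       = $p.Path
                }
            }
        }
        Start-Sleep -Milliseconds 500
    }
    $seen.Values
}

function Block-RemoteIp {
    param([string]$Ip)
    foreach ($dir in 'Outbound', 'Inbound') {
        $name = "Block $Ip $dir"          # rule name is this example's choice
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction $dir -RemoteAddress $Ip `
                                -Action Block -Profile Any | Out-Null
        }
    }
}

Watch-RemoteConnections -Ip $RemoteIp | Format-Table -AutoSize
Block-RemoteIp -Ip $RemoteIp
```

The `Path` column is the useful output: the firewall rule only silences the traffic, while the binary and whatever launches it (for example a scheduled task, as suggested earlier in the thread) are what actually need removing. If the beacon moves to a different address after the block, as the comment anticipates, that is further confirmation that the traffic originates on the PC.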

u/Deep9one Oct 21 '22

You may have an open port they are trying to get in through.

Close any open ports that are assigned to your internal IP/MAC address.

Reboot thy router and/or change static to dynamic IP.

-1

u/T351A Oct 21 '22

depends on what sort of traffic you're getting from the IP

1

u/[deleted] Oct 21 '22

[deleted]

1

u/AutoModerator Oct 21 '22

If you are having issues with port forwarding, check out this wiki article.

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

1

u/[deleted] Oct 22 '22

[deleted]

1

u/AutoModerator Oct 22 '22

If you are having issues with port forwarding, check out this wiki article.

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

1

u/R3adnW33p Oct 22 '22

Bittorrent clients will try to connect to your computer until the file is transferred.