Hi,

We have an issue whereby some files have been deleted by a local user account with (according to the watch logs) Source: 254.128.0.0 [254.128.0.0]

I expected to see an internal or external IP address if it was a real user.

Have searched for the IP and seen reference to

UDP 254.128.0.0:50046 : 2192 svchost.exe

Am I looking at a virus/trojan?

Thanks

Pete

asked 30 Jul '13, 05:41

ghost123


When you see a source of 254.128.0.0 this most likely came from a bad hostname lookup of an IPv6 address starting with fe80::... that was then converted into an IPv4 address.

254.128.0.0 is the 8-bit representation of fe80.

answered 15 Oct '14, 16:32

Packet
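
The conversion described in the answer above, as an added example that is not part of the original post: it treats a logged IPv4 source as the first four bytes of an IPv6 address and reports which IPv6 range it would fall in. The function names, the prefix table and the sample log lines are constructed for illustration; a match means the value is consistent with a truncated IPv6 address, not that the logged event is explained.

```python
import ipaddress
import re

# IPv6 ranges whose first four bytes can surface as a bogus IPv4 address when
# a tool squeezes a 16-byte address into a 4-byte field.
IPV6_PREFIXES = {
    "link-local fe80::/10": ipaddress.ip_network("fe80::/10"),
    "unique-local fc00::/7": ipaddress.ip_network("fc00::/7"),
    "multicast ff00::/8": ipaddress.ip_network("ff00::/8"),
}
SOURCE_RE = re.compile(r"Source:\s*(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample lines modelled on the monitor log format quoted on this page.
SAMPLE_LINES = [
    '"Op: Deleted File: C: watch example.doc User: EXAMPLE user1 '
    'Source: 254.128.0.0 [254.128.0.0] App: System or Network "',
    '"Op: Deleted File: C: watch example2.doc User: EXAMPLE user2 '
    'Source: 192.168.1.20 [192.168.1.20] App: System or Network "',
]


def truncated_ipv6_origin(ipv4_text):
    """Return the IPv6 range label if the four IPv4 bytes equal the leading
    bytes of an address in one of IPV6_PREFIXES, else None."""
    v4 = ipaddress.IPv4Address(ipv4_text)
    # Put the four bytes at the top of a 128-bit address; the rest is zero.
    v6 = ipaddress.IPv6Address(int(v4) << 96)
    for label, net in IPV6_PREFIXES.items():
        if v6 in net:
            return label
    return None


def triage(log_line):
    """Return (source, label_or_None) for a log line, or None if the line has
    no parseable IPv4 Source field."""
    m = SOURCE_RE.search(log_line)
    if not m:
        return None
    try:
        return m.group(1), truncated_ipv6_origin(m.group(1))
    except ipaddress.AddressValueError:
        return None


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(triage(line))
```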

Hi Pete --

It's really hard to say. It could be. I'd look really hard at that process ID. See if you can find the full path to the svchost.exe that is being referenced. In Task Manager you can go to the Services tab and see what service that process maps to if it's legit.

answered 30 Jul '13, 10:30

admin ♦♦

Hi

Thanks for the reply.

Just guessing at svchost.

The log only shows

29 Jul 2013 11:56:15 PM, "Computer: servername", "Monitor Title: Watch C: watch", "Description: The following activities have occurred: Op: Deleted File: C: watch filename.doc User: domainname username Source: 254.128.0.0 [254.128.0.0] App: System or Network "

User says she was tucked up in bed so I have forced a password reset and virus scan on all accounts/PCs.

Thanks

answered 30 Jul '13, 10:38

ghost123

edited 30 Jul '13, 10:39

Asked: 30 Jul '13, 05:41

Seen: 8,947 times

Last updated: 15 Oct '14, 16:32