Source: 254.128.0.0 [254.128.0.0] - Virus?


Hi,

We have an issue whereby some files have been deleted by a local user account with (according to the watch logs) Source: 254.128.0.0 [254.128.0.0]

I expected to see an internal or external IP address if it was a real user

Have searched for the IP and seen reference to

UDP 254.128.0.0:50046 : 2192 svchost.exe

Am I looking at a virus/trojan?

Thanks

Pete

3 Answers

When you see a source of 254.128.0.0, this most likely came from a bad hostname lookup of an IPv6 address starting with fe80::... that was then converted into an IPv4 address.

254.128.0.0 is the 8-bit representation of fe80.

Hi Pete --

It's really hard to say. It could be. I'd look really hard at that process ID. See if you can find the full path to the svchost.exe that is being referenced. In Task Manager you can go to the Services tab and see what service that process maps to if it's legit.

Hi

Thanks for the reply.

Just guessing at svchost.

The log only shows

29 Jul 2013 11:56:15 PM, "Computer: servername", "Monitor Title: Watch C: watch", "Description: The following activities have occurred: Op: Deleted File: C: watch filename.doc User: domainname username Source: 254.128.0.0 [254.128.0.0] App: System or Network "

User says she was tucked up in bed, so I have forced a password reset and virus scan on all accounts/PCs.

Thanks
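The first answer's explanation (fe80:: link-local prefix reinterpreted as the IPv4 address 254.128.0.0) can be checked mechanically against log lines in the format quoted above. The following is an added example, not code from the thread or from the monitoring product; it assumes the conversion the answer describes (the high 32 bits of the IPv6 address rendered as dotted-decimal IPv4) and uses a constructed log line in the same shape as the one Pete posted. A source in the fe80::/10-derived range 254.128.0.0 to 254.191.255.255 is flagged as local-link activity (same host or same segment) rather than a routable remote address, which is the triage question here.

```python
import ipaddress
import re

# Constructed log line in the format the thread quotes; not from a real system.
SAMPLE_LOG = (
    '29 Jul 2013 11:56:15 PM, "Computer: servername", "Monitor Title: Watch C: watch", '
    '"Description: The following activities have occurred: Op: Deleted File: '
    'C: watch filename.doc User: domainname username '
    'Source: 254.128.0.0 [254.128.0.0] App: System or Network "'
)

# Matches the 'Source: <addr> [<resolved>]' field seen in the log line.
SOURCE_RE = re.compile(r"Source:\s*(\S+)\s*\[([^\]]*)\]")

# IPv6 link-local block; fe80::/10 spans fe80:: through febf:ffff:...
LINK_LOCAL_V6 = ipaddress.IPv6Network("fe80::/10")


def ipv6_high32_as_ipv4(addr: str) -> str:
    """Render the first 32 bits of an IPv6 address as dotted-decimal IPv4.

    This reproduces the lossy conversion the thread suspects (assumed
    mechanism): fe80::1 -> bytes fe 80 00 00 -> 254.128.0.0.
    """
    high32 = ipaddress.IPv6Address(addr).packed[:4]
    return str(ipaddress.IPv4Address(high32))


def looks_like_truncated_link_local(addr: str) -> bool:
    """True if an 'IPv4' string is what an fe80::/10 address becomes after
    its high 32 bits are reinterpreted as IPv4 (254.128.0.0 - 254.191.255.255).
    """
    try:
        v4 = ipaddress.IPv4Address(addr)
    except ValueError:
        return False
    # Rebuild a 128-bit address from those 4 bytes and test link-local membership.
    rebuilt = ipaddress.IPv6Address(v4.packed + b"\x00" * 12)
    return rebuilt in LINK_LOCAL_V6


def classify_source(log_line: str) -> dict:
    """Extract the Source field from a watch-log line and classify it."""
    m = SOURCE_RE.search(log_line)
    if not m:
        return {"source": None, "verdict": "no-source-field"}
    src = m.group(1)
    # Check the truncated link-local case first: 254.0.0.0/8 also falls in the
    # reserved 240.0.0.0/4 block, so a plain is_private test would mislabel it.
    if looks_like_truncated_link_local(src):
        verdict = "ipv6-link-local-truncated"  # local host/segment, not a remote peer
    else:
        try:
            v4 = ipaddress.IPv4Address(src)
        except ValueError:
            return {"source": src, "verdict": "unparseable"}
        if v4.is_loopback:
            verdict = "loopback"
        elif v4.is_private:
            verdict = "private-or-reserved"
        elif v4.is_global:
            verdict = "public"
        else:
            verdict = "other"
    return {"source": src, "resolved": m.group(2), "verdict": verdict}


if __name__ == "__main__":
    print(ipv6_high32_as_ipv4("fe80::1"))      # 254.128.0.0
    print(classify_source(SAMPLE_LOG))
```

Running this on the quoted line yields the verdict `ipv6-link-local-truncated`, which supports treating the deletion as having originated on the server itself or a host on its local segment (using the named domain account), not from a remote IP; the account and endpoint checks Pete already ran are the right follow-up for that case.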
