Is this connection to remote host safe?

viktik

ESET firewall showed this connection asking for permission.

[Attached screenshot: 2038526.jpg]


Is it safe?
I personally don't think it is safe because the remote IP address is a private IP address.
 

Logethica

@viktik ...I am not sure about this, but personally I would block it to be on the safe side...

It does come from..
Internet Assigned Numbers Authority (IANA)
12025 Waterfront Drive
Suite 300
Los Angeles

Coordinates 33.9829, -118.405 (Type into Google Maps)

Computers use addresses starting with "169.254." when they do not have a manually configured address or when they are not told which address to use by a service on the network. They are commonly called the "link local" addresses.
Routers are not allowed to forward packets sent from an IPv4 "link local" address, so they are always used by a directly connected device.
These addresses were assigned by the IETF, the organization that develops Internet protocols, in the Standards Track document.

I can't find anything that would make me 100% happy with this IP so I would block it.

Were you doing anything at the time that may lead you to believe that this is a legitimate remote connection attempt?....
 

hjlbx

It's connecting to advertise plug-n-play services?

Port(s): 5357
Protocol: tcp,udp
Service: wsdapi
Details: Used by Microsoft Network Discovery, should be filtered for public networks. Disabling Network Discovery for any public network profile should close the port unless it's being used by another potentially malicious service.

To disable Network Discovery for a public profile, navigate to:
- Control Panel\Network and Internet\Network and Sharing Center\Advanced sharing settings
- disable Network Discovery for any public network

Port should be correctly mapped by the Windows Firewall to only accept connections from the local network.

Malicious services using this port:
Trojan.win32.monder.gen (a.k.a Trojan.Vundo)


Port is also IANA registered for:
Web Services for Devices (WSD) - a network plug-and-play experience that is similar to installing a USB device. WSD allows network-connected IP-based devices to advertise their functionality and offer these services to clients by using the Web Services protocol. WSD communicates over HTTP (TCP port 5357), HTTPS (TCP port 5358), and multicast to UDP port 3702.

Whatever the hell that last section means... seems like unneeded network connect to me...
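
A triage helper for the kind of firewall prompt discussed in this thread, added as an example and not part of any post above: it classifies the remote address (link-local 169.254.x.x is kept separate from the RFC 1918 private ranges) and checks the local port against the WSD ports quoted above. The function names, advice strings and sample prompts are assumptions made for illustration.

```python
import ipaddress

# WSD ports named in the thread: HTTP 5357/tcp, HTTPS 5358/tcp, discovery 3702/udp.
WSD_PORTS = {("tcp", 5357): "WSD over HTTP", ("tcp", 5358): "WSD over HTTPS",
             ("udp", 3702): "WSD multicast discovery"}
# RFC 1918 ranges plus IPv6 unique-local; listed explicitly because Python's
# is_private also covers link-local and documentation ranges.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def address_scope(ip):
    """Classify a remote address as loopback, link-local, private or public."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:          # 169.254.0.0/16 or fe80::/10, never routed
        return "link-local"
    if any(addr in net for net in PRIVATE_NETS):
        return "private"
    return "public"                 # everything else is treated as routable

def triage(remote_ip, proto, local_port, profile):
    """Return (scope, service, advice) for one inbound firewall prompt.
    profile is the active network profile, 'public' or 'private'."""
    scope = address_scope(remote_ip)
    service = WSD_PORTS.get((proto.lower(), local_port), "unknown")
    if service == "unknown":
        advice = "investigate: not a WSD port, identify the listening process"
    elif scope == "public":
        advice = "block: WSD should only be reachable from the local network"
    elif profile == "public":
        advice = "block: Network Discovery should be off on public networks"
    else:
        advice = "allow from the local subnet only"
    return scope, service, advice

# Constructed sample prompts; not read from the screenshot in the thread.
SAMPLES = [
    ("169.254.10.20", "tcp", 5357, "public"),
    ("192.168.1.23", "tcp", 5357, "private"),
    ("203.0.113.7", "tcp", 5357, "private"),   # documentation range as a stand-in
    ("169.254.10.20", "tcp", 4444, "private"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", triage(*sample))
```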
 