
Inbound traffic from a specific domain appears to be unblockable


22 replies to this topic

#1 TanyaC


Posted 06 March 2024 - 05:46 AM

I was recently looking at my usage on my ISP's website and it's showing insane upload amounts, like 20GB.

I installed Net Limiter 5.3.8.0 to monitor the traffic.

I use a VPN, always.

I am only interested in traffic uploaded via the Internet, not local LAN traffic.

 

I see a strange entry in Net Limiter, inbound traffic at a constant 6B/s from naj.sk, which appears to be a Swiss women's fashion site that I've never visited.

 

I updated the ACL on my router to block naj.sk's IP address 185.64.219.37.

I added a Windows firewall rule to block the IP address.

naj.sk was already in my hosts file (hence the addresses of 127.0.0.1).

I added an inbound and outbound block rule in Net Limiter.

 

But the traffic persists.

Why is it not being blocked?

Why would this site be trying to connect to my PC?

How can I stop it?

Attached file: nl1.png

Edited by TanyaC, 06 March 2024 - 05:48 AM.




#2 JohnC_21


Posted 06 March 2024 - 09:11 AM

If you add shoptet-lb-prot.vshosting.cz to the hosts file does it change anything?

 

https://whatismyipaddress.com/ip/185.64.219.37

 

You may want to start a thread in the malware removal forum.



#3 0lds0d


Posted 06 March 2024 - 10:15 AM

Place 185.64.219.37 into the hosts file as a 127.0.0.1 block instead of only using the domain.

As for domains hosted on a single IP, that could be hundreds, not just one such as seen in a lookup.

 

https://myip.ms/view/ip_addresses/3108035360/185.64.219.32_185.64.219.255

 

Also, Net Limiter is blocking TCP, but what is the protocol that is used?

Same for the router: is it blocking both TCP and UDP and any mail protocol?

 

Add the entire block into the Windows Firewall as 185.64.216.0/22 for Any Protocol and for both ingress and egress.

If the unwanted traffic is established over the VPN, then the connection could even bypass the firewall or the hosts file, as it is tunneled.

 

Oh wait, IT is blocked.

 

Process Explorer may help locate this.

Logging a netstat output could help track it down.

Ran the antivirus and something like MBAM scans?


Edited by 0lds0d, 06 March 2024 - 11:36 AM.
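The netstat logging and the 185.64.216.0/22 block suggested above can be combined into a small check. This is an added example, not code from the thread or from Net Limiter: it parses `netstat -ano` style output (the sample lines are constructed) and reports every connection whose remote endpoint sits inside the blocked range, together with the owning PID, so a persistent trickle can be tied to a process.

```python
# Added example (not from the thread): filter "netstat -ano" style output for
# connections whose remote endpoint falls inside a blocked address range, so a
# constant trickle like the 6 B/s seen above can be tied to a PID.
import ipaddress
import re

# Range suggested in the thread for the Windows Firewall rule (covers 185.64.216.0-185.64.219.255).
BLOCKED_RANGES = [ipaddress.ip_network("185.64.216.0/22")]

# Constructed sample of `netstat -ano` output (Windows column layout); PIDs and
# local addresses are made up for illustration.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1004
  TCP    192.168.1.20:49712     185.64.219.37:443      ESTABLISHED     5120
  TCP    192.168.1.20:49800     142.250.70.46:443      ESTABLISHED     3344
  UDP    192.168.1.20:51820     *:*                                    2210
  TCP    [::1]:49153            [::1]:49154            ESTABLISHED     3344
"""

# One connection line: protocol, local endpoint, remote endpoint, optional state
# (UDP rows have none), PID. Header and blank lines do not match.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def split_endpoint(endpoint):
    """Split 'ip:port' or '[ipv6]:port' into (ip_address or None, port or None)."""
    if endpoint in ("*:*", "*"):
        return None, None
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")  # IPv6 endpoints are written as [addr]:port
    try:
        return ipaddress.ip_address(host), (int(port) if port.isdigit() else None)
    except ValueError:
        return None, None


def parse_netstat(text):
    """Yield one dict per connection line; header and blank lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["remote_ip"], rec["remote_port"] = split_endpoint(rec["remote"])
        rec["pid"] = int(rec["pid"])
        yield rec


def is_blocked(ip_text, ranges=BLOCKED_RANGES):
    """True when the textual IP lies inside any of the blocked ranges."""
    return any(ipaddress.ip_address(ip_text) in net for net in ranges)


def find_blocked_connections(text, ranges=BLOCKED_RANGES):
    """Return (proto, remote endpoint, state, pid) for each line hitting a blocked range."""
    hits = []
    for rec in parse_netstat(text):
        ip = rec["remote_ip"]
        if ip is not None and any(ip in net for net in ranges):
            hits.append((rec["proto"], rec["remote"], rec["state"], rec["pid"]))
    return hits


if __name__ == "__main__":
    for proto, remote, state, pid in find_blocked_connections(SAMPLE_NETSTAT):
        print(f"{proto} {remote} {state} owned by PID {pid}")
```

On the affected machine the same function can be fed the saved output of repeated `netstat -ano` runs, and the PID column then points at the process to inspect in Process Explorer.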



#4 cryptodan


Posted 06 March 2024 - 11:28 AM

Download and install minitoolbox from here: https://www.bleepingcomputer.com/download/minitoolbox/

With the following:

Flushdns
Hosts
Last 10 error messages from the logs
Installed Application
Problematic Devices
List users and partitions

Edited by cryptodan, 06 March 2024 - 11:29 AM.

US Navy Veteran from 2002 to 2006

Masters in Computer and Digital Forensics Expert - Stevenson University Alumni 2015

Arch Desktop - https://termbin.com/epij

Arch Laptop - https://www.termbin.com/dnwk

Ubuntu Server - https://termbin.com/zvra


#5 Dominique1


Posted 06 March 2024 - 01:21 PM

I updated the ACL on my router to block naj.sk's IP address 185.64.219.37.


Care to tell us your router model and its firewall rule to block it? If the configuration is right, that traffic should be totally absent in your LAN and PC.

That being said, it won't stop that babbling transmitter from trying to reach your router, hence bumping up your Internet bandwidth, and if limited per month, it can become costly to you. I would suggest that you complain to your ISP about them being abusive.



#6 TanyaC


Posted 06 March 2024 - 07:39 PM

Thanks all for the feedback. Haven't got through all the suggestions yet.

Adding shoptet-lb-prot.vshosting.cz or the IP address to the hosts file did not stop the traffic.

 

The router is an ASUS RT-AC88u running the latest Merlin firmware. I have ingress and egress blocks in the network services firewall filter for both TCP and UDP.

 

Added 185.64.216.0/22 to the firewall for both in and out.

 

Lol, I managed to crash Netlimiter. I added a rule to block the connection in Netlimiter and it crashed the program. When I restarted it, I am now seeing traffic from a different domain.

 

It's now lh-hl.snssdk.com.w.kunluncan.com

 

I think I should follow the malware path.

 

Will get back to you soon.



#7 cryptodan


Posted 06 March 2024 - 07:46 PM

Run minitoolbox.

Also, the hosts file is for outbound checks, not for inbound.



#8 Dominique1


Posted 06 March 2024 - 08:12 PM

I think I should follow the malware path.

:thumbup2:

 

EDIT:

However, running a custom router firmware may not help you. Perhaps bad actors are exploiting a Merlin vulnerability (zero day type) to get into your system.


Edited by Dominique1, 06 March 2024 - 08:34 PM.


#9 cryptodan


Posted 06 March 2024 - 08:21 PM

Can you run minitoolbox?



#10 TanyaC


Posted 06 March 2024 - 08:49 PM

I ran minitoolbox. Nothing in there that I can see, other than things I expect to see, such as devices without drivers (e.g. I will never install IME; I don't run Thunderbolt, so I don't install the drivers). The only event log errors were from Netlimiter. There were no unexpected programs installed.

 

My hosts file is 26,000 lines long. minitoolbox only lists the first 20 lines.

 

Netlimiter is thrashing my CPU.

 

Yes, I ran MBAM, it found nothing. I tried to run Kaspersky offline but it just gives me a black screen.

As MBAM is an absolute mess, I'm restoring my system from a backup image.

 

My entire windows installation is scripted, so I am going to reinstall Windows from scratch and then install all programs one at a time until the problem presents. That will tell me which program is the culprit.

 

With the exception of MS Office and my Macrium home license, pretty much everything I run is FOSS.

 

Will report back when I'm done.



#11 cryptodan


Posted 06 March 2024 - 09:19 PM

Can you paste the results here?



#12 TanyaC


Posted 06 March 2024 - 10:02 PM

Not really fond of publishing this much personal information, but anyway, see below...

awwww... damn, I ran it again. It overwrote the results from the previous run.

MiniToolBox by Farbar  Version: 13-05-2022
Ran by Tanya (administrator) on 07-03-2024 at 13:57:35
Running from "E:\"
Microsoft Windows 10 Enterprise LTSC  (X64)
Model: MS-7D86 Manufacturer: Micro-Star International Co., Ltd.
Boot Mode: Normal
***************************************************************************
========================= Hosts content: =================================
127.0.0.1 www.bing.com
127.0.0.1 bing.com
127.0.0.1 skimads.com
127.0.0.1 liveramp.com
127.0.0.1 forums.whirlpool.net.au
127.0.0.1 triller.co
127.0.0.1 tinder.com
127.0.0.1 bereal.com
127.0.0.1 bereal.fans
127.0.0.1 line.me
127.0.0.1 help.line.me
127.0.0.1 omtrdc.net
0.0.0.0 pipe.aria.microsoft.com
0.0.0.0 assets.msn.com
0.0.0.0 web.vortex.data.microsoft.com
0.0.0.0 browser.events.data.msn.com
0.0.0.0 www.msn.com
0.0.0.0 sb.scorecardresearch.com
127.0.0.1 netflix.com
127.0.0.1 www.netflix.com
127.0.0.1 nflxvideo.net
127.0.0.1 nflximg.net
127.0.0.1 nflxext.com
127.0.0.1 www.lemon8-app.com
127.0.0.1 www.lemon8.cyou
127.0.0.1 www.google.com/chrome
127.0.0.1 support.google.com/chrome
127.0.0.1 techviral.net/google-chrome-offline-installers
127.0.0.1 www.askvg.com/official-link-to-download-google-chrome-standalone-offline-installer
127.0.0.1 chrome.google.com
0.0.0.0 plus.l.google.com
0.0.0.0 plus.sandbox.google.com
0.0.0.0 plusone.google.com
127.0.0.1 plus.google.com
127.0.0.1 play.google.com
127.0.0.1 store.google.com

There are 25239 entries.


========================= Event log errors: ===============================

Application errors:
==================
Error: (03/03/2024 11:23:48 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x8007045b, A system shutdown is in progress.
.

Error: (03/03/2024 11:23:48 PM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress.
]


System errors:
=============

=========================== Installed Programs ============================

7-Zip 23.01 (x64) (HKLM\...\7-Zip) (Version: 23.01 - Igor Pavlov)
ASUS XG-C100C 10G Adapter Driver version 5.0.3.5 (HKLM-x32\...\{F73D1A61-01DF-4D32-9581-5663C6FB3232}_is1) (Version: 5.0.3.5 - ASUSTek Company, Inc.)
BDtoAVCHD 3.1.2 (HKLM-x32\...\{A9D1A625-19AE-44D0-8BB8-5EEE6B204A85}) (Version: 3.1.2 - Joel Gali)
Calculator (HKLM\...\{FC211C17-798B-4E74-BE2D-D179B0FC316A}_is1) (Version: 10.0.14393.0 - )
Canon IJ Network Tool (HKLM-x32\...\Canon_IJ_Network_UTILITY) (Version: 3.1.1 - Canon Inc.)
Canon IJ Printer Assistant Tool (HKLM-x32\...\Canon IJ Printer Assistant Tool) (Version: 1.30.1.52 - Canon Inc.)
Canon MP Navigator EX 3.1 (HKLM-x32\...\MP Navigator EX 3.1) (Version:  - )
Canon MX870 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX870_series) (Version:  - Canon Inc.)
Canon TS8300 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_TS8300_series) (Version: 1.02 - Canon Inc.)
CPUID CPU-Z 2.09 (HKLM\...\CPUID CPU-Z_is1) (Version: 2.09 - CPUID, Inc.)
DVDFab 12 (x64) (26/01/2022) (HKLM-x32\...\DVDFab 12 (x64)) (Version: 12.0.6.0 - DVDFab Software Inc.)
FileBot (HKLM\...\{687EEB60-0A61-4800-804F-C83CBC195114}) (Version: 5.1.3 - Point Planck Limited)
Guitar Hero III (HKLM-x32\...\{0CE1A6C0-F3F7-49E6-8F9D-2431F9827441}) (Version: 1.3 - Aspyr)
HandBrake 1.7.3 (HKLM-x32\...\HandBrake) (Version: 1.7.3 - )
Icaros (HKLM\...\Icaros_is1) (Version: 3.3.2.0 - Tabibito Technology)
ImgBurn (HKLM-x32\...\ImgBurn) (Version: 2.5.8.0 - LIGHTNING UK!)
Intel(R) Chipset Device Software (HKLM-x32\...\{e6ecf35a-b1bb-4e59-9d90-4c98fde2ffa8}) (Version: 10.1.19199.8340 - Intel(R) Corporation)
Java 8 Update 401 (64-bit) (HKLM\...\{71024AE4-039E-4CA4-87B4-2F64180401F0}) (Version: 8.0.4010.10 - Oracle Corporation)
Macrium Reflect Home Edition (HKLM\...\{409F3D44-EDA2-4BFE-86BD-2BC70DD9C198}) (Version: 6.3.1865 - Paramount Software (UK) Ltd.) Hidden
Macrium Reflect Home Edition (HKLM\...\MacriumReflect) (Version: 6.3 - Paramount Software (UK) Ltd.)
MakeMKV v1.17.5 (HKLM-x32\...\MakeMKV) (Version: v1.17.5 - GuinpinSoft inc)
MediaInfo 24.01 (HKLM\...\MediaInfo) (Version: 24.01 - MediaArea.net)
Microsoft DirectX End-User Runtime (HKLM\...\DirectX End-User Runtime) (Version: 9.29.1974 - Microsoft Corporation)
Microsoft DirectX Managed Assemblies (HKLM\...\DirectX Managed Assemblies) (Version: 1.1 - Microsoft Corporation)
Microsoft Office LTSC Standard 2021 - en-us (HKLM\...\Standard2021Volume - en-us) (Version: 16.0.14332.20481 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61186 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.7523 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.7523 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61135 (HKLM\...\{37B8F9C7-03FB-3253-8781-2517C99D7C00}) (Version: 11.0.61135 - Microsoft Corporation)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61135 (HKLM\...\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}) (Version: 11.0.61135 - Microsoft Corporation)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.40664 (HKLM\...\{010792BA-551A-3AC0-A7EF-0FAB4156C382}) (Version: 12.0.40664 - Microsoft Corporation)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.40664 (HKLM\...\{53CF6934-A98D-3D84-9146-FC4EDF3D5641}) (Version: 12.0.40664 - Microsoft Corporation)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.38.33126 (HKLM\...\{F80D0C4E-7BA7-4B7B-9B81-CECFB5601EE8}) (Version: 14.38.33126 - Microsoft Corporation)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.38.33126 (HKLM\...\{14DDB43F-B11B-47D7-B118-F8EC25D52606}) (Version: 14.38.33126 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\{C931A1C6-A7BF-3737-874A-818881A37E1B}) (Version: 10.0.60915 - Microsoft Corporation)
MKVToolNix 82.0.0 (64-bit) (HKLM-x32\...\MKVToolNix) (Version: 82.0.0 - Moritz Bunkus)
Mozilla Firefox ESR (x64 en-US) (HKLM\...\Mozilla Firefox 102.15.1 ESR (x64 en-US)) (Version: 102.15.1 - Mozilla)
Mozilla Thunderbird 52.9.1 (x86 en-US) (HKLM-x32\...\Mozilla Thunderbird 52.9.1 (x86 en-US)) (Version: 52.9.1 - Mozilla)
MSI Afterburner 4.6.5 (HKLM-x32\...\Afterburner) (Version: 4.6.5 - MSI Co., LTD)
MySQL Workbench 8.0 CE (HKLM\...\{06687940-C076-4E1C-BDF9-0707DCB3ED28}) (Version: 8.0.25 - Oracle Corporation)
Need For Speed Underground (HKLM-x32\...\{A99968BE-C155-474C-0089-33239DEE1CE2}) (Version:  - )
Notepad++ (64-bit x64) (HKLM\...\Notepad++) (Version: 8.6.4 - Notepad++ Team)
NVIDIA Graphics Driver 551.23 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 551.23 - NVIDIA Corporation)
Office 16 Click-to-Run Extensibility Component (HKLM\...\{90160000-008C-0000-1000-0000000FF1CE}) (Version: 16.0.14332.20481 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-007E-0000-1000-0000000FF1CE}) (Version: 16.0.14332.20481 - Microsoft Corporation) Hidden
Open-Shell (HKLM\...\{FA86549E-94DD-4475-8EDC-504B6882E1F7}) (Version: 4.4.191 - The Open-Shell Team)
OpenVPN 2.6.9-I001 amd64 (HKLM\...\{F8F0FB6A-DC3A-45C3-9A5E-88BCCDA5DF71}) (Version: 2.6.901 - OpenVPN, Inc.)
PotPlayer-64 bit (HKLM\...\PotPlayer64) (Version: 231113 - Kakao Corp.)
Realtek USB Audio (HKLM-x32\...\{0A46A65D-89AC-464C-8026-3CD44960BD04}) (Version: 6.3.9600.2353 - Realtek Semiconductor Corp.)
SimCity 3000 compatibility fixes (HKLM\...\{a11069d5-5b77-4c3e-9640-5b8415af52e1}.sdb) (Version:  - )
SmartControlCenter (HKLM-x32\...\{63CE935C-03E3-4EB4-B194-792CB2F91C87}) (Version: 1.1.3.4 - Netgear)
Subtitle Edit (HKLM\...\SubtitleEdit_is1) (Version: 4.0.3.0 - Nikse)
Subtitle Workshop (HKLM-x32\...\{03754E1D-48F1-4935-898E-34753081BAF9}_is1) (Version: 6.2.9 - Kameleon Software)
SureThing Disc Labeler Gold (HKLM-x32\...\SureThing Disc Labeler Gold_is1) (Version: 7.0.77.0 - MicroVision Development, Inc.)
The Settlers II - 10th Anniversary (HKLM-x32\...\S2TNG) (Version:  - )
WinCDEmu (HKLM-x32\...\WinCDEmu) (Version: 3.6 - Bazis)
Windows 7 Games for Windows 10 and 8 (HKLM\...\Win7Games) (Version: 2.0 - http://winaero.com)
WinRAR 6.24 (64-bit) (HKLM\...\WinRAR archiver) (Version: 6.24.0 - win.rar GmbH)

Packages:
=========
MPEG-2 Video Extension -> C:\Program Files\WindowsApps\Microsoft.MPEG2VideoExtension_1.0.50901.0_x64__8wekyb3d8bbwe [2024-03-03] (Microsoft Corporation)
NVIDIA Control Panel -> C:\Program Files\WindowsApps\NVIDIACorp.NVIDIAControlPanel_8.1.964.0_x64__56jybvy8sckqj [2024-03-03] (NVIDIA Corp.)
Realtek Audio Control -> C:\Program Files\WindowsApps\RealtekSemiconductorCorp.RealtekAudioControl_1.50.323.0_x64__dt26b99r8h8gj [2024-03-03] (Realtek Semiconductor Corp)

========================= Devices: ================================

Name: Intel(R) Ethernet Controller I226-V
Description: Intel(R) Ethernet Controller I226-V
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Intel
Service: e2fexpress
Device ID: PCI\VEN_8086&DEV_125C&SUBSYS_7D861462&REV_04\047C16FFFF4E29EF00
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Intel(R) Ethernet Controller I226-V #2
Description: Intel(R) Ethernet Controller I226-V
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Intel
Service: e2fexpress
Device ID: PCI\VEN_8086&DEV_125C&SUBSYS_7D861462&REV_04\047C16FFFF4E29F000
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Base System Device
Description: Base System Device
Class Guid:
Manufacturer:
Service:
Device ID: PCI\VEN_8086&DEV_A74F&SUBSYS_7D861462&REV_01\3&11583659&0&40
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Simple Communications Controller
Description: PCI Simple Communications Controller
Class Guid:
Manufacturer:
Service:
Device ID: PCI\VEN_8086&DEV_7A68&SUBSYS_7D861462&REV_11\3&11583659&0&B0
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Universal Serial Bus (USB) Controller
Description: Universal Serial Bus (USB) Controller
Class Guid:
Manufacturer:
Service:
Device ID: PCI\VEN_8086&DEV_1137&SUBSYS_44761462&REV_00\C9128491D1E9070000
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Network Controller
Description: Network Controller
Class Guid:
Manufacturer:
Service:
Device ID: PCI\VEN_8086&DEV_7A70&SUBSYS_00948086&REV_11\3&11583659&0&A3
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


========================= Memory info: ===================================

Percentage of memory in use: 4%
Total physical RAM: 65367.27 MB
Available physical RAM: 62132.98 MB
Total Virtual: 74583.27 MB
Available Virtual: 69810.71 MB

========================= Partitions: =====================================

3 Drive c: (Windows 10 ) (Fixed) (Total:96.01 GB) (Free:75.65 GB) NTFS
4 Drive d: (Games ) (Fixed) (Total:1907.71 GB) (Free:1884.89 GB) NTFS
5 Drive e: (Downloads ) (Fixed) (Total:1907.71 GB) (Free:1697.97 GB) NTFS
6 Drive f: (Authoring ) (Fixed) (Total:1811.12 GB) (Free:1726.73 GB) NTFS
7 Drive g: (Data ) (Fixed) (Total:9313.87 GB) (Free:9179.63 GB) NTFS
8 Drive h: (Development ) (Fixed) (Total:1907.71 GB) (Free:1451.47 GB) NTFS
9 Drive m: (Applications) (Network) (Total:2560.01 GB) (Free:995.3 GB) NTFS
10 Drive n: (Games) (Network) (Total:4096.01 GB) (Free:1799.14 GB) NTFS
11 Drive o: (Images    ) (Network) (Total:768.01 GB) (Free:308.78 GB) NTFS
12 Drive p: (Music) (Network) (Total:128 GB) (Free:66.23 GB) NTFS
13 Drive q: (Windows 2012 R2) (Network) (Total:96.01 GB) (Free:71.04 GB) NTFS
14 Drive r: (Users) (Network) (Total:384.01 GB) (Free:318.94 GB) NTFS
15 Drive s: (Users) (Network) (Total:384.01 GB) (Free:318.94 GB) NTFS
16 Drive t: (TV-1) (Network) (Total:14901.87 GB) (Free:6594.21 GB) NTFS
17 Drive u: (Movies-1) (Network) (Total:11175.87 GB) (Free:4487.97 GB) NTFS
18 Drive v: (Documentaries) (Network) (Total:6311.86 GB) (Free:4419.64 GB) NTFS
19 Drive w: (Photos) (Network) (Total:128.01 GB) (Free:122.94 GB) NTFS
20 Drive x: (Backup) (Network) (Total:9313.87 GB) (Free:3466.64 GB) NTFS
21 Drive y: (WinImages        ) (Network) (Total:9313.87 GB) (Free:3814.51 GB) NTFS

========================= Users: ========================================

User accounts for \\TANYA-PC

Administrator            DefaultAccount           Guest                    
Tanya                    WDAGUtilityAccount       


**** End of log ****

Edited by TanyaC, 06 March 2024 - 10:03 PM.


#13 cryptodan


Posted 06 March 2024 - 10:22 PM

I see in your hosts file that sites that are used to search for and find potential information regarding the tactics, techniques, and procedures are blocked; something on your machine likely planted or created that hosts file.

Some of these sites include, but are not limited to:

bing.com
google.com
forums.whirlpool.net.au

Continue pursuing the malware removal help. You'll be posting more information than in the above.



#14 TanyaC


Posted 06 March 2024 - 10:27 PM

Nope. I put them there.

 

I don't believe there is anything in there that I did not intentionally add.

 

I'd have another 30,000 lines in there if I could, but as it stands, adding chunks of entries now results in a massive slowdown of my browser.

They say the hosts file size is unlimited, but I've found once it gets close to 1 MB things slow to a crawl.

 

I'm going to be offline now for a day or so whilst I install from scratch.


Edited by TanyaC, 06 March 2024 - 10:32 PM.


#15 cryptodan


Posted 06 March 2024 - 10:34 PM

You really shouldn't be using a hosts file; you're essentially going to stop the internet from working on your computer.

The hosts file is greatly deprecated, as it was primarily used for computers to do name-to-IP and IP-to-hostname lookups prior to the invention of the Domain Name System, and it does not block incoming requests at all.

What is it that you are trying to do and prevent from happening?





