Not my router trying to connect incoming


  1. Posts : 472
    Windows 10 Pro x64
       #1

    Not my router trying to connect incoming


    Hi there. I need help being assured that this is not anything to worry about even though it's not my router name. It says it's a "sagemcom broadband sas" that tries connecting to my PC from 192.168.0.1; this is nowhere near what my router is. My router is not from that company, we don't even have that company here where I live. I am more than 100% sure about the name of my router and where I bought it because it came with my subscription to the internet I use; they send you the router free. Before, my PC did not report the name of whatever is spoofing (or what you call it) the 192.168.0.1 IP address and pretending to be legit and from my own router. But now Eset tells us it's Sagemcom. Even if I have always denied this incoming connection, I have no problem with connecting and using the internet at all. Whatever is using the IP 192 is trying to come in via Svchost. It's obvious it's someone using/hiding behind the legit router IP 192.168.0.1 like a backdoor into my PC. Am I right or am I wrong? Don't forget the name Sagemcom broadband is NOT my router, though it tries to connect to me and with a port 9431.

    Thank you guys! My PC Windows 10 x64 2004 latest version update

    Edit: Forgot to show you the picture. [Attached images: 192block.jpg, notmyrou.jpg]

    1 picture shows when eset was not able to name the router and 1 shows a recent block showing the name that alarmed me to make this topic because of it not being my router name/company/internet provider.


  2. Posts : 4,163
    Windows 11 Pro, 22H2
       #2

    Try doing this:

    Open a command prompt.
    Run the command "ipconfig".
    Look for the IP address listed for the "Default Gateway". It appears that yours will be 192.168.0.1.

    Ping that address with a "-a". For example: ping -a 192.168.0.1.

    On the first line returned by this command, what name is it showing?

    Edit: Adding the following as an additional test:

    Another thing to try:


    Once you have the default gateway address, run this series of commands (I'm assuming that the gateway address is 192.168.0.1. If you get something else, substitute that address).


    nslookup
    192.168.0.1
    exit


    What name does it return for "Server"?
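The checks from this post, plus the gateway's MAC address, gathered in one PowerShell pass. This is an added example, not part of the original post; it assumes Windows 10/11 with the built-in NetTCPIP and DnsClient cmdlets.

```powershell
# Added example: identify the device that answers at the default gateway address.
# Runs in a normal (non-elevated) PowerShell window.

# 1. Default gateway(s) from the routing table (the value ipconfig reports).
$routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Sort-Object -Property RouteMetric

foreach ($route in $routes) {
    $gw = $route.NextHop
    if ($gw -eq '0.0.0.0') { continue }   # on-link route (some VPN adapters): no gateway host

    # 2. Send one echo request so the neighbor (ARP) cache holds a fresh entry.
    $null = Test-Connection -ComputerName $gw -Count 1 -Quiet

    # 3. MAC address the gateway IP currently maps to on this interface.
    $neighbor = Get-NetNeighbor -IPAddress $gw -InterfaceIndex $route.InterfaceIndex `
        -ErrorAction SilentlyContinue | Select-Object -First 1
    $mac = $neighbor.LinkLayerAddress

    # 4. Reverse lookup: the same question "ping -a" and nslookup ask.
    $name = try {
        (Resolve-DnsName -Name $gw -Type PTR -ErrorAction Stop |
            Select-Object -First 1).NameHost
    } catch { '(no PTR record)' }

    # First three bytes of the MAC are the manufacturer's OUI prefix.
    $oui = if ($mac) { ($mac -replace '[-:]', '').Substring(0, 6) } else { $null }

    [pscustomobject]@{
        Interface  = $route.InterfaceAlias
        Gateway    = $gw
        MacAddress = $mac
        OuiPrefix  = $oui
        State      = $neighbor.State
        DnsName    = $name
    }
}
```

The MacAddress value can be compared with the MAC printed on the router's label; the OuiPrefix is the part of it that is registered to the hardware manufacturer rather than to the ISP whose brand is on the case.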


  3. Posts : 8,173
    windows 10
       #3

    It's only UDP; that protocol doesn't make a connection like TCP/IP, it's basically a ping, so there is no danger there. Sagem make a lot of routers, which are often rebranded.


  4. Posts : 32,044
    10 Home x64 (22H2) (10 Pro on 2nd pc)
       #4

    BlackVen0m said:
    Eset tells us it's Sagemcom ... that alarmed me to make this topic because of it not being my router name/company/internet provider.
    Eset is showing the manufacturer's name for your router. Here in the UK the ISPs BT, Plusnet, Sky and TalkTalk have at various times supplied routers rebranded with their own name, but made for them by Sagemcom.

    There are currently three BT Home Hub routers visible in my neighbourhood, according to my WiFi scanner....
    [Attached image: image.png]


    What is the name of your router and ISP?


  5. Posts : 472
    Windows 10 Pro x64
    Thread Starter
       #5

    Thank you guys, I contacted the ISP and they told me it's as you say it is. So besides that, how about the port it uses?


  6. Posts : 32,044
    10 Home x64 (22H2) (10 Pro on 2nd pc)
       #6

    BlackVen0m said:
    ...So besides that, how about the port it uses?
    Port 67 appears to be used for DHCP, the method your router uses to dynamically assign IP addresses to any device that connects to it.....

    [Attached image: image.png]

    List of TCP and UDP port numbers - Wikipedia

    I cannot find any well known use for port 9431.


  7. Posts : 472
    Windows 10 Pro x64
    Thread Starter
       #7

    Bree said:
    Port 67 appears to be used for DHCP, the method your router uses to dynamically assign IP addresses to any device that connects to it.....

    [Attached image: image.png]

    List of TCP and UDP port numbers - Wikipedia

    I cannot find any well known use for port 9431.
    Yeah, thanks for the reply. Yeah, my concern was regarding port 9431. Does anyone else know why it uses port 9431? Thinking maybe something's up after all if port 9431 is something to notice.


  8. Posts : 8,173
    windows 10
       #8

    Anything can use any port; you don't have to stick to set ports.


  9. Posts : 472
    Windows 10 Pro x64
    Thread Starter
       #9

    Hi guys. I figured I'll ask you some more instead of making a new topic. Is it OK for me to block UDP incoming on port 67 from remote IP 0.0.0.0? My internet works even if it's blocked, so my question is if it's safe to let it pass or should I just block it as I do now for security? Is there any way for any malicious activity to be using that port, UDP incoming from 0.0.0.0, to their advantage?
    [Attached image: port0000.png]

    And here, when I play Counter-Strike GO, I get an outgoing block on TCP on port 5000. I have disabled the UPnP service in Windows already so I don't get why it tries anyway. And the only ports CSGO uses are TCP: 27015-27030,27036-27037 UDP: 4380,27000-27031,27036. So why is it trying port 5000 TCP outgoing to remote IP 127.0.0.1?

    [Attached images: csgo-5000.png, csgo-port-5000-info.png]

    Thank you guys. This will help me understand it better so I can relax if it's nothing to worry about.

    - - - Updated - - -

    When I play CSGO, svchost bombards me with incoming tries on UDP with the same port as I have opened for csg.exe (sometimes a higher number on the port that I don't even use in CSGO, like 27043, when I only accept the range that CSGO has from 27000-27031). The port I open for the csgo.exe file only is outgoing (not incoming, it's not required) UDP 27000-27031 and I can play the game online with no problems, but this svchost also tries using the same range 27000-27031 but incoming, and not only that,

    but it also tries higher port numbers than what I use on csgo.exe, and that can be 27051 or 27067 and so on, and those port numbers don't even exist for CSGO; as I have shown it's 27000-27031 and 27036 for remote something which I don't use, so I only enable the range 27000-27031 for security and only outgoing TCP and UDP on 27000-27031. So what is svchost doing here? It really looks like malicious activity! But only you guys can answer that. Also the remote IP that I blackened out is my VPN IP that it uses, if that matters?

    [Attached image: svcsgo-incoming.jpg]


  10. Posts : 472
    Windows 10 Pro x64
    Thread Starter
       #10

    Hi guys. I have something else that worries me and I have good reason to because of what I found out. This IP is using svchost and Malwarebytes to connect outgoing TCP. Found a site warning about the same IP and another site called Abuse IP where hundreds of people say it's a man-in-the-middle attack and other types of attack, portscan and so on, going on with that IP address. How come it uses Malwarebytes to connect? I find it weird that Malwarebytes is using that IP as legit because of all the warnings and it being associated with "Emotet Malware Delivery Botnet" according to the website I found the warning on, and not to mention Abuse IP warning about it.

    Here are the pictures: [Attached images: 93-block-svch-malwa.jpg, screenshot_2020-08-12-emotet-malware-delivery-botnet-threat-analysis.png, malwarning-same-ip-warning.jpg, malware-93.184.png]

    - - - Updated - - -

    Here is the website that tells us about it being connected to "Emotet botnet": Emotet Malware Delivery Botnet – Threat Analysis

    Here are all the warnings from people from the Abuse IP website: 93.184.220.29 | EdgeCast NetBlk | AbuseIPDB

    It's really worrisome that the website says it uses some technique to evade detection and that would go hand in hand with my "problems not being able to get rid of my malware if any", so if it's evading then it's not a wonder why I might have problems still even after all OS reinstalls and wipes.

    "The Emotet Malware Delivery Botnet is utilizing a combination of obfuscated VBA scripts, macros, and powershell instructions to evade antivirus defenses while relying on social engineering in order to successfully exploit target systems as user intervention is mandatory in the samples observed"

    - - - Updated - - -

    I'm back guys. I have a picture from TDSKILLER that found 2 things. 1 of the files is related to TDSKILLER itself so it's a false positive from what I gathered (or maybe it's not), but it just comes back when deleting and I saw that the sys file is related to TDS. But the other one is something to worry about because I don't find any info about it! And it's the file called CredentialEnrollmentManager.exe; it's also a Hidden service. If I choose delete or quarantine it won't work, it just keeps being detected over and over. What can this be? Is it a forged/hacked CredentialEnrollmentManager.exe apart from the legit one? Why is TDS finding it as something that's suspicious? Forgot to add that TDS only finds these files when I enable ROOTKIT scan. So it's somehow related to it.

    [Attached image: tdskiller-credman.png]

    I have not gotten answers for some time; I hope you guys take me seriously. The things I bring up are backed up by people on Abuse IP or that other site as being something bad, so I'm not just here spewing out random things. So I appreciate it if you can help. Thank you so much in advance.

    - - - Updated - - -

    Hi again. I have an update. [Attached images: screenshot_2020-08-13-dos-smurf-fraggle-attacks-get-certified-get-ahead.png, port-7.png]

    Here you see me being attacked with that port incoming udp 2521 times.


    Please can anyone help? At least tell me something?


 
