Connection Logs

The domain name goes to some service center.

OrgName:    Embarq Corporation
OrgID:      EMBAR
Address:    500 N New York Ave
City:       Winter Park
StateProv:  FL
PostalCode: 32789
Country:    US

NetRange:   65.40.0.0 - 65.41.255.255
CIDR:       65.40.0.0/15
NetName:    EMBARQ-GLOBAL
NetHandle:  NET-65-40-0-0-1
Parent:     NET-65-0-0-0-0
NetType:    Direct Allocation
NameServer: NS9.EMBARQSERVICES.NET
NameServer: NS10.EMBARQSERVICES.NET
Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:    2002-04-08
Updated:    2007-02-22

OrgTechHandle: ESC36-ARIN
OrgTechName:   Embarq Services - CDS
OrgTechPhone:  +1-407-741-0500
OrgTechEmail:  

Stu, why would my computer be having ms-wbt-server on it?

Since your username is “NY1986”, and Embarq is based in New York, I’m guessing that they are your internet provider. Did you have to install any software with this company?

Tony, not necessarily so. He could be from NY :)

Message Edited by THock on 08-08-2008 12:31 PM


My provider is AT&T, but sometimes I see others like Verizon and all. So maybe that is his case too? Just throwing that out there. I'm sure you can help him. You all seem really good at things here. Part of the reason I signed up. Sorry to bog this down.

Message Edited by THock on 08-08-2008 12:33 PM

Hey all, forgive me if I’m not following the rules. Newbie. When there are posts like this and I have a question about something in the post, should I ask it here or start a new one?

This looks like somebody poking around to find an unsecured remote desktop host. Since zero bytes were sent or received, it should be pretty harmless. Do you see any other entries in your logs for the same time indicating that this might have been blocked?

Message Edited by reese_anschultz on 08-08-2008 12:49 PM

Sorry, I don't have those logs printed out and they have now been erased.

But I see this type of entry periodically, all with 0 bytes sent, 0 bytes received. I notice that in the activity log, I see several entries daily that read something like


Unused port blocking has blocked inbound TCP connection from remote address  XXXXXXX to local XXXXX


I don't know if that's related, though

Unused port blocking has blocked inbound TCP connection from remote address  XXXXXXX to local XXXXX

does show up a lot without there being any ms-wbt-server thing.

I think I was concerned that ms-wbt-server was on my computer. But it sounds like it's not? If someone tried to set up shop on my comp, they would need to install some type of program, wouldn't they?

I hear about people getting these sorts of probes all of the time. For this, it sounds like the “attacker” successfully connected but didn’t do anything… they were just looking for machines. This port may have been enabled by allowing remote assistance to your computer in the past. Usually the service does authentication so you probably aren’t at risk should they try to use it.

Thanks, Reese. Would this still be the case if my remote access is NOT enabled? I know it has been in the not-enabled status since Christmas time. I did have Microsoft remote help back in November 2007. So two questions:

1. Let me see if I understand, if I may use this analogy:

Say I let a friend in through door A way back in Nov 2007. Then I board up door A and never use it again (disabling remote access help). But some knucklehead had seen my friend come through door A before. So the knucklehead jiggles door A. They found door A and know that it goes to my computer, but can't do anything with door A (get/send data). In a simplistic way, is this part of what you are saying?

2. So if remote access is disabled, can remote access still be done by the bad guys?

Reese, when you say

For this, it sounds like the "attacker" successfully connected but didn't do anything... they were just looking for machines

So it sounds like this is not a danger? Sort of like a bad guy knows your address, they come to your house and come to the door. So they know you live there and they came there, but didn't/couldn't do anything. Simplistic I know, but kind of what you mean?

Could that be why it happens every once in a while, but nothing steady?

This is why I asked if you saw any other entries in your logs around the same time.

There are occasions where a successful connection will be logged and the product immediately kills the connection right afterward, but you should see that event elsewhere in your logs. If you don't see that, then it sounds like they connected without issue. To expand your analogy a bit, it might be better to envision a two-door entry system. The first is the remote desktop network connection itself and the second is the security that is built into remote desktop. If the attacker manages to get through the first door and connect to your remote desktop service, they still have to authenticate themselves as valid users of your system. If you have set up passwords on your accounts, you are probably safe. Given that no bytes were transferred, it sounds like the connection probably got killed and will show up in the logs, but if it didn't, the attacker was only testing to see if they could get past the first door and never tried to get past the second.

Reese- it has been a few days since that incident, so my logs have long since been updated and old information lost.

You indicated: "There are occasions where a successful connection will be logged and the product immediately kills the connection right afterward, but you should see that event elsewhere in your logs. If you don't see that, then it sounds like they connected without issue."

What type of event would I see after that? I do see that unused port blocking blocks TCP port connections. Is that what you mean?

If it connected without issue, the fact that no bytes were sent or received pretty well would mean nothing happened right?

If you are seeing unused port blocking around the same time, you should look at the remote address. If they are the same, then it definitely was somebody poking around for an open machine.
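The check Reese describes, correlating each zero-byte ms-wbt-server (TCP 3389) entry with "Unused port blocking" entries from the same remote address around the same time, can be automated once the log is exported to text. The script below is an added example written for this thread, not code from the product or from any poster. The connection-entry layout and the timestamp format are assumptions (the product's real export format is not shown in the thread); the sample log lines are constructed and use RFC 5737 documentation addresses. It also counts how often each remote address comes back, which speaks to the "every once in a while, but nothing steady" question.

```python
"""Correlate zero-byte ms-wbt-server (RDP, TCP 3389) connection entries with
"Unused port blocking" entries from the same remote address, to tell a port
sweep of the host from a single probe of port 3389."""
import re
from datetime import datetime, timedelta

# Constructed sample log text (not taken from the thread). The line layout is an
# assumption: a timestamp followed by either a connection entry or the
# "Unused port blocking" wording quoted in the thread. Addresses are from the
# RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2008-08-08 11:02:13 Connection: inbound TCP from remote address 192.0.2.10 to local ms-wbt-server (3389), 0 bytes sent, 0 bytes received
2008-08-08 11:02:15 Unused port blocking has blocked inbound TCP connection from remote address 192.0.2.10 to local 135
2008-08-08 11:02:16 Unused port blocking has blocked inbound TCP connection from remote address 192.0.2.10 to local 445
2008-08-08 13:40:01 Connection: inbound TCP from remote address 198.51.100.7 to local ms-wbt-server (3389), 0 bytes sent, 0 bytes received
2008-08-08 17:05:44 Unused port blocking has blocked inbound TCP connection from remote address 203.0.113.9 to local 1433
2008-08-09 09:15:30 Connection: inbound TCP from remote address 192.0.2.10 to local ms-wbt-server (3389), 0 bytes sent, 0 bytes received
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
CONN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Connection: inbound TCP from remote address "
    r"(?P<ip>\S+) to local (?P<svc>\S+) \((?P<port>\d+)\), "
    r"(?P<sent>\d+) bytes sent, (?P<recv>\d+) bytes received$"
)
BLOCK_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Unused port blocking has blocked inbound TCP "
    r"connection from remote address (?P<ip>\S+) to local (?P<port>\d+)$"
)


def parse_log(text):
    """Split log text into (connections, blocks); each entry is a dict with a datetime."""
    connections, blocks = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CONN_RE.match(line)
        if m:
            connections.append({
                "ts": datetime.strptime(m["ts"], TS_FMT),
                "ip": m["ip"], "svc": m["svc"], "port": int(m["port"]),
                "sent": int(m["sent"]), "recv": int(m["recv"]),
            })
            continue
        m = BLOCK_RE.match(line)
        if m:
            blocks.append({
                "ts": datetime.strptime(m["ts"], TS_FMT),
                "ip": m["ip"], "port": int(m["port"]),
            })
        # Lines in neither format are ignored rather than treated as errors.
    return connections, blocks


def find_rdp_probes(text, window=timedelta(minutes=5)):
    """For every zero-byte ms-wbt-server connection, list the ports the firewall
    blocked from the same remote address within +/- window and give a verdict."""
    connections, blocks = parse_log(text)
    results = []
    for c in connections:
        if c["svc"] != "ms-wbt-server" or c["sent"] or c["recv"]:
            continue
        nearby = sorted(
            b["port"] for b in blocks
            if b["ip"] == c["ip"] and abs(b["ts"] - c["ts"]) <= window
        )
        results.append({
            "ts": c["ts"].strftime(TS_FMT),
            "ip": c["ip"],
            "blocked_ports": nearby,
            # Same address hitting other ports at the same time: a sweep of the
            # host. Nothing else from that address: a single probe of 3389.
            "verdict": "port sweep" if nearby else "single probe",
        })
    return results


def repeat_offenders(text):
    """Count zero-byte RDP probes per remote address across the whole log."""
    counts = {}
    for r in find_rdp_probes(text):
        counts[r["ip"]] = counts.get(r["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for r in find_rdp_probes(SAMPLE_LOG):
        print(f'{r["ts"]} {r["ip"]:<14} blocked={r["blocked_ports"]} -> {r["verdict"]}')
    print("probes per address:", repeat_offenders(SAMPLE_LOG))
```

Run it against an exported log in place of SAMPLE_LOG; a "port sweep" verdict with a list of blocked ports is the pattern Reese describes, while a "single probe" with no neighbouring block entries only says the address reached port 3389 and sent nothing, so the built-in authentication (the second door) was never tested.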