Help required with suspicious internet activity
I have logged the following outbound traffic from my gateway machine from one of the internal XP machines.

It appears to be a sequence of ten connection attempts to a specific IP address.

First there are 2 ping attempts, then a Windows share attempt over TCP, then another 2 ping attempts followed by five Windows share attempts over TCP and NetBIOS.

During the last try I did a netstat and found that there was a closed connection to the destination address on port 80 (I had no browser open). It was going through the svchost super daemon so I could not figure out which executable was responsible. How does one associate a connection through svchost to a particular executable?

I have run the usual anti-spyware [Spybot & Ad-Aware] and anti-virus programs [BitDefender] with the latest definitions and come up empty.

If anyone recognises this sequence as being from a particular program/malware please let me know. If you have any suggestions what my next steps should be please let me know.

Michael

Sep 21 20:29:37 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=45248 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=2816
Sep 21 20:29:39 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=45250 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=3072
Sep 21 20:29:41 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=45272 DF PROTO=TCP SPT=1956 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 21 20:29:41 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=45273 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=3328
Sep 21 20:29:44 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=45294 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=3584
Sep 21 20:29:44 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=45295 DF PROTO=TCP SPT=1956 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 21 20:29:46 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=45297 DF PROTO=TCP SPT=1957 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 21 20:29:49 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=45299 DF PROTO=TCP SPT=1957 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 21 20:29:50 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=45300 DF PROTO=TCP SPT=1956 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 21 20:29:55 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=45302 DF PROTO=TCP SPT=1957 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0

Sep 21 20:50:29 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=46847 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=3840
Sep 21 20:50:32 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=46848 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=4096
Sep 21 20:50:34 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=46849 DF PROTO=TCP SPT=1975 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 21 20:50:34 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=46850 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=4352
Sep 21 20:50:37 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=46851 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=4608
Sep 21 20:50:37 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=46852 DF PROTO=TCP SPT=1975 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 21 20:50:39 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=46853 DF PROTO=TCP SPT=1976 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 21 20:50:42 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=46854 DF PROTO=TCP SPT=1976 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 21 20:50:43 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=46858 DF PROTO=TCP SPT=1975 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 21 20:50:48 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=46900 DF PROTO=TCP SPT=1976 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0

Sep 24 18:54:08 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=34874 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=768
Sep 24 18:54:10 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=34908 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1024
Sep 24 18:54:12 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=34948 DF PROTO=TCP SPT=1291 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 24 18:54:12 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=34949 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1280
Sep 24 18:54:15 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=34950 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1536
Sep 24 18:54:15 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=34951 DF PROTO=TCP SPT=1291 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 24 18:54:17 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=34952 DF PROTO=TCP SPT=1292 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 24 18:54:20 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=34971 DF PROTO=TCP SPT=1292 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 24 18:54:21 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=34972 DF PROTO=TCP SPT=1291 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 24 18:54:26 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=34973 DF PROTO=TCP SPT=1292 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
Re: Help required with suspicious internet activity
Michael wrote:
> I have logged the following outbound traffic from my gateway machine from
> one of the internal XP machines
>
> It appears to be a sequence of ten connection attempts to a specific IP
> address.
>
> First there is 2 ping attempts, then a windows share attempt over tcp then
> another 2 ping attempts followed by five windows share attempts over tcp and
> netbios.
>
> During the last try I did a netstat and found that there was a closed
> connection to the destination address on port 80 (I had no browser open).
> It was going through the svchost super daemon so I could not figure out
> which executable was responsible. How does one associate a connection
> through svchost to a particular executable?
>
> I have run the usual anti spyware [spybot & adaware] and anti-virus programs
> [bitdefender] with the latest definitions and come up empty.
>
> If anyone recognises this sequence as being from a particular
> program/malware please let me know. If you have any suggestions what my
> next steps should be please let me know.
>
> Michael
>
[snip]

A whois with http://www.apnic.net/ showed that this IP address (202.168.8.80) is in Australia .... OK so it's not much use but hey :-)
Re: Help required with suspicious internet activity
Sounds a bit like Kaung2 .. a keylogger. The Aussies are pushing them. Generally, I've found that if a user has a Yahoo Email account, this sort of thing starts happening. Not that Yahoo is a bunch of Scumware Pushers, but every time I see this sort of thing start up ..... Yahoo is strangely associated with it.

The program that I'm using to spot this garbage is F-Secure firewall. It will tell you which exe on your machine is yakking, and it will tell you who is replying or probing. Once this mess gets going, your machine can become very very popular with the Aussies, Russians, Canadians, etc. I also see them pushing Sasser, and some kind of ftp-server for mp3s. That is why the constant probes once you are "known" by the crooked kiddies looking for free music.

Seriously .. F-Secure firewall is getting the job done, and it doesn't feed us any bullshit and jargon like the MS (so-called) firewall. It actually works and will help you in your job.

johns
Re: Help required with suspicious internet activity
"johns" <johns123@moscow.com> wrote in message news:cj4h5d$2bea$1@news.fsr.net...
> Sounds a bit like Kaung2 .. a keylogger. The Aussies
> are pushing them. Generally, I've found that if a user
> has a Yahoo Email account, this sort of thing starts
> happening. Not that Yahoo is a bunch of Scumware
> Pushers, but every time I see this sort of thing start up

Thanks johns, I am one of those Aussies but am not pushing these things. I am trying to get rid of it but think I have at least contained it by blocking the IP that it was trying to connect to. You will notice the IP is always the same.

It appears you are pretty keen on F-Secure at the campus you are at.

Anyway, Kaung2 (and other keyloggers) often use email to send data to their masters. The machine in question has no email client set up and TCP port 25 is blocked at the router. The router has not logged any port 25 traffic from that machine. (Also the ISP blocks port 25 now, so you should see fewer viruses from Aussie Land in the last few months.)

I have checked the size, date & version info for explorer.exe and it appears to be OK - or at least the same as other machines that do not exhibit the same behaviour. The date stamp corresponds to the date I installed SP2.

I wish I had used netstat with the -ab option when it was happening to find out which program was the one causing the connection attempts. Because it happens so infrequently (only 3 connection attempts in 5 days) it's pretty hard to trace.

This does appear like keylogger behaviour. I tried the Symantec online scanner and also found nothing.

It appears that the connection attempts are getting further apart. 2 on the first day I detected it, then one two days later. None since.

There are no suspicious processes running in the process list (but I am told they can be hidden in a rootkit).

michael
Re: Help required with suspicious internet activity
"andy smart" <anonymus@discussions.microsoft.com> wrote in message news:1096125905.63501.0@despina.uk.clara.net...
> Michael wrote:
>>
> A whois with http://www.apnic.net/ showed that this IP address
> (202.168.8.80) is in Australia .... OK so it's not much use but hey :-)

Thanks andy,

I forgot to mention that I did get that far and did a whois on the IP. It gave a rather large chunk of addresses.
Re: Help required with suspicious internet activity
Michael wrote:
> I have logged the following outbound traffic from my gateway machine from
> one of the internal XP machines
>
> It appears to be a sequence of ten connection attempts to a specific IP
> address.
>
> First there is 2 ping attempts, then a windows share attempt over tcp then
> another 2 ping attempts followed by five windows share attempts over tcp and
> netbios.
>
> During the last try I did a netstat and found that there was a closed
> connection to the destination address on port 80 (I had no browser open).
> It was going through the svchost super daemon so I could not figure out
> which executable was responsible. How does one associate a connection
> through svchost to a particular executable?
>
> I have run the usual anti spyware [spybot & adaware] and anti-virus programs
> [bitdefender] with the latest definitions and come up empty.
>
> If anyone recognises this sequence as being from a particular
> program/malware please let me know. If you have any suggestions what my
> next steps should be please let me know.
>
> Michael
>
[snip]

I don't know how much help this is going to be, but based on the above capture it does appear to be suspicious. What catches my eye is the initial TTL of the ICMP packets. XP uses an initial TTL of 128 normally, so those ICMPs with a TTL of 31 (probably initial TTL was 32) would appear to be crafted using a program other than the normal Windows ping.exe. Note that the connection attempts to ports 139 and 445 have a more expected value of 127 for the TTL.

A quick google though didn't turn up anything obvious about malware that modifies the initial TTL of an echo request. But, this link certainly looks like similar behavior.

http://archives.neohapsis.com/archiv...3-04/1246.html

Like I said, I don't know if that helps or not, but...

Mark
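The two observations made so far in this thread, Michael's ping-then-SMB sequence and Mark's TTL argument, can both be checked mechanically against the gateway log. The script below is an added example, not code posted by anyone in the thread: it parses netfilter LOG lines of the form shown in the first post, groups packets per source/destination pair, renders each pair as a sequence of P (ICMP echo request) and S (TCP SYN to 445 or 139), and infers the initial TTL of every packet by rounding up to the nearest common OS default (32, 64, 128, 255, a heuristic and an assumption of this example). The sample input is the first Sep 21 burst copied from the log above.

```python
"""Added example: parse netfilter LOG lines from a gateway, flag hosts that mix
ICMP echo requests with TCP SYNs to SMB/NetBIOS ports at one destination, and
report when the pings imply a different initial TTL than the host's own TCP
traffic (the inconsistency Mark noticed)."""
import re
from collections import defaultdict

# First Sep 21 burst, copied from the thread's original post (one line per packet).
SAMPLE_LOG = """\
Sep 21 20:29:37 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=45248 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=2816
Sep 21 20:29:39 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=45250 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=3072
Sep 21 20:29:41 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=45272 DF PROTO=TCP SPT=1956 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 21 20:29:41 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=45273 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=3328
Sep 21 20:29:44 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=45294 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=3584
Sep 21 20:29:44 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=45295 DF PROTO=TCP SPT=1956 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 21 20:29:46 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=45297 DF PROTO=TCP SPT=1957 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 21 20:29:49 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=45299 DF PROTO=TCP SPT=1957 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 21 20:29:50 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=45300 DF PROTO=TCP SPT=1956 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 21 20:29:55 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=45302 DF PROTO=TCP SPT=1957 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
"""

LOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<rest>.*)$")
INITIAL_TTLS = (32, 64, 128, 255)   # common OS defaults (heuristic); routers only decrement


def parse_line(line):
    """Return the LOG fields of one syslog line as a dict, or None if it is not a LOG entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec.setdefault(key, val)    # first ID= is the IP header ID; the later ICMP ID= is ignored
        else:
            rec["flags"].add(tok)       # bare flags such as DF, SYN, ACK
    return rec


def infer_initial_ttl(ttl):
    """Smallest common initial TTL that is >= the observed TTL (None if observed > 255)."""
    return next((t for t in INITIAL_TTLS if t >= ttl), None)


def kind(rec):
    """P = ICMP echo request, S = TCP SYN to an SMB/NetBIOS port, '.' = anything else."""
    if rec.get("PROTO") == "ICMP" and rec.get("TYPE") == "8":
        return "P"
    if rec.get("PROTO") == "TCP" and "SYN" in rec["flags"] and rec.get("DPT") in ("445", "139"):
        return "S"
    return "."


def analyse(log_text):
    """Group packets per (SRC, DST) and describe every pair that mixes pings with SMB SYNs."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and "SRC" in rec and "DST" in rec:
            flows[(rec["SRC"], rec["DST"])].append(rec)
    findings = []
    for (src, dst), recs in flows.items():
        seq = "".join(kind(r) for r in recs)
        if "P" not in seq or "S" not in seq:
            continue
        ping_ttls = {infer_initial_ttl(int(r["TTL"])) for r in recs if kind(r) == "P"}
        tcp_ttls = {infer_initial_ttl(int(r["TTL"])) for r in recs if kind(r) == "S"}
        # SYN retransmits reuse the source port, so distinct (SPT, DPT) pairs = real connection attempts
        attempts = {(r["SPT"], r["DPT"]) for r in recs if kind(r) == "S"}
        findings.append({
            "src": src, "dst": dst, "sequence": seq,
            "pings": seq.count("P"), "smb_syns": seq.count("S"), "smb_attempts": len(attempts),
            "ping_initial_ttls": ping_ttls, "tcp_initial_ttls": tcp_ttls,
            "ttl_mismatch": bool(ping_ttls and tcp_ttls and ping_ttls != tcp_ttls),
        })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

On the sample burst this yields the sequence PPSPPSSSSS (four echo requests, six SYNs), pings inferred at an initial TTL of 32 against 128 for the SYNs, and only two distinct SMB connection attempts: the three SYNs to 445 all carry source port 1956 and the three to 139 all carry 1957, spaced 3 s and then 6 s apart, which is the normal SYN retransmission pattern rather than six separate attempts. The TTL rule is a heuristic; a host behind extra hops or with a tuned DefaultTTL will look different, so treat a mismatch as a lead to confirm on the host (as Michael does in a later post by running ping.exe himself), not as proof.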
Re: Help required with suspicious internet activity
Michael wrote:
> "andy smart" <anonymus@discussions.microsoft.com> wrote in message
> news:1096125905.63501.0@despina.uk.clara.net...
>> Michael wrote:
>>
>> A whois with http://www.apnic.net/ showed that this IP address
>> (202.168.8.80) is in Australia .... OK so it's not much use but hey :-)
>
> Thanks andy,
>
> I forgot to mention that I did get that far and did a whois on the IP. It
> gave a rather large chunk of addresses.

They're all with one ISP though weren't they? You might try dropping a copy of this info to them :-)
Re: Help required with suspicious internet activity
"Mark" <kilroy@removethis.beer.com> wrote in message news:C_z5d.121211$D%.86794@attbi_s51...
> Michael wrote:
> I don't know how much help this is going to be, but based on the above
> capture it does appear to be suspicious. What catches my eye is the
> initial TTL of the ICMP packets. XP uses an initial TTL of 128 normally,
> so those ICMPs with a TTL of 31 (probably initial TTL was 32) would appear
> to be crafted using a program other than the normal Windows ping.exe.
> Note that the connection attempts to ports 139 and 445 have a more
> expected value of 127 for the TTL.
>
> A quick google though didn't turn up anything obvious about malware that
> modifies the initial TTL of a echo request. But, this link certainly
> looks like similar behavior.
>
> http://archives.neohapsis.com/archiv...3-04/1246.html
>
> Like I said, I don't know if that helps or not, but...
>
> Mark

Thanks for spotting this Mark. I ran the ping command from the command prompt and got the result you expected in my logs. So this appears to confirm your statements.

I spent a large proportion of the day searching the net for information on malware that does this but found nothing of any use, as the ping reply appears to have a TTL of 32. It does appear that whatever is sending out the pings makes its own packets instead of asking the Windows ping to do it.

One of the troubles is the extremely long time (many days) between these sequences being sent out. I don't know what triggers it.
Re: Help required with suspicious internet activity
"andy smart" <anonymus@discussions.microsoft.com> wrote in message news:1096233106.26537.1@dyke.uk.clara.net...
>> Thanks andy,
>>
>> I forgot to mention that I did get that far and did a whois on the IP.
>> It gave a rather large chunk of addresses.
>>
> They're all with one ISP though weren't they? You might try dropping a
> copy of this info to them :-)

Yep. I found out they are www.participateinhealth.org.au but they claim they do not install any phone-home stuff (spyware) on computers from their web site. I contacted them today. I had visited their web site early last week.
Re: Help required with suspicious internet activity
"Michael" <Michael-nospam@bigpond.net.au> wrote in message news:6g25d.3171$5O5.3154@news-server.bigpond.net.au...
> I have logged the following outbound traffic from my gateway machine from
> one of the internal XP machines
>
> It appears to be a sequence of ten connection attempts to a specific IP
> address.
[snip]

To follow up - I managed to do a netstat using -b and got the following "unknown components" when the connection was in a CLOSE_WAIT state:

Active Connections

  TCP    XPMachine32:3389       XPMachine32:0          LISTENING       756
  -- unknown component(s) --
  [svchost.exe]

  TCP    XPMachine32:1668       202.168.8.80:http      CLOSE_WAIT      992
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\WININET.dll
  -- unknown component(s) --
  [svchost.exe]

  UDP    XPMachine32:ntp        *:*                                    880
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  -- unknown component(s) --
  [svchost.exe]

Using Process Explorer from Sysinternals at the same time, the services for that instance of svchost were LmHosts, SSDPSRV and WebClient.
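The follow-up above answers the question from the first post in two steps: netstat ties the connection to a PID, and Process Explorer lists the services hosted by that svchost.exe instance. The same join can be done from the command line with `netstat -ano` (PID column) and `tasklist /svc` (PID to service names), and the script below is an added example of that join, not code from the thread. Both command outputs embedded in it are constructed for the example, reusing the PIDs, remote address and service names the thread reports; 192.168.1.32 stands in for the XP machine's address and the TermService/W32Time rows for the other two PIDs are illustrative.

```python
"""Added example: associate a connection from `netstat -ano` with the services
hosted by the owning svchost.exe via `tasklist /svc`. Inputs are constructed
sample outputs, not captures from the thread."""
import re

# Constructed `netstat -ano` output; 192.168.1.32 is a placeholder for the XP host.
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       756
  TCP    192.168.1.32:1668      202.168.8.80:80        CLOSE_WAIT      992
  UDP    192.168.1.32:123       *:*                                    880
"""

# Constructed `tasklist /svc` output; PID 992's service list is the one reported in the thread.
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    756 TermService
svchost.exe                    880 W32Time
svchost.exe                    992 LmHosts, SSDPSRV, WebClient
"""

# image name, then a numeric PID, then the service column; header/separator rows never match.
TASKLIST_ROW = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<services>.+)$")


def parse_netstat(text):
    """Rows of `netstat -ano` as dicts; UDP rows carry no State column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        else:
            proto, local, foreign, pid = parts
            state = ""
        conns.append({"proto": proto, "local": local, "foreign": foreign,
                      "state": state, "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """Map PID -> {image, services} from `tasklist /svc`; 'N/A' means no hosted services."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line.rstrip())
        if not m:
            continue
        svcs = m.group("services").strip()
        procs[int(m.group("pid"))] = {
            "image": m.group("image").strip(),
            "services": [] if svcs == "N/A" else [s.strip() for s in svcs.split(",")],
        }
    return procs


def split_host(addr):
    """'202.168.8.80:80' -> ('202.168.8.80', '80'); rpartition also copes with '*:*' and [v6]:port."""
    host, _, port = addr.rpartition(":")
    return host, port


def who_talks_to(netstat_text, tasklist_text, remote_host):
    """Connections to remote_host, each joined with the owning image and its hosted services."""
    procs = parse_tasklist(tasklist_text)
    hits = []
    for conn in parse_netstat(netstat_text):
        host, port = split_host(conn["foreign"])
        if host != remote_host:
            continue
        owner = procs.get(conn["pid"], {"image": "<not in tasklist>", "services": []})
        hits.append({**conn, "remote_port": port, **owner})
    return hits


if __name__ == "__main__":
    for hit in who_talks_to(NETSTAT_ANO, TASKLIST_SVC, "202.168.8.80"):
        print(hit["proto"], hit["foreign"], hit["state"], hit["pid"], hit["image"], hit["services"])
```

The join only narrows a connection to a service group, never to a single service, because every service in that svchost instance shares the PID and the socket table; the next step is to confirm with Process Explorer's thread view or by stopping candidate services one at a time and watching whether the traffic stops. Both commands must be captured while the connection still exists (CLOSE_WAIT, as here, is enough), which is why a short-lived event like this one needs a scheduled or triggered capture rather than a manual netstat. One benign explanation worth ruling out before assuming malware: WebClient is the WebDAV redirector, and Windows resolves a UNC path by trying SMB on 445 and 139 first and then WebDAV over HTTP to the same host, which is the order seen in the log.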