Velocity Reviews

Who is Sophos.com (http://www.velocityreviews.com/forums/t577433-who-is-sophos-com.html)

Tulsy Tsan 12-26-2005 03:04 AM

Who is Sophos.com
 
Something is connecting to www.sophos.com and downloading something. Firewall
rule picked it up first as Symantec's ccApp.exe then later Mozilla.
www.sophos.co.uk is legit but I can't browse sophos.com. Is this traffic
legit?


C:\>netstat

Active Connections

Proto Local Address Foreign Address State
TCP tinned-cc82o9yh:1027 www.sophos.com:3096 ESTABLISHED
TCP tinned-cc82o9yh:1027 www.sophos.com:3128 ESTABLISHED
TCP tinned-cc82o9yh:1027 www.sophos.com:3139 TIME_WAIT
TCP tinned-cc82o9yh:1027 www.sophos.com:3141 TIME_WAIT
TCP tinned-cc82o9yh:1027 www.sophos.com:3143 TIME_WAIT
TCP tinned-cc82o9yh:1027 www.sophos.com:3145 TIME_WAIT
TCP tinned-cc82o9yh:3039 www.sophos.com:3040 ESTABLISHED
TCP tinned-cc82o9yh:3040 www.sophos.com:3039 ESTABLISHED
TCP tinned-cc82o9yh:3096 www.sophos.com:1027 ESTABLISHED
TCP tinned-cc82o9yh:3128 www.sophos.com:1027 ESTABLISHED




Richard 12-26-2005 03:44 AM

Re: Who is Sophos.com
 
Tulsy Tsan wrote:
> Something is connecting to www.sophos.com and downloading something. Firewall
> rule picked it up first as Symantec's ccApp.exe then later Mozilla.
> www.sophos.co.uk is legit but I can't browse sophos.com. Is this traffic
> legit?
>
>
> C:\>netstat
>
> Active Connections
>
> Proto Local Address Foreign Address State
> TCP tinned-cc82o9yh:1027 www.sophos.com:3096 ESTABLISHED
> TCP tinned-cc82o9yh:1027 www.sophos.com:3128 ESTABLISHED
> TCP tinned-cc82o9yh:1027 www.sophos.com:3139 TIME_WAIT
> TCP tinned-cc82o9yh:1027 www.sophos.com:3141 TIME_WAIT
> TCP tinned-cc82o9yh:1027 www.sophos.com:3143 TIME_WAIT
> TCP tinned-cc82o9yh:1027 www.sophos.com:3145 TIME_WAIT
> TCP tinned-cc82o9yh:3039 www.sophos.com:3040 ESTABLISHED
> TCP tinned-cc82o9yh:3040 www.sophos.com:3039 ESTABLISHED
> TCP tinned-cc82o9yh:3096 www.sophos.com:1027 ESTABLISHED
> TCP tinned-cc82o9yh:3128 www.sophos.com:1027 ESTABLISHED



The last two have the inverse of the first two's ports, so I would say that you
are connecting to yourself and for some reason you are reverse DNSing to
www.sophos.com. This would be something very dodgy in my mind. Were there more
connections than what you pasted?
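Richard's mirrored-port observation can be checked mechanically. The following is an added example, not code from the thread: it parses netstat lines of the form pasted above (embedded here as the sample), reports port pairs that appear in both directions, which means both ends of the connection are on this machine, and lists the names netstat printed for the "foreign" end of those pairs, since those names come from reverse lookup and should be verified against the hosts file rather than trusted.

```python
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto lhost lport fhost fport state")

# Sample taken from the netstat output pasted in the post (one host:port per side).
NETSTAT_SAMPLE = """\
Proto Local Address Foreign Address State
TCP tinned-cc82o9yh:1027 www.sophos.com:3096 ESTABLISHED
TCP tinned-cc82o9yh:1027 www.sophos.com:3128 ESTABLISHED
TCP tinned-cc82o9yh:1027 www.sophos.com:3139 TIME_WAIT
TCP tinned-cc82o9yh:3039 www.sophos.com:3040 ESTABLISHED
TCP tinned-cc82o9yh:3040 www.sophos.com:3039 ESTABLISHED
TCP tinned-cc82o9yh:3096 www.sophos.com:1027 ESTABLISHED
TCP tinned-cc82o9yh:3128 www.sophos.com:1027 ESTABLISHED
"""

# Matches "TCP <host>:<port> <host>:<port> <state>"; header lines do not match.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(\S*)\s*$")

def parse_netstat(text):
    """Turn netstat text into Conn records, skipping headers and blank lines."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns.append(Conn(m[1], m[2], int(m[3]), m[4], int(m[5]), m[6]))
    return conns

def mirrored_pairs(conns):
    """Port pairs (a, b) where both a->b and b->a are listed.

    A TCP connection shows up twice only when both its sockets live on the
    host running netstat, i.e. the 'foreign' end is really this machine."""
    seen = {(c.lport, c.fport) for c in conns if c.proto == "TCP"}
    pairs = {tuple(sorted(p)) for p in seen if (p[1], p[0]) in seen}
    return sorted(pairs)

def foreign_names_of_mirrored(conns):
    """Names netstat printed for the foreign end of mirrored (local) pairs.

    These names come from reverse lookup, which a tampered hosts file can
    steer; a remote-looking name here deserves a hosts-file check."""
    mirrored = set(mirrored_pairs(conns))
    return sorted({c.fhost for c in conns
                   if tuple(sorted((c.lport, c.fport))) in mirrored})
```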

Pacific Dragon 12-26-2005 04:01 AM

Re: Who is Sophos.com
 
On Mon, 26 Dec 2005 16:44:48 +1300, Richard wrote:

> Tulsy Tsan wrote:
>> Something is connecting to www.sophos.com and downloading something. Firewall
>> rule picked it up first as Symantec's ccApp.exe then later Mozilla.
>> www.sophos.co.uk is legit but I can't browse sophos.com. Is this traffic
>> legit?


I could connect and browse around www.sophos.com okay. Seems like they
are in the business of producing and selling security suites.

You didn't download and install any evaluation software from their site or
the Sony root kit unmasking tool by any chance?

Bruce Knox 12-26-2005 05:08 AM

Re: Who is Sophos.com
 
On Mon, 26 Dec 2005 16:04:51 +1300, "Tulsy Tsan"
<toilet_seat@yahoo.com> wrote:

>Something is connecting to www.sophos.com and downloading something. Firewall
>rule picked it up first as Symantec's ccApp.exe then later Mozilla.
>www.sophos.co.uk is legit but I can't browse sophos.com. Is this traffic
>legit?
>
>
>C:\>netstat
>
>Active Connections
>
> Proto Local Address Foreign Address State
> TCP tinned-cc82o9yh:1027 www.sophos.com:3096 ESTABLISHED
> TCP tinned-cc82o9yh:1027 www.sophos.com:3128 ESTABLISHED
> TCP tinned-cc82o9yh:1027 www.sophos.com:3139 TIME_WAIT
> TCP tinned-cc82o9yh:1027 www.sophos.com:3141 TIME_WAIT
> TCP tinned-cc82o9yh:1027 www.sophos.com:3143 TIME_WAIT
> TCP tinned-cc82o9yh:1027 www.sophos.com:3145 TIME_WAIT
> TCP tinned-cc82o9yh:3039 www.sophos.com:3040 ESTABLISHED
> TCP tinned-cc82o9yh:3040 www.sophos.com:3039 ESTABLISHED
> TCP tinned-cc82o9yh:3096 www.sophos.com:1027 ESTABLISHED
> TCP tinned-cc82o9yh:3128 www.sophos.com:1027 ESTABLISHED
>
>

Sophos are a major antivirus company specialising in sales to large
corporations; I don't know if they do individual AV. Don't know why you
would be connecting unless you have installed one of their products or
maybe used one of their virus removal tools.

Bruce http://www.baggins.co.nz
http://physio.otago.ac.nz

Tulsy Tsan 12-26-2005 07:44 AM

Re: Who is Sophos.com
 
Dodgy indeed. When I ping www.sophos.com I get me!

Pinging www.sophos.com [127.0.0.1] with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

But why the download traffic? Is it perhaps a trojan hiding behind a legit
website?


Richard 12-26-2005 08:24 AM

Re: Who is Sophos.com
 
Tulsy Tsan wrote:
> Dodgy indeed. When I ping www.sophos.com I get me!
>
> Pinging www.sophos.com [127.0.0.1] with 32 bytes of data:
>
> Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
> Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
> Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
> Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
>
> Ping statistics for 127.0.0.1:
> Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
> Approximate round trip times in milli-seconds:
> Minimum = 0ms, Maximum = 0ms, Average = 0ms
>
> But why the download traffic? Is it perhaps a trojan hiding behind a legit
> website?


If I was an author of a backdoor I would consider a hosts file entry like that
to make it impossible to update virus definitions on the compromised computer.

It's normal to have connections from yourself to yourself; it's how a lot of
programs communicate with each other.

What's more worrying is why your machine now believes that it is sophos.com when
it's not.

Tulsy Tsan 12-26-2005 08:36 AM

Re: Who is Sophos.com
 
Goddamn. Something had rewritten my hosts file and set all the AV sites to
127.0.0.1,
eg sophos
symantec
avg etc.

Hence I could not browse them.
What should my hosts look like now that I've deleted it?


Rob J 12-26-2005 09:05 AM

Re: Who is Sophos.com
 
In article <43afabb3@clear.net.nz>, toilet_seat@yahoo.com says...
> Goddamn. Something had rewritten my hosts file and set all the AV sites to
> 127.0.0.1,
> eg sophos
> symantec
> avg etc.
>
> Hence I could not browse them.
> What should my hosts look like now that I've deleted it?


You should download updates to any antivirus package or install one as
it is highly likely a virus has infected your PC.

Normally there is nothing in the hosts file unless you are running a
server on your PC, or some ad blockers use the hosts file to block
downloads from advertising sites.

Enkidu 12-26-2005 11:50 PM

Re: Who is Sophos.com
 
Rob J wrote:
> In article <43afabb3@clear.net.nz>, toilet_seat@yahoo.com says...
>
>>Goddamn. Something had rewritten my hosts file and set all the AV sites to
>>127.0.0.1,
>>eg sophos
>>symantec
>>avg etc.
>>
>>Hence I could not browse them.
>>What should my hosts look like now that I've deleted it?
>
>
> You should download updates to any antivirus package or install one as
> it is highly likely a virus has infected your PC.
>
> Normally there is nothing in the hosts file unless you are running a
> server on your PC, or some ad blockers use the hosts file to block
> downloads from advertising sites.
>

Usually there is a 'localhost' entry relating to 127.0.0.1

Cheers,

Cliff
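Rob J and Enkidu describe what a normal hosts file holds (essentially just the localhost line), which makes the tampering in this thread easy to check for. The following is an added example, not code from the thread or from any vendor: it parses a hosts file, flags any non-localhost name mapped to a loopback address and any security-vendor name overridden to some other address, and returns the file with the flagged lines dropped. The sample file, the vendor keyword list and the 192.0.2.10 address are constructed for the example.

```python
import ipaddress

# Constructed sample of the situation described in the thread: the normal
# localhost line plus security-vendor names pointed at the loopback address.
HOSTS_SAMPLE = """\
# sample hosts file (constructed for this example)
127.0.0.1 localhost
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantec.com  # trailing comment, ignored by the parser
127.0.0.1 www.avg.com
192.0.2.10 update.symantec.com
"""

# The only names that should normally resolve to a loopback address.
EXPECTED_LOOPBACK = {"localhost", "localhost.localdomain"}
# Hypothetical vendor keyword list; extend it with the products you actually run.
VENDOR_KEYWORDS = ("sophos", "symantec", "avg", "mcafee", "kaspersky")

def parse_hosts(text):
    """Return (line number, ip address, lowercase hostname) for every mapping."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not fields:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an address; skip
        for name in fields[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries

def audit_hosts(text):
    """Flag loopback redirects of any non-localhost name and vendor overrides."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if name in EXPECTED_LOOPBACK:
            continue
        if addr.is_loopback:
            findings.append((lineno, name, "loopback-redirect"))
        elif any(k in name for k in VENDOR_KEYWORDS):
            findings.append((lineno, name, "vendor-override"))
    return findings

def clean_hosts(text):
    """Return the file text with every flagged line removed; comments survive."""
    bad = {lineno for lineno, _, _ in audit_hosts(text)}
    kept = [line for i, line in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"
```

Cleaning the file restores name resolution for the update servers, but as Mark Robinson notes below the tampering itself is evidence of an infection that still has to be removed.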

Mark Robinson 12-27-2005 07:19 AM

Re: Who is Sophos.com
 
Tulsy Tsan wrote:
> Goddamn. Something had rewritten my hosts file and set all the AV sites to
> 127.0.0.1,
> eg sophos
> symantec
> avg etc.
>
> Hence I could not browse them.
> What should my hosts look like now that I've deleted it?


Your hosts file is the least of your problems.

You need to track down and remove all the viruses from your computer.

It's usually easier to reinstall the operating system from scratch, especially
if you are unfamiliar with virus removal.

