Computer Security - unknown outgoing tcp traffic - should I be worried?

#1
I noticed recently almost continuous activity on my Belkin router for one of the two PCs connected to it. I am running Peerguardian2 and it shows TCP traffic originating from the PC to various destinations, e.g. 60.246.179.201:80. Each entry on the log shows an increment on the port of my PC, e.g.

source destination
192.168.2.3:2741 60.246.179.201:80
192.168.2.3:2742 60.246.179.201:80
192.168.2.3:2743 60.246.179.201:80
192.168.2.3:2744 60.246.179.201:80
192.168.2.3:2745 60.246.179.201:80
etc.

If I attempt to block the destination IP in Peerguardian the traffic continues with my port number incrementing but with a different destination IP, e.g. 66.246.179.201:80.

Any idea what is causing this and how to cure it? And is it risky to allow this to continue? I can use the other PC on the network OK and don't see the same sort of activity from that one.

tia
JW
abc@abc.com

#2

wrote:

> Any idea what is causing this and how to cure it?

As you already wrote: PeerGuardian2. It might be that it's simply telling you fictitious facts, it might block expected replies related to your very own requests, it might provoke repeated traffic due to missing TCP Reject packets.

> and is it risky to allow this to continue,

Risky? Since you're running an application which is supposed to **** up your network, it can't be a productive machine anyway.

Sebastian G.

#3

On Fri, 09 Nov 2007 01:16:02 +0100, "Sebastian G." <> wrote:

>> Any idea what is causing this and how to cure it?
>
> As you already wrote: PeerGuardian2. It might be that it's simply telling
> you fictitious facts, it might block expected replies related to your very
> own requests, it might provoke repeated traffic due to missing TCP Reject
> packets.

At the time I first noticed the continuous traffic on the router PG2 was not installed.

>> and is it risky to allow this to continue,
>
> Risky? Since you're running an application which is supposed to **** up your
> network, it can't be a productive machine anyway.

Well, it is a home machine so has never been very productive.

Jw
abc@abc.com

#4

On Thu, 08 Nov 2007 21:39:55 +0000, wrote:

> I noticed recently almost continuous activity on my Belkin router for
> one of the two Pc's connected to it.

> source destination
>
> 192.168.2.3:2741 60.246.179.201:80

> Any idea what is causing this and how to cure it?

Can be almost anything. But it's only harmless once proven to be harmless.

First: define which PC is causing this traffic. (My way: pull the plug, one by one. See when the traffic stops.)

Then, on the offending PC, find out what processes are running. Shut them down, one by one, and decide which process is responsible. Here also, pulling the plug may be a fast one. If you watch CPU demand while pulling the network plug, you may well observe that one process increases or decreases its CPU load. That can be your OS, noticing that the network connection fails, or the culprit, detecting it can no longer phone home.

--
Kind regards, Gerard Bok
Gerard Bok

#5

On Thu, 08 Nov 2007, in the Usenet newsgroup alt.computer.security, in article <>, wrote:

> I noticed recently almost continuous activity on my Belkin router for
> one of the two Pc's connected to it.
>
> I am running Peerguardian2 and it shows tcp traffic originating from
> the PC to various destinations

And what did you install on that PC that wants to talk to the net?

> eg
> 60.246.179.201:80
>
> each entry on the log shows an increment on the port of my PC

If that address is valid, it's a business service in Sydney, Oz. The incrementing means that a process is accessing a web site, then another process is started up and accesses the site - lather, rinse, repeat.

> If I attempt to block the destination IP in Peerguardian the traffic
> continues with my port number incrementing but with a different
> destination IP
>
> eg
> 66.246.179.201:80

Is that the actual IP address, or is that merely some set of numbers you made up? The address is another ISP - just North of Miami, Florida. That the mal-ware would be using addresses that differ by one digit despite being located half-way around the world is highly unusual.

> Any idea what is causing this and how to cure it?

You'd have to ask the person who installed this. It's not a piece of standard windoze crap. Contrary to the beliefs of many, there really isn't a Mal-ware Fairy who flitters about and, when you are not looking, waves her Magic Wand and installs stuff.

> is it risky to allow this to continue

You'll have to wait until you get your credit-card bill next month to find out. Presumably it's not violating laws, as the police haven't stopped by to arrest you.

> I can use the other PC on the network ok and don't see the same sort
> of activity from that one.

Different user installing different malware.

Old guy
Moe Trin

#6

On Fri, 09 Nov 2007 13:36:05 GMT, (Gerard Bok) wrote:

Thanks for all your suggestions, I am getting nearer but could do with a little more help....

> First: define which PC is causing this traffic.
> (My way: pull the plug, one by one. See when the traffic stops

The router has separate activity LEDs for each ethernet connection, and knowing the IP for the PC I had this already.

> Then, on the offending PC, find out what processes are running.
> Shut them down, one by one, and decide which process is
> responsible.

In the Task Manager I have four svchost.exe entries, one of them is continually in use and killing this process stops the outgoing traffic. I then get an NT System Authority error and a countdown timer of 60 secs before the PC shuts down. (Some digging on Google and I found I can disable the timer in a command prompt with "shutdown -a".)

I think my problem is to identify what program is using the errant svchost. From a cmd prompt if I enter "tasklist /svc" I get a list of what is running in each svchost instance. I'm not 100% but I think the one causing the trouble has only one entry "rpcss", because after suspending the svchost.exe process in Task Manager I can no longer use the "tasklist" command and get an "rpc server not available" error.

Any suggestions as to what to look for next??

thanks
JW
abc@abc.com

#7

On Sat, 10 Nov 2007 15:16:05 +0000, wrote:

> On Fri, 09 Nov 2007 13:36:05 GMT, (Gerard Bok) wrote:

> I think my problem is to identify what program is using the errant
> svchost.
>
> From a cmd prompt if I enter "tasklist /svc" I get a list of what is
> running in each svchost instance.
>
> I'm not 100% but I think the one causing the trouble has only one
> entry "rpcss" because after suspending the svchost.exe process in Task
> Manager I can no longer use the "tasklist" command and get an "rpc
> server not available" error.

> Any suggestions as to what to look for next??

Well, personally I would install a sniffer (e.g. Wireshark) and find out what is actually inside the traffic on port 80 to 60.246.179.201. These may be rather harmless http-get requests to a server that is no longer available. (Indicating: originally bad traffic, but now harmless because a bad server was taken off the air.) Or you might see that your PC is actually sending (your) data over to 60.246.179.201. Which would be unacceptable.

Another way to go could be examining your startup items, disabling them one by one until you get the one responsible for this traffic. Or --if it is not an automatic process-- find out at which point after reboot the traffic starts.

--
Kind regards, Gerard Bok
Gerard Bok

#8

On Sat, 10 Nov 2007 16:04:03 GMT, (Gerard Bok) wrote:

> Well, personally I would install a sniffer (e.g. Wireshark) and
> find out, what is actually inside the traffic on port 80 to
> 60.246.179.201

Interesting, thanks for the pointer to Wireshark. I'm still finding my way around the program (never used anything like this before, so bear with me). Assuming I'm doing this right, selecting one of the outgoing packets in the capture list and the 'follow tcp stream' builds several webpages and most have the following header:

-----------------------------------
GET /cat.asp?CategId=2&SubCategId=1014 HTTP/1.1
Accept: */*
Accept-Language: en
User-Agent: MJ12bot/v1.0.8 (http://majestic12.co.uk/bot.php?+)
Host: www.editora-central.com.br
Connection: close
------------------------------------------

Subsequent code under this header block appears to be webpage html. I checked out Majestic12 and it's some kind of distributed search engine. Is it likely I have this on my system and this is doing searches and creating the traffic?

rgds
JW
abc@abc.com

#9

Hi all,

My name is Alex Chudnovsky and I am the founder of the Majestic-12 project referenced above. In the last couple of weeks we were getting reports of a fake MJ12bot user-agent coming from various IPs; the main flag showing that it is a fake was the very old version v1.0.8 of the user-agent, just like above. This is NOT us who do it - we are effectively a victim here, as whoever does this fakes the user-agent in the same way spammers fake the From: email address.

I am very keen to get to the bottom of exactly what happens - if you look at our bots page here: 'Majestic-12 : DSearch : MJ12bot' (http://majestic12.co.uk/bot.php) you will see a message about the fake bot and lots of IP addresses from all over the world. I was thinking for some time that some botnet with compromised PCs was being used to crawl the web (probably for spamming purposes) using fake user-agents.

Can you try installing Process Explorer from Microsoft: http://tinyurl.com/289vcz

Do you have any of the firewalls installed like Kerio or ZoneAlarm? These should have prompted for network traffic coming out, asking for approval.

It gives much greater detail about which processes do what, and it allows you to look at network stats for applications as well. I hope this will allow you to locate the exact application that is doing this stuff. It sure isn't ours (MJ12node.exe) :/

------------------------------------------------------------------------
View this thread: http://www.wirelessforums.org/showthread.php?t=31663
http://www.wirelessforums.org
Majestic12
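The two signs the Majestic-12 founder gives for a spoofed MJ12bot user-agent (a stale version string such as v1.0.8, and the requests coming from a machine that does not run MJ12node.exe) can be turned into a check over a request pulled from a Wireshark "follow tcp stream". The code below is an added example, not from the thread or the Majestic-12 project: the request is a constructed copy of the header block quoted earlier, the current bot version is supplied by the caller because the thread does not state it, and crawler_installed is whatever the operator established on the host.

```python
import re
# Constructed request modelled on the header block quoted earlier in the thread (not a real capture).
SAMPLE_REQUEST = (
    "GET /cat.asp?CategId=2&SubCategId=1014 HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en\r\n"
    "User-Agent: MJ12bot/v1.0.8 (http://majestic12.co.uk/bot.php?+)\r\n"
    "Host: www.editora-central.com.br\r\n"
    "Connection: close\r\n\r\n"
)
MJ12_UA_RE = re.compile(r"^MJ12bot/v(\d+(?:\.\d+)*)", re.IGNORECASE)

def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, target, headers); header names lowercased."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def version_tuple(text):
    """'1.0.8' -> (1, 0, 8) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))

def assess_crawler_claim(raw, current_version, crawler_installed):
    """Return the reasons a request claiming to be MJ12bot looks spoofed (empty list = no finding).
    current_version: what the genuine bot announces (caller supplies it, e.g. from the project's
    bot page); crawler_installed: whether MJ12node.exe is actually present on the sending host."""
    _method, _target, headers = parse_request(raw)
    m = MJ12_UA_RE.match(headers.get("user-agent", ""))
    if not m:
        return []  # not claiming to be MJ12bot, so this check does not apply
    reasons = []
    if version_tuple(m.group(1)) < version_tuple(current_version):
        reasons.append(f"stale MJ12bot version {m.group(1)} (genuine bot reports {current_version})")
    if not crawler_installed:
        reasons.append("crawler user-agent sent from a host with no MJ12node.exe installed")
    return reasons
```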

#10

Hi abc,

I'm experiencing the same problem and I suspect it's a NAI vulnerability. What antivirus software are you using? And which version?

survivor