Help required with suspicious internet activity

Discussion in 'Computer Security' started by Michael, Sep 25, 2004.

  1. Michael

    Michael Guest

    I have logged the following outbound traffic from my gateway machine from
    one of the internal XP machines

    It appears to be a sequence of ten connection attempts to a specific IP
    address.

    First there are 2 ping attempts, then a windows share attempt over tcp then
    another 2 ping attempts followed by five windows share attempts over tcp and
    netbios.

    During the last try I did a netstat and found that there was a closed
    connection to the destination address on port 80 (I had no browser open).
    It was going through the svchost super daemon so I could not figure out
    which executable was responsible. How does one associate a connection
    through svchost to a particular executable?

    I have run the usual anti spyware [spybot & adaware] and anti-virus programs
    [bitdefender] with the latest definitions and come up empty.

    If anyone recognises this sequence as being from a particular
    program/malware please let me know. If you have any suggestions what my
    next steps should be please let me know.

    Michael

    Sep 21 20:29:37 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32
    DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=45248 PROTO=ICMP TYPE=8
    CODE=0 ID=512 SEQ=2816

    Sep 21 20:29:39 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32
    DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=45250 PROTO=ICMP TYPE=8
    CODE=0 ID=512 SEQ=3072

    Sep 21 20:29:41 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32
    DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=45272 DF PROTO=TCP
    SPT=1956 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0

    Sep 21 20:29:41 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32
    DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=45273 PROTO=ICMP TYPE=8
    CODE=0 ID=512 SEQ=3328

    Sep 21 20:29:44 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32
    DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=45294 PROTO=ICMP TYPE=8
    CODE=0 ID=512 SEQ=3584

    Sep 21 20:29:44 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32
    DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=45295 DF PROTO=TCP
    SPT=1956 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0

    Sep 21 20:29:46 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32
    DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=45297 DF PROTO=TCP
    SPT=1957 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0

    Sep 21 20:29:49 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32
    DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=45299 DF PROTO=TCP
    SPT=1957 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0

    Sep 21 20:29:50 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32
    DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=45300 DF PROTO=TCP
    SPT=1956 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0

    Sep 21 20:29:55 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32
    DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=45302 DF PROTO=TCP
    SPT=1957 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0

    Sep 21 20:50:29 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32
    DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=46847 PROTO=ICMP TYPE=8
    CODE=0 ID=512 SEQ=3840

    Sep 21 20:50:32 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32
    DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=46848 PROTO=ICMP TYPE=8
    CODE=0 ID=512 SEQ=4096

    Sep 21 20:50:34 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32
    DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=46849 DF PROTO=TCP
    SPT=1975 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0

    Sep 21 20:50:34 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32
    DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=46850 PROTO=ICMP TYPE=8
    CODE=0 ID=512 SEQ=4352

    Sep 21 20:50:37 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32
    DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=46851 PROTO=ICMP TYPE=8
    CODE=0 ID=512 SEQ=4608

    Sep 21 20:50:37 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32
    DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=46852 DF PROTO=TCP
    SPT=1975 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0

    Sep 21 20:50:39 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32
    DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=46853 DF PROTO=TCP
    SPT=1976 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0

    Sep 21 20:50:42 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32
    DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=46854 DF PROTO=TCP
    SPT=1976 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0

    Sep 21 20:50:43 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32
    DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=46858 DF PROTO=TCP
    SPT=1975 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0

    Sep 21 20:50:48 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32
    DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=46900 DF PROTO=TCP
    SPT=1976 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0

    Sep 24 18:54:08 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32
    DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=34874 PROTO=ICMP TYPE=8
    CODE=0 ID=512 SEQ=768

    Sep 24 18:54:10 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32
    DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=34908 PROTO=ICMP TYPE=8
    CODE=0 ID=512 SEQ=1024

    Sep 24 18:54:12 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32
    DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=34948 DF PROTO=TCP
    SPT=1291 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0

    Sep 24 18:54:12 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32
    DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=34949 PROTO=ICMP TYPE=8
    CODE=0 ID=512 SEQ=1280

    Sep 24 18:54:15 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32
    DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=34950 PROTO=ICMP TYPE=8
    CODE=0 ID=512 SEQ=1536

    Sep 24 18:54:15 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32
    DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=34951 DF PROTO=TCP
    SPT=1291 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0

    Sep 24 18:54:17 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32
    DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=34952 DF PROTO=TCP
    SPT=1292 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0

    Sep 24 18:54:20 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32
    DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=34971 DF PROTO=TCP
    SPT=1292 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0

    Sep 24 18:54:21 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32
    DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=34972 DF PROTO=TCP
    SPT=1291 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0

    Sep 24 18:54:26 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32
    DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=34973 DF PROTO=TCP
    SPT=1292 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
    Michael, Sep 25, 2004
    #1

  2. andy smart

    andy smart Guest

    Michael wrote:

    > I have logged the following outbound traffic from my gateway machine from
    > one of the internal XP machines
    >
    > It appears to be a sequence of ten connection attempts to a specific IP
    > address.
    >
    > First there is 2 ping attempts, then a windows share attempt over tcp then
    > another 2 ping attempts followed by five windows share attempts over tcp and
    > netbios.
    >
    > During the last try I did a netstat and found that there was a closed
    > connection to the destination address on port 80 (I had no browser open).
    > It was going through the svchost super daemon so I could not figure out
    > which executable was responsible. How does one associate a connection
    > through svchost to a particular executable?
    >
    > I have run the usual anti spyware [spybot & adaware] and anti-virus programs
    > [bitdefender] with the latest definitions and come up empty.
    >
    > If anyone recognises this sequence as being from a particular
    > program/malware please let me know. If you have any suggestions what my
    > next steps should be please let me know.
    >
    > Michael
    > [snip]

    A whois with http://www.apnic.net/ showed that this IP address
    (202.168.8.80) is in Australia .... OK so it's not much use but hey :)
    andy smart, Sep 25, 2004
    #2

  3. johns

    johns Guest

    Sounds a bit like Kaung2 .. a keylogger. The Aussies
    are pushing them. Generally, I've found that if a user
    has a Yahoo Email account, this sort of thing starts
    happening. Not that Yahoo is a bunch of Scumware
    Pushers, but every time I see this sort of thing start up
    ..... Yahoo is strangely associated with it. The program
    that I'm using to spot this garbage is F-secure firewall.
    It will tell you which exe on your machine is yakking,
    and it will tell you who is replying or probing. Once this
    mess gets going, your machine can become very very
    popular with the Aussies, Russians, Canadians, etc
    I also see them pushing Sasser, and some kind of ftp-
    server for mp3s. That is why the constant probes
    once you are "known" by the crooked kiddies looking
    for free music. Seriously .. F-secure firewall is getting
    the job done, and it doesn't feed us any bullshit and
    jargon like the MS (so-called) firewall. It actually works
    and will help you in your job.

    johns
    johns, Sep 25, 2004
    #3
  4. Michael

    Michael Guest

    "johns" <> wrote in message
    news:cj4h5d$2bea$...
    > Sounds a bit like Kaung2 .. a keylogger. The Aussies
    > are pushing them. Generally, I've found that if a user
    > has a Yahoo Email account, this sort of thing starts
    > happening. Not that Yahoo is a bunch of Scumware
    > Pushers, but every time I see this sort of thing start up


    Thanks johns,

    I am one of those Aussies but am not pushing these things. I am trying to
    get rid of it but think I have at least contained it by blocking the IP that it
    was trying to connect to. You will notice the IP is always the same.

    It appears you are pretty keen on f-secure at the campus you are at.

    Anyway Kaung2 (and other keyloggers) often use email to send data to their
    masters. The machine in question has no email client set up and tcp port 25
    is blocked at the router. The router has not logged any port 25 traffic
    from that machine. (Also the ISP blocks port 25 now so you should see less
    viruses from Aussie Land in the last few months). I have checked the size,
    date & version info for explorer.exe and it appears to be OK - or at least
    the same as other machines that do not exhibit the same behaviour. The date
    stamp corresponds to the date I installed SP2.

    I wish I had used netstat with the -ab option when it was happening to find out
    which program was the one causing the connection attempts.

    Because it happens so infrequently (only 3 connection attempts in 5 days) it's
    pretty hard to trace. This does appear like keylogger behaviour.

    I tried the Symantec online scanner and also found nothing.

    It appears that the connection attempts are getting further apart. 2 on
    the first day I detected it then one two days later. None since.

    There are no suspicious processes running in the process list (but I am told
    they can be hidden in a rootkit).

    michael

    > johns
    Michael, Sep 26, 2004
    #4
  5. Michael

    Michael Guest

    "andy smart" <> wrote in message
    news:...
    > Michael wrote:
    >
    > A whois with http://www.apnic.net/ showed that this IP address
    > (202.168.8.80) is in Australia .... OK so it's not much use but hey :)


    Thanks andy,

    I forgot to mention that I did get that far and did a whois on the IP. It
    gave a rather large chunk of addresses.
    Michael, Sep 26, 2004
    #5
  6. Mark

    Mark Guest

    Michael wrote:
    > I have logged the following outbound traffic from my gateway machine from
    > one of the internal XP machines
    >
    > It appears to be a sequence of ten connection attempts to a specific IP
    > address.
    >
    > First there is 2 ping attempts, then a windows share attempt over tcp then
    > another 2 ping attempts followed by five windows share attempts over tcp and
    > netbios.
    >
    > During the last try I did a netstat and found that there was a closed
    > connection to the destination address on port 80 (I had no browser open).
    > It was going through the svchost super daemon so I could not figure out
    > which executable was responsible. How does one associate a connection
    > through svchost to a particular executable?
    >
    > I have run the usual anti spyware [spybot & adaware] and anti-virus programs
    > [bitdefender] with the latest definitions and come up empty.
    >
    > If anyone recognises this sequence as being from a particular
    > program/malware please let me know. If you have any suggestions what my
    > next steps should be please let me know.
    >
    > Michael
    > [snip]

    I don't know how much help this is going to be, but based on the above
    capture it does appear to be suspicious. What catches my eye is the
    initial TTL of the ICMP packets. XP uses an initial TTL of 128
    normally, so those ICMPs with a TTL of 31 (probably initial TTL was 32)
    would appear to be crafted using a program other than the normal Windows
    ping.exe. Note that the connection attempts to ports 139 and 445 have a
    more expected value of 127 for the TTL.

    A quick google though didn't turn up anything obvious about malware that
    modifies the initial TTL of a echo request. But, this link certainly
    looks like similar behavior.

    http://archives.neohapsis.com/archives/snort/2003-04/1246.html

    Like I said, I don't know if that helps or not, but...

    Mark
    Mark, Sep 26, 2004
    #6
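The two checks the thread has arrived at so far, the ping-then-445/139 burst Michael logged in the original post and the initial-TTL mismatch Mark points out above, written up as a small detector over the gateway's iptables LOG lines. This is an added example, not code from the thread or from any of the posters. It assumes the log year is 2004 (syslog lines carry no year) and that the gateway has already decremented the TTL when it logs a forwarded packet, so an observed TTL is rounded up to the nearest common initial value (32, 64, 128, 255). The sample input is the first and last bursts from the original post joined onto single lines, plus one constructed line of ordinary web traffic to 192.0.2.10 so the filter has something benign to leave alone.

```python
"""Flag ICMP-then-SMB probe bursts and ICMP/TCP initial-TTL mismatches in iptables LOG lines."""
import re
from collections import defaultdict
from datetime import datetime

LOG_YEAR = 2004            # syslog timestamps carry no year; assumed from the thread date
SHARE_PORTS = {445, 139}   # SMB over TCP and NetBIOS session, the two ports probed in the post
INITIAL_TTLS = (32, 64, 128, 255)
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})\s+\S+\s+kernel:\s+(?P<body>.*)$")

# Constructed sample: the Sep 21 20:29 and Sep 24 18:54 bursts from the original post
# (one line each) plus one made-up line of web traffic to 192.0.2.10.
SAMPLE_LOG = """\
Sep 21 20:29:37 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=45248 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=2816
Sep 21 20:29:39 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=45250 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=3072
Sep 21 20:29:41 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=45272 DF PROTO=TCP SPT=1956 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 21 20:29:41 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=45273 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=3328
Sep 21 20:29:44 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=45294 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=3584
Sep 21 20:29:44 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=45295 DF PROTO=TCP SPT=1956 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 21 20:29:46 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=45297 DF PROTO=TCP SPT=1957 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 21 20:29:49 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=45299 DF PROTO=TCP SPT=1957 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 21 20:29:50 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=45300 DF PROTO=TCP SPT=1956 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 21 20:29:55 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=45302 DF PROTO=TCP SPT=1957 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 22 09:15:02 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=50001 DF PROTO=TCP SPT=1400 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 24 18:54:08 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=34874 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=768
Sep 24 18:54:10 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=34908 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1024
Sep 24 18:54:12 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=34948 DF PROTO=TCP SPT=1291 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 24 18:54:12 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=34949 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1280
Sep 24 18:54:15 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=34950 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1536
Sep 24 18:54:15 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=34951 DF PROTO=TCP SPT=1291 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 24 18:54:17 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=34952 DF PROTO=TCP SPT=1292 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 24 18:54:20 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=34971 DF PROTO=TCP SPT=1292 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 24 18:54:21 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=34972 DF PROTO=TCP SPT=1291 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 24 18:54:26 GWMachine kernel: IN=eth1 OUT=ppp0 SRC=XPMachine32 DST=202.168.8.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=34973 DF PROTO=TCP SPT=1292 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
"""


def parse_line(line):
    """Split one LOG line into a timestamp, key=value fields and bare flags (DF, SYN, ...)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("body").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields.setdefault(k, v)   # ICMP lines carry two ID= fields; keep the IP-header one
        else:
            flags.add(tok)
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "f": fields, "flags": flags}


def initial_ttl(observed):
    """Nearest common initial TTL at or above the observed value (the gateway already decremented it)."""
    return next(t for t in INITIAL_TTLS if t >= observed)


def summarize(burst):
    """Describe one burst: echo-request count, SYN destination ports and the initial TTLs seen."""
    echo = [e for e in burst if e["f"].get("PROTO") == "ICMP" and e["f"].get("TYPE") == "8"]
    syn = [e for e in burst if e["f"].get("PROTO") == "TCP" and "SYN" in e["flags"] and "ACK" not in e["flags"]]
    ports = {int(e["f"]["DPT"]) for e in syn}
    icmp_ttl = {initial_ttl(int(e["f"]["TTL"])) for e in echo}
    tcp_ttl = {initial_ttl(int(e["f"]["TTL"])) for e in syn}
    return {
        "src": burst[0]["f"]["SRC"], "dst": burst[0]["f"]["DST"],
        "start": burst[0]["ts"], "end": burst[-1]["ts"],
        "icmp_echo": len(echo), "syn_ports": sorted(ports),
        "icmp_initial_ttl": sorted(icmp_ttl), "tcp_initial_ttl": sorted(tcp_ttl),
        # pings first, then SMB/NetBIOS SYNs: the sequence Michael described
        "share_probe": bool(echo) and bool(ports & SHARE_PORTS),
        # one host's ICMP and TCP should share an initial TTL unless something builds its own packets
        "ttl_mismatch": bool(icmp_ttl and tcp_ttl and icmp_ttl != tcp_ttl),
    }


def analyze(log_text, gap_seconds=60):
    """Group lines per SRC/DST pair, split each into bursts separated by more than gap_seconds, summarize each."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e:
            by_pair[(e["f"].get("SRC"), e["f"].get("DST"))].append(e)
    findings = []
    for events in by_pair.values():
        events.sort(key=lambda e: e["ts"])
        burst = [events[0]]
        for e in events[1:]:
            if (e["ts"] - burst[-1]["ts"]).total_seconds() > gap_seconds:
                findings.append(summarize(burst))
                burst = []
            burst.append(e)
        findings.append(summarize(burst))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']} {f['start']:%b %d %H:%M:%S}: echo={f['icmp_echo']} "
              f"syn_ports={f['syn_ports']} probe={f['share_probe']} ttl_mismatch={f['ttl_mismatch']}")
```

Run as-is it prints one line per burst; to use it on a real gateway, read the kernel log file into `analyze` in place of SAMPLE_LOG. The TTL rounding is a heuristic: it shows that the echo requests did not leave with the stack's default TTL, not which program sent them, since anything that uses the Windows ICMP API with its own IP options or a raw socket can pick its own TTL.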
  7. andy smart

    andy smart Guest

    Michael wrote:

    > "andy smart" <> wrote in message
    > news:...
    >
    >> Michael wrote:
    >>
    >> A whois with http://www.apnic.net/ showed that this IP address
    >> (202.168.8.80) is in Australia .... OK so it's not much use but hey :)
    >
    > Thanks andy,
    >
    > I forgot to mention that I did get that far and did a whois on the IP. It
    > gave a rather large chunk of addresses.

    They're all with one ISP though weren't they? You might try dropping a
    copy of this info to them :)
    andy smart, Sep 26, 2004
    #7
  8. Michael

    Michael Guest

    "Mark" <> wrote in message
    news:C_z5d.121211$D%.86794@attbi_s51...
    > Michael wrote:
    > I don't know how much help this is going to be, but based on the above
    > capture it does appear to be suspicious. What catches my eye is the
    > initial TTL of the ICMP packets. XP uses an initial TTL of 128 normally,
    > so those ICMPs with a TTL of 31 (probably initial TTL was 32) would appear
    > to be crafted using a program other than the normal Windows ping.exe.
    > Note that the connection attempts to ports 139 and 445 have a more
    > expected value of 127 for the TTL.
    >
    > A quick google though didn't turn up anything obvious about malware that
    > modifies the initial TTL of a echo request. But, this link certainly
    > looks like similar behavior.
    >
    > http://archives.neohapsis.com/archives/snort/2003-04/1246.html
    >
    > Like I said, I don't know if that helps or not, but...
    >
    > Mark


    Thanks for spotting this Mark. I ran the ping command from the command
    prompt and got the result you expected in my logs. So this appears to
    confirm your statements. I spent a large proportion of the day searching
    the net for information on malware that does this but found nothing of any
    use as the ping reply appears to have a TTL of 32.

    It does appear that whatever is sending out the pings makes its own packets
    instead of asking the windows ping to do it.

    One of the troubles is the extremely long time (many days) between these
    sequences being sent out. I don't know what triggers it.
    Michael, Sep 27, 2004
    #8
  9. Michael

    Michael Guest

    "andy smart" <> wrote in message
    news:...
    >> Thanks andy,
    >>
    >> I forgot to mention that i did get that far and did a whois on the IP.
    >> It gave a rather large chunk of addresses.
    >>
    >>

    > They're all with one ISP though weren't they? You might try dropping a
    > copy of this info to them :)


    Yep. I found out they are www.participateinhealth.org.au but they claim
    they do not install any phone home stuff (spyware) on computers from their
    web site. I contacted them today.

    I had visited their web site early last week.
    Michael, Sep 27, 2004
    #9
  10. Michael

    Michael Guest

    "Michael" <> wrote in message
    news:6g25d.3171$...
    >I have logged the following outbound traffic from my gateway machine from
    > one of the internal XP machines
    >
    > It appears to be a sequence of ten connection attempts to a specific IP
    > address.


    [snip]

    To follow up - I managed to do a netstat using -b and got the following
    "unknown components" when the connection was in a CLOSE_WAIT state

    Active Connections
    TCP XPMachine32:3389 XPMachine32:0 LISTENING 756
    -- unknown component(s) --
    [svchost.exe]
    TCP XPMachine32:1668 202.168.8.80:http CLOSE_WAIT 992
    c:\windows\system32\WS2_32.dll
    C:\WINDOWS\system32\WININET.dll
    -- unknown component(s) --
    [svchost.exe]
    UDP XPMachine32:ntp *:* 880
    c:\windows\system32\WS2_32.dll
    c:\windows\system32\w32time.dll
    ntdll.dll
    -- unknown component(s) --
    [svchost.exe]

    Using process explorer from sysinternals at the same time the services for
    that instance of svchost were
    LmHosts
    SSDPSRV
    WebClient
    Michael, Sep 28, 2004
    #10
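Michael's netstat -b and Process Explorer output above answers the svchost question by hand: the PID of the CLOSE_WAIT connection to 202.168.8.80:80 leads to the svchost instance hosting LmHosts, SSDPSRV and WebClient. The same join can be scripted so it can be run repeatedly while waiting for one of the multi-day bursts. This is an added example, not from the thread: it parses `netstat -ano` and `tasklist /svc /fo csv` output (both ship with XP Professional and later Windows versions) and resolves a remote address to a PID, the image name and the services hosted in that process. The sample text is constructed: the 202.168.8.80:80 CLOSE_WAIT row, PID 992 and the LmHosts/SSDPSRV/WebClient group come from the post, while the local address 192.168.1.32 and the other rows are made up.

```python
"""Join `netstat -ano` to `tasklist /svc` so a remote address resolves to a PID and the services it hosts."""
import csv
import io
import subprocess
import sys

# Constructed sample of `netstat -ano`. PID 992 and the 202.168.8.80:80 CLOSE_WAIT row are from the
# thread; 192.168.1.32 is a made-up address standing in for XPMachine32, the other rows are filler.
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       756
  TCP    192.168.1.32:1668      202.168.8.80:80        CLOSE_WAIT      992
  TCP    192.168.1.32:3389      0.0.0.0:0              LISTENING       756
  UDP    192.168.1.32:123       *:*                                    880
"""

# Constructed sample of `tasklist /svc /fo csv`; only the PID 992 row mirrors the thread.
SAMPLE_TASKLIST = """\
"Image Name","PID","Services"
"svchost.exe","756","TermService"
"svchost.exe","880","W32Time,Dnscache"
"svchost.exe","992","LmHosts,SSDPSRV,WebClient"
"explorer.exe","1432","N/A"
"""


def parse_netstat(text):
    """Rows of `netstat -ano`; UDP rows have no State column, so they are handled separately."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                      # header, blank or title lines
        if parts[0] == "UDP":
            proto, local, remote, pid, state = parts[0], parts[1], parts[2], parts[3], ""
        else:
            proto, local, remote, state, pid = parts[:5]
        conns.append({"proto": proto, "local": local, "remote": remote, "state": state, "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """PID -> image name and hosted service list from `tasklist /svc /fo csv` ("N/A" means none)."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        services = [] if row["Services"] == "N/A" else row["Services"].split(",")
        procs[int(row["PID"])] = {"image": row["Image Name"], "services": services}
    return procs


def connections_to(remote_ip, netstat_text, tasklist_text):
    """Every connection whose foreign address is remote_ip, joined to the owning image and its services."""
    procs = parse_tasklist(tasklist_text)
    hits = []
    for c in parse_netstat(netstat_text):
        if c["remote"].rsplit(":", 1)[0] != remote_ip:
            continue
        p = procs.get(c["pid"], {"image": "?", "services": []})
        hits.append({**c, "image": p["image"], "services": p["services"]})
    return hits


def live_snapshot():
    """Capture the two tables on a Windows host (commands assumed to be on PATH)."""
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
    tl = subprocess.run(["tasklist", "/svc", "/fo", "csv"], capture_output=True, text=True, check=True).stdout
    return ns, tl


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "202.168.8.80"
    use_live = sys.platform == "win32" and len(sys.argv) > 1
    ns, tl = live_snapshot() if use_live else (SAMPLE_NETSTAT, SAMPLE_TASKLIST)
    for c in connections_to(target, ns, tl):
        print(f"{c['proto']} {c['local']} -> {c['remote']} {c['state'] or '-'} pid={c['pid']} "
              f"{c['image']} services={','.join(c['services']) or '-'}")
```

Without arguments it runs against the embedded sample; on a Windows machine, giving the remote address as the first argument snapshots the live tables instead. The join only gets you as far as the service group sharing that svchost, which is what Process Explorer showed Michael; to get from a service name to the actual code, read that service's ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters and compare the DLL against a known-good copy. Since the connection in the thread was already in CLOSE_WAIT when it was caught, the snapshot has to be taken while a burst is in progress: running the command from a scheduled task that appends to a file is the practical way round the multi-day gaps.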
