unknown outgoing tcp traffic - should I be worried?

Discussion in 'Computer Security' started by abc@abc.com, Nov 8, 2007.

  1. Guest

    I noticed recently almost continuous activity on my Belkin router for
    one of the two PCs connected to it.

    I am running Peerguardian2 and it shows tcp traffic originating from
    the PC to various destinations

    eg
    60.246.179.201:80

    each entry on the log shows an increment on the port of my PC

    eg
    source destination

    192.168.2.3:2741 60.246.179.201:80
    192.168.2.3:2742 60.246.179.201:80
    192.168.2.3:2743 60.246.179.201:80
    192.168.2.3:2744 60.246.179.201:80
    192.168.2.3:2745 60.246.179.201:80

    etc.


    If I attempt to block the destination IP in Peerguardian the traffic
    continues with my port number incrementing but with a different
    destination IP

    eg
    66.246.179.201:80


    Any idea what is causing this and how to cure it? and is it risky to
    allow this to continue, I can use the other PC on the network ok and
    don't see the same sort of activity from that one.


    tia

    JW
     
    , Nov 8, 2007
    #1
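The pattern JW quotes above (one source host, consecutive ephemeral ports, the same destination port 80, and the destination hopping once one IP is blocked) can be picked out of a connection log mechanically. The following is an added example written for this page, not code from PeerGuardian or from anyone in the thread; the log lines are constructed in the same "source destination" shape as the quoted ones, and the threshold `min_run` is an assumed value.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the PeerGuardian-style lines quoted in
# the thread (not a real capture). The last line is unrelated DNS traffic
# from the second PC and should not be flagged.
SAMPLE_LOG = """\
192.168.2.3:2741 60.246.179.201:80
192.168.2.3:2742 60.246.179.201:80
192.168.2.3:2743 60.246.179.201:80
192.168.2.3:2744 60.246.179.201:80
192.168.2.3:2745 60.246.179.201:80
192.168.2.3:2746 66.246.179.201:80
192.168.2.3:2747 66.246.179.201:80
192.168.2.4:1120 192.168.2.1:53
"""

LINE_RE = re.compile(r"^(\S+):(\d+)\s+(\S+):(\d+)$")


def parse_lines(text):
    """Yield (src_ip, src_port, dst_ip, dst_port) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def _summarise(src, run):
    return {
        "source": src,
        "first_port": run[0][0],
        "last_port": run[-1][0],
        "connections": len(run),
        "destinations": sorted({dst for _, dst in run}),
    }


def find_sequential_bursts(text, min_run=3, dst_port=80):
    """Report, per source host, runs of consecutive source ports towards
    dst_port. A process looping "connect, send, close, repeat" produces
    exactly this: each new socket takes the next ephemeral port, so the
    run survives a change of destination IP, which is why the summary also
    lists every destination the run touched."""
    by_src = defaultdict(list)
    for src, sport, dst, dport in parse_lines(text):
        if dport == dst_port:
            by_src[src].append((sport, dst))

    findings = []
    for src, conns in by_src.items():
        conns.sort()
        run = [conns[0]]
        for prev, cur in zip(conns, conns[1:]):
            if cur[0] == prev[0] + 1:
                run.append(cur)
            else:
                if len(run) >= min_run:
                    findings.append(_summarise(src, run))
                run = [cur]
        if len(run) >= min_run:
            findings.append(_summarise(src, run))
    return findings


if __name__ == "__main__":
    for f in find_sequential_bursts(SAMPLE_LOG):
        print(f)
```

Run against the constructed log it reports a single burst from 192.168.2.3 spanning ports 2741 to 2747 with two destinations, and nothing for the other PC. The check only tells you which host is busy; it says nothing about which process on that host is responsible, which is the part of the question the rest of the thread works through.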

  2. Sebastian G. Guest

    wrote:


    > Any idea what is causing this and how to cure it?



    As you already wrote: PeerGuardian2. It might be that it's simply telling
    you fictitious facts, it might block expected replies related to your very
    own requests, it might provoke repeated traffic due to missing TCP Reject
    packets.

    > and is it risky to allow this to continue,



    Risky? Since you're running an application which is supposed to **** up your
    network, it can't be a productive machine anyway.
     
    Sebastian G., Nov 9, 2007
    #2

  3. Guest

    On Fri, 09 Nov 2007 01:16:02 +0100, "Sebastian G." <>
    wrote:



    >> Any idea what is causing this and how to cure it?

    >
    >
    >As you already wrote: PeerGuardian2. It might be that it's simply telling
    >you fictitious facts, it might block expected replys related to your very
    >own requests, it might provoke repeated traffic due to missing TCP Reject
    >packets.


    At the time I first noticed the continuous traffic on the router PG2
    was not installed.

    >> and is it risky to allow this to continue,

    >
    >
    >Risky? Since you're running an application which is supposed to **** up your
    >network, it can't be a productive machine anyway.


    Well, it is a home machine so has never been very productive,

    Jw
     
    , Nov 9, 2007
    #3
  4. Gerard Bok Guest

    On Thu, 08 Nov 2007 21:39:55 +0000, wrote:

    >I noticed recently almost continuous activity on my Belkin router for
    >one of the two Pc's connected to it.


    >source destination
    >
    >192.168.2.3:2741 60.246.179.201:80


    >Any idea what is causing this and how to cure it?


    Can be almost anything. But it's only harmless once proven to be
    harmless :)

    First: define which PC is causing this traffic.
    (My way: pull the plug, one by one. See when the traffic stops
    :)

    Then, on the offending PC, find out what processes are running.
    Shut them down, one by one, and decide which process is
    responsible.
    Here also, pulling the plug may be a fast one. If you watch CPU
    demand while pulling the network plug, you may well observe that
    one process increases or decreases its CPU load.
    That can be your OS, noticing that the network connection fails,
    or the culprit, detecting it can no longer phone home :)

    --
    Kind regards,
    Gerard Bok
     
    Gerard Bok, Nov 9, 2007
    #4
  5. Moe Trin Guest

    On Thu, 08 Nov 2007, in the Usenet newsgroup alt.computer.security, in article
    <>, wrote:

    >I noticed recently almost continuous activity on my Belkin router for
    >one of the two Pc's connected to it.
    >
    >I am running Peerguardian2 and it shows tcp traffic originating from
    >the PC to various destinations


    And what did you install on that PC that wants to talk to the net?

    >eg
    >60.246.179.201:80
    >
    >each entry on the log shows an increment on the port of my PC


    If that address is valid, it's a business service in Sydney, Oz. The
    incrementing means that a process is accessing a web site, then another
    process is started up and accesses the site - lather, rinse, repeat.

    >If I attempt to block the destination IP in Peerguardian the traffic
    >continues with my port number incrementing but with a different
    >destination IP
    >
    >eg
    >66.246.179.201:80


    Is that the actual IP address, or is that merely some set of numbers
    you made up? The address is another ISP - just North of Miami Florida.
    That the mal-ware would be using addresses that differ by one digit
    despite being located half-way around the world is highly unusual.

    >Any idea what is causing this and how to cure it?


    You'd have to ask the person who installed this. It's not a piece of
    standard windoze crap. Contrary to the beliefs of many, there really
    isn't a Mal-ware Fairy who flitters about and when you are not looking,
    waves her Magic Wand and installs stuff.

    >is it risky to allow this to continue


    You'll have to wait until you get your credit-card bill next month to
    find out. Presumably it's not violating laws, as the police haven't
    stopped by to arrest you.

    >I can use the other PC on the network ok and don't see the same sort
    >of activity from that one.


    Different user installing different malware.

    Old guy
     
    Moe Trin, Nov 9, 2007
    #5
  6. Guest

    On Fri, 09 Nov 2007 13:36:05 GMT, (Gerard Bok) wrote:

    Thanks for all your suggestions, I am getting nearer but could do with
    a little more help....

    >First: define which PC is causing this traffic.
    >(My way: pull the plug, one by one. See when the traffic stops
    >:)


    the router has separate activity leds for each ethernet connection
    and knowing the IP for the PC I had this already.

    >Then, on the offending PC, find out what processes are running.
    >Shut them down, one by one, and decide which process is
    >responsible.


    In the Task Manager I have four svchost.exe entries, one of them is
    continually in use and killing this process stops the outgoing
    traffic.

    I then get an NT System Authority error and a countdown timer of 60
    secs before the PC shuts down.

    (Some digging on Google and found I can disable the timer in a command
    prompt with "shutdown -a")

    I think my problem is to identify what program is using the errant
    svchost.

    From a cmd prompt if I enter "tasklist /svc" I get a list of what is
    running in each svchost instance.

    I'm not 100% but I think the one causing the trouble has only one
    entry "rpcss" because after suspending the svchost.exe process in Task
    Manager I can no longer use the "tasklist" command and get an "rpc
    server not available" error.


    Any suggestions as to what to look for next??

    thanks

    JW
     
    , Nov 10, 2007
    #6
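The step JW describes above, reading `tasklist /svc` to see which services each svchost.exe instance hosts, is easy to do by hand for four instances but tedious once there are a dozen. The following added example (mine, not code from anyone in the thread) parses a `tasklist /svc` listing saved to a text file and answers the two questions the post raises: which svchost PID hosts a given service, and which instances host only one service. The listing below is constructed in the column layout that command prints; the PIDs and service groupings are not from the poster's machine.

```python
import re

# Constructed excerpt in the layout of "tasklist /svc" output: a header,
# a separator, then one row per process, with long service lists wrapped
# onto indented continuation lines. Not output from the poster's machine.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    820 DcomLaunch
svchost.exe                    884 RpcSs
svchost.exe                   1032 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                   dmserver, EventSystem, helpsvc, lanmanserver
svchost.exe                   1148 Dnscache
explorer.exe                  1500 N/A
"""

# image name, then a PID, then whatever remains is the service list
ROW_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def _split_services(field):
    return [s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist_svc(text):
    """Return {pid: (image_name, [service, ...])}.

    Indented lines carry no PID and continue the previous row's service
    list, so they are appended to the last parsed row."""
    table = {}
    last_pid = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        if line[0].isspace() and last_pid is not None:
            table[last_pid][1].extend(_split_services(line))
            continue
        m = ROW_RE.match(line)
        if not m:
            continue
        pid = int(m.group("pid"))
        table[pid] = (m.group("image"), _split_services(m.group("services")))
        last_pid = pid
    return table


def svchost_hosting(table, service_name):
    """PIDs of svchost.exe instances hosting service_name (case-insensitive)."""
    wanted = service_name.lower()
    return sorted(pid for pid, (image, svcs) in table.items()
                  if image.lower() == "svchost.exe"
                  and any(s.lower() == wanted for s in svcs))


def single_service_svchosts(table):
    """svchost.exe instances that host exactly one service: the easiest
    ones to tie to a single responsibility when one of them is busy."""
    return {pid: svcs[0] for pid, (image, svcs) in table.items()
            if image.lower() == "svchost.exe" and len(svcs) == 1}


if __name__ == "__main__":
    table = parse_tasklist_svc(SAMPLE_TASKLIST)
    print("RpcSs is hosted by PID(s):", svchost_hosting(table, "rpcss"))
    print("single-service svchost instances:", single_service_svchosts(table))
```

Two caveats a practitioner would keep in mind. First, knowing the service tells you which host process carried the traffic, not which code inside it: anything loaded into that svchost (a service DLL, or a DLL injected from elsewhere) shares its PID and its network activity. Second, as the post notes, suspending the instance that hosts RpcSs breaks `tasklist` itself, so save the listing to a file before experimenting with any process.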
  7. Gerard Bok Guest

    On Sat, 10 Nov 2007 15:16:05 +0000, wrote:

    >On Fri, 09 Nov 2007 13:36:05 GMT, (Gerard Bok) wrote:


    >I think my problem is to identify what program is using the errant
    >svchost.
    >
    >From a cmd prompt if I enter "tasklist /svc" I get a list of what is
    >running in each svchost instance.
    >
    >I'm not 100% but I think the one causing the trouble has only one
    >entry "rpcss" because after suspending the svchost.exe process in Task
    >Manager I can no longer use the "tasklist" command and get an "rpc
    >server not available" error.


    >Any suggestions as to what to look for next??


    Well, personally I would install a sniffer (e.g. Wireshark) and
    find out what is actually inside the traffic on port 80 to
    60.246.179.201

    These may be rather harmless http-get requests to a server that
    is no longer available. (Indicating: originally bad traffic, but
    now harmless because a bad server was taken off the air.)
    Or you might see that your PC is actually sending (your) data
    over to 60.246.179.201. Which would be unacceptable.

    Another way to go could be examining your startup items,
    disabling them one by one until you get the one responsible for
    this traffic.
    Or --if it is not an automatic process-- find out at which point
    after reboot the traffic starts.

    --
    Kind regards,
    Gerard Bok
     
    Gerard Bok, Nov 10, 2007
    #7
  8. Guest

    On Sat, 10 Nov 2007 16:04:03 GMT, (Gerard Bok) wrote:


    >
    >Well, personally I would install a sniffer (e.g. Wireshark) and
    >find out what is actually inside the traffic on port 80 to
    >60.246.179.201


    Interesting, thanks for the pointer to Wireshark.

    I'm still finding my way around the program, (never used anything like
    this before so bear with me), assuming I'm doing this right, selecting
    one of the outgoing packets in the capture list and the 'follow tcp
    stream' builds several webpages and most have the following header

    -----------------------------------
    GET /cat.asp?CategId=2&SubCategId=1014 HTTP/1.1
    Accept: */*
    Accept-Language: en
    User-Agent: MJ12bot/v1.0.8 (http://majestic12.co.uk/bot.php? )
    Host: www.editora-central.com.br
    Connection: close
    ------------------------------------------

    subsequent code under this header block appear to be webpage html.

    I checked out Majestic12 and it's some kind of distributed search
    engine, is it likely I have this on my system and this is doing
    searches and creating the traffic?

    rgds

    JW
     
    , Nov 10, 2007
    #8
  9. Majestic12 Guest

    Hi all,

    My name is Alex Chudnovsky and I am the founder of the Majestic-12
    project referenced above.

    In the last couple of weeks we were getting reports of fake MJ12bot
    user-agent coming from various IPs, the main flag showing that it is a
    fake was very old version v1.0.8 of the user-agent just like above.

    This is NOT us who do it - we are effectively a victim here as whoever
    does this fakes user-agent in the same way spammers fake From: email
    address :-(

    I am very keen to get to the bottom of exactly what happens - if you
    look at our bots page here : 'Majestic-12 : DSearch : MJ12bot'
    (http://majestic12.co.uk/bot.php) you will see message about fake bot
    and lots of IP addresses from all over the world. I was thinking for
    some time that some botnet with compromised PCs were being used to crawl
    the web (probably for spamming purposes) using fake user-agents.

    Can you try installing Process Explorer from Microsoft:
    http://tinyurl.com/289vcz

    Do you have any of the firewalls installed like Kerio or ZoneAlarm?
    These should have prompted for network traffic coming out asking for
    approval.

    it gives much greater detail about which processes do what, and it
    allows to look at network stats for applications as well. I hope this
    will allow to locate exact application that is doing this stuff. It sure
    isn't ours (MJ12node.exe) :/


    ------------------------------------------------------------------------
    View this thread: http://www.wirelessforums.org/showthread.php?t=31663
    http://www.wirelessforums.org
     
    Majestic12, Nov 11, 2007
    #9
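The two posts above together give a concrete detection rule: JW's Wireshark stream shows outbound HTTP requests carrying a `User-Agent` of `MJ12bot/v1.0.8`, and Alex Chudnovsky says the old v1.0.8 version string is the tell-tale of the fake bot. The following is an added example, not code from Majestic-12 or from anyone in the thread: it parses a raw HTTP request block (as pasted from a "follow TCP stream" view) and classifies the user-agent. The request text is constructed from the headers quoted in post #8; the set of versions treated as the fake marker contains only 1.0.8, because that is the only version the thread identifies, and a real deployment would maintain that list from the project's bot page.

```python
import re

# Constructed request block modelled on the headers quoted from the
# Wireshark "follow TCP stream" view in the thread.
SAMPLE_REQUEST = (
    "GET /cat.asp?CategId=2&SubCategId=1014 HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en\r\n"
    "User-Agent: MJ12bot/v1.0.8 (http://majestic12.co.uk/bot.php? )\r\n"
    "Host: www.editora-central.com.br\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# Assumption: only the version the thread names is treated as the marker
# of the spoofed bot; extend this set from the project's own bot page.
STALE_MJ12_VERSIONS = {"1.0.8"}

UA_RE = re.compile(r"MJ12bot/v?(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_request(raw):
    """Split a raw HTTP/1.x request into request line fields and a
    lower-cased header dict. Header values keep their original case."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers}


def classify_user_agent(ua):
    """'not-mj12bot' if the string does not claim to be MJ12bot,
    'fake-mj12bot' if it claims a version known to be spoofed,
    'claims-mj12bot' otherwise (genuine or not yet known)."""
    m = UA_RE.search(ua or "")
    if not m:
        return "not-mj12bot"
    return "fake-mj12bot" if m.group(1) in STALE_MJ12_VERSIONS else "claims-mj12bot"


def check_request(raw):
    """One-line verdict for a captured outbound request."""
    req = parse_request(raw)
    return {
        "host": req["headers"].get("host"),
        "target": req["target"],
        "verdict": classify_user_agent(req["headers"].get("user-agent")),
    }


if __name__ == "__main__":
    print(check_request(SAMPLE_REQUEST))
```

On a home LAN where no crawler has been installed deliberately, any request claiming to be MJ12bot coming from a workstation is already worth a look; the version check only sharpens that. The `Host` header is the more useful field for an owner trying to understand the activity, since it names the site being crawled rather than the IP the traffic was sent to.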
  10. survivor Guest

    survivor, Dec 16, 2007
    #10
  11. covert Guest

    I have got this same botnet.

    On the infected PC I had Norton AV corp on it and I also installed AVG
    to try to find it. No luck.

    Here is another one of my threads with lots of details about what I
    have been trying and what it does.

    'Virus - fake MJ12bot - I can't find it. - Windows - Whirlpool
    Broadband Forums'
    (http://forums.whirlpool.net.au/forum-replies.cfm?t=879242)

    Taking a look around the net I can find very few threads about it.

    Wherever it is hiding it is in there very good.

    What info I can find out about it is that it seems to be a botnet
    responsible for forum posts, file uploading to galleries and so forth.

    It gets its initial commands from

    best lost dot hk


     
    covert, Dec 17, 2007
    #11
  12. survivor Guest

    abc,
    I haven't found it either but I removed the vulnerability that made it
    work (I guess). Now I no longer experience this unwanted traffic. Do
    this:
    1. Get ProcessExplorer from Microsoft. It's free. It doesn't need
    installation, just unzip and run.
    2. When the traffic starts (be sure it's not your own traffic), run
    procexp.exe
    3. Notice that one of the svchost.exe entries incurs an unusually
    high CPU utilization. The trojan started this instance. Hover over the
    entry to popup a tooltip. It should say: DCOM service process launcher.
    4. Now, observe the child node (actually is the parent node) that
    emanates from this entry. It will give you the path to the program that
    has the vulnerability.
    5. Do a search to identify which software this program belongs to. I
    can't help you in this.
    6. Replace/upgrade/patch your software so that the vulnerability is
    removed. The trojan will still be there but it won't be able to exploit
    nothing.
    7. Reboot

    Let me know how you did.


     
    survivor, Dec 18, 2007
    #12
  13. Guest

    My svchost responsible for the traffic does not have any nodes under
    it in process explorer.

    With OllyDbg I have been able to find the area in memory it is doing
    its work but I'm not able to find the owner for the memory. OllyDbg
    does not show who it belongs to. When I set a breakpoint to it OllyDbg
    crashes when it is hit.

    survivor wrote:
    > abc,
    > I haven't found it either but I removed the vulnerability that made it
    > work (I guess). Now I no longer experience this unwanted traffic. Do
    > this:
    > 1. Get ProcessExplorer from Microsoft. It's free. It doesn't need
    > installation, just unzip and run.
    > 2. When the traffic starts (be sure it's not your own traffic), run
    > procexp.exe
    > 3. Notice that one of the svchost.exe entries incurs an unusually
    > high CPU utilization. The trojan started this instance. Hover over the
    > entry to popup a tooltip. It should say: DCOM service process launcher.
    > 4. Now, observe the child node (actually is the parent node) that
    > emanates from this entry. It will give you the path to the program that
    > has the vulnerability.
    > 5. Do a search to identify which software this program belongs to. I
    > can't help you in this.
    > 6. Replace/upgrade/patch your software so that the vulnerability is
    > removed. The trojan will still be there but it won't be able to exploit
    > nothing.
    > 7. Reboot
    >
    > Let me know how you did.
    >
    >
    > ------------------------------------------------------------------------
    > View this thread: http://www.wirelessforums.org/showthread.php?t=31663
    > http://www.wirelessforums.org
     
    , Dec 20, 2007
    #13
  14. Sebastian G. Guest

    wrote:

    > When I set a breakpoint to it OllyDbg crashes when it is hit.



    Please call it a deadlock.
     
    Sebastian G., Dec 20, 2007
    #14
  15. survivor Guest

    I found a suspicious file named mqperf32.dll in the system32 directory.
    When I tried to check it AVG (antivirus) kept showing an alarm so I
    opted to clean it. There's little info on the net about it but is not an
    OS file (the OS's file is named mqperf.dll). If you find this is the
    case for you could you send me a copy of it before you clean it up? (I
    would like to analyze such clever piece of program)


     
    survivor, Dec 24, 2007
    #15