Who is Sophos.com

Discussion in 'NZ Computing' started by Tulsy Tsan, Dec 26, 2005.

  1. Tulsy Tsan

    Tulsy Tsan Guest

    Something is connecting to www.sophos.com and downloading something. Firewall
    rule picked it up first as Symantec's ccApp.exe then later Mozilla.
    www.sophos.co.uk is legit but I can't browse sophos.com. Is this traffic
    legit?


    C:\>netstat

    Active Connections

    Proto Local Address Foreign Address State
    TCP tinned-cc82o9yh:1027 www.sophos.com:3096 ESTABLISHED
    TCP tinned-cc82o9yh:1027 www.sophos.com:3128 ESTABLISHED
    TCP tinned-cc82o9yh:1027 www.sophos.com:3139 TIME_WAIT
    TCP tinned-cc82o9yh:1027 www.sophos.com:3141 TIME_WAIT
    TCP tinned-cc82o9yh:1027 www.sophos.com:3143 TIME_WAIT
    TCP tinned-cc82o9yh:1027 www.sophos.com:3145 TIME_WAIT
    TCP tinned-cc82o9yh:3039 www.sophos.com:3040 ESTABLISHED
    TCP tinned-cc82o9yh:3040 www.sophos.com:3039 ESTABLISHED
    TCP tinned-cc82o9yh:3096 www.sophos.com:1027 ESTABLISHED
    TCP tinned-cc82o9yh:3128 www.sophos.com:1027 ESTABLISHED
    Tulsy Tsan, Dec 26, 2005
    #1

  2. Tulsy Tsan

    Richard Guest

    Tulsy Tsan wrote:
    > Something is connecting to www.sophos.com and downloading something. Firewall
    > rule picked it up first as Symantec's ccApp.exe then later Mozilla.
    > www.sophos.co.uk is legit but I can't browse sophos.com. Is this traffic
    > legit?
    >
    >
    > C:\>netstat
    >
    > Active Connections
    >
    > Proto Local Address Foreign Address State
    > TCP tinned-cc82o9yh:1027 www.sophos.com:3096 ESTABLISHED
    > TCP tinned-cc82o9yh:1027 www.sophos.com:3128 ESTABLISHED
    > TCP tinned-cc82o9yh:1027 www.sophos.com:3139 TIME_WAIT
    > TCP tinned-cc82o9yh:1027 www.sophos.com:3141 TIME_WAIT
    > TCP tinned-cc82o9yh:1027 www.sophos.com:3143 TIME_WAIT
    > TCP tinned-cc82o9yh:1027 www.sophos.com:3145 TIME_WAIT
    > TCP tinned-cc82o9yh:3039 www.sophos.com:3040 ESTABLISHED
    > TCP tinned-cc82o9yh:3040 www.sophos.com:3039 ESTABLISHED
    > TCP tinned-cc82o9yh:3096 www.sophos.com:1027 ESTABLISHED
    > TCP tinned-cc82o9yh:3128 www.sophos.com:1027 ESTABLISHED



    The last two have the inverse of the first two's ports, so I would say that you
    are connecting to yourself and for some reason you are reverse DNSing to
    www.sophos.com. This would be something very dodgy in my mind. Were there more
    connections than what you pasted?
    Richard, Dec 26, 2005
    #2
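A defender-side check for what Richard spotted above, added here as an example and not code from anyone in the thread: parse `netstat` output and flag connection pairs whose local and foreign ports are mirror images of each other. A socket pair only appears twice, once from each end, when both ends are on this machine, so the foreign name is merely what reverse DNS (here, a tampered hosts file) returns for 127.0.0.1. The sample output is constructed to match the paste in the thread; the local hostname `tinned-cc82o9yh` is taken from it, and the last row is an added, ordinary outbound connection.

```python
import re
from collections import namedtuple

# Constructed sample in the layout of Windows `netstat` output, modelled on the
# paste in the thread (the last row is an added, ordinary outbound connection).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    tinned-cc82o9yh:1027   www.sophos.com:3096    ESTABLISHED
  TCP    tinned-cc82o9yh:1027   www.sophos.com:3128    ESTABLISHED
  TCP    tinned-cc82o9yh:1027   www.sophos.com:3139    TIME_WAIT
  TCP    tinned-cc82o9yh:1027   www.sophos.com:3141    TIME_WAIT
  TCP    tinned-cc82o9yh:3039   www.sophos.com:3040    ESTABLISHED
  TCP    tinned-cc82o9yh:3040   www.sophos.com:3039    ESTABLISHED
  TCP    tinned-cc82o9yh:3096   www.sophos.com:1027    ESTABLISHED
  TCP    tinned-cc82o9yh:3128   www.sophos.com:1027    ESTABLISHED
  TCP    tinned-cc82o9yh:1050   news.example.invalid:119  ESTABLISHED
"""

Conn = namedtuple("Conn", "proto local_host local_port foreign_host foreign_port state")

# One netstat row: proto, host:port, host:port, optional state.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S*)\s*$")


def parse_netstat(text):
    """Turn netstat text into Conn records; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, lhost, lport, fhost, fport, state = m.groups()
        conns.append(Conn(proto, lhost, int(lport), fhost,
                          None if fport == "*" else int(fport), state))
    return conns


def find_self_connections(conns):
    """Pair up rows whose (local, foreign) ports are the mirror image of another
    row's.  A socket pair like 1027<->3096 shows up twice, once from each end,
    only when both ends live on this host."""
    by_ports = {(c.local_port, c.foreign_port): c for c in conns}
    pairs, seen = [], set()
    for c in conns:
        key, mirror = (c.local_port, c.foreign_port), (c.foreign_port, c.local_port)
        if mirror in by_ports and key not in seen and mirror not in seen:
            seen.update((key, mirror))
            pairs.append((c, by_ports[mirror]))
    return pairs


def hijacked_loopback_names(conns, local_hostname):
    """Foreign names attached to self-connections that are not this machine's
    own name: each is a name the resolver maps to the loopback address."""
    names = set()
    for a, b in find_self_connections(conns):
        for c in (a, b):
            if c.foreign_host.lower() != local_hostname.lower():
                names.add(c.foreign_host)
    return names


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for a, b in find_self_connections(conns):
        print(f"self-connection: {a.local_port} <-> {a.foreign_port} ({a.foreign_host})")
    print("names resolving to this host:", hijacked_loopback_names(conns, "tinned-cc82o9yh"))
```

Run it against `netstat` output saved to a file; any name reported by `hijacked_loopback_names` that is not the machine's own hostname is worth checking in the hosts file before trusting what the firewall log calls the remote end.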

  3. On Mon, 26 Dec 2005 16:44:48 +1300, Richard wrote:

    > Tulsy Tsan wrote:
    >> Something is connecting to www.sophos.com and downloading something. Firewall
    >> rule picked it up first as Symantec's ccApp.exe then later Mozilla.
    >> www.sophos.co.uk is legit but I can't browse sophos.com. Is this traffic
    >> legit?


    I could connect and browse around www.sophos.com okay. Seems like they
    are in the business of producing and selling security suites.

    You didn't download and install any evaluation software from their site or
    the Sony root kit unmasking tool by any chance?
    Pacific Dragon, Dec 26, 2005
    #3
  4. Tulsy Tsan

    Bruce Knox Guest

    On Mon, 26 Dec 2005 16:04:51 +1300, "Tulsy Tsan"
    <> wrote:

    >Something is connecting to www.sophos.com and downloading something. Firewall
    >rule picked it up first as Symantec's ccApp.exe then later Mozilla.
    >www.sophos.co.uk is legit but I can't browse sophos.com. Is this traffic
    >legit?
    >
    >
    >C:\>netstat
    >
    >Active Connections
    >
    > Proto Local Address Foreign Address State
    > TCP tinned-cc82o9yh:1027 www.sophos.com:3096 ESTABLISHED
    > TCP tinned-cc82o9yh:1027 www.sophos.com:3128 ESTABLISHED
    > TCP tinned-cc82o9yh:1027 www.sophos.com:3139 TIME_WAIT
    > TCP tinned-cc82o9yh:1027 www.sophos.com:3141 TIME_WAIT
    > TCP tinned-cc82o9yh:1027 www.sophos.com:3143 TIME_WAIT
    > TCP tinned-cc82o9yh:1027 www.sophos.com:3145 TIME_WAIT
    > TCP tinned-cc82o9yh:3039 www.sophos.com:3040 ESTABLISHED
    > TCP tinned-cc82o9yh:3040 www.sophos.com:3039 ESTABLISHED
    > TCP tinned-cc82o9yh:3096 www.sophos.com:1027 ESTABLISHED
    > TCP tinned-cc82o9yh:3128 www.sophos.com:1027 ESTABLISHED
    >
    >

    Sophos are a major antivirus company specialising in sales to large
    corporations; I don't know if they do individual AV. Don't know why you
    would be connecting unless you have installed one of their products or
    maybe used one of their virus removal tools.

    Bruce http://www.baggins.co.nz
    http://physio.otago.ac.nz
    Bruce Knox, Dec 26, 2005
    #4
  5. Tulsy Tsan

    Tulsy Tsan Guest

    Dodgy indeed. When I ping www.sophos.com I get me!

    Pinging www.sophos.com [127.0.0.1] with 32 bytes of data:

    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

    Ping statistics for 127.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

    But why the download traffic. Is it perhaps a trojan hiding behind a legit
    website?


    "Richard" <> wrote in message
    news:...
    > Tulsy Tsan wrote:
    > > Something is connecting to www.sophos.com and downloading something. Firewall
    > > rule picked it up first as Symantec's ccApp.exe then later Mozilla.
    > > www.sophos.co.uk is legit but I can't browse sophos.com. Is this traffic
    > > legit?
    > >
    > >
    > > C:\>netstat
    > >
    > > Active Connections
    > >
    > > Proto Local Address Foreign Address State
    > > TCP tinned-cc82o9yh:1027 www.sophos.com:3096 ESTABLISHED
    > > TCP tinned-cc82o9yh:1027 www.sophos.com:3128 ESTABLISHED
    > > TCP tinned-cc82o9yh:1027 www.sophos.com:3139 TIME_WAIT
    > > TCP tinned-cc82o9yh:1027 www.sophos.com:3141 TIME_WAIT
    > > TCP tinned-cc82o9yh:1027 www.sophos.com:3143 TIME_WAIT
    > > TCP tinned-cc82o9yh:1027 www.sophos.com:3145 TIME_WAIT
    > > TCP tinned-cc82o9yh:3039 www.sophos.com:3040 ESTABLISHED
    > > TCP tinned-cc82o9yh:3040 www.sophos.com:3039 ESTABLISHED
    > > TCP tinned-cc82o9yh:3096 www.sophos.com:1027 ESTABLISHED
    > > TCP tinned-cc82o9yh:3128 www.sophos.com:1027 ESTABLISHED
    >
    >
    > The last two have the inverse of the first two's ports, so I would say that you
    > are connecting to yourself and for some reason you are reverse DNSing to
    > www.sophos.com. This would be something very dodgy in my mind. Were there more
    > connections than what you pasted?
    Tulsy Tsan, Dec 26, 2005
    #5
  6. Tulsy Tsan

    Richard Guest

    Tulsy Tsan wrote:
    > Dodgy indeed. When I ping www.sophos.com I get me!
    >
    > Pinging www.sophos.com [127.0.0.1] with 32 bytes of data:
    >
    > Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    > Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    > Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    > Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    >
    > Ping statistics for 127.0.0.1:
    > Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    > Approximate round trip times in milli-seconds:
    > Minimum = 0ms, Maximum = 0ms, Average = 0ms
    >
    > But why the download traffic. Is it perhaps a trojan hiding behind a legit
    > website?


    If I were the author of a backdoor I would consider a hosts file entry like that,
    to make it impossible to update virus definitions on the compromised computer.

    It's normal to have connections from yourself to yourself; it's how a lot of
    programs communicate with each other.

    What's more worrying is why your machine now believes that it is sophos.com when
    it's not.
    Richard, Dec 26, 2005
    #6
  7. Tulsy Tsan

    Tulsy Tsan Guest

    Goddamn. Something had rewritten my hosts file and set all the AV sites to
    127.0.0.1,
    e.g. sophos,
    symantec,
    avg etc.

    Hence I could not browse them.
    What should my hosts look like now that I've deleted it?


    "Tulsy Tsan" <> wrote in message
    news:...
    > Something is connecting to www.sophos.com and downloading something. Firewall
    > rule picked it up first as Symantec's ccApp.exe then later Mozilla.
    > www.sophos.co.uk is legit but I can't browse sophos.com. Is this traffic
    > legit?
    >
    >
    > C:\>netstat
    >
    > Active Connections
    >
    > Proto Local Address Foreign Address State
    > TCP tinned-cc82o9yh:1027 www.sophos.com:3096 ESTABLISHED
    > TCP tinned-cc82o9yh:1027 www.sophos.com:3128 ESTABLISHED
    > TCP tinned-cc82o9yh:1027 www.sophos.com:3139 TIME_WAIT
    > TCP tinned-cc82o9yh:1027 www.sophos.com:3141 TIME_WAIT
    > TCP tinned-cc82o9yh:1027 www.sophos.com:3143 TIME_WAIT
    > TCP tinned-cc82o9yh:1027 www.sophos.com:3145 TIME_WAIT
    > TCP tinned-cc82o9yh:3039 www.sophos.com:3040 ESTABLISHED
    > TCP tinned-cc82o9yh:3040 www.sophos.com:3039 ESTABLISHED
    > TCP tinned-cc82o9yh:3096 www.sophos.com:1027 ESTABLISHED
    > TCP tinned-cc82o9yh:3128 www.sophos.com:1027 ESTABLISHED
    >
    >
    >
    Tulsy Tsan, Dec 26, 2005
    #7
  8. Tulsy Tsan

    Rob J Guest

    In article <>, says...
    > Goddamn. Something had rewritten my hosts file and set all the AV sites to
    > 127.0.0.1,
    > e.g. sophos,
    > symantec,
    > avg etc.
    >
    > Hence I could not browse them.
    > What should my hosts look like now that I've deleted it?


    You should download updates to any antivirus package or install one, as
    it is highly likely a virus has infected your PC.

    Normally there is nothing in the hosts file unless you are running a
    server on your PC, or some ad blockers use the hosts file to block
    downloads from advertising sites.

    >
    >
    > "Tulsy Tsan" <> wrote in message
    > news:...
    > > Something is connecting to www.sophos.com and downloading something. Firewall
    > > rule picked it up first as Symantec's ccApp.exe then later Mozilla.
    > > www.sophos.co.uk is legit but I can't browse sophos.com. Is this traffic
    > > legit?
    > >
    > >
    > > C:\>netstat
    > >
    > > Active Connections
    > >
    > > Proto Local Address Foreign Address State
    > > TCP tinned-cc82o9yh:1027 www.sophos.com:3096 ESTABLISHED
    > > TCP tinned-cc82o9yh:1027 www.sophos.com:3128 ESTABLISHED
    > > TCP tinned-cc82o9yh:1027 www.sophos.com:3139 TIME_WAIT
    > > TCP tinned-cc82o9yh:1027 www.sophos.com:3141 TIME_WAIT
    > > TCP tinned-cc82o9yh:1027 www.sophos.com:3143 TIME_WAIT
    > > TCP tinned-cc82o9yh:1027 www.sophos.com:3145 TIME_WAIT
    > > TCP tinned-cc82o9yh:3039 www.sophos.com:3040 ESTABLISHED
    > > TCP tinned-cc82o9yh:3040 www.sophos.com:3039 ESTABLISHED
    > > TCP tinned-cc82o9yh:3096 www.sophos.com:1027 ESTABLISHED
    > > TCP tinned-cc82o9yh:3128 www.sophos.com:1027 ESTABLISHED
    > >
    > >
    > >

    >
    >
    >
    Rob J, Dec 26, 2005
    #8
  9. Tulsy Tsan

    Enkidu Guest

    Rob J wrote:
    > In article <>, says...
    >
    >>Goddamn. Something had rewritten my hosts file and set all the AV sites to
    >>127.0.0.1,
    >>e.g. sophos,
    >>symantec,
    >>avg etc.
    >>
    >>Hence I could not browse them.
    >>What should my hosts look like now that I've deleted it?

    >
    >
    > You should download updates to any antivirus package or install one as
    > it is highly likely a virus has infected your PC.
    >
    > Normally there is nothing in the hosts file unless you are running a
    > server on your PC, or some ad blockers use the hosts file to block
    > downloads from advertising sites.
    >

    Usually there is a 'localhost' entry relating to 127.0.0.1

    Cheers,

    Cliff
    Enkidu, Dec 26, 2005
    #9
  10. Tulsy Tsan wrote:
    > Goddamn. Something had rewritten my hosts file and set all the AV sites to
    > 127.0.0.1,
    > e.g. sophos,
    > symantec,
    > avg etc.
    >
    > Hence I could not browse them.
    > What should my hosts look like now that I've deleted it?


    Your hosts file is the least of your problems.

    You need to track down and remove all the viruses from your computer.

    It's usually easier to reinstall the operating system from scratch, especially
    if you are unfamiliar with virus removal.
    Mark Robinson, Dec 27, 2005
    #10
  11. Tulsy Tsan

    PC Guest

    "Tulsy Tsan" <> wrote in message
    news:...
    > Goddamn. Something had rewritten my hosts file and set all the AV sites
    > to
    > 127.0.0.1,
    > e.g. sophos,
    > symantec,
    > avg etc.
    >
    > Hence I could not browse them.
    > What should my hosts look like now that I've deleted it?
    >
    >
    > "Tulsy Tsan" <> wrote in message
    > news:...
    >> Something is connecting to www.sophos.com and downloading something. Firewall
    >> rule picked it up first as Symantec's ccApp.exe then later Mozilla.
    >> www.sophos.co.uk is legit but I can't browse sophos.com. Is this traffic
    >> legit?
    >>
    >>
    >> C:\>netstat
    >>
    >> Active Connections
    >>
    >> Proto Local Address Foreign Address State
    >> TCP tinned-cc82o9yh:1027 www.sophos.com:3096 ESTABLISHED
    >> TCP tinned-cc82o9yh:1027 www.sophos.com:3128 ESTABLISHED
    >> TCP tinned-cc82o9yh:1027 www.sophos.com:3139 TIME_WAIT
    >> TCP tinned-cc82o9yh:1027 www.sophos.com:3141 TIME_WAIT
    >> TCP tinned-cc82o9yh:1027 www.sophos.com:3143 TIME_WAIT
    >> TCP tinned-cc82o9yh:1027 www.sophos.com:3145 TIME_WAIT
    >> TCP tinned-cc82o9yh:3039 www.sophos.com:3040 ESTABLISHED
    >> TCP tinned-cc82o9yh:3040 www.sophos.com:3039 ESTABLISHED
    >> TCP tinned-cc82o9yh:3096 www.sophos.com:1027 ESTABLISHED
    >> TCP tinned-cc82o9yh:3128 www.sophos.com:1027 ESTABLISHED
    >>
    >>
    >>

    >
    >




    You've been infected by a virus.
    Very common action by viruses these days to modify the hosts file to prevent
    access to antivirus updates.
    Go into Safe Mode.
    Delete the hosts file.
    Install Spybot Search & Destroy and use their hosts file (under advanced
    tools).
    Then start looking for viruses.

    Cheers
    Paul.
    PC, Dec 27, 2005
    #11
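An added hosts-file audit (example code, not from anyone in the thread) for the situation in posts #7, #9 and #11: parse a Windows-style hosts file, accept the normal `127.0.0.1 localhost` entry that Enkidu mentions, and report every name containing a watched vendor keyword that is pinned to a loopback or unspecified address, which is exactly how the update sites were made unreachable here. The sample file, the ad-blocker style line in it and the watch list are constructed from the vendors the thread names (sophos, symantec, avg); extend the list with the update domains your own tools depend on.

```python
import ipaddress

# Constructed hosts file modelled on what the thread describes: the normal
# localhost line, then security-vendor names pinned to 127.0.0.1.  The
# ad-blocker style line at the end shows a loopback entry that is NOT a finding.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.sophos.com
127.0.0.1       sophos.com
127.0.0.1       www.symantec.com   symantec.com
127.0.0.1       www.avg.com
127.0.0.1       ads.example.invalid   # ad-blocker style entry (constructed)
"""

# The bare hosts file Enkidu describes; a clean file needs nothing more.
DEFAULT_HOSTS = "127.0.0.1\tlocalhost\n"

# Watch list built from the vendors named in the thread (constructed; extend
# with whatever update domains your own tools rely on).
WATCH_KEYWORDS = ("sophos", "symantec", "avg")


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for every mapping in a hosts
    file, honouring '#' comments and multiple names per line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue          # malformed line; not a mapping
        for name in fields[1:]:
            yield lineno, addr, name.lower()


def audit_hosts(text, watch=WATCH_KEYWORDS):
    """Return (line_number, address, name) for every watched vendor name that is
    sunk to a loopback or unspecified address, i.e. deliberately made unreachable."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if name == "localhost":
            continue          # expected default mapping
        sink = addr.is_loopback or addr.is_unspecified
        if sink and any(k in name for k in watch):
            findings.append((lineno, str(addr), name))
    return findings


if __name__ == "__main__":
    for lineno, addr, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr}")
    print("clean default file findings:", audit_hosts(DEFAULT_HOSTS))
```

On Windows the file lives under the system32\drivers\etc directory; read it with the same parser, and treat any finding as a sign the machine itself is compromised rather than as the problem to fix, which is Mark Robinson's point above.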
