Who is Sophos.com

Discussion in 'NZ Computing' started by Tulsy Tsan, Dec 26, 2005.

  1. Tulsy Tsan Guest

    Something is connecting to www.sophos.com and downloading something. Firewall
    rule picked it up first as Symantec's ccApp.exe, then later Mozilla.
    www.sophos.co.uk is legit but I can't browse sophos.com. Is this traffic
    legit?


    C:\>netstat

    Active Connections

    Proto Local Address Foreign Address State
    TCP tinned-cc82o9yh:1027 www.sophos.com:3096 ESTABLISHED
    TCP tinned-cc82o9yh:1027 www.sophos.com:3128 ESTABLISHED
    TCP tinned-cc82o9yh:1027 www.sophos.com:3139 TIME_WAIT
    TCP tinned-cc82o9yh:1027 www.sophos.com:3141 TIME_WAIT
    TCP tinned-cc82o9yh:1027 www.sophos.com:3143 TIME_WAIT
    TCP tinned-cc82o9yh:1027 www.sophos.com:3145 TIME_WAIT
    TCP tinned-cc82o9yh:3039 www.sophos.com:3040 ESTABLISHED
    TCP tinned-cc82o9yh:3040 www.sophos.com:3039 ESTABLISHED
    TCP tinned-cc82o9yh:3096 www.sophos.com:1027 ESTABLISHED
    TCP tinned-cc82o9yh:3128 www.sophos.com:1027 ESTABLISHED
     
    Tulsy Tsan, Dec 26, 2005
    #1

  2. Richard Guest


    The last two have the inverse of the first two's ports, so I would say that you
    are connecting to yourself and for some reason you are reverse-DNSing to
    www.sophos.com. This would be something very dodgy in my mind. Were there more
    connections than what you pasted?
     
    Richard, Dec 26, 2005
    #2
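Richard's observation (the last two rows mirror the first two) can be checked mechanically. The following is an added example, not code from the thread: it parses Windows `netstat` text and pairs up rows whose local and foreign ports are swapped. `netstat` only lists sockets on the machine it runs on, so seeing both ends of one TCP connection proves the connection is loopback, whatever hostname the reverse lookup printed in the Foreign Address column. The sample rows are the ones from the first post; the function names are mine.

```python
import re

# Constructed sample: the netstat listing from the first post, with the
# "Active Connections" header and column titles dropped.
NETSTAT_SAMPLE = """\
TCP tinned-cc82o9yh:1027 www.sophos.com:3096 ESTABLISHED
TCP tinned-cc82o9yh:1027 www.sophos.com:3128 ESTABLISHED
TCP tinned-cc82o9yh:1027 www.sophos.com:3139 TIME_WAIT
TCP tinned-cc82o9yh:1027 www.sophos.com:3141 TIME_WAIT
TCP tinned-cc82o9yh:1027 www.sophos.com:3143 TIME_WAIT
TCP tinned-cc82o9yh:1027 www.sophos.com:3145 TIME_WAIT
TCP tinned-cc82o9yh:3039 www.sophos.com:3040 ESTABLISHED
TCP tinned-cc82o9yh:3040 www.sophos.com:3039 ESTABLISHED
TCP tinned-cc82o9yh:3096 www.sophos.com:1027 ESTABLISHED
TCP tinned-cc82o9yh:3128 www.sophos.com:1027 ESTABLISHED
"""

# One Windows netstat row: proto, local host:port, foreign host:port, state.
# UDP rows ("*:*" on the foreign side) deliberately do not match.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(\S*)\s*$")


def parse_netstat(text):
    """Turn netstat text into a list of connection dicts; non-matching lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, lhost, lport, fhost, fport, state = m.groups()
        conns.append({"proto": proto, "lhost": lhost, "lport": int(lport),
                      "fhost": fhost, "fport": int(fport), "state": state})
    return conns


def find_mirrored_pairs(conns):
    """Return (a, b) pairs where a's local port is b's foreign port and vice versa.

    netstat lists the sockets on this host only. If both ends of one TCP
    connection show up, both sockets are local, so the connection is loopback
    no matter what name netstat printed for the 'foreign' side.
    """
    seen = {}
    pairs = []
    for c in conns:
        mirror = (c["proto"], c["fport"], c["lport"])
        if mirror in seen:
            pairs.append((seen[mirror], c))
        else:
            seen[(c["proto"], c["lport"], c["fport"])] = c
    return pairs


def loopback_masquerade_names(conns):
    """Foreign host names that appear on connections proven to be loopback.

    A name here means name resolution (hosts file or reverse DNS) is mapping
    127.0.0.1 to that name, which is exactly what a hijacked hosts file produces.
    """
    names = set()
    for a, b in find_mirrored_pairs(conns):
        names.add(a["fhost"])
        names.add(b["fhost"])
    return names


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_SAMPLE)
    for a, b in find_mirrored_pairs(conns):
        print(f"loopback pair: {a['lport']}<->{b['lport']} shown as {a['fhost']}")
    print("names standing in for loopback:", loopback_masquerade_names(conns))
```

On the machine itself, `netstat -n` prints numeric addresses instead of names, and `netstat -ano` adds the owning process ID. If the mirrored rows show 127.0.0.1 under `-n`, the only thing left to explain is why www.sophos.com resolves to loopback, which is a name-resolution question rather than a network one.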

  3. I could connect and browse around www.sophos.com okay. Seems like they
    are in the business of producing and selling security suites.

    You didn't download and install any evaluation software from their site or
    the Sony root kit unmasking tool by any chance?
     
    Pacific Dragon, Dec 26, 2005
    #3
  4. Bruce Knox Guest

    Sophos are a major antivirus company specialising in sales to large
    corporations; I don't know if they do individual AV. Don't know why you
    would be connecting unless you have installed one of their products or
    maybe used one of their virus removal tools.

    Bruce http://www.baggins.co.nz
    http://physio.otago.ac.nz
     
    Bruce Knox, Dec 26, 2005
    #4
  5. Tulsy Tsan Guest

    Dodgy indeed. When I ping www.sophos.com I get me!

    Pinging www.sophos.com [127.0.0.1] with 32 bytes of data:

    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

    Ping statistics for 127.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

    But why the download traffic? Is it perhaps a trojan hiding behind a legit
    website?
     
    Tulsy Tsan, Dec 26, 2005
    #5
  6. Richard Guest

    If I was an author of a backdoor I would consider a hosts file entry like that
    to make it impossible to update virus definitions on the compromised computer.

    It's normal to have connections from yourself to yourself; it's how a lot of
    programs communicate with each other.

    What's more worrying is why your machine now believes that it is sophos.com when
    it's not.
     
    Richard, Dec 26, 2005
    #6
  7. Tulsy Tsan Guest

    Goddamn. Something had rewritten my hosts file and set all the AV sites to
    127.0.0.1,
    e.g. sophos,
    symantec,
    avg, etc.

    Hence I could not browse them.
    What should my hosts file look like now that I've deleted it?
     
    Tulsy Tsan, Dec 26, 2005
    #7
  8. Rob J Guest

    You should download updates to any antivirus package or install one as
    it is highly likely a virus has infected your PC.

    Normally there is nothing in the hosts file unless you are running a
    server on your PC, or some ad blockers use the hosts file to block
    downloads from advertising sites.
     
    Rob J, Dec 26, 2005
    #8
  9. Enkidu Guest

    Usually there is a 'localhost' entry relating to 127.0.0.1

    Cheers,

    Cliff
     
    Enkidu, Dec 26, 2005
    #9
  10. Your hosts file is the least of your problems.

    You need to track down and remove all the viruses from your computer.

    It's usually easier to reinstall the operating system from scratch, especially
    if you are unfamiliar with virus removal.
     
    Mark Robinson, Dec 27, 2005
    #10
  11. PC Guest

    You've been infected by a virus.
    Very common action by viruses these days to modify the hosts file to prevent
    access to antivirus updates.
    Go into Safe Mode.
    Delete the hosts file.
    Install Spybot Search & Destroy and use their hosts file (under Advanced
    Tools).
    Then start looking for viruses.

    Cheers
    Paul.
     
    PC, Dec 27, 2005
    #11
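The hosts-file question running through posts #7 to #11 (what was changed, what a clean file looks like, and how to tell a hijack from a deliberate ad-blocking entry) can be answered with a small audit. The following is an added example, not code from the thread or from any product mentioned in it. It parses hosts-file text, flags every name that resolves to a loopback or unspecified address other than the stock `localhost` entries, and rates the finding "high" when the name looks like a security vendor (update blocking, as Richard and Paul describe) or "review" otherwise (possibly ad blocking, as Rob J notes). The sample file is constructed to match what the thread describes; the vendor name list and the `audit_hosts_file` helper's use of the standard Windows path under `%SystemRoot%` are assumptions of the example.

```python
import ipaddress
import os

# Constructed sample of a tampered Windows hosts file, modelled on what the
# thread describes (security-vendor names pointed at loopback). Not taken from
# any real infection; the vendor host names are illustrative.
TAMPERED_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.sophos.com
127.0.0.1       sophos.com
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com
127.0.0.1       liveupdate.symantecliveupdate.com
127.0.0.1       www.grisoft.com
127.0.0.1       free.grisoft.com
127.0.0.1       www.kaspersky.com
0.0.0.0         ad.doubleclick.net     # typical ad-blocker style entry
"""

# Names a stock hosts file may legitimately point at loopback.
STOCK_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}

# Substrings that mark a name as belonging to a security vendor. This list is an
# assumption for the example; extend it for the products you actually run.
VENDOR_HINTS = ("sophos", "symantec", "norton", "mcafee", "kaspersky", "grisoft",
                "avg", "trendmicro", "f-secure", "avast", "avira", "spybot")


def windows_hosts_path():
    """Standard location of the hosts file on Windows NT-family systems."""
    return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")


def parse_hosts(text):
    """Return (line_no, ip, [names]) for each non-comment hosts entry."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; nothing resolves through it
        entries.append((line_no, ip, fields[1:]))
    return entries


def audit_hosts(text):
    """Flag names that resolve to loopback or unspecified (0.0.0.0) addresses.

    Severity 'high': the name looks like a security vendor (update blocking).
    Severity 'review': any other name; may be deliberate ad blocking.
    """
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        for name in names:
            lname = name.lower()
            if lname in STOCK_LOOPBACK_NAMES:
                continue
            vendor = any(h in lname for h in VENDOR_HINTS)
            findings.append({"line": line_no, "ip": str(ip), "name": name,
                             "severity": "high" if vendor else "review"})
    return findings


def default_hosts():
    """Minimal hosts file content: only the localhost entry, as Enkidu describes."""
    return "127.0.0.1\tlocalhost\n"


def audit_hosts_file(path=None):
    """Audit a live hosts file; defaults to the standard Windows path."""
    with open(path or windows_hosts_path(), encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    for f in audit_hosts(TAMPERED_HOSTS):
        print(f"{f['severity']:6} line {f['line']:3} {f['ip']:10} {f['name']}")
```

Run it from an administrator prompt so the hosts file is readable, and rerun it after cleaning: `audit_hosts_file()` should come back empty and `ping www.sophos.com` should no longer answer from 127.0.0.1. A clean hosts file only restores name resolution; as Mark Robinson says above, whatever wrote those entries still has to be found and removed.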
