TechSpot

Strange IP keeps establishing

By enfuego
Jan 22, 2008
  1. I have 3 ip addresses in the same range that keep popping into my system:
    207.66.62.22
    207.66.62.23
    207.66.62.24

    They have been persistently connecting for the past week or so. I've been monitoring them with CurrPorts and closing the connection, but they come back within a minute or two.

    I'd appreciate any assistance on how to find out who it is and how to block them permanently.
     
  2. Nodsu

    Nodsu TS Rookie Posts: 5,837   +6

    Which port are they connecting to?! Obviously you have made a hole in your firewall and it is you who should know what that hole is for.
     
  3. enfuego

    enfuego TS Rookie Topic Starter Posts: 16

    incoming on several different ports...outgoing on 80
     
  4. Route44

    Route44 TechSpot Ambassador Posts: 11,966   +70

    I would dare say you are infected. It has happened to me in the past and it is a pain to rectify. Go to the thread above by Julio entitled "Is your system infected? Read this before Cleaning or Formatting."
     
  5. Nodsu

    Nodsu TS Rookie Posts: 5,837   +6

    Hum.. It is your computer connecting to these other computers, not vice versa.

    Get an advanced network monitor tool and see which program is making these connections. Something like TCPview from Sysinternals.
     
  6. AlbertLionheart

    AlbertLionheart TechSpot Chancellor Posts: 2,026

    This may be part of an autoupdate process - see if disabling these stops the access to these IP addresses.
    A check on them does not show they are sinister.
     
  7. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    Some things to do:
    1. (As noted in the post above) Go through Autoruns and disable all update services
    2. Go through Autoruns and identify all the startups. Use a reliable reference source like Pacman's Startup Portal
    3. Analyze the network traffic to see what the connections/data are doing. If you need a network data analyzer, try Packetyzer. It's freeware and I find it offers a lot of really useful features for a freeware tool
     
  8. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    And one more thing.....

    You said the incoming TCP connections come in on various ports. Do any or all of them have a destination port number less than or equal to 1023?

    If yes, identify the destination IP address and port (0 - 1023) of the incoming TCP messages.
     
  9. enfuego

    enfuego TS Rookie Topic Starter Posts: 16

    Appreciate the help...I am going to try to reply to all responses so far with one post:

    Firefox or IE creates an established connection to three different ips...I also see Outlook connect to the ips as well.

    All destination ip's are:

    207.66.62.22
    207.66.62.23
    207.66.62.24

    port 80

    I've disabled all auto updates and still have issues.

    About to try Packetyzer and will report results next...
     
  10. enfuego

    enfuego TS Rookie Topic Starter Posts: 16

    Packetyzer has a ton of info....almost too much to sift through...suggestions?
     
  11. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    Am I hearing you right that the destination IPs are all 207.66.62.xx, meaning it is your computer sending to their computer???

    I ask because unexpected inbound TCP connection attempts from an ip_address:80 are a typical form of spam attack.

    One method in using Packetyzer is applying display filters on the data it shows. For example, in the display filter box at the bottom of the display enter
    (ip.addr == xx.xx.xx.xx) to only display packet data to or from the IP address you indicate. (Include the parens when you enter the filter)
     
  12. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    As someone asked... "Did you create a hole in your firewall for the connections to be made???" Or do you not have a firewall running???!!!!

    No firewall = BIG MISTAKE
     
  13. Nodsu

    Nodsu TS Rookie Posts: 5,837   +6

    Well, what page(s) do you have open in IE or Firefox or what are you doing in Outlook?

    Also, make sure that the program names are the full path to the correct Firefox or IE executables. It may well be malware posing as your browser.
     
  14. enfuego

    enfuego TS Rookie Topic Starter Posts: 16

    It's just about any/all web pages in firefox...In outlook, just connecting and checking email to pop server.

    How would I check in sentence #2 (above)?
     
  15. enfuego

    enfuego TS Rookie Topic Starter Posts: 16

    According to IT guy, our firewall is in our router...
     
  16. Route44

    Route44 TechSpot Ambassador Posts: 11,966   +70

    Well, routers are certainly the first best defense for protection and though there are arguments whether or not you should have a software firewall, I personally say better safe than sorry.

    A lot of people like to layer their security: router, antivirus, firewall, and anti-spyware or security suites like Kaspersky.

    The two best firewalls out there are free: Comodo 3.0 and Online Armor's free version.
     
  17. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    If the requests are originating at your computer (i.e. aren't a response to an inbound request), outbound requests to port 80 are quite common and can be legit.

    To still find out more detail I’ll assume you are running TCPview. Have TCPview auto-refresh by clicking View->Update Speed and select an update interval
    • Verify the local application making the request
      Some malware will hide by using a familiar sounding name. It can even use the identical name like firefox.exe if it loads itself into a different directory than the real firefox.exe.
      • In TCPview, highlight the process and right click. Then left click to select Process Properties to see the full path of the process. Verify this is the location and filename for the real firefox, or IE or whatever name is displayed
      • If you aren’t familiar how to verify manually, you can download / use Process Explorer. Find the process and process number as shown in TCPview in the Process Explorer display. In Process Explorer, left click on the process, then right click for Properties, then hit the Verify button
    • Lookup the remote IP address
      Use an IP address tracking program to find out more about the remote IP. The 3 IPs you state are all hosted by an ISP in New Mexico, Oso Grande Technologies, Inc.

    /*Edit*/
    Added link for tracking program.

    And where is your pop server located???
     
  18. enfuego

    enfuego TS Rookie Topic Starter Posts: 16

    ISP in New Mexico, but it's not that one...
     
  19. enfuego

    enfuego TS Rookie Topic Starter Posts: 16

    I left currport running with logs on last night and nothing open. These IP's established and closed (ports after semicolon):

    207.66.62.23:80
    207.66.62.23:80
    199.93.58.125:80
    65.55.192.61:80
    199.93.58.125:80
    199.93.58.125:80
    199.93.58.125:80
    65.55.192.61:443
    4.23.63.125:80
    4.23.63.125:80
    65.55.192.61:80
    65.55.192.61:443
    198.78.223.125:80
    65.55.184.61:80
    198.78.223.125:80
    198.78.223.125:80
    65.55.184.61:443
    198.78.223.125:80
    65.55.184.61:80
    65.55.184.61:443

    svchost.exe was establishing the connections....?!
     
  20. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    • Were you running with updates turned off? 65.55.192.61 appears frequently and belongs to Microsoft
    • It would be much more helpful to give the entire log file, which would indicate
      • The port used on your end. Port numbers < 1024 (or somewhere around there) are predefined for certain usage.
      • The process name and path on your end of the connection.
      • Hostnames resolved for you (You do have that option turned on, right?)
    It would possibly be more helpful if you could provide all the data collected.
     
  21. enfuego

    enfuego TS Rookie Topic Starter Posts: 16

    1/30/2008 1:29:25 AM Added update.exe TCP 192.168.1.151:4931 207.66.62.23:80
    1/30/2008 1:29:27 AM Removed update.exe TCP 192.168.1.151:4931 207.66.62.23:80
    1/30/2008 2:09:09 AM Added svchost.exe TCP 192.168.1.151:4932 199.93.58.125:80
    1/30/2008 2:09:11 AM Added svchost.exe TCP 192.168.1.151:4933 65.55.192.61:80
    1/30/2008 2:09:17 AM Added svchost.exe TCP 192.168.1.151:4934 199.93.58.125:80
    1/30/2008 2:09:17 AM Removed svchost.exe TCP 192.168.1.151:4932 199.93.58.125:80
    1/30/2008 2:09:39 AM Removed svchost.exe TCP 192.168.1.151:4934 199.93.58.125:80
    1/30/2008 2:09:47 AM Added svchost.exe TCP 192.168.1.151:4935 65.55.192.61:443
    1/30/2008 2:09:55 AM Added svchost.exe TCP 192.168.1.151:4936 4.23.63.125:80
    1/30/2008 2:10:09 AM Removed svchost.exe TCP 192.168.1.151:4936 4.23.63.125:80
    1/30/2008 2:10:18 AM Removed svchost.exe TCP 192.168.1.151:4933 65.55.192.61:80
    1/30/2008 2:11:06 AM Removed svchost.exe TCP 192.168.1.151:4935 65.55.192.61:443
    1/30/2008 6:43:32 AM Added svchost.exe TCP 192.168.1.151:4937 198.78.223.125:80
    1/30/2008 6:43:34 AM Added svchost.exe TCP 192.168.1.151:4938 65.55.184.61:80
    1/30/2008 6:44:02 AM Removed svchost.exe TCP 192.168.1.151:4937 198.78.223.125:80
    1/30/2008 6:44:04 AM Added svchost.exe TCP 192.168.1.151:4940 198.78.223.125:80
    1/30/2008 6:44:04 AM Added svchost.exe TCP 192.168.1.151:4939 65.55.184.61:443
    1/30/2008 6:44:32 AM Removed svchost.exe TCP 192.168.1.151:4940 198.78.223.125:80
    1/30/2008 6:44:48 AM Removed svchost.exe TCP 192.168.1.151:4938 65.55.184.61:80
    1/30/2008 6:45:12 AM Removed svchost.exe TCP 192.168.1.151:4939 65.55.184.61:443
     
  22. Nodsu

    Nodsu TS Rookie Posts: 5,837   +6

    Well, something called "update.exe" simply screams "MALWARE!" You should really take a look at the preliminary detection and removal guide.

    The connections by svchost seem to be legit.. At least they don't point to some home users.
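    Added example (an editor's addition, not code from the thread or from any of the posters): a small Python script that does the triage this thread performs by hand on the CurrPorts log from post 21. It pairs each Added line with its Removed line to get session durations, labels each remote address with the ownership the thread itself established (the Akamai range 207.66.62.16-31 from post 23 and the whois result for 65.55.192.61 from post 24) and puts every other address on a whois to-do list instead of guessing, checks that every local port is an ephemeral port above 1023 (the point raised in posts 8 and 20: that is what connections initiated by this machine look like), and flags any process name not on an allow-list. The log text is copied from post 21. The allow-list of expected process names (svchost.exe, firefox.exe, iexplore.exe, outlook.exe) is an assumption based on what the poster described as normal, and a name match alone proves nothing, since the log carries no path; the full-path check from post 17 still has to be done in TCPview or Process Explorer.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# The 20 lines enfuego posted (post 21), embedded so this runs offline.
CURRPORTS_LOG = """\
1/30/2008 1:29:25 AM Added update.exe TCP 192.168.1.151:4931 207.66.62.23:80
1/30/2008 1:29:27 AM Removed update.exe TCP 192.168.1.151:4931 207.66.62.23:80
1/30/2008 2:09:09 AM Added svchost.exe TCP 192.168.1.151:4932 199.93.58.125:80
1/30/2008 2:09:11 AM Added svchost.exe TCP 192.168.1.151:4933 65.55.192.61:80
1/30/2008 2:09:17 AM Added svchost.exe TCP 192.168.1.151:4934 199.93.58.125:80
1/30/2008 2:09:17 AM Removed svchost.exe TCP 192.168.1.151:4932 199.93.58.125:80
1/30/2008 2:09:39 AM Removed svchost.exe TCP 192.168.1.151:4934 199.93.58.125:80
1/30/2008 2:09:47 AM Added svchost.exe TCP 192.168.1.151:4935 65.55.192.61:443
1/30/2008 2:09:55 AM Added svchost.exe TCP 192.168.1.151:4936 4.23.63.125:80
1/30/2008 2:10:09 AM Removed svchost.exe TCP 192.168.1.151:4936 4.23.63.125:80
1/30/2008 2:10:18 AM Removed svchost.exe TCP 192.168.1.151:4933 65.55.192.61:80
1/30/2008 2:11:06 AM Removed svchost.exe TCP 192.168.1.151:4935 65.55.192.61:443
1/30/2008 6:43:32 AM Added svchost.exe TCP 192.168.1.151:4937 198.78.223.125:80
1/30/2008 6:43:34 AM Added svchost.exe TCP 192.168.1.151:4938 65.55.184.61:80
1/30/2008 6:44:02 AM Removed svchost.exe TCP 192.168.1.151:4937 198.78.223.125:80
1/30/2008 6:44:04 AM Added svchost.exe TCP 192.168.1.151:4940 198.78.223.125:80
1/30/2008 6:44:04 AM Added svchost.exe TCP 192.168.1.151:4939 65.55.184.61:443
1/30/2008 6:44:32 AM Removed svchost.exe TCP 192.168.1.151:4940 198.78.223.125:80
1/30/2008 6:44:48 AM Removed svchost.exe TCP 192.168.1.151:4938 65.55.184.61:80
1/30/2008 6:45:12 AM Removed svchost.exe TCP 192.168.1.151:4939 65.55.184.61:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<event>Added|Removed) (?P<proc>\S+) (?P<proto>TCP|UDP) "
    r"(?P<lip>[\d.]+):(?P<lport>\d+) (?P<rip>[\d.]+):(?P<rport>\d+)$"
)

# Ownership the thread itself established (posts 23 and 24); any other
# remote address is reported as "unverified" and goes on a whois to-do list.
KNOWN_NETS = {
    "Akamai (range hosted by Oso Grande)": ipaddress.ip_network("207.66.62.16/28"),
    "Microsoft Corp (whois)": ipaddress.ip_network("65.55.192.61/32"),
}
# Assumption for illustration: names the poster described as normal here.
# A name match is not enough; the full path still needs checking (post 17).
EXPECTED_PROCS = {"svchost.exe", "firefox.exe", "iexplore.exe", "outlook.exe"}


def parse_log(text):
    """One dict per well-formed line; non-matching lines are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, map(str.strip, text.splitlines()))):
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%m/%d/%Y %I:%M:%S %p")
        e["lport"], e["rport"] = int(e["lport"]), int(e["rport"])
        events.append(e)
    return events


def pair_sessions(events):
    """Join each Added with the Removed for the same process and 5-tuple."""
    open_conns, sessions = {}, []
    for e in events:
        key = (e["proc"], e["proto"], e["lip"], e["lport"], e["rip"], e["rport"])
        if e["event"] == "Added":
            open_conns[key] = e["ts"]
        elif key in open_conns:
            start = open_conns.pop(key)
            sessions.append({**e, "start": start,
                             "seconds": int((e["ts"] - start).total_seconds())})
    for key, start in open_conns.items():  # still open when the log ended
        proc, proto, lip, lport, rip, rport = key
        sessions.append({"proc": proc, "proto": proto, "lip": lip, "lport": lport,
                         "rip": rip, "rport": rport, "start": start, "seconds": None})
    return sessions


def owner_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in KNOWN_NETS.items():
        if addr in net:
            return name
    return "unverified"


def summarize(sessions):
    """Per process: the distinct remote endpoints it talked to, with owner."""
    by_proc = defaultdict(set)
    for s in sessions:
        by_proc[s["proc"]].add((s["rip"], s["rport"], owner_of(s["rip"])))
    return {p: sorted(v) for p, v in by_proc.items()}


def triage(sessions):
    """The checks the thread walks through, as a findings dict."""
    f = {"unexpected_process": set(), "server_side_port": set(), "whois_todo": set()}
    for s in sessions:
        if s["proc"] not in EXPECTED_PROCS:
            f["unexpected_process"].add(f'{s["proc"]} -> {s["rip"]}:{s["rport"]}')
        if s["lport"] < 1024:  # we would have been the server side (posts 8, 20)
            f["server_side_port"].add(f'{s["proc"]} local :{s["lport"]}')
        if owner_of(s["rip"]) == "unverified":
            f["whois_todo"].add(s["rip"])
    return {k: sorted(v, key=ipaddress.ip_address if k == "whois_todo" else str)
            for k, v in f.items()}
```

    Calling triage(pair_sessions(parse_log(CURRPORTS_LOG))) on the posted log yields exactly one unexpected process (update.exe -> 207.66.62.23:80, a two-second session to an address in the Akamai range), no server-side ports (every local port is 4931 or above, consecutive ephemeral ports, so this machine opened all of them), and four addresses still to look up with whois: 4.23.63.125, 65.55.184.61, 198.78.223.125 and 199.93.58.125. That is the same split the thread reaches in posts 22 and 23, with the remaining work made explicit instead of guessed.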
     
  23. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    • The 3 IPs you originally listed 207.66.62.22, 207.66.62.23, 207.66.62.24 belong to Akamai Technologies based in Cambridge, MA.
    • Akamai Technologies IP range (these fall into) 207.66.62.16 - 207.66.62.31 which are all hosted by ISP Oso Grande Technologies, Inc.
    Look at Akamai's website. Ask IT if you use any of their products or they know of them. For that matter, why don't you run your problem by them? And if they're the ones maintaining the firewall seems it should be their problem as well.
     
  24. jobeard

    jobeard TS Ambassador Posts: 9,312   +617

    The MS WGA 'calls home 1/24 hours' and
    whois -H 65.55.192.61 shows
    OrgName: Microsoft Corp
    OrgID: MSFT
    Address: One Microsoft Way
    City: Redmond
    StateProv: WA
    PostalCode: 98052
    Country: US
    svchost.exe performs several services for MS systems:
    svchost.exe -k NetworkService
    svchost.exe -k LocalService
    svchost.exe -k imgsvc
    svchost.exe -k DcomLaunch
    svchost.exe -k NetworkService
    svchost.exe -k rpcss

    the WGA runs as soon as the Internet is accessible after boot
     
  25. enfuego

    enfuego TS Rookie Topic Starter Posts: 16

    Now I have a new IP popping up as persistently establishing...(along with the others above): 12.129.210.46
     