Strange IP keeps establishing

Status
Not open for further replies.

enfuego

Posts: 16   +0
I have 3 ip addresses in the same range that keep popping into my system:
207.66.62.22
207.66.62.23
207.66.62.24

They have been persistently connecting for the past week or so. I've been monitoring them with CurrPorts and closing the connection, but they come back within a minute or two.

I'd appreciate any assistance on how to find out who it is and how to block perm.
 
Which port are they connecting to?! Obviously you have made a hole in your firewall and it is you who should know what that hole is for.
 
I would dare say you are infected. It has happened to me in the past and it is a pain to rectify. Go to the thread above by Julio entitled "Is your system infected? Read this before Cleaning or Formatting."
 
Hum.. It is your computer connecting to these other computers, not vice versa.

Get an advanced network monitor tool and see which program is making these connections. Something like TCPview from Sysinternals.
 
This may be part of an autoupdate process - see if disabling these stops the access to these IP addresses.
A check on them does not show they are sinister.
 
Some things to do:
  1. (As noted by post above) Go through Autoruns and disable all update services
  2. Go through Autoruns and identify all the startups. Use a reliable reference source like Pacman's Startup Portal
  3. Analyze the network traffic to see what the connections/data are doing. If you need a network data analyzer, try Packetyzer. It's freeware and I find it offers a lot of really useful features for a freeware tool
 
And one more thing.....

You said the incoming TCP connections come in on various. Do any or all of them have a destination port number less than or equal to port 1023?

If yes, identify the destination IP address and port (0 - 1023) of the incoming TCP messages.
 
Nodsu said:
Hum.. It is your computer connecting to these other computers, not vice versa.

Get an advanced network monitor tool and see which program is making these connections. Something like TCPview from Sysinternals.

Appreciate the help...I am going to try to reply to all responses so far with one post:

Firefox or IE creates an established connection to three different ips...I also see Outlook connect to the ips as well.

All destination ip's are:

207.66.62.22
207.66.62.23
207.66.62.24

port 80

I've disabled all auto updates and still have issues.

About to try packetanalyzer and will report results next...
 
enfuego said:
Appreciate the help...I am going to try to reply to all responses so far with one post:

Firefox or IE creates an established connection to three different ips...I also see Outlook connect to the ips as well.

All destination ip's are:

207.66.62.22
207.66.62.23
207.66.62.24

port 80

I've disabled all auto updates and still have issues.

About to try packetanalyzer and will report results next...

Packetyzer has a ton of info....almost too much to sift through...suggestions?
 
Am I hearing you right that the destination IPs are all 207.66.62.xx, meaning it is your computer sending to their computer???

I ask because unexpected inbound TCP connection attempts from an ip_address:80 are a typical form of spam attack.

One method in using Packetyzer is applying display filters on the data it shows. For example, in the display filter box at the bottom of the display enter
(ip.addr == xx.xx.xx.xx) to only display packet data to or from the IP address you indicate. (Include the parens when you enter the filter)
 
As someone asked... "Did you create a hole in your firewall for the connections to be made???" Or do you not have a firewall running???!!!!

No firewall = BIG MISTAKE
 
enfuego said:
Firefox or IE creates an established connection to three different ips...I also see Outlook connect to the ips as well.
Well, what page(s) do you have open in IE or Firefox or what are you doing in Outlook?

Also, make sure that the program names are the full path to the correct Firefox or IE executables. It may as well be malware posing as your browser.
 
Nodsu said:
Well, what page(s) do you have open in IE or Firefox or what are you doing in Outlook?

Also, make sure that the program names are the full path to the correct Firefox or IE executables. It may as well be malware posing as your browser.

It's just about any/all web pages in firefox...In outlook, just connecting and checking email to pop server.

How would I check in sentence #2 (above)?
 
LookinAround said:
As someone asked... "Did you create a hole in your firewall for the connections to be made???" Or do you not have a firewall running???!!!!

No firewall = BIG MISTAKE
According to IT guy, our firewall is in our router...
 
enfuego said:
According to IT guy, our firewall is in our router...


Well, routers are certainly the first best defense for protection, and though there are arguments whether or not you should have a software firewall, I personally say better safe than sorry.

A lot of people like to layer their security: router, antivirus, firewall, and anti-spyware, or security suites like Kaspersky.

The two best firewalls out there are free: Comodo 3.0 and Online Armor's free version.
 
If the requests are originating at your computer (i.e. aren't a response to an inbound request), outbound requests to port 80 are quite common and can be legit.

To still find out more detail I’ll assume you are running TCPview. Have TCPview auto-refresh by clicking View->Update Speed and select an update interval
  • Verify the local application making the request
    Some malware will hide by using a familiar sounding name. It can even use the identical name like firefox.exe if it loads itself into a different directory than the real firefox.exe.
    • In TCPview, highlight the process and right click. Then left click to select Process Properties to see the full path of the process. Verify this is the location and filename for the real firefox, or IE or whatever name is displayed
    • If you aren’t familiar how to verify manually, you can download / use Process Explorer. Find the process and process number as shown in TCPview in the Process Explorer display. In Process Explorer, left click on the process, then right click for Properties, then hit the Verify button
  • Lookup the remote IP address
    Use an IP address tracking program to find out more about the remote IP. The 3 IPs you state are all hosted by an ISP in New Mexico, Oso Grande Technologies, Inc.

/*Edit*/
Added link for tracking program.

And where is your pop server located???
 
LookinAround said:
If the requests are originating at your computer (i.e. aren't a response to an inbound request), outbound requests to port 80 are quite common and can be legit.

To still find out more detail I’ll assume you are running TCPview. Have TCPview auto-refresh by clicking View->Update Speed and select an update interval
  • Verify the local application making the request
    Some malware will hide by using a familiar sounding name. It can even use the identical name like firefox.exe if it loads itself into a different directory than the real firefox.exe.
    • In TCPview, highlight the process and right click. Then left click to select Process Properties to see the full path of the process. Verify this is the location and filename for the real firefox, or IE or whatever name is displayed
    • If you aren’t familiar how to verify manually, you can download / use Process Explorer. Find the process and process number as shown in TCPview in the Process Explorer display. In Process Explorer, left click on the process, then right click for Properties, then hit the Verify button
  • Lookup the remote IP address
    Use an IP address tracking program to find out more about the remote IP. The 3 IPs you state are all hosted by an ISP in New Mexico, Oso Grande Technologies, Inc.

/*Edit*/
Added link for tracking program.

And where is your pop server located???

ISP in New Mexico, but it's not that one...
 
I left currport running with logs on last night and nothing open. These IP's established and closed (ports after semicolon):

207.66.62.23:80
207.66.62.23:80
199.93.58.125:80
65.55.192.61:80
199.93.58.125:80
199.93.58.125:80
199.93.58.125:80
65.55.192.61:443
4.23.63.125:80
4.23.63.125:80
65.55.192.61:80
65.55.192.61:443
198.78.223.125:80
65.55.184.61:80
198.78.223.125:80
198.78.223.125:80
65.55.184.61:443
198.78.223.125:80
65.55.184.61:80
65.55.184.61:443

svchost.exe was establishing the connections....?!
 
  • Were you running with updates turned off? 65.55.192.61 appears frequently and belongs to Microsoft
  • It would be much more helpful to give the entire log file which would indicate
    • The port used on your end. Portnumbers < 1024 (or somewhere around there) are predefined for certain usage.
    • The process name and path on your end of the connection.
    • Hostnames resolved for you (You do have that option turned on, right?)
It might be more helpful if you could provide all the data collected.
 
LookinAround said:
  • Were you running with updates turned off? 65.55.192.61 appears frequently and belongs to Microsoft
  • It would be much more helpful to give the entire log file which would indicate
    • The port used on your end. Portnumbers < 1024 (or somewhere around there) are predefined for certain usage.
    • The process name and path on your end of the connection.
    • Hostnames resolved for you (You do have that option turned on, right?)
It might be more helpful if you could provide all the data collected.
1/30/2008 1:29:25 AM Added update.exe TCP 192.168.1.151:4931 207.66.62.23:80
1/30/2008 1:29:27 AM Removed update.exe TCP 192.168.1.151:4931 207.66.62.23:80
1/30/2008 2:09:09 AM Added svchost.exe TCP 192.168.1.151:4932 199.93.58.125:80
1/30/2008 2:09:11 AM Added svchost.exe TCP 192.168.1.151:4933 65.55.192.61:80
1/30/2008 2:09:17 AM Added svchost.exe TCP 192.168.1.151:4934 199.93.58.125:80
1/30/2008 2:09:17 AM Removed svchost.exe TCP 192.168.1.151:4932 199.93.58.125:80
1/30/2008 2:09:39 AM Removed svchost.exe TCP 192.168.1.151:4934 199.93.58.125:80
1/30/2008 2:09:47 AM Added svchost.exe TCP 192.168.1.151:4935 65.55.192.61:443
1/30/2008 2:09:55 AM Added svchost.exe TCP 192.168.1.151:4936 4.23.63.125:80
1/30/2008 2:10:09 AM Removed svchost.exe TCP 192.168.1.151:4936 4.23.63.125:80
1/30/2008 2:10:18 AM Removed svchost.exe TCP 192.168.1.151:4933 65.55.192.61:80
1/30/2008 2:11:06 AM Removed svchost.exe TCP 192.168.1.151:4935 65.55.192.61:443
1/30/2008 6:43:32 AM Added svchost.exe TCP 192.168.1.151:4937 198.78.223.125:80
1/30/2008 6:43:34 AM Added svchost.exe TCP 192.168.1.151:4938 65.55.184.61:80
1/30/2008 6:44:02 AM Removed svchost.exe TCP 192.168.1.151:4937 198.78.223.125:80
1/30/2008 6:44:04 AM Added svchost.exe TCP 192.168.1.151:4940 198.78.223.125:80
1/30/2008 6:44:04 AM Added svchost.exe TCP 192.168.1.151:4939 65.55.184.61:443
1/30/2008 6:44:32 AM Removed svchost.exe TCP 192.168.1.151:4940 198.78.223.125:80
1/30/2008 6:44:48 AM Removed svchost.exe TCP 192.168.1.151:4938 65.55.184.61:80
1/30/2008 6:45:12 AM Removed svchost.exe TCP 192.168.1.151:4939 65.55.184.61:443
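The log above is exactly the kind of data the earlier reply asked for (local port, process name, remote endpoint). As an added example, not code from the thread or from CurrPorts, the following parser pairs each Added/Removed event into a session, summarises remote endpoints per process, and flags any process name not on an assumed allowlist, so an unfamiliar executable such as the update.exe entry stands out immediately. The sample lines are constructed in the CurrPorts log format shown above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the CurrPorts log layout seen in the thread:
# "<date> <time> Added|Removed <process> <proto> <local ip:port> <remote ip:port>"
SAMPLE_LOG = """\
1/30/2008 1:29:25 AM Added update.exe TCP 192.168.1.151:4931 207.66.62.23:80
1/30/2008 1:29:27 AM Removed update.exe TCP 192.168.1.151:4931 207.66.62.23:80
1/30/2008 2:09:09 AM Added svchost.exe TCP 192.168.1.151:4932 199.93.58.125:80
1/30/2008 2:09:11 AM Added svchost.exe TCP 192.168.1.151:4933 65.55.192.61:80
1/30/2008 2:09:17 AM Removed svchost.exe TCP 192.168.1.151:4932 199.93.58.125:80
1/30/2008 2:09:47 AM Added svchost.exe TCP 192.168.1.151:4935 65.55.192.61:443
1/30/2008 2:10:18 AM Removed svchost.exe TCP 192.168.1.151:4933 65.55.192.61:80
1/30/2008 2:11:06 AM Removed svchost.exe TCP 192.168.1.151:4935 65.55.192.61:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d{4} \d+:\d+:\d+ [AP]M) (?P<event>Added|Removed) "
    r"(?P<proc>\S+) (?P<proto>TCP|UDP) (?P<lip>[\d.]+):(?P<lport>\d+) "
    r"(?P<rip>[\d.]+):(?P<rport>\d+)$"
)


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %I:%M:%S %p")
            yield rec


def summarize(text, expected_procs=("svchost.exe",)):
    """Pair Added/Removed events into sessions and summarise per process.

    expected_procs is an assumed allowlist of process names the analyst
    recognises; anything else is flagged as "unexpected" for manual review.
    Returns {process: {"remotes": {ip:port: count}, "max_secs": float, "unexpected": bool}}.
    """
    open_sessions = {}  # (proc, local port, remote ip, remote port) -> start time
    summary = defaultdict(lambda: {"remotes": defaultdict(int), "max_secs": 0.0})
    for ev in parse_log(text):
        key = (ev["proc"], ev["lport"], ev["rip"], ev["rport"])
        entry = summary[ev["proc"]]
        if ev["event"] == "Added":
            open_sessions[key] = ev["ts"]
            entry["remotes"][f"{ev['rip']}:{ev['rport']}"] += 1
        elif key in open_sessions:  # Removed: close the matching session
            secs = (ev["ts"] - open_sessions.pop(key)).total_seconds()
            entry["max_secs"] = max(entry["max_secs"], secs)
    for proc, entry in summary.items():
        entry["unexpected"] = proc not in expected_procs
        entry["remotes"] = dict(entry["remotes"])
    return dict(summary)
```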
 
Well, something called "update.exe" simply screams "MALWARE!" You should really take a look at the preliminary detection and removal guide.

The connections by svchost seem to be legit.. At least they don't point to some home users.
 
  • The 3 IPs you originally listed 207.66.62.22, 207.66.62.23, 207.66.62.24 belong to Akamai Technologies based in Cambridge, MA.
  • Akamai Technologies IP range (these fall into) 207.66.62.16 - 207.66.62.31 which are all hosted by ISP Oso Grande Technologies, Inc.
Look at Akamai's website. Ask IT if you use any of their products or they know of them. For that matter, why don't you run your problem by them? And if they're the ones maintaining the firewall seems it should be their problem as well.
 
The MS WGA 'calls home 1/24 hours' and
whois -H 65.55.192.61 shows
OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US
svchost.exe performs several services for MS systems:
svchost.exe -k NetworkService
svchost.exe -k LocalService
svchost.exe -k imgsvc
svchost.exe -k DcomLaunch
svchost.exe -k NetworkService
svchost.exe -k rpcss

the WGA runs as soon as the Internet is accessible after boot
 
Now I have a new IP popping up as persistently establishing...(along with the others above): 12.129.210.46
 