Closed

to gomerpile

Hey gomer
You seem to have a pretty good grasp on this.
I need to know about this address 64.212.198.43:80
I know it isn't formatted correctly but as soon as I boot and turn on TCPView I get this address.
I have seen your posts about Wireshark etc. and I think you have seen mine about uninitiated internet traffic.
My trouble is that I know nothing about networks and troubleshooting, and this is over my head.
I'm pretty sure I am being hijacked in some way.
Possibly my DNS is being rerouted.
I'm not being redirected though, just listening apparently.
I know I am having trouble and need your help in terms that I can understand, as in step by step.
I don't really want to give my address but PM me and I will give you any of that trapped info that you could need, although it is very limited.
  1. FWIW, that IP address belongs to Global Crossing in Phoenix, AZ. The :80 at the end is the http port number.

    Grumpy
  2. Thanks for the FAST response Grumpy
    Any ideas why it would be the first one that I come across?
    e.g.: Boot up (ISP automatic start), TCPView, then this?
  3. Ok, after a quick search once I knew who (thanks Grumpy) I found this
    http://en.wikipedia.org/wiki/Global_Crossing
    Can't be good.
    Now how did it get there (here) and how do I make it go away?
    Is it a concern?
  4. Sorry, but you'll have to explain with a little more detail about what the problem is. Is tcpview a Winternals program?

    Grumpy
  5. Yes Grumpy, it is a Sysinternals prog.

    TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the owning process name, remote address and state of TCP connections. TCPView provides a conveniently presented subset of the Netstat program that ships with Windows NT/2000/XP.

    It's a handy small prog that tracks all of my connections.
    As I stated before I have next to no network knowledge, but I know that upon booting my cable connection auto starts and I start TCPView.
    Internet Explorer is still off.
    Now at this point I should only see my cable company as I establish my connection, and possibly ZoneAlarm as I have the suite with A/V and anti-spyware included.
    To the best of my knowledge I have no progs set to auto update.

    The trouble is I see other addresses from time to time.
    The one mentioned above, and this morning I also found this: 69.8.217.90:80
    With my limited knowledge I know port 80 scans are common but not good.
    On my last boot ZA stopped 13 hits in 12 minutes but neither of those addresses were among them. So they are getting through.
    Somewhere inside my system it would seem I have a beacon calling out.
    As you may have seen in other posts I sometimes get tons of uninitiated traffic and I need to find out why.

    Peer Guardian helps when I remember to turn it on, but not always, and it is a bit cumbersome to have on all the time.

    Well, it's Saturday morn and the temp is 15 so I guess my mission is clear.
    If anyone can offer some help it looks like I'll be here for a while.
  6. What program is associated with 69.8.217.90:80? If your computer is connected directly to your cable modem, I would strongly suggest you use a router with a firewall even if you don't need additional Internet connections.

    Grumpy
  7. I'm not sure what program. That is what I'm trying to figure out how to do now. I have done a whois search that I'll post at the bottom but I'm having trouble figuring out which program is originating the call.

    I have also found that a company called Beyond the Network was doing a port by port scan trying to find an opening, as reported by Peer Guardian.

    I'm going to shut down for a bit to hook up my other monitor as I have too many windows open to keep track.

    Here is the whois
    69.8.217.90
    Record Type: IP Address
    Qwest Communications Corporation QWEST-INET-13 (NET-69-8-192-0-1)
    69.8.192.0 - 69.8.255.255
    Akamai Technologies, Inc QWEST-CEC-AKAMAI (NET-69-8-217-64-1)
    69.8.217.64 - 69.8.217.127


    [System Process]:0 TCP 72.240.235.183:1039 205.177.95.102:80 TIME_WAIT
    205.177.95.102
    Record Type: IP Address


    OrgName: Beyond The Network America, Inc.
    OrgID: BNA-42
    Address: 450 Springpark PL
    Address: Suite 100
    City: Herdon
    StateProv: VA
    PostalCode: 20170
    Country: US

    NetRange: 205.177.0.0 - 205.177.255.255
    CIDR: 205.177.0.0/16
    NetName: BTN-CIDR1
    NetHandle: NET-205-177-0-0-1
    Parent: NET-205-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS.CAIS.COM
    NameServer: NS2.CAIS.COM
    Comment: Rwhois information on assignments from this block available from
    Comment: rwhois.cais.net 4321
    RegDate: 1995-03-20
    Updated: 2004-11-12

    OrgAbuseHandle: PAD13-ARIN
    OrgAbuseName: PCCW AUP Department
    OrgAbusePhone: +1-703-621-1637
    OrgAbuseEmail: probinson@pccwglobal.com
  8. Sorry, just seen this. I see; download this for now
    http://www.abelhadigital.com/
    HostsMan. Create hosts file once you have it set up, which is easy, follow the steps.
    Now edit the hosts file and add the IP in there; that IP will no longer be a problem. Just do a MVP hosts for now, not the others.
    Quick fix: block port 333 and 500. Port 333 is the one I found to be an unknown for that IP; also it uses an ISAKMP key, port 500, which is a security probe and can remove security from one's computer.

    Also do a flush of DNS tracking cookie.
  9. contact the reporting service
  10. Ok, I'm back up. It took me a couple of beers and a little time to get the dual monitors set up.
    Had to clean up the room a bit, don't ya know.
    I downloaded the prog and I'm gonna check it out.
    Edit
    Well, I tried to run it and got the message that it wants me to disable the DNS cache client svcs. I said ok.
    Then it tells me another prog is using the hosts file. I assume it is ZoneAlarm but I'm not sure.
    Also ipconfig /displaydns returns

    Windows IP Configuration
    Could not display the DNS Resolver Cache

    I'm adding to this post by editing, not new posts, so don't think my thoughts are random.
    I found that my DNS is obtained from my ISP.
    Is this good or bad?
    So it would seem it is something on my system initiating this. Or so I think.
  11. Yes, most likely you have a tracking cookie. DNS: you have to go into your services.msc and disable DNS Client, which should be disabled. The hosts file is found in C:\WINDOWS\system32\drivers\etc; this file remains in your system and is set up with the installation of Windows (Win98: you have to make that file).
    You can edit that hosts file any way you like with a right click on the file.
    You can add the entry of the IP using the following format in the hosts file, or accept the IP by eliminating the server IP. I suspect you are sending information caused by a JS entry in a system32 file, I don't know.
  12. Ok, here is what I found:
    DNS Client disabled
    DHCP Client started auto

    Going to the etc directory and opening hosts in WordPad I just get a sample hosts file, probably due to my ISP currently controlling my DNS.
    I'm a bit lost concerning this part of your post:

    You can edit that hosts file any way you like with a right click on the file.
    You can add the entry of the IP using the following format in the hosts file, or accept the IP by eliminating the server IP. I suspect you are sending information caused by a JS entry in a system32 file, I don't know.
  13. Ok Gomer
    I found something I didn't see before.
    In the hosts file after all of the #comments there is a line
    127.0.01 Local host
    When I open hosts in Notepad and try to edit it then save, it wants to save as hosts.txt and the original remains unchanged.
  14. Ok, I successfully edited the hosts file.
    Currently it only shows #comments as the ISP is currently controlling DNS.
    ZoneAlarm and Peer Guardian have both slowed down A LOT.
    Still getting some traffic but mostly from the naming site 10.28.0.1 and a place called SonicWall and Clear Blue Technologies.
    At least now I have a chance to block sites as they were coming in too fast before.

    You might be right about it possibly being a JS somewhere. I guess my next step will have to be to delete some of those scripts once I figure out how.
    Thanks, so far this has been a terrific help.
    I wish SP3 would hurry up so I can reload.
  15. Your edit popped just as I finished mine.
    I only understand a small amount of the screenshot but I see what you mean. I wonder who or what is behind it.
    I did find this 64.212.198.43:80 as a cookie name yesterday and deleted it, FWIW.

    Well, the trouble isn't gone yet. I just did a netstat -a -n -o and found three instances of 127.0.0.1 on ports 123, 1047, 1900.
    123 comes from svchost and one odd entry I find is
    Distributed Link Tracking Client e:\windows\system32\trkwks.dll
    Not sure if that's normal or not. I'm guessing not.
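The question running through posts 7 and 15 is which process owns a given connection, and the netstat -a -n -o output is where that answer lives. As an added example (not code from the thread, and not part of TCPView, Sysinternals or Windows), this Python script parses the netstat -a -n -o layout, groups every connection to an external address by the PID that owns it, and lists which ports are bound to loopback only. The netstat text is constructed for the example, reusing addresses already quoted in this thread; the PIDs and ports are sample values, not a capture from anyone's machine.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample of `netstat -a -n -o` output in the Windows XP layout
# (Proto, Local Address, Foreign Address, State, PID; UDP rows have no State).
# Addresses are ones already quoted in the thread; PIDs and ports are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       836
  TCP    127.0.0.1:1047         0.0.0.0:0              LISTENING       1344
  TCP    72.240.235.183:1039    205.177.95.102:80      TIME_WAIT       0
  TCP    72.240.235.183:1052    64.212.198.43:80       ESTABLISHED     992
  UDP    0.0.0.0:500            *:*                                    536
  UDP    127.0.0.1:123          *:*                                    836
  UDP    127.0.0.1:1900         *:*                                    920
"""

# One data row: protocol, local endpoint, foreign endpoint, optional state, PID.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def split_endpoint(endpoint):
    """'host:port' -> (host, port); port is None for the '*' UDP wildcard."""
    host, _, port = endpoint.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_netstat(text):
    """Parse netstat -a -n -o output into a list of row dicts (headers are skipped)."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # 'Active Connections', column header and blank lines
        proto, local, foreign, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({
            "proto": proto, "local_host": lhost, "local_port": lport,
            "foreign_host": fhost, "foreign_port": fport,
            "state": state, "pid": int(pid),
        })
    return rows


def is_external(host):
    """True for a routable address outside private, loopback, link-local and multicast ranges."""
    try:
        ip = ip_address(host)
    except ValueError:  # '*' wildcard, or a hostname when -n was not given
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_unspecified)


def external_peers_by_pid(rows):
    """Map each owning PID to the external (host, port, state) peers it is talking to."""
    peers = defaultdict(list)
    for r in rows:
        if is_external(r["foreign_host"]):
            peers[r["pid"]].append((r["foreign_host"], r["foreign_port"], r["state"]))
    return dict(peers)


def loopback_only_ports(rows):
    """Ports bound to 127.0.0.1: reachable from this machine only, not from the network."""
    return sorted(r["local_port"] for r in rows if r["local_host"] == "127.0.0.1")


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for pid, peers in sorted(external_peers_by_pid(rows).items()):
        owner = "PID 0 (socket already closed, owner not attributable)" if pid == 0 else f"PID {pid}"
        for host, port, state in peers:
            print(f"{owner}: {host}:{port} {state}")
    print("loopback-only ports:", loopback_only_ports(rows))
```

A row in TIME_WAIT with PID 0 (the `[System Process]:0` line quoted earlier in the thread) is a connection whose owning process has already closed it, so netstat can no longer say who made it; catching the endpoint while it is still ESTABLISHED, or running the check in a loop, is what yields a PID that can be looked up in Task Manager. Sockets bound to 127.0.0.1 only accept connections from the same machine, which is why the loopback entries on 123, 1047 and 1900 are not reachable from outside.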
  16. If you need to use something with auto update or something of that nature you will need to disable the hosts file; that's easy with HostsMan. If not using HostsMan, simply change the name of the hosts file and do your update, then change the name back once done.
  17. pat mcgroin said:
    Your edit popped just as I finished mine.
    I only understand a small amount of the screenshot but I see what you mean. I wonder who or what is behind it.
    I did find this 64.212.198.43:80 as a cookie name yesterday and deleted it, FWIW.
    Ok, that's it. What is the name of that cookie please? I need the entire name. The other end of this IP is starting to know I'm investigating so I assume they are a little worried by now.
  18. That's ok, nothing wrong there; your hosts is working. As long as you see that 127.0.0.1 your computer is being protected; if that was not there you'd want to do more. Protected means no information goes to their IP.
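Posts 11, 13, 14 and 18 all turn on what the hosts file contains: the 127.0.0.1 localhost line, blocklist-style entries that send a name to loopback, and the original worry that a name could be pointed somewhere else. As an added example that is not from the thread, from HostsMan or from Windows, this Python script parses a Windows-style hosts file, checks that the localhost line is present, flags addresses that do not parse (such as the `127.0.01` transcribed above) and flags any name mapped to an address that is not the local machine, which is the redirect pattern the poster was worried about. The hosts file content is constructed for the example using reserved .test names and a documentation address.

```python
from ipaddress import ip_address

# Constructed sample in Windows hosts-file format (comments start with '#',
# entries are 'address hostname [aliases...]'). Not the poster's file: names use
# the reserved .test TLD and 203.0.113.0/24 is a documentation address range.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       ad.tracker.test           # blocklist-style entry: tracker sent to loopback
0.0.0.0         telemetry.vendor.test     # same effect using the unspecified address
127.0.01        typo.example.test         # malformed address, as transcribed in the thread
203.0.113.7     www.bank.test             # redirect pattern: a real name sent elsewhere
"""


def parse_hosts(text):
    """Return one dict per active entry: line number, address string, hostnames."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split()
        entries.append({"line": lineno, "address": parts[0], "names": parts[1:]})
    return entries


def is_sinkhole(address):
    """True when the address means the local machine itself (loopback or 0.0.0.0 / ::).

    Raises ValueError for strings that are not valid IP addresses.
    """
    ip = ip_address(address)
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text):
    """Return (line, kind, detail) findings.

    kind is 'missing' when the localhost line is absent, 'malformed' when an
    address does not parse, or 'redirect' when a name is mapped to something
    other than the local machine (the pattern that sends a site's traffic elsewhere).
    """
    entries = parse_hosts(text)
    findings = []
    if not any(e["address"] == "127.0.0.1" and "localhost" in e["names"] for e in entries):
        findings.append((0, "missing", "127.0.0.1 localhost"))
    for e in entries:
        try:
            sinkhole = is_sinkhole(e["address"])
        except ValueError:
            findings.append((e["line"], "malformed", e["address"]))
            continue
        if not sinkhole:
            for name in e["names"]:
                findings.append((e["line"], "redirect", f"{name} -> {e['address']}"))
    return findings


if __name__ == "__main__":
    for line, kind, detail in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line}: {kind}: {detail}")
```

The 'redirect' findings are the ones worth reading closely: a blocklist only ever points names at 127.0.0.1 or 0.0.0.0, so any other destination means requests for that name are sent to a specific host instead of being resolved through DNS. The script only reads the file; on XP the DNS Client service also caches hosts entries, which is why HostsMan asks to stop that service before it edits the file.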
  19. Web Side Story 64.154.81.197
    Clear Blue Technologies 207.211.21.19
    Peak Web Hosting (bt fakes) 204.11.221.45
    are all three currently doing port scans right now.
    The first 2 are the most persistent.

    As for 64.212.198.43:80, I didn't read the cookie, just deleted it.

    As for 127.0.0.1 on the 3 ports, they all had a PID along with 7 instances of no PID.
  20. I see you're getting the hang of this now. The better you get, the less chance you'll be damaged by unknown BS like you're getting, and to me you're on your next step to being a rookie hacker, or should I say get-even payback time like me.
  21. Sure getting some on-the-fly learning though. Makes me a bit nervous.
  22. Now for the next step: what do I have that is making me a target?
  23. Not actually sure. Have you looked in your objects to see if there is an active object of unknown?
  24. Trying to do that now, having trouble remembering how. The brain is kinda full.
  25. Right click on IE, Properties, Settings, then View Objects. Got to go, be checking. I wish I had that cookie, I'd be able to do a lot more.
  26. It's not letting me have it.
    Well, maybe I have that cookie in the recycle bin. I'll check and post back. Thanks for the help so far.
    I'll shut a bunch of stuff down and deal with those 2 issues.
    Thank God for dual monitors.
  27. Ok, I'm back up.
    I blocked the sites in ZA. They already were in Peer Guardian.
    That's how I found them in the first place.
    No luck with the cookie. I've been in safe mode for a while as some of the things deleted were from there, plus I didn't want to reinfect.

    I also looked into the objects and didn't find anything unusual there.

    Still have the port scans going on though but Peer Guardian is stopping them.
    Maybe they'll give up some day.
  28. gomerpile said:

    Quick fix: block port 333 and 500. Port 333 is the one I found to be an unknown for that IP; also it uses an ISAKMP key, port 500, which is a security probe and can remove security from one's computer.

    Reading back through the posts I saw the above, and in TCPView I found an entry for isakmp.
    Not sure if it matters but here is my current state.

    IEXPLORE.EXE:992 UDP msixp:1044 *:*
    LSASS.EXE:536 UDP msixp:isakmp *:*
    LSASS.EXE:536 UDP msixp:4500 *:*
    svchost.exe:836 UDP msixp:ntp *:*
    svchost.exe:836 UDP msixp..:ntp *:*
    svchost.exe:920 UDP msixp..:1900 *:*
    svchost.exe:920 UDP msixp:1900 *:*
    System:4 TCP msixp..:netbios-ssn msixp:0 LISTENING
    System:4 TCP msixp:microsoft-ds msixp:0 LISTENING
    System:4 UDP msixp..:netbios-ns *:*
    System:4 UDP msixp..:netbios-dgm *:*
    System:4 UDP msixp:microsoft-ds *:*
    vsmon.exe:952 TCP msixp:1025 msixp:0 LISTENING
  29. Thanks Grumpy
    I do have encryption to get to the bank.

    As far as the port scans go, it turns out I was reading it wrong.
    I am the one generating.
    Every time I click on something on the net, something is trying to phone home to the following:
    Web Side Story 64.154.81.197
    Clear Blue Technologies 207.211.21.19
    SonicWall 204.212.170.210
    Beyond The Network 205.177.95.87
    They are all blocked so it doesn't matter right now.
    I'll figure it out later.
    I'm gonna go have a beer or 5 and empty my head.
    Thanks for all of the help and I'll check back later.
  30. No, you're ok there. isakmp is a security key used by IPsec services to verify keys in packets with your security policies/keys.
    You do need to be careful with these keys; that's the risk we take on the net. If you see isakmp running as a service, that's one indication that something changed.
  31. Ok, thanks. I'm done for the day.
    I won't be back till about 4:30 tomorrow afternoon.
  32. Hey gomer, quick question: who is this?
    It has a pretty large range of addresses and it turns up as soon as I connect. Any thoughts on what I may have that could need this? At the very bottom is a link that I found that doesn't sound real promising.
    66.35.250.99
    Record Type: IP Address
    Savvis SAVVIS (NET-66-35-192-0-1)
    66.35.192.0 - 66.35.255.255
    VA Software SAVV-S234813-4 (NET-66-35-250-0-1)
    66.35.250.0 - 66.35.250.255

    http://en.wikipedia.org/wiki/SAVVIS
    As it turns out this is allowed through my firewall so far
  33. I tracked this down to this application from Netgear for remote access of ReadyNAS devices. It uses Juniper Networks technology I think. I still don't know if it's malicious for sure, but I suspect not.

    ReadyNAS Remote (which self lists the following components)
    Version 1.6.2.0

    DataModelBase.dll 1.0.0.1
    gacutil.exe 1.1.4318.0
    Interop.EventSystemLib.dll 1.0.0.0
    Interop.NetFwTypeLib.dll 1.0.0.0
    Interop.SensEvents.dll 2.0.0.0
    LeafExplorer.dll 1.0.0.0
    LeafShareContainer.dll 1.0.0.0
    LeafThreadPool.dll 1.0.0.0
    Libnet.dll unknown
    llmodel.dll 1.0.0.1
    llprotocolhandler.dll 1.0.0.0
    llremrunner.exe 1.0.0.0
    llservice.dll 1.0.0.0
    llutils.dll 1.0.0.0
    lnadptrcnfg.dll 1.0.0.122
    lnadptrcnfgx64.dll 1.0.0.122
    lncomservice.dll 1.0.0.1
    lninitadapter.dll 1.0.0.122
    lnmodel.dll 1.0.0.123
    lnp2p.dll 1.0.0.128
    lnp2padapter.dll 1.0.0.128
    lnp2pclient.dll 1.0.1.128
    lnp2penc.dll 1.0.0.128
    lnp2pfilter.dll 1.0.0.128
    lnp2pnative.dll 1.0.0.128
    lnp2pnotification.dll 1.0.1.128
    lnpluginmngr.dll 1.0.0.1
    lnprotocolhandler.dll 1.0.0.1
    lnregasm.dll 1.0.0.0
    lnregasm.exe 1.0.0.1
    lnresources.dll 1.0.0.1
    lnscrunner.exe 1.0.0.1
    lnshplbr.dll 1.0.0.1
    lnshrcontainer.dll 1.0.0.1
    lnshrmngr.dll 1.0.0.124
    lnSidLibrary.dll 1.0.0.1
    lnThreadPool.dll 1.0.0.1
    lnutils.dll 1.0.0.128
    msvcr71.dll 7.10.3052.4
    packet.dll 4.0.2.1123.Pro
    PacketRoutingPlugin.dll 1.0.0.122
    PluginManager.dll 1.0.0.0
    pthreadVC.dll unknown
    ReadyNASRemote.exe 1.0.0.1
    setp2padapterip.exe unknown
    ShapeLibrary.dll 1.0.0.0
    ShareManager.dll 1.0.0.0
    svcutil.dll unknown
    wpcap.dll 4.0.2.1123.Pro
  34. This topic has been closed by Mousemonkey