to gomerpile

Last response: in Windows XP
January 18, 2008 11:12:34 PM

Hey gomer
You seem to have a pretty good grasp on this.
I need to know about this address 64.212.198.43:80
I know it isn't formatted correctly, but as soon as I boot and turn on TCPView I get this address.
I have seen your posts about Wireshark etc. and I think you have seen mine about uninitiated internet traffic.
My trouble is that I know nothing about networks and troubleshooting, and this is over my head.
I'm pretty sure I am being hijacked in some way.
Possibly my DNS is being rerouted.
I'm not being redirected though, just listening apparently.
I know I am having trouble and need your help in terms that I can understand, as in step by step.
I don't really want to give my address, but PM me and I will give you any of that trapped info that you could need, although it is very limited.

Anonymous
January 18, 2008 11:27:49 PM

FWIW, that IP address belongs to Global Crossing in Phoenix, AZ. The :80 at the end is the http port number.

Grumpy
January 18, 2008 11:38:30 PM

Thanks for the FAST response, Grumpy.
Any ideas why it would be the first one that I come across?
E.g.: boot up (ISP automatic start), TCPView, then this?
Anonymous
January 19, 2008 12:14:24 AM

Sorry, but you'll have to explain with a little more detail about what the problem is. Is tcpview a Winternals program?

Grumpy
January 19, 2008 11:54:59 AM

Yes Grumpy, it is a Sysinternals prog.

TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the owning process name, remote address and state of TCP connections. TCPView provides a conveniently presented subset of the Netstat program that ships with Windows NT/2000/XP

It's a handy small prog that tracks all of my connections.
As I stated before I have next to no network knowledge, but I know that upon booting my cable connection auto starts and I start TCPView.
Internet Explorer is still off.
Now at this point I should only see my cable company as I establish my connection, and possibly ZoneAlarm as I have the suite with A/V and anti-spyware included.
To the best of my knowledge I have no progs set to auto update.

The trouble is I see other addresses from time to time.
The one mentioned above, and this morning I also found this: 69.8.217.90:80
With my limited knowledge I know port 80 scans are common but not good.
On my last boot ZA stopped 13 hits in 12 minutes, but neither of those addresses were among them. So they are getting through.
Somewhere inside my system it would seem I have a beacon calling out.
As you may have seen in other posts I sometimes get tons of uninitiated traffic and I need to find out why.

PeerGuardian helps when I remember to turn it on, but not always, and it is a bit cumbersome to have on all the time.

Well its Saturday morn and the temp is 15 so I guess my mission is clear.
If anyone can offer some help it looks like I'll be here for a while.
Anonymous
January 19, 2008 1:08:08 PM

What program is associated with 69.8.217.90:80? If your computer is connected directly to your cable modem, I would strongly suggest you use a router with a firewall even if you don't need additional Internet connections.

Grumpy
January 19, 2008 2:35:40 PM

I'm not sure what program. That is what I'm trying to figure out how to do now. I have done a whois search that I'll post at the bottom, but I'm having trouble figuring out which program is originating the call.

I have also found that a company called Beyond the Network was doing a port by port scan trying to find an opening, as reported by PeerGuardian.

I'm going to shut down for a bit to hook up my other monitor, as I have too many windows open to keep track.

Here is the whois:
69.8.217.90
Record Type: IP Address
Qwest Communications Corporation QWEST-INET-13 (NET-69-8-192-0-1)
69.8.192.0 - 69.8.255.255
Akamai Technologies, Inc QWEST-CEC-AKAMAI (NET-69-8-217-64-1)
69.8.217.64 - 69.8.217.127


[System Process]:0 TCP 72.240.235.183:1039 205.177.95.102:80 TIME_WAIT
205.177.95.102
Record Type: IP Address


OrgName: Beyond The Network America, Inc.
OrgID: BNA-42
Address: 450 Springpark PL
Address: Suite 100
City: Herdon
StateProv: VA
PostalCode: 20170
Country: US

NetRange: 205.177.0.0 - 205.177.255.255
CIDR: 205.177.0.0/16
NetName: BTN-CIDR1
NetHandle: NET-205-177-0-0-1
Parent: NET-205-0-0-0-0
NetType: Direct Allocation
NameServer: NS.CAIS.COM
NameServer: NS2.CAIS.COM
Comment: Rwhois information on assignments from this block available from
Comment: rwhois.cais.net 4321
RegDate: 1995-03-20
Updated: 2004-11-12

OrgAbuseHandle: PAD13-ARIN
OrgAbuseName: PCCW AUP Department
OrgAbusePhone: +1-703-621-1637
OrgAbuseEmail: probinson@pccwglobal.com
January 19, 2008 5:02:17 PM

Sorry, just seen this. I see. Download this for now:
http://www.abelhadigital.com/
HostsMan. Create the hosts file once you have it set up, which is easy; follow the steps.
Now edit the hosts file and add the IP in there; that IP will no longer be a problem. Just do the MVP hosts for now, not the others.
Quick fix: block ports 333 and 500. Port 333 is the one I found to be an unknown for that IP; it also uses an ISAKMP key, port 500, which is a security probe and can remove security from one's computer.

Also do a flush of the DNS tracking cookie.
January 19, 2008 5:30:32 PM

contact the reporting service
January 19, 2008 6:15:09 PM

OK, I'm back up. It took me a couple of beers and a little time to get the dual monitors set up.
Had to clean up the room a bit, don't ya know.
I downloaded the prog and I'm gonna check it out.
Edit:
Well, I tried to run it and get the message that it wants me to disable the DNS cache client services. I said OK.
Then it tells me another prog is using the hosts file. I assume it is ZoneAlarm but I'm not sure.
Also ipconfig /displaydns returns

Windows IP Configuration
Could not display the DNS Resolver Cache

I'm adding to this post by editing, not new posts, so don't think my thoughts are random.
I found that my DNS is obtained from my ISP.
Is this good or bad?
So it would seem it is something on my system initiating this. Or so I think.
January 19, 2008 7:18:49 PM

Yes, most likely you have a tracking cookie. DNS: you have to go into your services.msc and disable DNS Client, which should be disabled. The hosts file is found in C:\WINDOWS\system32\drivers\etc; this file remains in your system and is set up with the installation of Windows/Win98; you have to make that file.
You can edit that hosts file any way you like with a right click on the file.
You can add the entry of the IP using the following format in the hosts file, or accept the IP by eliminating the server IP. I suspect you are sending information caused by a JS entry in the system32 file, I don't know.
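A small checker for the hosts file procedure in the post above, added here as an example; it is my code, not the HostsMan tool and not anything posted in this thread. It parses a hosts file, flags malformed addresses and lines that carry an address but no hostname, and appends 127.0.0.1 entries for names you want sinkholed. The hosts path is the one given in the thread and is assumed; the sample file contents are constructed. One caveat the code encodes: the resolver consults this file only when it looks up a name, so a line that is just an IP address with no hostname after it blocks nothing, and connections to a raw IP have to be stopped in the firewall instead.

```python
"""Lint and extend a Windows hosts file for the blocking procedure in the thread.

Added example; not the HostsMan tool and not code from any of the posts.
Assumed: the hosts file lives at C:\\WINDOWS\\system32\\drivers\\etc\\hosts
(the path given in the thread). SAMPLE_HOSTS is constructed, not a copy of
the poster's file.
"""
import ipaddress
import sys

HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"   # assumed location
SINKHOLE = "127.0.0.1"

# Constructed sample: the default XP comments, a correct localhost line, a
# mistyped line like the one the poster reported, and a bare IP with no name.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.01        Local host
64.212.198.43
"""


def parse_hosts(text):
    """Return (lineno, address, [names]) for every non-comment line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        if not line:
            continue
        fields = line.split()
        entries.append((lineno, fields[0], fields[1:]))
    return entries


def lint_hosts(text):
    """Return (lineno, problem) pairs. Line 0 means 'the file as a whole'."""
    problems = []
    has_localhost = False
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            problems.append((lineno, f"malformed address {addr!r}"))
            continue
        if not names:
            # The resolver only consults this file for *names*; a line that is
            # just an address is never matched and therefore blocks nothing.
            problems.append((lineno, f"bare address {addr} with no hostname; it blocks nothing"))
            continue
        if ip.is_loopback and "localhost" in names:
            has_localhost = True
    if not has_localhost:
        problems.append((0, "no '127.0.0.1 localhost' entry"))
    return problems


def add_sinkhole(text, names, sinkhole=SINKHOLE):
    """Append '<sinkhole> <name>' for each name not already mapped (idempotent)."""
    mapped = {n.lower() for _, _, ns in parse_hosts(text) for n in ns}
    new_lines = [f"{sinkhole:<15} {n}" for n in names if n.lower() not in mapped]
    if not new_lines:
        return text
    if text and not text.endswith("\n"):
        text += "\n"
    return text + "\n".join(new_lines) + "\n"


if __name__ == "__main__":
    # Usage: python hosts_check.py [path-to-hosts]
    path = sys.argv[1] if len(sys.argv) > 1 else HOSTS_PATH
    with open(path, encoding="ascii", errors="replace") as fh:
        current = fh.read()
    for lineno, problem in lint_hosts(current):
        print(f"line {lineno}: {problem}")
```

After editing the file, run `ipconfig /flushdns` so answers already cached are discarded. If Notepad insists on saving as hosts.txt, pick "All Files" as the save type or put the name in quotes.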
January 19, 2008 7:39:42 PM

OK, here is what I found:
DNS Client disabled
DHCP Client started auto

Going to the etc directory and opening hosts in WordPad I just get a sample hosts file, probably due to my ISP currently controlling my DNS.
I'm a bit lost concerning this part of your post:

You can edit that hosts file any way you like with a right click on the file.
You can add the entry of the IP using the following format in the hosts file, or accept the IP by eliminating the server IP. I suspect you are sending information caused by a JS entry in the system32 file, I don't know.
January 20, 2008 8:10:15 AM

OK Gomer,
I found something I didn't see before.
In the hosts file after all of the #comments there is a line:
127.0.01 Local host
When I open hosts in Notepad and try to edit it then save it, it wants to save as hosts.txt and the original remains unchanged.

January 20, 2008 10:10:31 AM

OK, I successfully edited the hosts file.
Currently it only shows #comments as the ISP is currently controlling DNS.
ZoneAlarm and PeerGuardian have both slowed down A LOT.
Still getting some traffic, but mostly from the naming site 10.28.0.1 and a place called SonicWall and Clear Blue Technologies.
At least now I have a chance to block sites, as they were coming in too fast before.

You might be right about it possibly being a JS somewhere. I guess my next step will have to be to delete some of those scripts once I figure out how.
Thanks, so far this has been a terrific help.
I wish SP3 would hurry up so I can reload.
January 20, 2008 10:16:54 AM

Your edit popped just as I finished mine.
I only understand a small amount of the screenshot, but I see what you mean. I wonder who or what is behind it.
I did find this 64.212.198.43:80 as a cookie name yesterday and deleted it, FWIW.

Well, the trouble isn't gone yet. I just did a netstat -a -n -o and found three instances of 127.0.0.1 on ports 123, 1047, 1900.
123 comes from svchost, and one odd entry I find is
Distributed Link Tracking Client e:\windows\system32\trkwks.dll
Not sure if that's normal or not. I'm guessing not.
January 20, 2008 10:20:39 AM

If you need to use something with auto update or something of that nature, you will need to disable the hosts file. That's easy with HostsMan; if not using HostsMan, simply change the name of the hosts file and do your update, then change the name back once done.
January 20, 2008 10:23:03 AM

pat mcgroin said:
Your edit popped just as I finished mine.
I only understand a small amount of the screenshot, but I see what you mean. I wonder who or what is behind it.
I did find this 64.212.198.43:80 as a cookie name yesterday and deleted it, FWIW.
OK, that's it. What is the name of that cookie please? I need the entire name. The other end of this IP is starting to know I'm investigating, so I assume they are a little worried by now.
January 20, 2008 10:36:19 AM

That's OK, nothing wrong there. Your hosts file is working; as long as you see that 127.0.0.1, your computer is being protected. If that was not there, you'd want to do more. Protected means no information goes to their IP.
January 20, 2008 10:38:56 AM

Web Side Story 64.154.81.197
Clear Blue Technologies 207.211.21.19
Peak Web Hosting (BT fakes) 204.11.221.45
All three are currently doing port scans right now.
The first 2 are the most persistent.

As for 64.212.198.43:80, I didn't read the cookie, just deleted it.

As for 127.0.0.1 on the 3 ports, they all had a PID along with 7 instances of no PID.
January 20, 2008 10:41:47 AM

I see you're getting the hang of this now. The better you get, the less chance you'll be damaged by unknown BS like you're getting, and to me you're on your next step to being a rookie hacker, or should I say get-even payback time like me.
January 20, 2008 10:51:13 AM

Sure getting some on-the-fly learning though. Makes me a bit nervous.
January 20, 2008 10:53:18 AM

Now for the next step: what do I have that is making me a target?
January 20, 2008 10:56:24 AM

Not actually sure. Have you looked in your objects to see if there is an active object of unknown?
January 20, 2008 10:58:00 AM

Trying to do that now, having trouble remembering how. The brain is kinda full.
January 20, 2008 10:58:49 AM

Right click on IE, Properties, Settings, then View Objects. Got to go; be checking. I wish I had that cookie, I'd be able to do a lot more.
January 20, 2008 11:06:10 AM

It's not letting me have it.
Well, maybe I have that cookie in the recycle bin. I'll check and post back. Thanks for the help so far.
I'll shut a bunch of stuff down and deal with those 2 issues.
Thank God for dual monitors.
January 20, 2008 1:00:12 PM

OK, I'm back up.
I blocked the sites in ZA. They already were in PeerGuardian.
That's how I found them in the first place.
No luck with the cookie. I've been in safe mode for a while as some of the things deleted were from there, plus I didn't want to reinfect.

I also looked into the objects and didn't find anything unusual there.

Still have the port scans going on though, but PeerGuardian is stopping them.
Maybe they'll give up some day.
January 20, 2008 1:18:02 PM

gomerpile said:

Quick fix: block ports 333 and 500. Port 333 is the one I found to be an unknown for that IP; it also uses an ISAKMP key, port 500, which is a security probe and can remove security from one's computer.

Reading back through the posts I saw the above, and in TCPView I found an entry for isakmp.
Not sure if it matters, but here is my current state.

IEXPLORE.EXE:992 UDP msixp:1044 *:*
LSASS.EXE:536 UDP msixp:isakmp *:*
LSASS.EXE:536 UDP msixp:4500 *:*
svchost.exe:836 UDP msixp:ntp *:*
svchost.exe:836 UDP msixp..:ntp *:*
svchost.exe:920 UDP msixp..:1900 *:*
svchost.exe:920 UDP msixp:1900 *:*
System:4 TCP msixp..:netbios-ssn msixp:0 LISTENING
System:4 TCP msixp:microsoft-ds msixp:0 LISTENING
System:4 UDP msixp..:netbios-ns *:*
System:4 UDP msixp..:netbios-dgm *:*
System:4 UDP msixp:microsoft-ds *:*
vsmon.exe:952 TCP msixp:1025 msixp:0 LISTENING
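Both the earlier question about which program is originating a call and the TCPView listing just above come down to joining the socket table to the process table. The block below is an added example (my code, not TCPView and not anything from the thread): it parses the output of `netstat -a -n -o` and `tasklist /FO CSV /NH`, the XP command-line equivalents of what TCPView displays, names the process behind each PID, and flags connections to a list of addresses plus services listening on a non-loopback interface. The sample command output is constructed to resemble the endpoints posted in this thread, not captured from the poster's machine; the block list is the set of addresses named in the thread; the table of risky listeners is my own choice for the example.

```python
"""Join `netstat -a -n -o` output to `tasklist` output and flag what matters.

Added example for this thread; not TCPView and not code from any post.
The sample command output below is constructed to look like the endpoints
discussed in the thread, not a capture from the poster's machine.
"""
import csv
import io
import ipaddress
import re
import subprocess
from collections import namedtuple

Conn = namedtuple("Conn", "proto local remote state pid process")

# Constructed sample of `netstat -a -n -o` on Windows XP.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       836
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       952
  TCP    72.240.235.183:139     0.0.0.0:0              LISTENING       4
  TCP    72.240.235.183:1039    205.177.95.102:80      TIME_WAIT       0
  TCP    72.240.235.183:1047    64.212.198.43:80       ESTABLISHED     992
  UDP    0.0.0.0:500            *:*                                    536
  UDP    0.0.0.0:4500           *:*                                    536
  UDP    127.0.0.1:123          *:*                                    836
  UDP    72.240.235.183:1900    *:*                                    920
"""

# Constructed sample of `tasklist /FO CSV /NH`.
TASKLIST_SAMPLE = """\
"System Idle Process","0","Console","0","16 K"
"System","4","Console","0","236 K"
"lsass.exe","536","Console","0","1,412 K"
"svchost.exe","836","Console","0","4,820 K"
"svchost.exe","920","Console","0","3,104 K"
"vsmon.exe","952","Console","0","9,880 K"
"IEXPLORE.EXE","992","Console","0","22,340 K"
"""

# Addresses named in the thread as blocked in ZoneAlarm / PeerGuardian.
BLOCKLIST = {"64.212.198.43", "69.8.217.90", "205.177.95.102", "205.177.95.87",
             "64.154.81.197", "207.211.21.19", "204.212.170.210", "204.11.221.45"}

# Services a home box plugged straight into a cable modem should not expose
# (my choice for this example, not a list from the thread).
RISKY_LISTENERS = {135: "RPC endpoint mapper", 139: "NetBIOS session",
                   445: "SMB (microsoft-ds)", 500: "ISAKMP/IPsec", 1900: "SSDP/UPnP"}

_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples; UDP rows have no state."""
    rows = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append((proto, local, remote, state or "", int(pid)))
    return rows


def parse_tasklist(text):
    """Map PID -> image name from the CSV form of tasklist."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text))
            if len(row) >= 2 and row[1].isdigit()}


def correlate(netstat_text, tasklist_text):
    names = parse_tasklist(tasklist_text)
    # PID 0 on a TIME_WAIT row means the owner already exited; TCPView shows
    # the same socket as "[System Process]:0".
    return [Conn(p, l, r, s, pid, names.get(pid, "<unknown>"))
            for p, l, r, s, pid in parse_netstat(netstat_text)]


def _host_port(endpoint):
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def flag(conns, blocklist=BLOCKLIST):
    """Return (conn, reason) pairs worth a second look."""
    findings = []
    for c in conns:
        rhost, _ = _host_port(c.remote)
        lhost, lport = _host_port(c.local)
        if rhost in blocklist:
            findings.append((c, f"talking to block-listed {rhost}"))
        elif rhost not in ("0.0.0.0", "*") and ipaddress.ip_address(rhost).is_global:
            findings.append((c, f"outbound to public host {rhost}"))
        if (lhost not in ("127.0.0.1", "::1") and lport in RISKY_LISTENERS
                and (c.state == "LISTENING" or c.proto == "UDP")):
            findings.append((c, f"{RISKY_LISTENERS[lport]} reachable on {c.local}"))
    return findings


def run_live():
    """Same thing against the real commands on a Windows machine (-n keeps addresses numeric)."""
    ns = subprocess.run(["netstat", "-a", "-n", "-o"], capture_output=True, text=True, check=True).stdout
    tl = subprocess.run(["tasklist", "/FO", "CSV", "/NH"], capture_output=True, text=True, check=True).stdout
    return correlate(ns, tl)


if __name__ == "__main__":
    for conn, reason in flag(correlate(NETSTAT_SAMPLE, TASKLIST_SAMPLE)):
        print(f"{conn.process}:{conn.pid} {conn.proto} {conn.local} -> {conn.remote} {conn.state}  {reason}")
```

The TIME_WAIT line in the whois post cannot be attributed from the socket table alone, because its owning process has already closed the socket and the table reports PID 0; the connection has to be caught while it is ESTABLISHED, which is why the poster only saw the owner once he ran the tools before opening a browser.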

January 20, 2008 2:30:28 PM

Thanks Grumpy.
I do have encryption to get to the bank.

As far as the port scans go, it turns out I was reading it wrong.
I am the one generating.
Every time I click on something on the net, something is trying to phone home to the following:
Web Side Story 64.154.81.197
Clear Blue Technologies 207.211.21.19
SonicWall 204.212.170.210
Beyond the Network 205.177.95.87
They are all blocked so it doesn't matter right now.
I'll figure it out later.
I'm gonna go have a beer or 5 and empty my head.
Thanks for all of the help and I'll check back later.
January 20, 2008 2:31:59 PM

No, you're OK there. ISAKMP is a security key used by IPsec services to verify keys in packets with your security policies/keys.
You do need to be careful with these keys; that's the risk we take on the net. If you see ISAKMP running as a service, that's one indication that something changed.
January 20, 2008 10:31:23 PM

OK thanks, I'm done for the day.
I won't be back till about 4:30 tomorrow afternoon.
January 22, 2008 1:46:40 AM

Hey Gomer, quick question: who is this?
It has a pretty large range of addresses and it turns up as soon as I connect. Any thoughts on what I may have that could need this? At the very bottom is a link that I found that doesn't sound real promising.
66.35.250.99
Record Type: IP Address
Savvis SAVVIS (NET-66-35-192-0-1)
66.35.192.0 - 66.35.255.255
VA Software SAVV-S234813-4 (NET-66-35-250-0-1)
66.35.250.0 - 66.35.250.255

http://en.wikipedia.org/wiki/SAVVIS
As it turns out, this is allowed through my firewall so far.
August 3, 2010 5:01:07 AM

I tracked this down to this application from Netgear for remote access of ReadyNAS devices. It uses Juniper Networks technology, I think. I still don't know if it's malicious for sure, but I suspect not.

ReadyNAS Remote (which self-lists the following components)
Version 1.6.2.0

DataModelBase.dll 1.0.0.1
gacutil.exe 1.1.4318.0
Interop.EventSystemLib.dll 1.0.0.0
Interop.NetFwTypeLib.dll 1.0.0.0
Interop.SensEvents.dll 2.0.0.0
LeafExplorer.dll 1.0.0.0
LeafShareContainer.dll 1.0.0.0
LeafThreadPool.dll 1.0.0.0
Libnet.dll unknown
llmodel.dll 1.0.0.1
llprotocolhandler.dll 1.0.0.0
llremrunner.exe 1.0.0.0
llservice.dll 1.0.0.0
llutils.dll 1.0.0.0
lnadptrcnfg.dll 1.0.0.122
lnadptrcnfgx64.dll 1.0.0.122
lncomservice.dll 1.0.0.1
lninitadapter.dll 1.0.0.122
lnmodel.dll 1.0.0.123
lnp2p.dll 1.0.0.128
lnp2padapter.dll 1.0.0.128
lnp2pclient.dll 1.0.1.128
lnp2penc.dll 1.0.0.128
lnp2pfilter.dll 1.0.0.128
lnp2pnative.dll 1.0.0.128
lnp2pnotification.dll 1.0.1.128
lnpluginmngr.dll 1.0.0.1
lnprotocolhandler.dll 1.0.0.1
lnregasm.dll 1.0.0.0
lnregasm.exe 1.0.0.1
lnresources.dll 1.0.0.1
lnscrunner.exe 1.0.0.1
lnshplbr.dll 1.0.0.1
lnshrcontainer.dll 1.0.0.1
lnshrmngr.dll 1.0.0.124
lnSidLibrary.dll 1.0.0.1
lnThreadPool.dll 1.0.0.1
lnutils.dll 1.0.0.128
msvcr71.dll 7.10.3052.4
packet.dll 4.0.2.1123.Pro
PacketRoutingPlugin.dll 1.0.0.122
PluginManager.dll 1.0.0.0
pthreadVC.dll unknown
ReadyNASRemote.exe 1.0.0.1
setp2padapterip.exe unknown
ShapeLibrary.dll 1.0.0.0
ShareManager.dll 1.0.0.0
svcutil.dll unknown
wpcap.dll 4.0.2.1123.Pro
August 3, 2010 8:51:01 AM

This topic has been closed by Mousemonkey.