questionable IP on log files...

Thread: questionable IP on log files...

  1. #1
    Junior Member
    Join Date
    Feb 2003
    Posts
    15

    questionable IP on log files...

    A friend of mine got his computer hacked (or so he thinks) a week or 2 ago, so we have been doing hordes of research to ensure our computers are now trojan/virus free. Since that time I have been checking my log files (router log and Zone Alarm log) for anything unusual. I have an entry in my router log that says it's an outbound active trojan (ass sniffer it's called, according to the Linksys site).

    there have been 15 outbound transmissions from my main computer to IP 65.29.202.xxx (would rather not expose the IP unless I know its a trojan for sure) in the past few days... they have been using all kinds of ports on my machine to send packets (mostly in the 1000-2400 range of ports) but have been consistently connecting to the remote machine on port 2330.

    Now if I was to look into this further to see whose IP this is and where this trojan is stored, to ensure I'm not just being paranoid, where could I start?

    I run netstat frequently, but everything looks pretty normal, nothing unusual listening (although I might not know if something was amiss). I downloaded fport and use that to trace open ports to a program.

    any other ideas?

    Almost forgot, I'm running Windows 2000, Service Pack 3.
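An added example, not from this thread, of the check the poster is doing by eye: a small Python script that reads constructed, ZoneAlarm-style firewall log lines, groups the outbound entries by remote address and port, and flags any destination reached from several different local ports (the "many local ports, one fixed remote port 2330" pattern described above). The comma-separated log layout and the addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines for this example (not real ZoneAlarm or
# Linksys output; the comma-separated FWOUT/FWIN layout is an assumption).
# Remote port 2330 and the local-port range come from the post; the
# addresses are documentation-range placeholders.
SAMPLE_LOG = """\
FWOUT,2003/02/10 10:02:11,192.168.1.100:1043,203.0.113.7:2330,TCP
FWOUT,2003/02/10 10:02:40,192.168.1.100:1102,203.0.113.7:2330,TCP
FWOUT,2003/02/10 10:05:03,192.168.1.100:1244,203.0.113.7:2330,TCP
FWOUT,2003/02/10 10:31:59,192.168.1.100:1310,203.0.113.7:2330,TCP
FWOUT,2003/02/10 11:01:27,192.168.1.100:2208,203.0.113.7:2330,TCP
FWOUT,2003/02/10 11:02:00,192.168.1.100:2211,198.51.100.20:80,TCP
FWOUT,2003/02/10 11:04:12,192.168.1.100:2215,198.51.100.20:80,TCP
FWIN,2003/02/10 11:06:33,10.0.0.5:3456,192.168.1.100:135,TCP
not a log line at all
"""

LINE_RE = re.compile(
    r'^(FWIN|FWOUT),([^,]+),([\d.]+):(\d+),([\d.]+):(\d+),(\w+)$')

def parse_line(line):
    """Return a dict for one log line, or None for lines that don't parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    direction, when, src, sport, dst, dport, proto = m.groups()
    return {'direction': direction, 'when': when, 'src': src,
            'sport': int(sport), 'dst': dst, 'dport': int(dport),
            'proto': proto}

def find_repeat_destinations(log_text, min_hits=3):
    """Group outbound entries by (remote address, remote port) and report
    destinations contacted from at least min_hits distinct local ports.
    Many different ephemeral source ports to one fixed remote port is the
    pattern the post describes; it is worth explaining before dismissing."""
    local_ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec['direction'] == 'FWOUT':
            local_ports[(rec['dst'], rec['dport'])].add(rec['sport'])
    hits = []
    for (dst, dport), ports in local_ports.items():
        if len(ports) >= min_hits:
            hits.append({'remote': f'{dst}:{dport}', 'hits': len(ports),
                         'local_ports': sorted(ports)})
    return sorted(hits, key=lambda h: -h['hits'])

if __name__ == '__main__':
    for h in find_repeat_destinations(SAMPLE_LOG):
        print(h['remote'], h['hits'], h['local_ports'])
```

A flagged destination is a lead to look up (whois on the address, fport/netstat to find the owning program), not proof of a trojan on its own.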

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    371
    That domain is registered as follows:

    OrgName: Road Runner
    OrgID: RRMA

    NetRange: 65.28.0.0 - 65.31.255.255

    Have you implemented Access Lists on your router? If not, I would recommend this.
    I would also get some Trojan Cleaning software just to be sure. Search the forums, you will find a heap of recommended software which will do the trick.

    On a side note, have you been doing any FTPing (or vice-versa) to any Addresses within this IP range?
    SoggyBottom.

    There were so many fewer questions when the stars were still just the holes to heaven - JJ. I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.

  3. #3
    Member
    Join Date
    Aug 2002
    Posts
    88
    Since you are using ZoneAlarm, all you have to do is block any transmission to or from that address. Next download PestPatrol for a free trial. Use it to scan your hard drive and remove any pests (Trojans, RATs, Spyware, etc.). If you're not impressed let it lapse; if you are impressed, buy it. Also scan your system using your virus scanning program. That should leave you with a clean system, at least for a while. I'll be glad to help if you need any more.

    Mayhem

  4. #4
    Member GandalfTheGray's Avatar
    Join Date
    Jan 2003
    Posts
    96
    First you need to get a trojan cleaner and run it. Also, you said you're running zone alarm. If you are running the standard version (not Pro) you should make sure you have the latest version. Then you might try going to program control and select medium (you need pro to go to high). Then click on programs tab and set every permission on each program to "ask." This will ask you before performing an outbound transmission. Read the alerts carefully and if you don't recognize the program or know what it is doing, check the "remember this" box (or whatever it's called) and select no.

    If you're running ZA Pro, go to advanced settings and shut down every port incoming and outgoing unless you need it for normal operation. Also, you might like to get ZoneLog (free) to help analyze your ZA logs.

  5. #5
    Member
    Join Date
    Sep 2002
    Posts
    51
    I suggest getting an IP Hider (computer nerd's best friend).

  6. #6
    Member
    Join Date
    Dec 2002
    Posts
    63


    I thought ass sniffer was an old IP sniffer, mostly for chat rooms? Does this mean the tool was used from your machine?

  7. #7
    Junior Member
    Join Date
    Feb 2003
    Posts
    15
    Thanks for all the responses, guys.
    Let's see...
    Soggy, no FTPing that I can recall to that IP range. If I had, there would be a port 21 in there somewhere, I would think, which there is not. How did you find out where the domain is registered?

    Mayhem, Since I noticed this I have blocked that IP on ZA. Thanks for the suggestion, that anti-pest program sounds like the ticket.

    Gandalf, I am running the ZA Pro version. I would set all programs to ask for permission to access the internet, but many of them may be used for normal operation and I just don't recognize that fact. For instance, MStask.exe is always listening on port 1025. I did many searches on it and it seems like a legit M$ program, so I let it be. My computer listens on ports 130, 135, etc... When I run fport, it tells me they are system programs. If I could tell somehow which programs are normal Win 2000 Pro programs needed for normal operation, I would be able to recognize the phony ones.

    pak, according to a site I looked at, ass sniffer is a trojan that uses chat rooms, but it seems like it uses IM chat programs most, like ICQ, AIM, Yahoo, IRC, etc. I'm on ICQ a lot, so this would make perfect sense.

    So, if I find out that this is a trojan, is there a way I can find out who is registered to this IP address so I can report him or at least let him know that I'm on to him? Would I have to contact his ISP to find that out?

  8. #8
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    Find out who IP ranges belong to at:

    http://www.arin.net/whois

    If the address is European, it will tell you, and you can get more info at

    http://www.ripe.net

    and Asian at

    http://www.apnic.net

  9. #9
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    Hi Phite. One place you could look up information of this nature (names/orgs that have registered IPs/IP ranges) is with a whois search on something like ARIN, or you could download a tool like Sam Spade, which comes with a lot of neat little tools for free. They also have a whois lookup on their site. You should be able to get contact information for whatever purpose, including notification of abuse. For detecting and removing trojans, you can download a 30-day trial of The Cleaner and register it afterwards if you are happy. I hear that people are usually pretty impressed with The Cleaner. I hope that helps a bit.


    t2k2


    Edit: Sorry to repeat, but IchNiSan saved his post 2 min before me!
    Opinions are like holes - everybody's got 'em.


  10. #10
    Member GandalfTheGray's Avatar
    Join Date
    Jan 2003
    Posts
    96
    Just a handy reference document. Try shutting almost everything, then slowly opening up as a valid request is made to ZA Pro.
