April 8th, 2003, 10:53 PM
What's sending this?
I've recently noticed that my machine is trying to reach ns.winroute.cz:80 on a regular basis. It seems hourly. Now, I'm in N. America, and have no ties to CZ at all, so I'm not sure why I would be trying to go there. Has anyone heard of this before?
On the same topic, is there any way to determine what software is generating those requests? It would have to be something that can sit and monitor for the attempts, and then identify what's trying to send it. The box is running Win2k Pro, btw.
I have no idea what it could be, but it's troubling me. Any suggestions would be appreciated.
April 8th, 2003, 10:57 PM
Umm.. Have you got Anti-Virus software installed? Off-hand I'd guess one of two things: spyware or more likely Code Red. How up-to-date is your AV and when did you last do a FULL SCAN?
April 8th, 2003, 11:50 PM
Hiya, looking deeper into this, the link translates to reg.kerio.com. The Domain info is as such:
Domain Name: KERIO.COM
VeriSign, Inc. (HOST-ORG) namehost@WORLDNIC.NET
21355 Ridgetop Circle
Dulles, VA 20166
Record expires on 07-Feb-2004.
Record created on 02-Apr-2001.
Database last updated on 8-Apr-2003 18:48:36 EDT.
Domain Name Servers:
Looks like Spyware to me........Winroute.com's contact info lists Tiny Software. Ad-Aware time..
Hope this helps....Bye for now.
"It is a shame that stupidity is not painful" - Anton LaVey
April 9th, 2003, 02:48 AM
Based on Wazz's reply:
You aren't by any chance running the Kerio personal firewall ( former Tiny)?
If this is the case, this could be your firewall connecting for something, probably to check for updates or something similar, I ve never used it so I cant tell... just a thought as usuall
.sig - There never was a .sig?
I own a Schneider EuroPC with MS-Dos 3.3 and it works.
April 9th, 2003, 03:11 AM
As for discovering the service behind the resquest, a tool like TCPView v2.3 may help you. You can find that at www.sysinternals.com.
April 9th, 2003, 04:00 AM
Port 80 is a HTTP:// port so I wouldn't worry about it much unless your infected with some adware/trojans. If you truely are infected with something then the program may bring up spam or pages that has plugins and updates for all the maleware on your PC. Do a nice www.google.com search and there are alot of free ad/spyware & trojan removal.
If it come out clean then its probably a legitamit windows program (IE) when your online and listening to music windows media-player will try loading some of MSN's webpages. Im sure that if you take a good look around your box you'll find a option to turn off auto-updates. Once you turn these things off it usually asks you to update over and over agian but alot of times you can just click a check box that says something like "don't show this window agian".
April 9th, 2003, 06:58 AM
I Think you need to install Antivirus ok Then do a fullscan in your system .Then search in
to find what kind of virus n always update your virus ok.
April 9th, 2003, 07:24 AM
You may want to capture the traffic to and from your machine. For all you know, a webpage your looking at is showing you an ad from that server.
April 9th, 2003, 04:51 PM
Thanks for all the responses. Here is some additional information:
- I always have my AV software running, and it's updated at least several times a week.
- I run Ad-Aware 6 around once every week or two.
- I had already found the connection between Kerio and Tiny software. Tiny makes a firewall product, called Tiny Personal Firewall, which I use. It's a pretty good firewall, generally. I guess I was having trouble believing they could have something to do with it. Heck, I was even trying to use it to help identify the application generating the traffic! I'm surprised, and frankly disappointed by this kind of behavior. Even if it was just checking for updates, as was suggested, it would have been nice to know. I wonder what it's been sending.
- I have turned off TPF, and am monitoring with Windump for those packets. Haven't seen any since. Will monitor for the rest of the day just to see. Yesterday, I had the same windump string monitoring, and it picked up the traffic about every hour.
- This still doesn't provide what I wanted in terms of monitoring for which apps send out packets. Fport and TCPView can monitor what's running, but there doesn't seem to be a way to monitor - a la windump - for a given packet pattern from a specific app. That would be a cool thing to know, forensically. Especially when it's intermittent.
Thanks again for the help.
April 9th, 2003, 04:56 PM
Could you not filter it to look for specific things like port 80 or winroute.cz? The only tool that I know that could filter as it's collecting would be something like Snort IDS where you can create your own ruleset and have it only detect those that match that pattern. All others it just ignores and let's pass.