What's sending this?

Thread: What's sending this?

  1. #1
    Junior Member
    Join Date
    Feb 2003
    Posts
    6

    Question What's sending this?

    I've recently noticed that my machine is trying to reach ns.winroute.cz:80 on a regular basis. It seems hourly. Now, I'm in N. America, and have no ties to CZ at all, so I'm not sure why I would be trying to go there. Has anyone heard of this before?

    On the same topic, is there any way to determine what software is generating those requests? It would have to be something that can sit and monitor for the attempts, and then identify what's trying to send it. The box is running Win2k Pro, btw.

    I have no idea what it could be, but it's troubling me. Any suggestions would be appreciated.


    -- The Director

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Umm.. Have you got Anti-Virus software installed? Off-hand I'd guess one of two things: spyware or more likely Code Red. How up-to-date is your AV and when did you last do a FULL SCAN?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Senior Member Wazz's Avatar
    Join Date
    Apr 2003
    Posts
    288
    Hiya, looking deeper into this, the link translates to reg.kerio.com. The Domain info is as such:

    Domain Name: KERIO.COM

    Registrant:
    fubar

    Administrative Contact:
    fubar mviktora@kerio.com


    Technical Contact:
    VeriSign, Inc. (HOST-ORG) namehost@WORLDNIC.NET
    VeriSign, Inc.
    21355 Ridgetop Circle
    Dulles, VA 20166
    US
    1-888-642-9675

    Record expires on 07-Feb-2004.
    Record created on 02-Apr-2001.
    Database last updated on 8-Apr-2003 18:48:36 EDT.

    Domain Name Servers:

    NS.WINROUTE.COM 194.213.194.16
    NS.WINROUTE.CZ 194.228.3.66

    Looks like Spyware to me........Winroute.com's contact info lists Tiny Software. Ad-Aware time..
    Hope this helps....Bye for now.
    "It is a shame that stupidity is not painful" - Anton LaVey

  4. #4
    Senior Member
    Join Date
    Mar 2003
    Posts
    117
    Based on Wazz's reply:

    You aren't by any chance running the Kerio personal firewall ( former Tiny)?

    If this is the case, this could be your firewall connecting for something, probably to check for updates or something similar. I've never used it so I can't tell... just a thought as usual
    .sig - There never was a .sig?
    I own a Schneider EuroPC with MS-Dos 3.3 and it works.

  5. #5
    Member
    Join Date
    Dec 2002
    Posts
    63
    As for discovering the service behind the request, a tool like TCPView v2.3 may help you. You can find that at www.sysinternals.com.

  6. #6
    Banned
    Join Date
    Jul 2002
    Posts
    877
    Port 80 is an HTTP:// port so I wouldn't worry about it much unless you're infected with some adware/trojans. If you truly are infected with something then the program may bring up spam or pages that have plugins and updates for all the malware on your PC. Do a nice www.google.com search and there are a lot of free ad/spyware & trojan removal tools.

    If it comes out clean then it's probably a legitimate Windows program (IE). When you're online and listening to music, Windows Media Player will try loading some of MSN's webpages. I'm sure that if you take a good look around your box you'll find an option to turn off auto-updates. Once you turn these things off it usually asks you to update over and over again, but a lot of times you can just click a check box that says something like "don't show this window again".

  7. #7
    I think you need to install antivirus, OK? Then do a full scan of your system. Then search on

    www.google.com

    to find what kind of virus it is, and always update your antivirus, OK?
    Good luck

  8. #8
    Senior Member
    Join Date
    Mar 2003
    Posts
    452
    You may want to capture the traffic to and from your machine. For all you know, a webpage you're looking at is showing you an ad from that server.



    PuRe
    Like this post? Visit PuRe's Information Technology Community. We've also got some kick ass Technology Forums. Shop for books and dvds on LiveWebShop.com

  9. #9
    Junior Member
    Join Date
    Feb 2003
    Posts
    6
    Thanks for all the responses. Here is some additional information:
    • I always have my AV software running, and it's updated at least several times a week.
    • I run Ad-Aware 6 around once every week or two.
    • I had already found the connection between Kerio and Tiny software. Tiny makes a firewall product, called Tiny Personal Firewall, which I use. It's a pretty good firewall, generally. I guess I was having trouble believing they could have something to do with it. Heck, I was even trying to use it to help identify the application generating the traffic! I'm surprised, and frankly disappointed by this kind of behavior. Even if it was just checking for updates, as was suggested, it would have been nice to know. I wonder what it's been sending.
    • I have turned off TPF, and am monitoring with Windump for those packets. Haven't seen any since. Will monitor for the rest of the day just to see. Yesterday, I had the same windump string monitoring, and it picked up the traffic about every hour.
    • This still doesn't provide what I wanted in terms of monitoring for which apps send out packets. Fport and TCPView can monitor what's running, but there doesn't seem to be a way to monitor - a la windump - for a given packet pattern from a specific app. That would be a cool thing to know, forensically. Especially when it's intermittent.

    Thanks again for the help.


    -- The Director

  10. #10
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Could you not filter it to look for specific things like port 80 or winroute.cz? The only tool that I know that could filter as it's collecting would be something like Snort IDS, where you can create your own ruleset and have it only detect those that match that pattern. All others it just ignores and lets pass.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
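Posts #9 and #10 describe the approach that actually worked here: leave windump running, filter for the one destination, and watch for the roughly hourly pattern. The script below is an added example, not from any poster, that does that filtering and periodicity check offline over constructed tcpdump/windump-style lines; the line format, the sample timestamps and the 5% regularity tolerance are all assumptions.

```python
import re
from datetime import timedelta

# Constructed sample in a simplified windump/tcpdump text format (not a real capture).
# Assumed format: "HH:MM:SS.fff IP src.sport > dst.dport: flags"
SAMPLE_LOG = """\
09:00:02.101 IP 192.168.1.20.1044 > 194.228.3.66.80: S
09:13:44.220 IP 192.168.1.20.1051 > 207.46.134.190.80: S
10:00:05.330 IP 192.168.1.20.1062 > 194.228.3.66.80: S
10:41:10.011 IP 192.168.1.20.1070 > 194.228.3.66.53: S
11:00:01.905 IP 192.168.1.20.1078 > 194.228.3.66.80: S
12:00:03.150 IP 192.168.1.20.1090 > 194.228.3.66.80: S
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}(?:\.\d+)?) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def parse_ts(ts):
    """Convert HH:MM:SS.fff into a timedelta since midnight."""
    h, m, s = ts.split(":")
    return timedelta(hours=int(h), minutes=int(m), seconds=float(s))

def match_flows(log_text, dst_ip, dst_port):
    """Return timestamps of packets sent to dst_ip:dst_port, in log order.
    This is the same narrowing a 'host X and port Y' capture filter would do."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("dst") == dst_ip and int(m.group("dport")) == dst_port:
            hits.append(parse_ts(m.group("ts")))
    return hits

def beacon_interval(times, tolerance=0.05):
    """If every gap between hits is within `tolerance` of the mean gap, the traffic is
    periodic (a check-in timer, not browsing): return the mean gap in seconds, else None."""
    if len(times) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = sum(gaps) / len(gaps)
    if all(abs(g - mean) <= tolerance * mean for g in gaps):
        return mean
    return None

if __name__ == "__main__":
    hits = match_flows(SAMPLE_LOG, "194.228.3.66", 80)
    print(len(hits), "packets to 194.228.3.66:80; interval:", beacon_interval(hits))
```

A regular interval is the tell: once it is confirmed, stopping one candidate program at a time (as the poster did with TPF) and watching whether the next expected packet arrives is the simplest way to attribute it on a system without per-process socket auditing.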
