March 8th, 2004, 10:15 AM
No Clue about this one, any ideas?
Well, I know this is my first post but I've been registered for a while. I don't consider myself a noob at computers, but I'm certainly not as good as you guys haha, hence why I read your forums (as in that movie Short Circuit "INPUT, INPUUUTTT!"). But, meh, I stumbled across something that pretty much baffles me eh. (I am not Canadian by the way if you're wondering about the Eh) It's 5:10AM so if I'm rambling sorry, but I mean no harm. Anyways, back to my point. I use Sygate Personal Firewall (anyone heard of it, I am sure you have heh) and it's always worked fine and well. Recently I discovered that whenever I open a search, my computer sends out data (or tries to anywho). I, of course, block it always but it's sort of leaving me clueless here. Hmm let me take a screeny of what I'm getting... (I've run all the AVs and spyware detectors I have and seem to be available, and nada-zip. That worried me more than if it had found something of course, so I come to you now PC gurus. It only does it now and then, so of course I can't seem to get the message from Sygate (Why am I thinking of Terminator 2?!) when it doesn't do it... Eh, just need to wait I guess. In the meantime, any thoughts? I will post what IP it is trying to connect to, and hopefully we can go from there somehow.
March 8th, 2004, 12:20 PM
I couldn't think of anything yet, but did you try clicking yes at least once and see what happened... and you could use neotrace to get some info on that IP (I'm in school right now)
March 8th, 2004, 12:48 PM
Strange.........the IP looks like some sort of proxy? I get it as IANA but whois says that it is an EU addy that is really worldwide?
9 184.108.40.206 27ms 27ms 28ms TTL: 0 (so-3-0.ipcolo2.London2.Level3.net ok)
10 220.127.116.11 27ms 28ms 27ms TTL: 0 (ge-4-3-1.mp1.London2.Level3.net ok)
11 18.104.22.168 96ms 110ms 110ms TTL: 0 (so-1-0-0.bbr1.Washington1.Level3.net ok)
12 22.214.171.124 110ms 124ms 110ms TTL: 0 (so-2-3-0.bbr1.Chicago1.Level3.net ok)
13 126.96.36.199 124ms 124ms 124ms TTL: 0 (ge-8-0.hsa1.Chicago1.Level3.net ok)
14 188.8.131.52 124ms 123ms 124ms TTL: 0 (unknown.Level3.net fraudulent rDNS)
15 184.108.40.206 124ms 124ms 123ms TTL: 0 (64-198-101-201.ip.mcleodusa.net ok)
16 220.127.116.11 123ms 124ms 123ms TTL: 0 (CHCGILOCC7201-CHCGILOCJM201.mcleodusa.net ok)
17 18.104.22.168 220ms 138ms 138ms TTL: 0 (209-253-102-38.ip.mcleodusa.net ok)
18 22.214.171.124 151ms 151ms 151ms TTL: 0 (No rDNS)
19 126.96.36.199 151ms 151ms 151ms TTL: 43 (No rDNS)
That is the backend of traceroute for clintoris.com?.....................I cannot get a whois for that domain.
I will leave it to those who are more knowledgeable
March 8th, 2004, 01:10 PM
224.0.0.0 - 224.0.0.255 is assigned as the Local Network Control Block, as described in RFC 3171.
Local Network Control Block (224.0.0/24)
Addresses in the Local Network Control block are used for protocol
control traffic that is not forwarded off link. Examples of this
type of use include OSPFIGP All Routers (224.0.0.5) [RFC2328].
And here's the OSPF protocol.
March 8th, 2004, 01:20 PM
I just ran a sniff with Iris; it's actually a broadcast over NetBIOS by the master browser.
It's due to the operations of the "master browser" (see http://support.microsoft.com/default...NoWebContent=1)
for discussion on browsers.
(Also, I'm guessing the machine you are looking at is on a very small network?). So... the machine first asks over ARP who has the address it has received via DHCP; if it's not taken it then registers the address by broadcasting NetBIOS Name Service (port 137) over the subnet's broadcast IP. It then registers its workgroup if it doesn't detect that its workgroup is up, again over NetBIOS Name Service. Once this is done it uses the master browser, broadcasting over the LAN at its subnet level that it's a Win2k/XP etc. workstation.
So I guess it's Explorer being helpful and making sure it knows the local subnet, in case you want to use the search function for network resources.
You can disable it by setting the following key to 0
Hope this helps.
Quis custodiet ipsos custodes
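As an added illustration of the NetBIOS Name Service registration described in the post above (example code written for this page, not from the thread or from any vendor), the following Python builds and decodes a constructed NBNS name registration request of the kind a workstation broadcasts on UDP port 137; the hostname, workgroup and address are made-up sample values.

```python
import struct
import ipaddress

NBNS_PORT = 137               # NetBIOS Name Service, UDP
OPCODE_REGISTRATION = 5       # NAME REGISTRATION REQUEST opcode
QTYPE_NB = 0x0020             # NetBIOS general name service RR type
FLAGS_REG_BROADCAST = 0x2910  # OPCODE=5, RD=1, B=1 (broadcast), RCODE=0
# Well-known NetBIOS name suffixes (the 16th byte of the name)
SUFFIX_NAMES = {0x00: "Workstation Service", 0x1D: "Master Browser",
                0x1E: "Browser Service Elections", 0x20: "File Server Service"}

def encode_netbios_name(name, suffix):
    """First-level encoding (RFC 1001 14.1): pad the name to 15 bytes, append
    the suffix byte, then map each nibble of every byte to 'A' + nibble."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)

def decode_netbios_name(encoded):
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def build_registration(name, suffix, ip, group=False, txid=0x8000):
    """Build the 68-byte broadcast registration a B-node sends on port 137."""
    qname = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"  # no scope
    header = struct.pack("!HHHHHH", txid, FLAGS_REG_BROADCAST, 1, 0, 0, 1)
    question = qname + struct.pack("!HH", QTYPE_NB, 1)            # class IN
    # Additional RR: pointer to the question name (offset 12), NB type, IN,
    # TTL, RDLENGTH 6, NB_FLAGS (group bit, B-node), then NB_ADDRESS.
    nb_flags = 0x8000 if group else 0x0000
    rr = struct.pack("!HHHIHH", 0xC00C, QTYPE_NB, 1, 300000, 6, nb_flags)
    return header + question + rr + ipaddress.IPv4Address(ip).packed

def parse_nbns(pkt):
    """Decode the header, question name and (for registrations) the address."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if pkt[12] != 0x20:
        raise ValueError("only unscoped 32-byte encoded names are handled")
    name, suffix = decode_netbios_name(pkt[13:45])   # pkt[45] ends the scope
    qtype, qclass = struct.unpack("!HH", pkt[46:50])
    info = {"txid": txid, "opcode": (flags >> 11) & 0xF,
            "broadcast": bool(flags & 0x0010), "name": name, "suffix": suffix,
            "service": SUFFIX_NAMES.get(suffix, "unknown"), "qtype": qtype}
    if ar and info["opcode"] == OPCODE_REGISTRATION:
        _, _, _, ttl, _, nbflags = struct.unpack("!HHHIHH", pkt[50:64])
        info["address"] = str(ipaddress.IPv4Address(pkt[64:68]))
        info["group"] = bool(nbflags & 0x8000)       # group vs unique name
        info["ttl"] = ttl
    return info

if __name__ == "__main__":
    # Constructed sample: a host registers its own name, then its workgroup
    print(parse_nbns(build_registration("WORKSTN", 0x00, "192.168.1.50")))
    print(parse_nbns(build_registration("WORKGROUP", 0x1E, "192.168.1.50", True)))
```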
March 8th, 2004, 01:24 PM
You won't find that address in a whois. 18.104.22.168 is the multicast address used by multicast apps to locate multicast routers.
Broadcast: Everyone gets the packets eg: ARP
Unicast: Single host gets the packets eg: TCP
Multicast: A select group of hosts get the packets eg: streaming video.
It would seem that you have some addin, (Realplayer type of thing), with IE that is looking for a multicast router on the local network. Past that I can't be of much more help.... sorry.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
March 8th, 2004, 01:45 PM
to find out which application it is...
You can use netstat before and after to see if anything has changed. fport is pretty good for this. www.foundstone.com
You can also use filemon and regmon from www.systernals.com to see what files are being used at that time. This can give good clues most of the time.
Just make sure to disable your realtime antivirus. The av activity will flood your logs and make it really hard to read.
March 8th, 2004, 11:05 PM
Ah, I see now. Thanks guys, I was initially worried it may be a new trojan that's unidentified by everything since it just came out. Again, thanks for the info