Strange established connection
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Strange established connection

  1. #1

    Post Strange established connection

    At 3:42 am this morning, I encountered a strange connection.
    I work on three computers, all within my turning distance, at most times (1 desktop, 2 laptops).
    While I was on my desktop, I turned to a laptop, only to see a connection established.
    I netstat'ed 2 different IP's "81.177.0.219" established connections through two different ports, and "81.177.0.199" had just sent a "SYN" packet.

    I ran a "WHOIS" search, and discovered it was with "RIPE".
    Used RIPE's WHOIS, and got "Epolis hosting" in Moscow, Russia.
    While visiting www.ripe.net, in "Announcements and News", I happen to see "RIPE NCC Regional Meeting Moscow, Russia Registration Now Open"; I don't know if that could explain anything.
    I didn't have any browsers, or anything open on the laptop and it's running XP.

    I turned off the laptop to kill the connection, and once rebooted, it displayed "The system has recovered from a serious error". I looked at the technical data and it says something about "Mini081705-01.dmp" and "sysdata.xml" (Could someone explain those to me?).
    Microsoft's website claimed it was a Device Driver error, yet, I have not changed or installed anything lately.

    My desktop's logs, have tons of "Failure Audits" for "unknown user or bad password".
    My other laptop is running SuSE, so of course, I've had no problems with that computer.

    Can someone give me their two cents on what's going on?!

    (As was typing after 3 hours passed, I got those same two connections to my laptop)



    --ThePastorGang

  2. #2
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    If you inadvertently pulled down a piece of spyware, that could account for the Russian connections and attempts to log into your system. The most common Chinese, Taiwan, Korean and Russian IP's I see are in the traffic logs targeting system with spyware infections. On the systems I deal with, there aren't any other legitimate reasons to have sessions active with hosts in those countries.

    Recommend a good scan session.

  3. #3
    Thanks for the advice, I'll get it a shot!

  4. #4
    I ran "Ad-aware", it couldn't find anything after a full system scan.

  5. #5
    Senior Member hesperus's Avatar
    Join Date
    Jan 2005
    Posts
    416
    Recommend a good scan session.
    Keep going :

    Spybot S + D
    Ewido
    a squared

    AVG Free
    Avast
    Symantec Online Scan

    To name a few . . .

    All in safe mode.

    You can find links to these elsewhere in the forums.

    If the connection comes up again you should try to see what program is associated with it. Use netstat -ano, note the pid, then use tasklist /svc to see what is using it. Or get TCPview from System Internals. It would narrow things down much more quickly.
    .

  6. #6
    Thanks for the advice!
    I finally found some ojects, removed them, and everything seemed to be fine.
    Yet again, this connection was made around the same time this morning

    Well, at least I've ridded of that adware/spyware.

  7. #7
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    You might try HiJackThis, as well to help ferret out where something may be hiding in the system.

    HiJackThis
    http://www.tomcoyote.org/hjt/

  8. #8
    Good proggy, it just isn't helping me find out why there's so many failed "login" attempts on my desktop.

  9. #9
    Banned
    Join Date
    Jun 2005
    Posts
    445
    Run fport. See what is making the connections. Go from there.

    Afterwards. Go to Trendmicro Housecall and run a full scan.

    Do you have a firewall?

  10. #10
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    ThePastorGang,

    I was reading your post, and I noticed that you did not mention the ports on the machine that were hosting the connections. Could you post them (or if you don't feel comfortable revealing that kind of info in the forums, PM me)? I am thinking that there is a possibility that you may have contracted some form of malware (that you may have already removed), but the offending program/process injected malicious code into the system files, allowing the connections you describe. If I knew what ports were being used, I could better diagnose the problem.

    In regards to the two files that you mentioned, the Mini081705-01.dmp is a memory dump file that Windows XP generates for troubleshooting anytime a stop error occurs. If this file has not been altered or deleted, it can shed light on what process caused the error by providing detailed information. You can use the Microsoft Kernel Debugger (Kd.exe) or Microsoft WinDbg Debugger (Windbg.exe) to analyze the contents of these files, but be warned - they are not for the faint of heart. Here's an easier way to extract the data:

    1) Download and install the Debugging Tools from Microsoft: http://www.microsoft.com/whdc/devtoo...nstallx86.mspx

    2) Locate the memory.dmp file- C:\WINDOWS\ Minidump\Mini081705-01.dmp or whatever

    3) open a CMD prompt and cd\program files\debugging tools for windows\

    4) type the following stuff:
    Code:

    c:\program files\debugging tools>kd -z C:\WINDOWS\ Minidump\Mini081505-01.dmp
    (it will spew a bunch)
    kd> .logopen c:\debuglog.txt
    kd> .sympath srv*c:\symbols*http://msdl.microsoft.com/download/symbols
    kd> .reload;!analyze -v;r;kv;lmnt;.logclose;q

    5) You now have a debuglog.txt in c:\ so now you can view in any text editor (I recommend notepad, because it will not alter the contents)

    As for sysdata.xml...it is an XML data file contaning error info, but it is in machine language, and indecipherable for our purposes.

    Also, let me stress...at this point, you should assume that this computer has been compromised, and it is now a threat to the rest of your network. If it is still connected to the LAN, physically disconnect it.

    To everyone else at AO: I'm glad to be back.

    Hope this helps.

    CC
    Windows 9x: n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can\'t stand 1 bit of competition.


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •