August 25th, 2005 12:25 PM
Strange established connection
At 3:42 am this morning, I encountered a strange connection.
I work on three computers, all within my turning distance, at most times (1 desktop, 2 laptops).
While I was on my desktop, I turned to a laptop, only to see a connection established.
I netstat'ed 2 different IPs: "188.8.131.52" had established connections through two different ports, and "184.108.40.206" had just sent a "SYN" packet.
I ran a "WHOIS" search, and discovered it was with "RIPE".
Used RIPE's WHOIS, and got "Epolis hosting" in Moscow, Russia.
While visiting www.ripe.net, in "Announcements and News", I happened to see "RIPE NCC Regional Meeting Moscow, Russia Registration Now Open"; I don't know if that could explain anything.
I didn't have any browsers, or anything open on the laptop and it's running XP.
I turned off the laptop to kill the connection, and once rebooted, it displayed "The system has recovered from a serious error". I looked at the technical data and it says something about "Mini081705-01.dmp" and "sysdata.xml" (Could someone explain those to me?).
Microsoft's website claimed it was a Device Driver error, yet, I have not changed or installed anything lately.
My desktop's logs have tons of "Failure Audits" for "unknown user or bad password".
My other laptop is running SuSE, so of course, I've had no problems with that computer.
Can someone give me their two cents on what's going on?!
(As I was typing, after 3 hours had passed, I got those same two connections to my laptop.)
August 25th, 2005 10:31 PM
If you inadvertently pulled down a piece of spyware, that could account for the Russian connections and attempts to log into your system. The most common Chinese, Taiwan, Korean and Russian IPs I see are in the traffic logs targeting systems with spyware infections. On the systems I deal with, there aren't any other legitimate reasons to have sessions active with hosts in those countries.
Recommend a good scan session.
August 26th, 2005 03:55 AM
Thanks for the advice, I'll give it a shot!
August 26th, 2005 04:13 AM
I ran "Ad-aware", it couldn't find anything after a full system scan.
August 26th, 2005 04:32 AM
Keep going:
Recommend a good scan session.
Spybot S + D
Symantec Online Scan
To name a few . . .
All in safe mode.
You can find links to these elsewhere in the forums.
If the connection comes up again you should try to see what program is associated with it. Use netstat -ano, note the PID, then use tasklist /svc to see what is using it. Or get TCPView from Sysinternals. It would narrow things down much more quickly.
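The netstat -ano / tasklist /svc correlation described in this reply, scripted as an added example (not code from the thread): it lists every TCP connection to a non-local host together with the process image and any services hosted in that PID. It assumes a Windows host with PowerShell, and an elevated prompt so tasklist can read every process.

```powershell
# Added example: map each outbound/inbound TCP connection to the process and
# services behind its PID by joining "netstat -ano" with "tasklist /svc".
function Get-RemoteConnectionOwners {
    # Parse netstat -ano rows: Proto, Local, Foreign, State, PID (TCP rows only)
    $conns = netstat -ano | ForEach-Object {
        $f = ($_.Trim() -split '\s+')
        if ($f[0] -eq 'TCP' -and $f.Count -ge 5) {
            [pscustomobject]@{
                Local = $f[1]; Foreign = $f[2]; State = $f[3]; PID = [int]$f[4]
            }
        }
    }
    # Build a PID -> (image name, hosted services) lookup from tasklist /svc
    $svc = @{}
    tasklist /svc /fo csv | ConvertFrom-Csv | ForEach-Object {
        $svc[[int]$_.PID] = [pscustomobject]@{
            Image = $_.'Image Name'; Services = $_.Services
        }
    }
    foreach ($c in $conns) {
        # Strip the port, keep the address (IPv6 addresses stay bracketed)
        $ip = ($c.Foreign -replace ':\d+$', '')
        # Skip listeners, loopback, unspecified and RFC 1918 addresses;
        # whatever is left is a session with an outside host
        if ($c.State -eq 'LISTENING' -or
            $ip -match '^(\[::1?\]|0\.0\.0\.0|127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)') {
            continue
        }
        $o = $svc[$c.PID]
        [pscustomobject]@{
            Foreign  = $c.Foreign
            Local    = $c.Local
            State    = $c.State      # ESTABLISHED, SYN_SENT, TIME_WAIT, ...
            PID      = $c.PID
            Image    = if ($o) { $o.Image } else { '<unknown>' }
            Services = if ($o) { $o.Services } else { '' }
        }
    }
}

# A SYN_SENT row with an unfamiliar image, or a service-hosting svchost.exe
# talking to an address you cannot explain, is what to chase next.
Get-RemoteConnectionOwners | Sort-Object Foreign | Format-Table -AutoSize
```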
August 26th, 2005 03:54 PM
Thanks for the advice!
I finally found some objects, removed them, and everything seemed to be fine.
Yet again, this connection was made around the same time this morning.
Well, at least I've gotten rid of that adware/spyware.
August 26th, 2005 04:46 PM
You might try HiJackThis, as well to help ferret out where something may be hiding in the system.
August 29th, 2005 03:07 PM
Good proggy, it just isn't helping me find out why there's so many failed "login" attempts on my desktop.
August 29th, 2005 03:18 PM
Run fport. See what is making the connections. Go from there.
Afterwards, go to Trend Micro HouseCall and run a full scan.
Do you have a firewall?
August 29th, 2005 11:52 PM
I was reading your post, and I noticed that you did not mention the ports on the machine that were hosting the connections. Could you post them (or if you don't feel comfortable revealing that kind of info in the forums, PM me)? I am thinking that there is a possibility that you may have contracted some form of malware (that you may have already removed), but the offending program/process injected malicious code into the system files, allowing the connections you describe. If I knew what ports were being used, I could better diagnose the problem.
In regards to the two files that you mentioned, the Mini081705-01.dmp is a memory dump file that Windows XP generates for troubleshooting anytime a stop error occurs. If this file has not been altered or deleted, it can shed light on what process caused the error by providing detailed information. You can use the Microsoft Kernel Debugger (Kd.exe) or Microsoft WinDbg Debugger (Windbg.exe) to analyze the contents of these files, but be warned - they are not for the faint of heart. Here's an easier way to extract the data:
1) Download and install the Debugging Tools from Microsoft: http://www.microsoft.com/whdc/devtoo...nstallx86.mspx
2) Locate the memory.dmp file: C:\WINDOWS\Minidump\Mini081705-01.dmp or whatever
3) open a CMD prompt and cd\program files\debugging tools for windows\
4) type the following stuff:
c:\program files\debugging tools>kd -z C:\WINDOWS\Minidump\Mini081505-01.dmp
(it will spew a bunch)
kd> .logopen c:\debuglog.txt
kd> .sympath srv*c:\symbols*http://msdl.microsoft.com/download/symbols
kd> .reload;!analyze -v;r;kv;lmnt;.logclose;q
5) You now have a debuglog.txt in c:\ so now you can view in any text editor (I recommend notepad, because it will not alter the contents)
As for sysdata.xml...it is an XML data file containing error info, but it is in machine language, and indecipherable for our purposes.
Also, let me stress...at this point, you should assume that this computer has been compromised, and it is now a threat to the rest of your network. If it is still connected to the LAN, physically disconnect it.
To everyone else at AO: I'm glad to be back.
Hope this helps.
Windows 9x: n.
A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can't stand 1 bit of competition.
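The kd session laid out in steps 1 to 5 above, driven non-interactively as an added example (not code from the thread): it picks the newest minidump, runs the same command chain through kd's -z, -y, -logo and -c switches, and pulls the verdict lines out of the resulting log. The kd.exe location in $KdPath is an assumption for this example; adjust it to your Debugging Tools install, and the machine needs outbound access to the Microsoft symbol server.

```powershell
# Added example: automate the minidump analysis from the reply above.
param(
    [string]$KdPath      = 'C:\Program Files\Debugging Tools for Windows\kd.exe',  # assumed path
    [string]$DumpDir     = 'C:\Windows\Minidump',
    [string]$SymbolCache = 'C:\symbols',
    [string]$LogFile     = 'C:\debuglog.txt'
)

function Invoke-MinidumpAnalysis {
    param([string]$Dump)
    # Same symbol path and command chain as the interactive session; -logo
    # replaces .logopen and -c feeds the commands so kd runs them and quits.
    $sym  = "srv*$SymbolCache*https://msdl.microsoft.com/download/symbols"
    $cmds = '.reload;!analyze -v;r;kv;lmnt;.logclose;q'
    & $KdPath -z $Dump -y $sym -logo $LogFile -c $cmds | Out-Null
    if (-not (Test-Path $LogFile)) { throw "kd produced no log for $Dump" }

    # The handful of !analyze -v lines that name the faulting code
    $log = Get-Content $LogFile
    [pscustomobject]@{
        Dump          = $Dump
        BugCheck      = ($log | Select-String '^BUGCHECK_STR:'      | Select-Object -First 1).Line
        Module        = ($log | Select-String '^MODULE_NAME:'       | Select-Object -First 1).Line
        Image         = ($log | Select-String '^IMAGE_NAME:'        | Select-Object -First 1).Line
        ProbableCause = ($log | Select-String '^Probably caused by' | Select-Object -First 1).Line
        FullLog       = $LogFile
    }
}

# Newest Mini*.dmp is the crash the user just saw after the reboot
$latest = Get-ChildItem -Path $DumpDir -Filter 'Mini*.dmp' |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $latest) { throw "No minidumps found under $DumpDir" }
Invoke-MinidumpAnalysis -Dump $latest.FullName | Format-List
```

If IMAGE_NAME points at a driver that was not recently installed or updated, the crash is worth treating as part of the compromise rather than as an unrelated device driver fault; the full log keeps the r, kv and lmnt output for anyone who wants to go deeper.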