Have computer trying to connect to Chinese IP address

  1. #1
    Junior Member
    Join Date
    Apr 2006
    Posts
    20

    Have computer trying to connect to Chinese IP address

    We have an ACL in our routers to not let anything go to certain Chinese IP blocks. We feel that the blocked range of IP addresses are up to no good. OK so one of the admins looks in the router and sees that 3 computers are trying to get to the addresses. They are sending SYN requests and since the IP is being blocked in the router nothing happens. Another admin creates a VLAN so we can mimic the server and I use the WHAX security disk to run a webserver and Ethereal to see what is happening. It looks like it might be spyware but I am not sure. We run Symantec Client Security on the clients but the logs only tell me that the connection was created from the client to the webserver.

    Here is my question: I want to know what program on the server is sending the offending requests. Is there any software on the internet for Windows that will capture when a program opens a socket and log that information? I want to log when a connection is made on the client and what is creating the connection.

    Thanks
    -GA
    Jive Lady: Jus' hang loose, blood. She gonna catch ya up on da' rebound on da' med side.
    Second Jive Dude: What it is, big mama? My mama no raise no dummies. I dug her rap!
    Jive Lady: Cut me some slack, Jack! Chump don' want no help, chump don't GET da' help! Jive ass dude don't got no brains anyhow! Hmmph!

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Take a look on sysinternals.com. TCPView will probably be what you want..

    As a side-note: Symantec sucks at finding ad- and/or spyware.. Use Spybot S&D, Ad-Aware and/or HijackThis..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Junior Member
    Join Date
    Apr 2006
    Posts
    20
    I saw that but I need something to log everything when the computer boots. I don't think this has a way to log something to a text file, it just shows you at the display. If the socket is opened for a moment I will miss it.

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by Golgi Apparatus
    I saw that but I need something to log everything when the computer boots. I don't think this has a way to log something to a text file, it just shows you at the display. If the socket is opened for a moment I will miss it.
    Why don't you just pick up that client and clean it? Just run the above mentioned anti ad/spyware programs and let them figure out what it is..

  5. #5
    Junior Member
    Join Date
    Apr 2006
    Posts
    20
    There is no spyware on this computer. I have run Ad-Aware, Spybot and nothing. I ran RootkitRevealer on it and nothing. I need to see what program is sending out this request.

  6. #6
    Member tin.roof.rabbit's Avatar
    Join Date
    Apr 2006
    Posts
    63
    Try running Sysinternals Filemon and Regmon during boot.

  7. #7
    Junior Member
    Join Date
    Apr 2006
    Posts
    20

  8. #8
    Junior Member
    Join Date
    Apr 2006
    Posts
    20
    Is this software http://www.winsyslog.com/en/ made to run on a client computer?

  9. #9
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    487
    Golgi:

    It sounds like TDIMon by SysInternals is what you are looking for. It captures all TCP and UDP traffic showing you what process is communicating, the local and remote IP addresses, ports, and some other data that might be helpful. And it's FREE.

    Link: http://www.sysinternals.com/Utilities/TdiMon.html
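    The requirement that runs through the whole thread is "log, from boot, which process opens a connection toward the blocked range, including sockets that only exist for a moment." As an added illustration (not code from the thread or from Sysinternals), the script below does that on a modern Windows host with built-in cmdlets instead of TDIMon: it polls the TCP connection table, keeps only connections whose remote address falls in a watched prefix, resolves the owning process, and appends one line per new connection to a text file. It assumes Windows 8 / Server 2012 or later (for `Get-NetTCPConnection`) and an elevated prompt so every process path resolves; the `203.0.113.` prefix is a constructed placeholder from the TEST-NET-3 documentation range, not the range the poster blocked.

```powershell
# Added example, not part of the original thread. Logs which process owns each
# TCP connection toward a watched address prefix. Requires Windows 8 / Server 2012+
# and an elevated prompt. Prefix and paths below are constructed placeholders.
param(
    [string]$WatchPrefix = '203.0.113.',                    # placeholder, substitute the ACL range
    [string]$LogFile     = "$env:ProgramData\conn-watch.log",
    [int]$IntervalMs     = 250                              # poll quickly to catch short-lived SYNs
)

# Remember "pid|remote:port" keys so each connection is written once, not every poll.
$seen = @{}

while ($true) {
    $conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
             Where-Object { $_.RemoteAddress -like "$WatchPrefix*" }

    foreach ($c in $conns) {
        $key = '{0}|{1}:{2}' -f $c.OwningProcess, $c.RemoteAddress, $c.RemotePort
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true

        # Resolve the owning process; it may already have exited by the time we look.
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $exe  = if ($proc) {
                    if ($proc.Path) { $proc.Path } else { $proc.ProcessName }
                } else { '<exited>' }

        # State will typically be SynSent for a host whose SYNs are dropped upstream.
        $line = '{0} pid={1} exe={2} state={3} {4}:{5} -> {6}:{7}' -f `
            (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $c.OwningProcess, $exe, $c.State,
            $c.LocalAddress, $c.LocalPort, $c.RemoteAddress, $c.RemotePort
        Add-Content -Path $LogFile -Value $line
    }

    Start-Sleep -Milliseconds $IntervalMs
}
```

    To cover the boot window the poster cares about, register the script as a scheduled task that runs at system startup under SYSTEM, and read the log afterwards. For a one-shot check on an already-running machine, `netstat -b -o` (elevated) prints the owning executable and PID for each connection, which is the same information TCPView shows interactively but without the file log.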

  10. #10
    Junior Member
    Join Date
    Apr 2006
    Posts
    20
    Yes, you have the option of creating a WinSyslog server, which houses each client server's log in a SQL database. Then there is the option to run it on a standalone machine and log activities to a log file.

    Here is the manual.

    http://www.adiscon.org/manuals/WinSyslog-70.pdf

    In your situation I wouldn't get too deep into WinSyslog. Just install it and have it write to a log file.
