
Thread: Something connecting to a webpage every minute

  1. #1
    Junior Member
    Join Date
    Aug 2006
    Posts
    15

    Something connecting to a webpage every minute

    I've been looking at the traffic in my wireless network and something checks the webpage login.fric.cn more or less every minute. I went there and there is only a button that takes you to Microsoft, but I don't think it's a Microsoft thing... Does anyone know what it is? Thanks

  2. #2
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    Welcome to AO!

    Try going to Start > Run > cmd,
    type 'netstat -a -b' and press Enter... [minus the quotes]. That will tell you your outbound connections and the executables associated with them... hope this helps...

    westin
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST

  3. #3
    Another program that you can use is from Microsoft, called Port Reporter. This will install only as a service that will log all loaded files in memory when a socket is opened. We use this as a tool to see what is happening to servers when they are sending out goofy packets.

    Here is the MS webpage http://www.microsoft.com/downloads/d...displaylang=en
    Jive Lady: Jus' hang loose, blood. She gonna catch ya up on da' rebound on da' med side.
    Second Jive Dude: What it is, big mama? My mama no raise no dummies. I dug her rap!
    Jive Lady: Cut me some slack, Jack! Chump don' want no help, chump don't GET da' help! Jive ass dude don't got no brains anyhow! Hmmph!

  4. #4
    Junior Member
    Join Date
    Aug 2006
    Posts
    15
    Thanks a lot, I think I'll use Port Reporter since I don't think the socket stays connected after it checks that website.

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    Some additional sites resolve to the same IP:

    http://hphosts.mysteryfcm.co.uk/?s=login.fric.cn

    and it appears on a blocked-sites list here:
    http://www.ifls.lib.wi.us/about/tech...kedspyware.asp

    I'd say your first step is to set your firewall to block inbound and outbound connections to fric.cn.

    Rule of thumb... any time you see an unexpected connection to servers in China (.cn), Russia (.ru) and a bunch more... I'd assume you are compromised in one fashion or another...

    I'd get http://www.sophos.com/products/free-...i-rootkit.html and run it...

    And I'd be running anti-spyware of your choice (I recommend Blink from eEye... it has found stuff nothing else found... it's about 50 bucks, but it also prevents phishing, and -prevents- spyware, not just detecting and removing. It also protects against zero-days.)

    http://www.eeye.com/html/index.html
    "I used to be with it. But then they changed what it was. Now what I'm with isn't it, and what's it seems scary and weird." - Abe Simpson

  6. #6
    You can use the command-line utility "fport".

    This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated
    One of the great days in my life was when I found antionline.com
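The netstat -a -b (post #2) and fport (post #6) approach, as a script: take a snapshot of the connection table, pick out every connection whose remote address is one of the IPs the suspect name resolves to, and report the PID and executable that owns it. This is an added example, not code from the thread or from either tool. It assumes the Windows XP-era netstat layout (a PID column, and the owning executable in square brackets on the line below each connection); the sample netstat output and the IP list are constructed for the demonstration, and the loop at the bottom is the only part that runs the real command.

```python
"""Find which local process talks to a suspect host, from netstat -a -b output.
Added example: netstat layout assumed from Windows XP; sample data is constructed."""
import re
import subprocess
import time

# Constructed sample of 'netstat -a -b -n -o' output (XP SP2 layout assumed: a PID
# column, then the owning executable in [brackets] on the following line).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  [svchost.exe]

  TCP    192.168.1.23:1063      203.0.113.7:80         ESTABLISHED     1724
  [updater.exe]

  TCP    192.168.1.23:1071      198.51.100.10:443      TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
  [System]
"""

# IPs the suspect name resolves to (constructed; in practice fill this from
# nslookup / the hpHosts lookup, since the name may resolve to several addresses).
SUSPECT_IPS = {"203.0.113.7", "203.0.113.8"}

# Connection row: proto, local, foreign, optional state (UDP has none), PID.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
# Executable line printed by -b, e.g. "  [updater.exe]".
EXE_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def parse_netstat(text):
    """Return one dict per connection: proto, local, remote, state, pid, exe."""
    rows = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "remote": remote,
                         "state": state or "", "pid": int(pid), "exe": None})
            continue
        m = EXE_RE.match(line)
        # The bracketed executable belongs to the most recent connection row.
        if m and rows and rows[-1]["exe"] is None:
            rows[-1]["exe"] = m.group(1)
    return rows


def ip_of(addr):
    """Strip the port from 'ip:port' (works for '[::1]:80' as well)."""
    return addr.rsplit(":", 1)[0]


def connections_to(rows, suspect_ips):
    return [r for r in rows if ip_of(r["remote"]) in suspect_ips]


def suspect_processes(text, suspect_ips):
    """Map PID -> executable for every connection to a suspect IP."""
    return {r["pid"]: r["exe"] for r in connections_to(parse_netstat(text), suspect_ips)}


def netstat_snapshot():
    """Run the real command (Windows only; -b needs an elevated prompt on Vista and later)."""
    return subprocess.run(["netstat", "-a", "-b", "-n", "-o"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # The connection is short-lived (post #4), so poll a few times rather than
    # relying on a single snapshot catching it.
    for _ in range(90):
        hits = suspect_processes(netstat_snapshot(), SUSPECT_IPS)
        if hits:
            print("suspect connections owned by:", hits)
        time.sleep(1)
```

Run it with the resolved addresses in SUSPECT_IPS and let it poll for a couple of minutes; a hit names the process to look at. The UDP row in the sample has no State column, which is why the regex makes that field optional.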

  7. #7
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Hi there... That is indeed malware. I found that domain in one of my snort sigs.

    alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup fric.cn"; content:"|04|fric|02|cn"; nocase; classtype:trojan-activity; reference:url,www.bleedingsnort.com/blackhole-dns; sid:1033145; rev:1;)
    That domain has been linked to CoolWebSearch.

    http://www.bleedingsnort.com/forum/v...showtopic=1566

    Download and run CWShredder in safe mode. (don't forget to disable system restore)

    http://www.intermute.com/spysubtract..._download.html

    BTW: It doesn't look as if the domain is still up and running...

    When you went there... if you tried going there with IE and had your default search set to the Microsoft search, they'll redirect you to a Microsoft search site when the browser could not resolve the IP of the site (because it appears to be down).
    Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
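Why the Snort signature in post #7 fires for login.fric.cn even though its content string names only fric.cn: DNS puts each label on the wire as a length byte followed by the label, so `|04|fric|02|cn` is a byte substring of the encoded query name for any host under fric.cn. The following is an added example (not Snort code and not part of the original post) that builds the DNS query a client would send on UDP/53 and applies the rule's `content`/`nocase` match to it; the transaction ID is an arbitrary assumed value.

```python
"""DNS QNAME encoding vs. the Snort content match |04|fric|02|cn.
Added example, not from the thread; transaction ID is an assumed constant."""
import struct


def encode_qname(name):
    """Encode a hostname as a DNS wire-format QNAME (RFC 1035 section 3.1):
    one length byte per label, then the bytes of the label, then a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminates the name
    return bytes(out)


def build_a_query(name, txid=0x1234):
    """A minimal standard A-record query: 12-byte header (RD set, QDCOUNT=1),
    the QNAME, then QTYPE=A (1) and QCLASS=IN (1)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack(">HH", 1, 1)


def snort_content_to_bytes(content):
    """Turn a Snort content string such as '|04|fric|02|cn' into raw bytes:
    text between |..| is hex, everything else is literal."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 1:
            out += bytes.fromhex(part)
        else:
            out += part.encode("latin-1")
    return bytes(out)


def rule_matches(payload, content, nocase=True):
    """Snort's content test is a byte-substring search; nocase folds ASCII case
    (length bytes such as 0x04 are untouched by the folding)."""
    needle = snort_content_to_bytes(content)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


if __name__ == "__main__":
    sig = "|04|fric|02|cn"
    for host in ("fric.cn", "login.fric.cn", "FRIC.CN", "notfric.cn", "fric.cn.example.com"):
        print("%-22s %s" % (host, rule_matches(build_a_query(host), sig)))
```

Two things worth noticing when checking the results: the unanchored match does not fire on notfric.cn (the length byte in front of the label is 0x07, not 0x04), but it does fire on fric.cn.example.com, because the same bytes appear in the middle of that name. Appending the terminating `|00|` to the content (`|04|fric|02|cn|00|`) pins the match to names that end in fric.cn, which is the stricter form to use if such false positives matter.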

  8. #8
    Junior Member
    Join Date
    Aug 2006
    Posts
    15
    fric.cn doesn't work but login.fric.cn does.

  9. #9
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Originally posted here by karb0n
    fric.cn doesn't work but login.fric.cn does.
    Not sure why... but I'm unable to resolve either login.fric.cn or fric.cn. No ping, no tracert, etc.
    The only thing I can find is a little bit of whois info. Not much at all.

    http://www.dnsstuff.com/tools/whois.ch?ip=fric.cn

    http://www.samspade.org/t/lookat?a=fric.cn

    When using IE, if you can't resolve the IP, IE will redirect you to your default search provider.
    The default search provider is Microsoft. (I have changed mine to Google... so I get redirected to a Google page.)

    So, the reason you could be seeing microsoft when you try to visit that site is because you're being redirected. But, who knows. I don't have your eyes and can't see what you have on your screen.
    Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  10. #10
    Junior Member
    Join Date
    Aug 2006
    Posts
    15
    I am using Firefox; maybe it only accepts some IPs...? If I telnet into port 80 and write something, I get this:
    HTTP/1.1 400 Bad Request
    Date: Fri, 31 Aug 2006 12:34:32 GMT
    Content-Length: 49
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    Server: ********.embedded/0.9

    <font size="+1"><b>400 - Bad Request</b></font>
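The 400 in post #10 is the server rejecting whatever was typed as an invalid request line, not a sign that the host refuses the client. What a hand probe should send is a proper request line plus a Host header (HTTP/1.1 requires it, and a name-based virtual host such as login.fric.cn may answer differently without it). The following is an added example, not part of the original post: it builds that minimal request and parses a raw response, using the response captured above as sample data (the body's trailing line ending is assumed to be CRLF, which is what makes it 49 bytes as the Content-Length says). The User-Agent string is an arbitrary assumed value, and only the `probe` function touches the network.

```python
"""Minimal well-formed HTTP/1.1 request and a raw-response parser for hand probes.
Added example; SAMPLE_RESPONSE is the reply shown in the thread, body CRLF assumed."""
import socket

SAMPLE_RESPONSE = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Date: Fri, 31 Aug 2006 12:34:32 GMT\r\n"
    b"Content-Length: 49\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"Server: ********.embedded/0.9\r\n"
    b"\r\n"
    b'<font size="+1"><b>400 - Bad Request</b></font>\r\n'
)


def build_request(host, path="/", method="GET"):
    """Request line, Host header (mandatory in HTTP/1.1), a blank line. Bare CRLF
    separators, which is what typing into telnet usually gets wrong."""
    return ("%s %s HTTP/1.1\r\n"
            "Host: %s\r\n"
            "User-Agent: probe/0.1\r\n"   # assumed value
            "Connection: close\r\n"
            "\r\n" % (method, path, host)).encode("ascii")


def parse_response(raw):
    """Split a raw response into status, reason, lower-cased header dict and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker in response")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, status, reason = lines[0].split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"version": version, "status": int(status), "reason": reason,
            "headers": headers, "body": body}


def body_length_ok(resp):
    """True when the body is as long as Content-Length claims (or no length given)."""
    declared = resp["headers"].get("content-length")
    return declared is None or len(resp["body"]) == int(declared)


def probe(host, port=80, timeout=5.0):
    """Send the request to a live host and parse the reply (network; not run by the test)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


if __name__ == "__main__":
    r = parse_response(SAMPLE_RESPONSE)
    print(r["status"], r["reason"], "| server:", r["headers"].get("server"),
          "| length ok:", body_length_ok(r))
```

With `probe("login.fric.cn")` the status and Server header of a real reply are what to compare against the 400 shown above; a 200 or 302 for GET / with the Host header set would tell you the host is serving something for that name rather than rejecting malformed input.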
