-
August 29th, 2006, 06:14 PM
#1
Junior Member
Something connecting to a webpage every minute
I've been looking at the traffic in my wireless network and something checks the webpage login.fric.cn more or less every minute. I went there and there is only a button that takes you to Microsoft, but I don't think it's a Microsoft thing... Does anyone know what it is? Thanks
-
August 29th, 2006, 07:10 PM
#2
Welcome to AO!
try going to start > run > cmd
and type 'netstat -a -b' and push enter... [minus the quotes] that will tell you your outbound connections and the executables associated with them... hope this helps...
westin
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
-HST
-
August 29th, 2006, 08:22 PM
#3
Another program that you can use is from Microsoft, called Port Reporter. This will install only as a service that will log all loaded files in memory when a socket is opened. We use this as a tool to see what is happening to servers when they are sending out goofy packets.
Here is the MS webpage http://www.microsoft.com/downloads/d...displaylang=en
Jive Lady: Jus' hang loose, blood. She gonna catch ya up on da' rebound on da' med side.
Second Jive Dude: What it is, big mama? My mama no raise no dummies. I dug her rap!
Jive Lady: Cut me some slack, Jack! Chump don' want no help, chump don't GET da' help! Jive ass dude don't got no brains anyhow! Hmmph!
-
August 29th, 2006, 08:32 PM
#4
Junior Member
thanks a lot, I think I'll use Port Reporter since I don't think the socket keeps connected after it checks that website.
-
August 30th, 2006, 12:56 AM
#5
some additional sites resolve to the same IP
http://hphosts.mysteryfcm.co.uk/?s=login.fric.cn
and it appears on a blocked sites list here
http://www.ifls.lib.wi.us/about/tech...kedspyware.asp
i'd say your first step is to set your firewall to block inbound and connections to fric.cn
rule of thumb... anytime you see an unexpected connection to servers in China (.cn), Russia (.ru) and a bunch more... I'd assume you are compromised in one fashion or another...
i'd get http://www.sophos.com/products/free-...i-rootkit.html and run it..
and I'd be running anti spyware of your choice (i recommend blink from eEye..it has found stuff nothing else found...it's about 50 bucks but also prevents phishing, and -prevents- spyware, not just detecting and removing. Also protects against zero days
http://www.eeye.com/html/index.html
"I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
-
August 30th, 2006, 08:38 AM
#6
Member
you can use the command line utility "fport"
This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated
one of the greatest days in my life was when I found antionline.com
-
August 30th, 2006, 03:38 PM
#7
Hi there... That is indeed malware. I found that domain in one of my snort sigs.
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup fric.cn"; content:"|04|fric|02|cn"; nocase; classtype:trojan-activity; reference:url,www.bleedingsnort.com/blackhole-dns; sid:1033145; rev:1;)
That domain has been linked to Cool Web Search
http://www.bleedingsnort.com/forum/v...showtopic=1566
Download and run CWShredder in safe mode. (don't forget to disable system restore)
http://www.intermute.com/spysubtract..._download.html
BTW: It doesn't look as if the domain is still up and running...
When you went there... if you tried going there with IE and had your default search set to the microsoft search, they'll redirect you to a microsoft search site when the browser could not resolve the ip of the site. (because it appears to be down.)
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
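How the Snort rule quoted above actually fires, as an added example that is not part of the thread: the pattern |04|fric|02|cn is the DNS wire-format encoding of the labels "fric" and "cn" (each label prefixed by its length byte), so the rule matches any query whose name contains those two labels in sequence. The DNS packets below are constructed in the script; the function names and the sample hostnames are my own.

```python
# Added example (not from the thread): reproduce the match logic of
# content:"|04|fric|02|cn"; nocase; over constructed DNS query packets.
import struct

def encode_qname(hostname: str) -> bytes:
    """Encode a hostname as DNS wire-format labels (RFC 1035, section 3.1)."""
    out = b""
    for label in hostname.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label length: {label!r}")
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"  # empty root label terminates the name

def build_dns_query(hostname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal A-record query (constructed sample traffic, not a capture)."""
    # id, flags (RD set), qdcount=1, ancount=0, nscount=0, arcount=0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_qname(hostname) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question

# The rule's content pattern as the raw bytes Snort searches for.
FRIC_CN_PATTERN = b"\x04fric\x02cn"

def rule_matches(packet: bytes) -> bool:
    """Case-insensitive substring search, like Snort's content + nocase.
    bytes.lower() only folds ASCII letters, so the length bytes are untouched."""
    return FRIC_CN_PATTERN.lower() in packet.lower()

def queried_name(packet: bytes) -> str:
    """Decode the QNAME (after the 12-byte header) so a hit can be logged readably."""
    pos, labels = 12, []
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

if __name__ == "__main__":
    for name in ["login.fric.cn", "FRIC.CN", "fric.cn.example.org", "www.microsoft.com"]:
        pkt = build_dns_query(name)
        print(f"{queried_name(pkt):22s} match={rule_matches(pkt)}")
```

Note that login.fric.cn matches as well as fric.cn, which is why the rule catches the subdomain seen in the original post; the same substring logic also fires on a name like fric.cn.example.org, so a hit is worth confirming against the decoded query name before acting on it.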
-
August 30th, 2006, 08:30 PM
#8
Junior Member
fric.cn doesn't work but login.fric.cn does.
-
August 31st, 2006, 01:28 PM
#9
Originally posted here by karb0n
fric.cn doesn't work but login.fric.cn does.
Not sure why... but I'm unable to resolve either login.fric.cn or fric.cn. No ping, no tracert, etc.
The only thing I can find is a little bit of whois info. Not much at all.
http://www.dnsstuff.com/tools/whois.ch?ip=fric.cn
http://www.samspade.org/t/lookat?a=fric.cn
When using IE, if you can't resolve the IP, IE will redirect you to your default search provider.
The default search provider is microsoft. (I have changed mine to google... so I get redirected to a google page.)
So, the reason you could be seeing microsoft when you try to visit that site is because you're being redirected. But, who knows. I don't have your eyes and can't see what you have on your screen.
-
August 31st, 2006, 01:35 PM
#10
Junior Member
I am using Firefox, maybe it only accepts some IPs...? If I telnet into port 80 and write something I get this:
HTTP/1.1 400 Bad Request
Date: Fri, 31 Aug 2006 12:34:32 GMT
Content-Length: 49
Connection: close
Content-Type: text/html; charset=iso-8859-1
Server: ********.embedded/0.9
<font size="+1"><b>400 - Bad Request</b></font>