-
November 15th, 2008, 10:23 PM
#1
Junior Member
Service running?
I checked the netstat command on my personal PC and I observed that it's establishing a connection to a foreign address 88.208.250.70:443 (note that this is the only connection established; no other service is connecting to the Internet). I started my investigation to gather more information about the IP using nmap, whois, wireshark. I came to know that the IP is hosted in the UK for FastHost UK Network.
My concern is why my PC is connected to the above IP and what kind of service is exchanged. I ran wireshark to analyze the traffic, and I observed that my PC first sends a SYN request. A complete 3-way handshake completes and an SSL connection is established. The info given by wireshark is Continuation Data. I didn't get any more details.
From the firewall I created a rule to block the inbound and outbound connection.
My question: since my PC is starting the connection, how do I know which service or software is running, in order to delete it or kill it?
-
November 16th, 2008, 02:06 AM
#2
Just block everything via your firewall and wait for something to pop up asking for permission to establish a connection.
Might take a while though.
-
November 16th, 2008, 02:12 AM
#3
-
November 16th, 2008, 04:20 PM
#4
Junior Member
Yes, it's always connecting to the same address. Maybe I have a backdoor that sends a request to that address, or a running service requesting the same.
I fixed it by blocking the IP from the firewall, but I want to know the root of this connection to kill it.
Since you are based in the UK, maybe the IP belongs to you.
-
November 17th, 2008, 08:11 AM
#5
Use netstat -bn, look for an ESTABLISHED to that same IP address, note the PID. Look in Task Manager or Process Explorer what that PID is.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
November 17th, 2008, 09:32 AM
#6
Ahh SD - Clever boy
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
Albert Einstein
-
November 17th, 2008, 03:01 PM
#7
netstat -aon
One stop shopping
09:F9:11:02:9D:74:E3:5B 8:41:56:C5:63:56:88:C0
-
November 18th, 2008, 10:17 PM
#8
Junior Member
Thank you a lot SirDice.
I detected the service. The name of the service is servlnks.exe and it is installed under this directory: C:\Program Files\Windows SSL Transport. Another file is named Start.ini; the content of the file is as follows:
site=megabandwidth.ibypass.co.uk
user=Premium
Another batch file has the following lines:
net stop servlnks
net start servlnks
Anybody know about ibypass? Our ISP is blocking the site.
I wonder how the folder got installed on my PC; I don't recall installing any proxy server. Anyhow, I solved the problem, and thanks everybody for the support.
-
November 19th, 2008, 07:47 AM
#9
anybody know about ibypass? our ISP is blocking the site.
It is a proxy server and appears to have been taken down at the moment, so it might not be your ISP blocking it, perhaps they just can't connect?
i wonder how the folder installed in my PC
Some torrent or other download sites are not quite what they seem... warez sites are certainly to be avoided.
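An added example, not part of any post in this thread: the PID lookup suggested in the replies, automated by joining captured `netstat -aon` output with `tasklist /svc /fo csv` output. The sample output is constructed; the local address and PIDs are assumptions, and only the remote address and the servlnks name come from the thread.

```python
import csv, io

# Constructed `netstat -aon` output: local address and PIDs are made up,
# the remote endpoint is the one reported in the thread.
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.10:1042      88.208.250.70:443      ESTABLISHED     1684
  TCP    192.168.1.10:1050      192.168.1.1:80         TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    700
"""

# Constructed `tasklist /svc /fo csv` output (PIDs match the sample above).
TASKLIST = '''"Image Name","PID","Services"
"svchost.exe","912","RpcSs"
"servlnks.exe","1684","servlnks"
'''

def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) from `netstat -aon` text."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # skip banner, header and blank lines
        # UDP rows have no State column, so the PID is always the last field.
        state = parts[3] if len(parts) == 5 else ""
        yield parts[0], parts[1], parts[2], state, int(parts[-1])

def parse_tasklist(text):
    """Map PID -> (image name, services) from `tasklist /svc /fo csv` text."""
    rows = csv.DictReader(io.StringIO(text))
    return {int(r["PID"]): (r["Image Name"], r["Services"]) for r in rows}

def owners_of(remote_ip, netstat_text, tasklist_text):
    """Return the processes holding ESTABLISHED connections to remote_ip."""
    procs = parse_tasklist(tasklist_text)
    hits = []
    for _proto, _local, remote, state, pid in parse_netstat(netstat_text):
        host = remote.rsplit(":", 1)[0]  # strip the port, keep the address
        if state == "ESTABLISHED" and host == remote_ip:
            image, services = procs.get(pid, ("<unknown>", "N/A"))
            hits.append({"pid": pid, "image": image, "services": services})
    return hits

if __name__ == "__main__":
    for hit in owners_of("88.208.250.70", NETSTAT, TASKLIST):
        print(hit)
```

On a live machine, feed it the real output of the two commands; a non-empty Services column means the process runs as a Windows service and will restart unless the service itself is stopped and removed.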