Thread: Service running?

  1. #1
    Junior Member
    Join Date
    Oct 2006
    Posts
    5

    Service running?

    I checked the netstat command on my personal PC and I observed that it's establishing a connection to a foreign address, 88.208.250.70:443 (note that this is the only connection established; no other service is connecting to the Internet). I started my investigation to gather more information about the IP using nmap, whois and wireshark. I came to know that the IP is hosted in the UK for FastHost UK Network.

    My concern is why my PC is connected to the above IP, and what kind of service is exchanged. I ran wireshark to analyze the traffic, and I observed that my PC first sends a SYN request. A complete 3-way handshake completes and an SSL connection is established. The info given by wireshark is Continuation Data. I didn't get any more details.

    From the firewall I created a rule to block the inbound and outbound connection.

    My question: since my PC is starting the connection, how do I know the service or the software running, in order to delete it or kill it?

  2. #2
    Senior Member t34b4g5's Avatar
    Join Date
    Sep 2003
    Location
    Australia.
    Posts
    2,391
    Just block everything via your firewall and wait for something to pop up asking for permission to establish a connection.

    might take a while though

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    What kind of service?

    Just Google them and you will find out.

    Scumbags lost this one:

    http://www.amazon.com/Fasthosts-Inte.../dp/B00006BLT7

    And have been in trouble with our Advertising Standards Agency:

    http://www.asa.org.uk/asa/adjudicati...ation_id=40505

    I find it hard to imagine McCocolo as pure as the driven snow, but......................sort of reminds me of SCO

    So, the question is, does the connection always go to that IP address?........ if it is fixed please let me know, as I am based in the UK

  4. #4
    Junior Member
    Join Date
    Oct 2006
    Posts
    5
    Yes, it's always connecting to the same address. Maybe I have a backdoor that sends a request to that address, or a running service requesting the same.

    I fixed it by blocking the IP from the firewall, but I want to know the root of this connection to kill it.

    Since you are based in the UK, maybe the IP belongs to you

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Use netstat -bn, look for an ESTABLISHED to that same IP address, note the PID. Look in taskmanager or process explorer what that PID is.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  6. #6
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    Ahh SD - Clever boy
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

  7. #7
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,253
    netstat -aon

    One stop shopping
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0
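
The netstat-then-Task-Manager lookup suggested in posts #5 and #7, done in one pass, as an added PowerShell example that is not from any poster in the thread. It assumes an elevated session on Windows 8 / Server 2012 or later; `Get-ConnectionOwner` is a hypothetical helper name.

```powershell
# Added example: map a TCP connection to its owning process and Windows service.
# Assumes an elevated session on Windows 8 / Server 2012 or later.
# Get-ConnectionOwner is a hypothetical helper name, not a built-in cmdlet.
function Get-ConnectionOwner {
    param(
        [Parameter(Mandatory)][string]$RemoteAddress,
        [int]$RemotePort = 443
    )

    # No -State filter: once a firewall rule blocks the peer, the socket shows
    # up as SynSent or TimeWait (owning PID 0) instead of Established.
    $conns = Get-NetTCPConnection -RemoteAddress $RemoteAddress -RemotePort $RemotePort -ErrorAction SilentlyContinue
    if (-not $conns) {
        Write-Warning "No socket to ${RemoteAddress}:$RemotePort right now; rerun until it reappears."
        return
    }

    foreach ($c in $conns) {
        $procId = $c.OwningProcess          # same value as the PID column of netstat -aon
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $procId"
        # One host process can carry several services, so keep every match.
        $svcs = @(Get-CimInstance Win32_Service -Filter "ProcessId = $procId")
        $sig = if ($proc.ExecutablePath) {
            (Get-AuthenticodeSignature -FilePath $proc.ExecutablePath).Status
        } else { 'PathUnavailable' }

        [pscustomobject]@{
            State        = $c.State
            LocalPort    = $c.LocalPort
            PID          = $procId
            Image        = $proc.Name
            Path         = $proc.ExecutablePath
            CommandLine  = $proc.CommandLine
            ParentPID    = $proc.ParentProcessId
            Services     = ($svcs.Name -join ', ')
            ServicePaths = ($svcs.PathName -join ' | ')
            StartMode    = ($svcs.StartMode -join ', ')
            Signature    = $sig
        }
    }
}

# Address and port as reported in the first post of the thread.
Get-ConnectionOwner -RemoteAddress '88.208.250.70' -RemotePort 443 | Format-List
```

An empty `Services` field means the process was not started by the Service Control Manager, so `ParentPID` and `CommandLine` are the next things to look at.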

  8. #8
    Junior Member
    Join Date
    Oct 2006
    Posts
    5
    Thank you a lot SirDice.

    I detected the service. The name of the service is servlnks.exe and it is installed under this directory: C:\Program Files\Windows SSL Transport. Another file is named Start.ini; its content is as follows:

    site=megabandwidth.ibypass.co.uk
    user=Premium

    Another batch file has the following lines:

    net stop servlnks
    net start servlnks

    Does anybody know about ibypass? Our ISP is blocking the site.

    I wonder how the folder got installed on my PC; I don't recall installing any proxy server. Anyhow, I solved the problem, and thanks everybody for the support.

  9. #9
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Quote: "anybody know about ibypass? our ISP is blocking the site."
    It is a proxy server and appears to have been taken down at the moment, so it might not be your ISP blocking it, perhaps they just can't connect?

    Quote: "i wonder how the folder installed in my PC"
    Some torrent or other download sites are not quite what they seem...........warez sites are certainly to be avoided
