questionable IP on log files...

A friend of mine got his computer hacked (or so he thinks) a week or 2 ago, so we have been doing hordes or research to ensure our computers are now trojan/virus free. Since that time I have been checking my log files (router log and zone alarm log) for anything unusual. I have an entry in my router log that says its an outbound active trojan (ass sniffer it's called according to linksys site).

there have been 15 outbound transmissions from my main computer to IP 65.29.202.xxx (would rather not expose the IP unless I know its a trojan for sure) in the past few days... they have been using all kinds of ports on my machine to send packets (mostly in the 1000-2400 range of ports) but have been consistently connecting to the remote machine on port 2330.

Now if I was to look into this further to see who's IP this is and where this trojan is stored to ensure I'm not just being paranoid, where could I start?

I run netstat frequently, but everything looks pretty normal, nothing unusual listening (although I might not know if something was amiss). I downloaded fport and use that to trace open ports to a program.

any other ideas?

almost forgot, im running windows 2000, service pack 3.

That domain is registered as follows:

OrgName: Road Runner
OrgID: RRMA

NetRange: 65.28.0.0 - 65.31.255.255

Have you implemented Access Lists on your router? If not, I would recommend this.
I would also get some Trojan Cleaning software just to be sure. Search the forums, you will find a heap of recommended software which will do the trick.

On a side note, have you been doing any FTPing (or vice-versa) to any Addresses within this IP range?

Since you are using ZoneAlarm all you have to do is block any transamission to or from that adress. Next download PestPatrol for a free trial. Use it to scan your hard drive and remove any pests (Trojans, RATS, Spyware, etc). If youre not impressed let it lapse, if you are impressed buy it. Also scan your system using your virus scanning program. That should leave you with a clean system at least for a while. I'll be glad to help if you need any more.

Mayhem

First you need to get a trojan cleaner and run it. Also, you said you're running zone alarm. If you are running the standard version (not Pro) you should make sure you have the latest version. Then you might try going to program control and select medium (you need pro to go to high). Then click on programs tab and set every permission on each program to "ask." This will ask you before performing an outbound transmission. Read the alerts carefully and if you don't recognize the program or know what it is doing, check the "remember this" box (or whatever it's called) and select no.

If you're running ZA Pro, go to advanced settings and shut down every port incoming and outgoing unless you need it for normal operation. Also, you might like to get ZoneLog (free) to help analyze your ZA logs.

i sugest to get a IP Hider (computer nerds best friend)

I thought ass sniffer was an old ip sniffer for mostly chat rooms? Does this mean the tool was used from your machine?

Thanks for all the responses guys,
Lets see....
Soggy, no ftping that I can recall to that IP range. If I had, there would be a port 21 in there somewhere I would think, which there is not. How did u find out where the domain is registered?

Mayhem, Since I noticed this I have blocked that IP on ZA. Thanks for the suggestion, that anti-pest program sounds like the ticket.

Gandalf, I am running the ZA pro version. I would set all programs to ask for permission to access the internet, but many of them may be used for normal operation and I just don't recognize that fact. For instance.. MStask.exe is always listening on port 1025. I did many searches on it and it seems like a legit M$ program so I let it be. My computer listens on ports 130, 135, etc... when I run fport, it tells me they are system programs. If I could tell somehow which programs are normal win 2000 pro programs needed for normal operation, I would be able to recognize the phony ones.

pak, according to a site I looked at ass sniffer is a trojan that uses chat rooms, but it seems like it uses IM chat programs most, like icq, AIM, yahoo, irc. etc.... I'm on icq a lot, so this would make perfect sense.

So, if I find out that this is a trojan, is there a way I can find out who is registered to this IP address so I can report him or at least let him know that I'm on to him? Would I have to contact his ISP to find that out?

find out who ip ranges belong to at.,..

http://www.arin.net/whois

if the address is european, it will tell you and you can get more info at

http://www.ripe.net

and asian

http://www.apnic.net

Hi Phite. One place you could look up information of this nature (names/orgs) that have registered IPs/IP ranges is with a whois search on something like ARIN or you could download a tool like Sam Spade which comes with alot of neat little tools for free. They also have a whois lookup on their site. You should be able to get contact information for whatever purpose, including notification of abuse. For detecting and removing trojans, you can download a 30-day trial of The Cleaner and register it afterwards if you are happy. I hear that people are usually pretty impressed with The Cleaner. I hope that helps a bit.


t2k2


Edit: Sorry to repeat, but IchNiSan saved his post 2 min before me! ;)

Just a handy reference document. Try shutting almost everything, then slowly opening up as a valid request is made to ZA Pro.