-
March 30th, 2003, 04:42 PM
#1
Junior Member
Question on IP# and RNAAPP.EXE
When I disconnect from the internet (on dial-up) I get the following. Sygate Firewall Pro picks up the following packet. Every time it is a different packet....
File Version : 4.90.3000
File Description : Dial-Up Networking Application
File Path : C:\WINDOWS\SYSTEM\RNAAPP.EXE
Process ID : FFFC07D5 (Heximal) 4294707157 (Decimal)
Connection origin : local initiated
Ethernet packet details:
Ethernet II (Packet Length: 48)
Destination: 01-00-5e-00-00-02
Source: 44-45-53-54-00-00
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 24 bytes
Flags:
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 1
Protocol: 0x2 (IGMP - Internet Group Management Message Protocol)
Header checksum: 0x2abf (Correct)
Source: 144.247.105.193
Destination: 224.0.0.2
Binary dump of the packet:
0000: 01 00 5E 00 00 02 44 45 : 53 54 00 00 08 00 46 00 | ..^...DEST....F.
0010: 00 20 8A F2 00 00 01 02 : BF 2A 90 F7 69 C1 E0 00 | . .......*..i...
0020: 00 02 94 04 00 00 17 00 : F9 04 EF FF FF FA 65 64 | ..............ed
OrgName: SUPSHIP, Groton, U.S.N.
OrgID: SGU-2
Address: 3101 WASHINGTON AVE
Address: BUILDING 635
City: NEWPORT NEWS
StateProv: VA
PostalCode: 23607
Country: US
NetRange: 144.247.0.0 - 144.247.255.255
CIDR: 144.247.0.0/16
NetName: SOSGNET
NetHandle: NET-144-247-0-0-1
Parent: NET-144-0-0-0-0
NetType: Direct Assignment
NameServer: AISCDNS1.SUPSHIP.NAVY.MIL
NameServer: AISCFW2.SUPSHIP.NAVY.MIL
NameServer: MONITOR.SSSD.NAVY.MIL
Comment:
RegDate: 1990-01-11
Updated: 2003-03-25
TechHandle: LC686-ARIN
TechName: Crowder, Lee
TechPhone: +1-757-688-0284
TechEmail: [email protected]
# ARIN WHOIS database, last updated 2003-03-28 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
=============
File Version : 4.90.3000
File Description : Dial-Up Networking Application
File Path : C:\WINDOWS\SYSTEM\RNAAPP.EXE
Process ID : FFFE1497 (Heximal) 4294841495 (Decimal)
Connection origin : local initiated
Ethernet packet details:
Ethernet II (Packet Length: 48)
Destination: 01-00-5e-00-00-02
Source: 44-45-53-54-00-00
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 24 bytes
Flags:
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 1
Protocol: 0x2 (IGMP - Internet Group Management Message Protocol)
Header checksum: 0xce4e (Correct)
Source: 128.246.105.193
Destination: 224.0.0.2
Binary dump of the packet:
0000: 01 00 5E 00 00 02 44 45 : 53 54 00 00 08 00 46 00 | ..^...DEST....F.
0010: 00 20 0B 50 00 00 01 02 : 4E CE 80 F6 69 C1 E0 00 | . .P....N...i...
0020: 00 02 94 04 00 00 17 00 : F9 04 EF FF FF FA 68 74 | ..............ht
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-serv...copyright.html
inetnum: 128.246.0.0 - 128.246.255.255
netname: CIBA-NET
descr: Ciba Speciialty Chemicals
descr: 4002 Basel
descr: Switzerland
country: CH
admin-c: KP1727-RIPE
tech-c: KP1727-RIPE
status: ASSIGNED PI
mnt-by: CIBA-MNT
changed: [email protected] 20020802
source: RIPE
route: 128.246.0.0/16
descr: CH-CIBA
origin: AS15799
mnt-by: CIBA-MNT
changed: [email protected] 20010329
source: RIPE
person: Peter Krause
address: Ciba Specialty Chemicals
address: Klybeckstrasse 141
address: CH-4002 Basel
phone: +41 61 636 47 71
fax-no: +41 61 636 88 77
e-mail: [email protected]
nic-hdl: KP1727-RIPE
changed: [email protected] 19971020
source: RIPE
-
March 30th, 2003, 04:57 PM
#2
RNAAPP.EXE is a core component of Windows dial-up networking.
This would explain why it happens when you dial up.
source
rnaapp - rnaapp.exe - Process Information
Process File: rnaapp or rnaapp.exe
Process Name: Windows Modem Connection
Description: The Windows Modem Connection Process handles dial-up modem connections
Common Errors: N/A
System Process: No
techies guide to combating rnaapp
-
March 30th, 2003, 05:10 PM
#3
Junior Member
The problem is when I disconnect it throws up the packets.....It only started here recently.......I have Norton AV, AVG, Anti-Trojan, TDS-3, of course not all running at the same time....
I have scanned with all of them to see if there is some keylogger set up on this box....Have not turned up anything, have checked ports, nothing. I am wondering if I have DL something that has a new keylogger running on stealth ports and the only way I see anything is when I disconnect from the internet....
By disconnecting and it tries to reconnect and Sygate picks it up....
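Decoding the two binary dumps from the first post, as an added example that is not part of the original thread: the parser below reads the firewall's hex-dump layout and reports the IP and IGMP fields, including the multicast group that the firewall's summary does not show. The function names are this example's own.

```python
import ipaddress
import struct

# The two "Binary dump" blocks from the first post, copied verbatim.
DUMPS = ["""\
0000: 01 00 5E 00 00 02 44 45 : 53 54 00 00 08 00 46 00 | ..^...DEST....F.
0010: 00 20 8A F2 00 00 01 02 : BF 2A 90 F7 69 C1 E0 00 | . .......*..i...
0020: 00 02 94 04 00 00 17 00 : F9 04 EF FF FF FA 65 64 | ..............ed""", """\
0000: 01 00 5E 00 00 02 44 45 : 53 54 00 00 08 00 46 00 | ..^...DEST....F.
0010: 00 20 0B 50 00 00 01 02 : 4E CE 80 F6 69 C1 E0 00 | . .P....N...i...
0020: 00 02 94 04 00 00 17 00 : F9 04 EF FF FF FA 68 74 | ..............ht"""]
IGMP_TYPES = {0x11: "Membership Query", 0x12: "v1 Membership Report",
              0x16: "v2 Membership Report", 0x17: "v2 Leave Group"}  # RFC 2236

def dump_to_bytes(dump):
    # Keep the hex column only: drop the offset before the first ':' and the ASCII after '|'.
    rows = (l.split(":", 1)[1].split("|", 1)[0] for l in dump.splitlines())
    return bytes.fromhex("".join(rows).replace(":", ""))

def checksum_ok(data):
    # Internet checksum: the folded one's-complement sum of a valid block is 0xFFFF.
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode(dump):
    frame = dump_to_bytes(dump)
    ihl = (frame[14] & 0x0F) * 4           # IP header length; 24 means 4 bytes of options
    ip = frame[14:14 + ihl]
    total_len = struct.unpack("!H", ip[2:4])[0]
    igmp = frame[14 + ihl:14 + total_len]  # IGMP message follows the IP options
    if frame[12:14] != b"\x08\x00" or ip[9] != 2 or len(igmp) < 8:
        raise ValueError("not an IPv4/IGMP frame")
    return {
        "src": str(ipaddress.IPv4Address(ip[12:16])),
        "dst": str(ipaddress.IPv4Address(ip[16:20])),
        "ttl": ip[8],
        "router_alert": ip[20:ihl].startswith(b"\x94\x04"),  # IP option type 148
        "checksums_ok": checksum_ok(ip) and checksum_ok(igmp),
        "igmp_type": IGMP_TYPES.get(igmp[0], hex(igmp[0])),
        "group": str(ipaddress.IPv4Address(igmp[4:8])),
        "padding": len(frame) - 14 - total_len,  # bytes after the IP datagram
    }

for d in DUMPS:
    print(decode(d))
```

Both frames decode as IGMPv2 Leave Group messages for 239.255.255.250 (the SSDP multicast group), sent to the all-routers address 224.0.0.2 with TTL 1. Only the source address, the IP ID and header checksum, and the two trailing padding bytes differ between them.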