-
May 26th, 2006, 04:49 PM
#1
Have computer trying to connect to Chinese IP address
We have an ACL in our routers to not let anything go to certain Chinese IP blocks. We feel that the blocked range of IP addresses is up to no good. OK, so one of the admins looks in the router and sees that 3 computers are trying to get to the addresses. They are sending SYN requests and since the IP is being blocked in the router nothing happens. Another admin creates a VLAN so we can mimic the server and I use the WHAX security disk to run a webserver and Ethereal to see what is happening. It looks like it might be spyware but I am not sure. We run Symantec Client Security on the clients but the logs only tell me that the connection was created from the client to the webserver.
Here is my question: I want to know what program on the server is sending the offending requests. Is there any software on the internet for Windows that will capture when a program opens a socket and log that information? I want to log when a connection is made on the client and what is creating the connections.
Thanks
-GA
Jive Lady: Jus' hang loose, blood. She gonna catch ya up on da' rebound on da' med side.
Second Jive Dude: What it is, big mama? My mama no raise no dummies. I dug her rap!
Jive Lady: Cut me some slack, Jack! Chump don' want no help, chump don't GET da' help! Jive ass dude don't got no brains anyhow! Hmmph!
-
May 26th, 2006, 04:57 PM
#2
Take a look on sysinternals.com. TCPView will probably be what you want..
As a side note: Symantec sucks at finding ad- and/or spyware. Use Spybot S&D, Ad-Aware and/or HijackThis.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
May 26th, 2006, 04:59 PM
#3
I saw that but I need something to log everything when the computer boots. I don't think this has a way to log something to a text file, it just shows you at the display. If the socket is opened for a moment I will miss it.
-
May 26th, 2006, 05:03 PM
#4
Originally posted here by Golgi Apparatus
I saw that but I need something to log everything when the computer boots. I don't think this has a way to log something to a text file, it just shows you at the display. If the socket is opened for a moment I will miss it.
Why don't you just pick up that client and clean it? Just run the above mentioned anti ad/spyware programs and let them figure out what it is..
-
May 26th, 2006, 06:35 PM
#5
There is no spyware on this computer. I have run Ad-Aware and Spybot and found nothing. I ran RootkitRevealer on it and found nothing. I need to see what program is sending out this request.
-
May 26th, 2006, 07:01 PM
#6
Try running Sysinternals Filemon and Regmon during boot.
-
May 26th, 2006, 07:02 PM
#7
-
May 26th, 2006, 07:28 PM
#8
Is this software http://www.winsyslog.com/en/ made to run on a client computer?
-
May 26th, 2006, 07:36 PM
#9
Golgi:
It sounds like TDIMon by Sysinternals is what you are looking for. It captures all TCP and UDP traffic, showing you what process is communicating, the local and remote IP addresses, ports, and some other data that might be helpful. And it's FREE.
Link: http://www.sysinternals.com/Utilities/TdiMon.html
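The approach the thread converges on (TCPView, then TDIMon) is to attribute each outbound socket to the process that owns it. As an added example that is not part of any post here, the script below does the same thing with only the tools that ship with Windows: it polls `netstat -ano` (which prints the owning PID per connection) and `tasklist /FO CSV` (to turn the PID into an image name), and appends a line to a text file the first time a given PID is seen talking to a blocked range. The blocked range `203.0.113.0/24`, the log file name, the 0.5 s poll interval, and the sample netstat/tasklist output are all assumptions constructed for the example; substitute the real ACL'd blocks.

```python
"""Log which process opens a socket toward a blocked IP range.

Added example, not from the forum thread. Polls the Windows 'netstat -ano'
and 'tasklist /FO CSV' commands; the blocked range and samples are constructed.
"""
import csv
import io
import ipaddress
import re
import subprocess
import time
from datetime import datetime

# Assumption: stand-in for the Chinese blocks in the poster's router ACL.
BLOCKED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
LOG_PATH = "socket_watch.log"          # assumed output file
POLL_INTERVAL = 0.5                    # seconds; shorter catches briefer SYNs

# 'netstat -ano' rows: proto, local addr:port, remote addr:port, [state], PID.
# UDP rows have no state column, and IPv6 addresses are bracketed.
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+(?:(\S+)\s+)?(\d+)\s*$"
)


def parse_netstat(text):
    """Yield (proto, remote_ip, remote_port, state, pid) per connection row."""
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue                   # header / blank lines
        proto, _lip, _lport, rip, rport, state, pid = m.groups()
        yield proto, rip.strip("[]"), rport, state or "", int(pid)


def parse_tasklist(text):
    """Map PID -> image name from 'tasklist /FO CSV' output."""
    names = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names


def is_blocked(ip_str):
    """True if ip_str falls in a blocked range; '*' and garbage are never blocked."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in BLOCKED_RANGES)


def find_offenders(netstat_text, tasklist_text=""):
    """Return one dict per connection into a blocked range, PID resolved to image."""
    names = parse_tasklist(tasklist_text)
    hits = []
    for proto, rip, rport, state, pid in parse_netstat(netstat_text):
        if is_blocked(rip):
            hits.append({"proto": proto, "remote": f"{rip}:{rport}",
                         "state": state, "pid": pid, "image": names.get(pid, "?")})
    return hits


def watch():
    """Poll forever; log each (pid, remote) pair once so the file stays readable."""
    seen = set()
    with open(LOG_PATH, "a") as log:
        while True:
            ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
            tl = subprocess.run(["tasklist", "/FO", "CSV"], capture_output=True, text=True).stdout
            for hit in find_offenders(ns, tl):
                key = (hit["pid"], hit["remote"])
                if key not in seen:
                    seen.add(key)
                    log.write(f"{datetime.now().isoformat()} {hit['proto']} pid={hit['pid']} "
                              f"{hit['image']} -> {hit['remote']} {hit['state']}\n")
                    log.flush()
            time.sleep(POLL_INTERVAL)


# Constructed sample output (not captured from a real host) for offline checking.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.10:1052      203.0.113.5:80         SYN_SENT        1234
  TCP    192.168.1.10:1060      198.51.100.7:443       ESTABLISHED     2000
  UDP    0.0.0.0:123            *:*                                    1100
"""
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","900","Console","0","5,120 K"
"updater.exe","1234","Console","0","3,400 K"
"iexplore.exe","2000","Console","0","20,000 K"
"""

if __name__ == "__main__":
    watch()
```

Start it from a Run key or a scheduled task that fires at logon so it is already polling when the startup-time connections go out. Two caveats: a poller can still miss a SYN that lives shorter than the poll interval, which is why a driver-level capture such as TDIMon sees every call while this sees snapshots; and anything that hides its sockets from netstat (which RootkitRevealer was run to rule out) would not show up here either.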
-
May 26th, 2006, 07:39 PM
#10
Yes, you have the option of creating a WinSyslog server, which houses each client's logs in a SQL database. Then there is the option to run it on a standalone machine and log activities to a log file.
Here is the manual.
http://www.adiscon.org/manuals/WinSyslog-70.pdf
In your situation I wouldn't get too deep into WinSyslog. Just install it and have it write to a log file.