
Thread: possible connection hijack

  1. #1 mrsj (Guest)

    possible connection hijack

    Something new seems to be going on with my internet connection and my ZL6 Security Suite. (WinXP, btw)

    Before, the first IP address to show on the log was always incoming from my ISP. But now it goes like this:

    Outgoing 224.0.0.22 IGMP.MCAST.NET
    Incoming 224.0.0.22 IGMP.MCAST.NET
    Routed, to a different IP address that seems to trace back to a branch of my ISP

    Then my usual IP address that used to come first shows up.

    This has only been going on for the past week. I am wondering what I am connecting to, what is being sent out of my computer, etc. Everything is set to high, and ZoneAlarm says it's blocking everything, but it always says that! I've been hacked at least 10 times in the past year and ZoneAlarm seems powerless to do anything to prevent it. (I wipe the hard drive and do a total reinstall every time.) Scans say nothing is wrong. GRC port scans come back as all good.

    I spoke to my ISP about it, and they seem to think something is not right too. But they really have no solutions. As usual, I get the well-meaning offshore tech people who give me the standard pat answers that don't address the problem. (For example, one of them told me today to reset my IE page to the ISP home page, which has nothing to do with it. I don't use IE anyway - bad idea.)

    This is another re-installation of ZL6, only a week old, recently updated. Since the update, it says it's blocked 0 intrusions since install, even though it's logging everything it's blocked.

    My plan right now is to uninstall ZL6, reinstall, and then do the updates again and see what happens. I would appreciate any other advice anyone has, thanks.

  2. #2 billc (Guest)

    Re: possible connection hijack

    I'm not exactly sure what is going on, but it doesn't strike me as 'evil' per se. The IP you posted (224.0.0.22) looked strange and I found it to be:

    NetRange: 224.0.0.0 - 239.255.255.255
    CIDR: 224.0.0.0/4
    NetName: MCAST-NET
    NetHandle: NET-224-0-0-0-1
    Parent:
    NetType: IANA Special Use
    NameServer: FLAG.EP.NET
    NameServer: STRUL.STUPI.SE
    NameServer: NS.ISI.EDU
    NameServer: NIC.NEAR.NET
    Comment: This block is reserved for special purposes.
    Comment: Please see RFC 3171 for additional information.

    Which means it is not part of the general 'open' internet. And IGMP is "Internet Group Management Protocol", defined in RFC 1112 as the standard for IP multicasting in the Internet. This refers to RFC 3171 and information can be found here.

    All this leads me to ask if you're part of some private network?
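    A small log-triage helper, added here as an example (it is not from the thread or from ZoneAlarm), that labels the destination addresses in log lines of the three-column shape quoted in the thread using the multicast block from the whois record above plus its link-local sub-block; the sample log lines are constructed, and the group names for 224.0.0.1/2/22 come from RFC 1112 and RFC 3376.

```python
from ipaddress import ip_address, ip_network

# Ranges from the whois record quoted above (RFC 3171 multicast block) and
# its "local network control" sub-block, which routers never forward.
MULTICAST = ip_network("224.0.0.0/4")
LINK_LOCAL_MCAST = ip_network("224.0.0.0/24")
# Well-known link-local groups (224.0.0.22 is IGMPv3's report address).
KNOWN_GROUPS = {
    "224.0.0.1": "all hosts on this subnet",
    "224.0.0.2": "all routers on this subnet",
    "224.0.0.22": "IGMPv3 membership reports (IGMP.MCAST.NET)",
}


def classify(addr: str) -> str:
    """Label one IPv4 address so a log reader can see what it can reach."""
    ip = ip_address(addr)
    if ip in LINK_LOCAL_MCAST:
        return "link-local multicast: " + KNOWN_GROUPS.get(addr, "unlisted group")
    if ip in MULTICAST:
        return "multicast (not an internet host)"
    if ip.is_loopback or ip.is_private:
        return "local/private"
    return "routable internet host"


def triage(log_lines):
    """Parse 'Direction IP Name' lines (the thread's shape) and label each."""
    rows = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed entries
        direction, addr = parts[0], parts[1]
        rows.append((direction, addr, classify(addr)))
    return rows


# Constructed sample in the thread's shape; not a real ZoneAlarm log, and
# 1.2.3.4 is only a stand-in for some routable address.
SAMPLE_LOG = [
    "Outgoing 224.0.0.22 IGMP.MCAST.NET",
    "Incoming 224.0.0.22 IGMP.MCAST.NET",
    "Incoming 1.2.3.4 unknown",
    "Outgoing 10.0.0.5 router",
]

if __name__ == "__main__":
    for direction, addr, label in triage(SAMPLE_LOG):
        print(f"{direction:9} {addr:16} {label}")
```

    The point for a reader of such a log is that the 224.0.0.22 entries can only be exchanged with the directly attached router, so they carry no data to or from an internet host; the routable entries are the ones worth correlating with the firewall's own rules.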

  3. #3 mrsj (Guest)

    Re: possible connection hijack

    Thanks for replying!!

    No, I am not part of any network that I know of. This MCAST thing has never showed up before. It could be fraudulent too. In the past I've had a lot of IP addresses trying to get in that turned out to be forged ones, according to ZL.

  4. #4 billc (Guest)

    Re: possible connection hijack

    Sometimes multicast information/data is dispersed by first sending it out to machines that in turn send the information/data out to other machines. In general I don't think this is a security risk. I'm sorry, but I've not got a better understanding than that. I'll post back if I can research it a bit more.

  5. #5 mrsj (Guest)

    Re: possible connection hijack

    Hi again!

    I know it has legitimate uses, and I'd like to believe it isn't a risk, but I've been hacked too many times now to brush it off. (This never used to happen before I moved to this small town.) I googled "mcast trojan" and found some strange stuff.

    I reinstalled Zone Alarm, and that's logging correctly now. I used a couple of other programs to try to find suspicious stuff, one of which was Rootkit Revealer, and they found a few odd things I tried to fix. Logged on this morning and noticed there was a real change. Nothing outgoing right off the bat to mcast, just something from them trying to get in. Progress! My thought then was that I had better change my sign-in and password. Did that, logged off & on, and voila - no more mcast coming in either.

    Now I am back to the usual suspects trying to get stuff in & out. The faked 72 range addresses, and the 221 range never-ending Chinese intruders. I'll keep my fingers crossed that this problem is solved, but if history predicts the future I'll be wiping the hard drive again within a month.

  7. #7 Oldsod (Join Date: Dec 2005, Posts: 9,056)

    Re: possible connection hijack

    When performing the Format/Reinstall to lose trojans and viruses, please remember this: always use a proper disk wiper to completely remove all traces. Then TURN OFF the PC. Then reformat the HDD, then pull the plug or TURN OFF the PC. Many trojans and viruses will survive the format by sneaking into the boot sector or the BIOS. Please be careful and do record all of the BIOS settings, since these may change or even completely reset or vanish (some models do not show the factory presets). Killing the power, during the cleaning and reformatting, is the only sure way to eradicate all traces. Just re-formatting and re-installing is not a sure method of cleaning a HDD. Some versions of the rootkits may even survive this entire process. The best way to actually destroy this kind of rootkit is to kill the power, remove the HDD and replace it with a newly purchased HDD! The old HDD becomes a paperweight or a doorstop. Sorry for the bad news. Oldsod

    Message Edited by Oldsod on 04-22-2006 08:03 AM

    Operating System:
    Windows XP Home Edition
    Product Name:
    ZoneAlarm Pro
    Software Version:
    6.1

    Message Edited by Oldsod on 04-22-2006 08:06 AM
    Best regards.
    oldsod

  8. #8 ebondante (Guest)

    Re: possible connection hijack

    Another tool in your quest for the complete picture is Port Explorer. They have a trial so you can check it out. It's a fancy netstat that really can glean insight into network mischief. Unless you've been felled by a rootkit.

    If at any time I ever feel that there is funny business going down on my computer, I take a brand new box (Win32/Linux/etc.) and set it up as a router with Ethereal in full capture mode and make it a "man in the middle" between me and my router. If there's rootkits/hidden software on your PC, you'll see NOTHING in your logs/tools, but activity captured by Ethereal, revealing the undead packets.

    Good luck!

  9. #9 the_z_man (Guest)

    Re: possible connection hijack

    Hi there Oldsod!!

    I'm a fairly new ZA-Suite 6.1 customer (4-5 months) and I've just been browsing these forums in the last couple of days. I'd just like to say that I think the work and information you (Oldsod) have been providing here are second to none! I'm not 100% sure but I'm guessing you don't get paid for this either, which makes it all the more admirable in my eyes! I'm sure there are others out there that give as much input as yourself (i.e. SlyFox is another that pops into mind) but, like I said earlier, I've only been browsing for the last few days, so I don't mean to offend anyone else that has been putting their time and effort in; it's just that the threads I have looked at had a lot of information and detailed help (great for dummies like me!) from yourself, more so than any other name I'd recognised. Keep up the "FANTASTIC" work mate!!

    Also, re: that last thread, I would like to know a bit more about wiping a disk with regards to rootkits. I have a "Seagate" drive and I use "Seagate Disk Wizard - 2003" to "low-level" format my drive. Would this class as a disk wiper? Also, when you mentioned turning off the PC to make sure all remains of the rootkit are cleared, I'm guessing you were referring to doing so when the wiping is complete - is that correct? Also (oh no, not ANOTHER question!), is "low-level" formatting, i.e. writing zeros to the whole drive, as is the case with Seagate's Disk Wizard, the same as "disk wiping" or not?

    Sorry if I'm writing a 50 page essay, but I'm new to all this and I really wanted to get that first paragraph out since I feel it's well deserved!

    P.S. Please excuse me if I've posted in the wrong section/thread, coz like I mentioned earlier I'm a "NOOB".

    Cheers people,

    Thunder from down-under!!

  10. #10 Oldsod (Join Date: Dec 2005, Posts: 9,056)

    Re: possible connection hijack

    Hi The-Z-Man! I have for "THE EMERGENCY ONLY" (hidden in the desk drawer) an unopened Drive Scrubber 2. It works with all OSes, all file formats, and all hard drives. It will permanently clean any drive to be 100% "unreadable" and 100% "virus and malware" clean. It will flatten all the volumes' partitions (nothing can hide in the cracks). Yes, turn off the PC when finishing the format process or the wipe, to "kill" any malware hiding in memory. If the Seagate Disk Wizard says something like "Government Standards" or "Military Standards" clean-wipe, then it's okay. Any "once" over disk wipe will not clean a disk to 100% clean. Many trojans and malware will still be existing, even in a crippled state, and still continue doing evil deeds. It is good to back up all vital info and data on an external USB drive, since it's physically or electronically independent of the PC. This does ensure that the weekly backup is "clean" and "safe" to use in the "new" installation. Glad you like the ZA Forum and the discussions, all are unpaid! Thanks for the praise! Oldsod
    Best regards.
    oldsod
