
Thread: Unknown phone home pings and spoofed IP addresses.

  1. #1
    bohemian_one Guest

    Unknown phone home pings and spoofed IP addresses.

    For approximately six weeks, ZAP has blocked something on my computer that tries usually two times a day to ping remote servers. I've run safe mode and regular security scans with several A/V, anti-trojan and anti-spyware software packages, nothing has been found.

    The odd thing about these outgoing IP address pings is that many of them are to either non-existent or reserved addresses. ZAP's reverse IP lookup states that for several "The Internet Assigned Numbers Authority (IANA) has reserved this address for its own use. Unless you are on a network that is actively involved in the development of the system for assigning IP addresses, this address was probably forged in order to hide the identity of the sender." The other addresses are all within the U.S., several are to AOL servers, corporate servers (not residential users) and one U.S. military server. Usually two pings, one after another, every day.

    ZAP's out-going firewall settings are set to High, no outbound communications unless an application is set up and allowed internet access. I installed MailFrontier (anti-SPAM software) around the time this started; it did phone home with spoofed addresses to check a known spammer list. I removed the software after 48 hours and combed both the registry and drive for left behind remnants, as far as I can tell, it's completely gone. I've installed no other software since last year.

    HiJack This scans haven't picked up anything unusual. I've never loaded any Sony music CDs, last year they installed Rootkits on some of their CDs to prevent unauthorized music copying.

    I'm searching for answers. I run a tightly protected computer, practice safe computing and internet practices (no internet downloads of "free" unknown software, use Firefox with high security settings, install all Micro$oft security patches, etc.), run the proper security software and sweep the machine regularly for malware. Can anyone recommend a software utility that will search for remnants of uninstalled software? I'd appreciate any suggestions you can offer.

    ZAP 6.1.774, NOD32, Spy Sweeper, Trojan Hunter, Spybot, Ad Aware, M$ Anti-Spyware, HiJack This

    Operating System:Windows XP Pro
    Product Name:ZoneAlarm Pro
    Software Version:6.1

    Message Edited by bohemian_one on 08-16-2006 11:57 AM

  2. #2
    Join Date
    Apr 2004
    Location
    East Coast of Florida - Lightening/Shark Bite Capital of the World
    Posts
    2,477

    Re: Unknown phone home pings and spoofed IP addresses.

    Hi, Welcome to the Forum! I am going to try to help you. PLEASE specify exactly what is trying to access out? If you are not getting any type of an alert, PLEASE go to Alerts -> Advanced and click ALL. If you are getting an alert option, PLEASE click MORE info. PLEASE keep me posted on your results, as I would like to find out also what is the problem, as I do have more options for you. SlyFox
    "Politeness costs nothing and gains everything".

  3. bohemian_one Guest

    Re: Unknown phone home pings and spoofed IP addresses.

    Hi Sly,

    Here are 3 entries out of ZAP's log, I've changed the IP address of my computer to XXX for privacy:

    FWOUT,2006/08/03,21:42:18 -5:00 GMT,XXX.XXX.XXX.XXX:2414,172.53.250.208:445,TCP (flags:S)
    FWOUT,2006/08/03,21:42:18 -5:00 GMT,XXX.XXX.XXX.XXX:2415,172.53.250.208:139,TCP (flags:S)
    FWOUT,2006/08/04,11:34:02 -5:00 GMT,XXX.XXX.XXX.XXX:1025,82.165.250.33:80,TCP (flags:S)

    When I click on More Info, Zone Labs Smart Defense Advisor tells me ZoneAlarm Pro prevented my computer from connecting to port 139 (or 445 or 80) on another computer. Lower on the same page it states if the IP address of the computer my computer was trying to access is not on my local network, it is possible that my computer connected to the Internet as part of a network-based attack. Perform an updated anti-virus sweep of your computer. With some of the warnings, when I select Hacker ID, Smart Advisor tells me the remote address I've queried "is a reserved address. The Internet Assigned Numbers Authority (IANA) has reserved this address for its own use. Unless you are on a network that is actively involved in the development of the system for assigning IP addresses, this address was probably forged in order to hide the identity of the sender."

    Obviously something on my machine is trying to connect to remote computers. The remote ports are always 80, 139 or 445, which are common web, printer or communications ports. Unfortunately ZAP doesn't tell me what programs are initiating the contact on my machine; I have ports 139 and 445 blocked.

    Suggestions?

    Dylan
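The FWOUT lines above have a fixed comma-separated layout, so the triage Smart Defense Advisor does by hand (is the destination on the local network? is it an SMB port? is it a reserved/non-routable address?) can be scripted. This is an added example, not code from the thread or from ZoneAlarm; the log lines inside it are constructed in the same format, with 10.0.0.0/24 assumed as the local network and 10.0.0.5 standing in for the XXX source address.

```python
import ipaddress
import re
from collections import Counter

# Constructed ZoneAlarm-style FWOUT/FWIN lines (not the poster's real log).
SAMPLE_LOG = """\
FWOUT,2006/08/03,21:42:18 -5:00 GMT,10.0.0.5:2414,172.53.250.208:445,TCP (flags:S)
FWOUT,2006/08/03,21:42:18 -5:00 GMT,10.0.0.5:2415,172.53.250.208:139,TCP (flags:S)
FWOUT,2006/08/04,11:34:02 -5:00 GMT,10.0.0.5:1025,82.165.250.33:80,TCP (flags:S)
FWOUT,2006/08/04,11:35:10 -5:00 GMT,10.0.0.5:1030,10.0.0.20:445,TCP (flags:S)
FWOUT,2006/08/05,09:12:44 -5:00 GMT,10.0.0.5:1041,192.0.2.7:80,TCP (flags:S)
FWIN,2006/08/05,12:00:00 -5:00 GMT,203.0.113.9:4444,10.0.0.5:135,TCP (flags:S)
"""

# direction,date,time tz,src:port,dst:port,proto (flags) -- only the fields we need.
LINE_RE = re.compile(
    r"^(?P<dir>FWIN|FWOUT),(?P<date>[\d/]+),(?P<time>[\d:]+ [-+]\d+:\d+ GMT),"
    r"(?P<src>[\d.]+):(?P<sport>\d+),(?P<dst>[\d.]+):(?P<dport>\d+),(?P<proto>\w+)"
)
SMB_PORTS = {139, 445}  # NetBIOS session / SMB: the ports the advisor warns about

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev

def triage(log_text, local_nets=(ipaddress.ip_network("10.0.0.0/24"),)):
    """Flag blocked outbound events worth investigating; also count destinations."""
    findings, dests = [], Counter()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["dir"] != "FWOUT":
            continue  # inbound probes are a different question
        dst = ipaddress.ip_address(ev["dst"])
        dests[ev["dst"]] += 1
        if any(dst in net for net in local_nets):
            continue  # SMB to a LAN peer is normal file/printer sharing
        if ev["dport"] in SMB_PORTS:
            findings.append((ev["date"], ev["dst"], ev["dport"], "SMB to non-local host"))
        elif not dst.is_global:
            # private, reserved, loopback, link-local or documentation ranges
            findings.append((ev["date"], ev["dst"], ev["dport"], "non-routable destination"))
    return findings, dests
```

Pairing each flagged line with the originating process still needs a per-process tool (ZA's Program log or a netstat-style viewer), which the script cannot recover from the firewall log alone.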

  4. #4
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Unknown phone home pings and spoofed IP addresses.

    I just did a DNS lookup at dnsstuff.com for the first two and got no correct answer. However the third one showed up as u5.eset.com in Germany.

    http://www.dnsstuff.com/tools/ptr.ch?ip=82.165.250.33

    I googled the 172.163.250.208 and got no joy. However I did a SANS lookup
    http://isc.sans.org/

    and found an answer

    http://www.dshield.org/ipinfo.php

    It is the AOL in the United States.

    Just to let you know.

    Oldsod
    Best regards.
    oldsod

  5. #5
    Join Date
    Apr 2004
    Location
    East Coast of Florida - Lightening/Shark Bite Capital of the World
    Posts
    2,477

    Re: Unknown phone home pings and spoofed IP addresses.

    Hi, To add on to Guru Oldsod's info, you can always create a total block in your firewall for the AOL I.P. Addresses, as long as you are not using AOL as your ISP. If AOL is not your ISP, PLEASE go into your Firewall and start with 172.128.0.0 thru 172.191.255.255, block out the entire range. This way no connection to your computer from AOL. For the other, that belongs to your NOD32 Anti-Virus program, I don't think you want to do anything with that. I use the following program a lot while I am here on the Forum, but I keep a separate window open, so I can watch who is listening to my ports or trying to sneak in somehow. But, that will NEVER HAPPEN, catch them every time and block them for good. In my opinion, I don't care who or what they are, they have NO RIGHT and I WILL BLOCK THEM. Here is the program. Netstat

    http://www.microsoft.com/resources/d....mspx?mfr=true


    Displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols). Used without parameters, netstat displays active TCP connections.

    PLEASE keep me posted on your results, if this program does not help you, I will try to find another one for you, but I believe it will. Just record their IP Addresses, trace them back, find out who they are, if no one you know, BLOCK THEM at your firewall. If you are unsure about an IP Address, if you want to post it, I will find out who it is for you.

    SlyFox
    "Politeness costs nothing and gains everything".

  6. Re: Unknown phone home pings and spoofed IP addresses.

    In addition to Guru SlyFox's post..

    If AOL really is your provider, then the AOL DNS servers should be listed as Trusted in the Zones in your ZA firewall. Do an "ipconfig /all" in the command prompt and let us see what the two servers for the DNS really are. This may be the problem also. Or do you use the AOL messenger?

    Oldsod
    Best regards.
    oldsod

  7. #7
    bohemian_one Guest

    Re: Unknown phone home pings and spoofed IP addresses.

    Thanks for the multiple responses, unfortunately I still don't know what's occurring in the background. To answer the questions posed:

    1. AOL is not my ISP, don't have any AOL software on my computer, never have, never will.

    2. I should have not listed the Eset IP address, it is for my A/V software. As you noted, the other IP addresses are not listed, I think they are spoofed.

    3. Two additional IP addresses that show up are 164.171.10.208 and 164.145.58.208. The first is for the military and the second is for Honeywell Corp. I've looked up all these IP addresses and I don't see a pattern. Perhaps they are all spoofed or perhaps ZAP is not reporting properly. I wish I could determine what program(s) are issuing the pings, ZAP would be more helpful if it did.

    4. I use TrojanHunter's Netstat Viewer and have not seen anything unusual, no unknown ports being used. What ZAP is telling me is something is sending out a single ping, between 2 & 4 times a day, nothing more, perhaps a phone home that is not getting through ZAP. Whatever it is, it either lies dormant the rest of the time as I've not picked it up with HiJack This or perhaps it's a Rootkit or something that none of the software security products I've used can detect. I think ZAP is successfully blocking all attempts; I would like to find out what, if anything, is hiding on my machine.

  8. #8
    Join Date
    Mar 2004
    Location
    Brisbane, Australia
    Posts
    645

    Re: Unknown phone home pings and spoofed IP addresses.

    bohemian_one wrote:
    > I wish I could determine what program(s) are issuing the pings, ZAP would be more helpful if it did.

    Netstat is okay but there are some very nice front end GUIs for it. Netstat being a DOS program makes it a bit clunky.

    Try using TCPView from Sysinternals, or CurrPorts from NirSoft.

  9. #9
    bohemian_one Guest

    Re: Unknown phone home pings and spoofed IP addresses.

    I downloaded and ran Sysinternals' Process Explorer, Root Revealer and TCP View, nothing found. Can anyone recommend an IP log software utility that would record all local processes initiating IP connections?

  10. #10
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Unknown phone home pings and spoofed IP addresses.

    What about the logs in the ZA?

    ZA Pro > Alerts and Logs > Log Viewer > select "Program" in the Alert drop down and view the processes accessing the internet. Please ensure that the logging is extended to a long time period to have a complete listing.

    Consider the Port Reporter (with port query or parser, I forgot which is just for the XP) from Microsoft. FREE and it works. It has logging as well.

    http://support.microsoft.com/?id=837243

    Also TDIMON from sysinternals.com is a nifty little tool. The freeware is limited in function, but the paid version has a few more options.

    Paid software could be the Port Explorer from diamondcs.com.au

    http://www.diamondcs.com.au/portexplorer/

    Oldsod

    Message Edited by Oldsod on 08-18-2006 12:21 PM

    Operating System:Windows XP Home Edition
    Product Name:ZoneAlarm Pro
    Software Version:6.1
    Best regards.
    oldsod
