Page 2 of 2
Results 11 to 16 of 16

Thread: Unknown phone home pings and spoofed IP addresses.

  1. #11
    bohemian_one Guest

    Re: Unknown phone home pings and spoofed IP addresses.

    Oldsod,

    Many thanks for the utility suggestions. The alerts I'm seeing are under the Firewall tab of ZAP's privacy viewer; there is no corresponding entry in the Program log.

    I installed and have been running Micro$oft's Port Reporter. P.R.'s log states the system is producing the mystery pings and cannot access module information. Here is one of the entries; I've replaced my local IP address with X:

    From PR-PORTS:
    06/8/18,15:46:10,TCP,1462,XXX.XXX.XXX.XXX,445,181.36.170.208,4,System,
    06/8/18,15:46:10,TCP,1463,XXX.XXX.XXX.XXX,139,181.36.170.208,4,System,

    From PR-PIDS:
    ======================================================

    Process ID: 4 (System)

    System Process

    PID Port Local IP State Remote IP-Port
    4 TCP 445 0.0.0.0 LISTENING 0.0.0.0
    4 TCP 139 XXX.XXX.XXX.XXX LISTENING 0.0.0.0
    4 TCP 1462 XXX.XXX.XXX.XXX SYN SENT 181.36.170.208:445
    4 TCP 1463 XXX.XXX.XXX.XXX SYN SENT 181.36.170.208:139
    4 UDP 445 0.0.0.0 *:*
    4 UDP 137 XXX.XXX.XXX.XXX *:*
    4 UDP 138 XXX.XXX.XXX.XXX *:*

    Port Statistics

    TCP mappings: 4
    UDP mappings: 3

    TCP ports in a LISTENING state: 2 = 50.00%
    TCP ports in a SYN SENT state: 2 = 50.00%

    Could not access module information for this process.
    ======================================================
    Suggestions?

  2. #12
    Join Date: Dec 2005
    Posts: 9,056

    Re: Unknown phone home pings and spoofed IP addresses.

    Hi bohemian_one.

    180.36.170.208 is IANA and this is quite normal as far as the internet traffic is concerned. It just was getting info for the internet use.

    How to disable the BIOS for the ports 137-139. Please open the Network Connections and select the Properties of the NIC. Select the TCP/IP and select Properties. Select the Advanced in General. Select the WINS. Select the "Disable NETBIOS over TCP/IP" and uncheck the "Enable LMHOSTS lookup". Reboot.

    How to disable the BIOS for the port 445. Please write this one down, on paper or file, and save it. Please open the registry and find HKEY_Local_Machine\SYSTEM\CurrentControlSet\NetBT\Parameters and select in the right pane the "TransportBindname". Select the Modify and delete "\device\".

    Do the same for the NetBT under the ControlSet003 and ControlSet001 (if it is still present).

    Reboot. Now check with the netstat or the TCPViewer. Should be cleaned up and no BIOS ports should be listed. The only port from the BIOS should be 135 and this one is required to listen or there is no internet at all.

    Oldsod
    Best regards.
    oldsod
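    As an added example (not code from the thread, from Port Reporter or from ZoneAlarm), the Python below parses PR-PIDS mapping rows of the layout quoted in post #11 and reports both what bohemian_one describes (System-process SYN SENT sockets towards remote 139/445, counted per remote IP) and what Oldsod's hardening steps in post #12 should remove (NetBIOS/SMB ports still bound locally). The two sample tables are constructed: 192.0.2.10 stands in for the masked local address, and the post-hardening snapshot is an assumption about what the table should look like afterwards.

```python
"""Classify Port Reporter PR-PIDS port-mapping lines (added example, not code from the
thread or from Port Reporter). Assumes the table layout quoted in post #11."""
from collections import Counter

NETBIOS_SMB_PORTS = {137, 138, 139, 445}  # NetBIOS name/datagram/session and SMB over TCP

# Constructed sample modelled on the thread's excerpt; 192.0.2.10 stands in for the local IP.
BEFORE = """\
PID Port Local IP State Remote IP-Port
4 TCP 445 0.0.0.0 LISTENING 0.0.0.0
4 TCP 139 192.0.2.10 LISTENING 0.0.0.0
4 TCP 1462 192.0.2.10 SYN SENT 181.36.170.208:445
4 TCP 1463 192.0.2.10 SYN SENT 181.36.170.208:139
4 UDP 445 0.0.0.0 *:*
4 UDP 137 192.0.2.10 *:*
4 UDP 138 192.0.2.10 *:*
"""
# Constructed snapshot of the expected table once NetBIOS and 445 are disabled (135 stays).
AFTER = """\
PID Port Local IP State Remote IP-Port
1016 TCP 135 0.0.0.0 LISTENING 0.0.0.0
"""

def parse_pids(text):
    """One dict per mapping row. 'SYN SENT' contains a space, so the state is every
    token between the local IP and the trailing remote endpoint (empty for UDP rows)."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or not tok[0].isdigit():
            continue  # header or blank line
        remote_ip, _, remote_port = tok[-1].rpartition(":")
        rows.append({"pid": int(tok[0]), "proto": tok[1], "port": int(tok[2]),
                     "local": tok[3], "state": " ".join(tok[4:-1]),
                     "remote_ip": remote_ip or tok[-1],
                     "remote_port": int(remote_port) if remote_port.isdigit() else None})
    return rows

def outbound_smb_attempts(rows):
    """Post #11's symptom: sockets this host opened towards 139/445, counted per remote IP."""
    return Counter(r["remote_ip"] for r in rows
                   if r["state"] == "SYN SENT" and r["remote_port"] in NETBIOS_SMB_PORTS)

def exposed_netbios_listeners(rows):
    """Post #12's target: NetBIOS/SMB sockets still bound (TCP LISTENING or any UDP row)."""
    return sorted((r["proto"], r["port"]) for r in rows if r["port"] in NETBIOS_SMB_PORTS
                  and (r["state"] == "LISTENING" or r["proto"] == "UDP"))

if __name__ == "__main__":
    print(dict(outbound_smb_attempts(parse_pids(BEFORE))), exposed_netbios_listeners(parse_pids(AFTER)))
```

    Running the same parser over a fresh PR-PIDS dump after the registry and WINS changes gives an empty listener list if the hardening took effect, while any remaining SYN SENT rows point at the process still initiating the connections.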

  3. #13
    bohemian_one Guest

    Re: Unknown phone home pings and spoofed IP addresses.

    Oldsod,

    Thank you for the reply. I understand how to disable the parameters you suggest; what I don't understand is why you think the outgoing pings from my machine are normal. The connection attempts are all outbound, some are supposedly to IANA addresses, others are to corporate and military sites. Before ~6 weeks ago I never saw this pattern, something has changed in my local environment. Do you see this pattern of daily outgoing pings on your XP computer(s)? I think new system behavior like this is abnormal and suspect. I'd like to determine and silence the source rather than simply further lock down ports. Please explain your reasoning.

  4. #14
    Join Date: Dec 2005
    Posts: 9,056

    Re: Unknown phone home pings and spoofed IP addresses.

    Hi bohemian_one!

    Do a "tracert" command for all your regular internet visiting sites and contact sites. You will see what I mean.

    "tracert (space) google.com" and enter as an example. You will see that a multitude of servers are connected, not just the DNS servers and IANA server to the couple of servers along in a line to the destination address. In fact the connection can be bouncing over the entire continent. Not unusual, and the connections are never consistent either. So the outbound are not the chief concern; I would worry about the inbound from these sites instead!

    To have these undesired sites completely blocked (both in and out connections) I use the ProtoWall from bluetack. I have added the Block list manager converted lists in addition to other ad and malware lists. This is a freeware and not just for the kids downloading music! Very complete listing; I have now over 4 billion sites that are completely unable to connect either in or out.

    ProtoWall:

    http://www.bluetack.co.uk/modules.php?name=Content&pa=showpage&pid=13

    BlockList Converter:

    http://www.bluetack.co.uk/converter/index.php

    I suggest you check out the installation info, to install the driver after the software install. Also in the Non-LAN list please do not block out your own LAN (delete the range for your LAN). Included are the Bogon, trojan and port scanners, spyware, ad tracker and DShield Recommended, and Hijacked IP to name just a few in the list. These were added to the block list in the ProtoWall just using the notepad (of course the ProtoWall has to be shut off). These are in addition to my own personal favorites. If you have been around the other firewall users forums, you will find the other malware/ad lists (updated as well) are from the bluetack site. Any unwanted connections will cease to happen using this soft the correct way.

    Take care and have a good week.

    Oldsod

    BTW, if you do harden the Windows the connections will stop or slow down. They are occurring if they are allowed to happen; your BIOS ports have no business being on the Internet.

    Oldsod

    Message Edited by Oldsod on 08-21-2006 02:32 AM

    Operating System:Windows XP Home Edition
    Product Name:ZoneAlarm Anti-Spyware
    Software Version:6.1
    Best regards.
    oldsod

  5. #15
    bohemian_one Guest

    Re: Unknown phone home pings and spoofed IP addresses.

    Hello Oldsod,

    I think we may have a misunderstanding about the situation I'm asking for assistance on; it has nothing to do with the communications path between two computers. For the last 6 weeks, once every 24 hours, my computer is attempting to connect to remote computers. My computer is using a wide array of ports, from 1024 to 2418, to access either port 139 or 445 on the remote computers.

    Every 1 to 2 days, the remote destination IP address changes. Today, for example, my computer tried two times to connect to port 139 at IP address 164.50.10.208, which is the City of Tempe, Arizona. Port 139 is commonly used to connect two computers for file or printer sharing. I do not know anyone in Tempe, Arizona, and file and printer sharing are blocked on my computer. An unknown process on my computer is initiating these random outbound connection attempts. ZAP is blocking the attempts; no unwanted connection is getting through. I'm interested in tracking down and permanently killing whatever process is initiating these connection attempts; simply blocking them is not a solution.

    This impresses me as a classic spyware infection. I believe the IP addresses listed in ZAP's and Port Reporter's logs may be spoofed. Port Reporter is unable to tell me their source.

    Can you recommend another security forum, where I might post this case? Thanks.

  6. #16
    Join Date: Dec 2005
    Posts: 9,056

    Re: Unknown phone home pings and spoofed IP addresses.

    Hi bohemian_one!

    http://www.dshield.org/ipinfo.php?ip...&Submit=Submit

    Yes I think you are completely correct. I think you may have a rootkit or a trojan/malware hiding in the LSP (and will be completely unseen or visible). Either one would never appear in the netstat or port reporter. The dshield lookup shows it as a University in Arizona, with an administrator address to contact. It is safe to assume that they are completely unaware that their servers are either hacked from the internet or are being used internally for malicious purposes.

    I agree that the experienced users on the security forums should be able to solve this problem and may even uncover more than one problem.

    http://www.spywarewarrior.com/index.php

    http://www.castlecops.com/f233-Rootkit_Revelations.html

    http://www.castlecops.com/f67-Hijack...ans_Oh_My.html

    http://gladiator-antivirus.com/forum...854ccad5f20c5&

    http://forums.spywareinfo.com/

    http://forums.majorgeeks.com/forumdi...74f633799&f=35

    A short list of recommended forums to help fight the good fight.

    However I would download and run the HJT and save the log to remit to these sites. I would also try a TCP/IP stack reset in hopes of dropping any malware living in there and hope the malware loses its hold. Also for the rootkit, perhaps the tools from F-Secure (BlackLight) and Sysinternals (RootkitRevealer) will help track the rootkit down.

    http://www.f-secure.com/blacklight/

    http://www.sysinternals.com/Utilitie...tRevealer.html

    The BlackLight, HJT and the RootkitRevealer are all freeware. The forum users are free and also experts.

    Hope this helps you!

    Oldsod
    Best regards.
    oldsod
