strange connection attempts detected..

[pin]

hihi..

i posted this on the lavasoft bbs, but it seems they can't find out what's wrong.. i hope you can help.

quite suddenly one day, tcpview showed me connecting out to www14.dixiesys.com, through very many connections, as if i was being flooded. it happened periodically, and was becoming annoying, so i make a Tiny firewall rule to block all connections to that site. and clicked on log when this rule is applied.

when i looked in the log, it said that iexplore.exe was the program trying to connect out, but of course was blocked.

it seems to happen from any port (and always to port 80), but there is a pattern that with each blocked attempt, iexplore tries to connect to dixiesys from a higher port until it eventually gives up... until the next time.

i ran the cleaner and TDS, but found nothing. i posted a startuplist to the lavasoft bbs, and there was nothing suspicious there.

i also run adsgone, which changes the HOSTS file, and so i thought maybe it was showing up as dixiesys because i had it blocked. but no, it wasn't there, so i added it. besides, when that happens, the IP listed is the localhost, not this other strange one.

today i decided to make a web block rule in my router also for the word dixiesys.
...
on a -possibly- unrelated issue, the log in the status window of my router often lists SYN floods and SMURF attacks. this seems to happen especially just after someone connects to the router from the LAN.

sorry for long post... but, any advice?

[Paul Wilders]

pin,

Let's go for the pragmatic route first. As it seems, connection attempts are made to a site hosted by dixies.com.

Since you obviously do have log files, contacting the host from the site you mentioned, accompanied with an explanation and log files, asking the urgently to look into this, seems a logical first step:

www.dixiesys.com/index.php?display=contact

Keep us posted!

As for the "unrelated issue": in order to keep threads as clean as possible, please open a new thread for that one

regards.

paul

[Primrose]

http://www14.dixiesys.com/

IS...


"This is the placeholder for domain www14.dixiesys.com. If you see this page after uploading site content you probably have not replaced the index.html file.

This page has been automatically generated by Server Administrator. "
_____________

That means either something is coming or has left.

Did you ever even go to dixe before? They are into webhosting....games and maybe IRC>

[Pieter_Arntz]

Hi pin,

I've just gone over your thread at the Adaware forum and I must say you did the best you could to try and protect yourself.
I noticed you use Windows Washer, but have you tried cleaning out your temp files in safe mode?

Regards,

Pieter

[pin]

i have not gone into safemode yet, no! thx for the idea.

there's no reason for me to go to dixiesys.

i emailed them, (thx for the contact page), and they are going to look into it for me. i will try and stay optimistic =).

apparently that router firewall rule i set up doesn't block it, which makes me think i don't know how to set up router firewall rules =P.

anyway, we'll see what happens.

[pin]

problem solved. it had to do with http referrals of an avatar, or something like that. nothing dangerous!

thx for the help though =) i feel as though i wasted the time of many ppl on this one!

[Detox]

hey BTW isn't that avatar of yours from the first Final Fantasy game on Nintendo or something??

[pin]

it is from the sega genesis game, phantasy star II.

[Paul Wilders]

Quote:

i feel as though i wasted the time of many ppl on this one!

No, you didn't: you are sure now nothing's wrong - and that's worth the effort!

regards.

paul

[pin]

thx again..

at least i can say i'm slightly more knowledgeable about normal internet activity, and that can only be a good thing. =).