Am I in trouble? Hacked?

Discussion in 'privacy problems' started by perplexed, Feb 11, 2005.

  1. perplexed

    perplexed Guest

    Hi all,

    I'm rather perplexed in that some of my apps are displaying strange behaviour in that they'd want to connect to the site 64.15.205.241 first.

    For example, I've just installed spywareguard from javacool and it too wants to connect to 64.15.205.241

    Windows messenger same story.

    What's happening?

    ps
    I've just done a fresh reinstall of WinXp home edition and updated it to all the latest hotfixes.
    Am using Kerio 2.15
     
  2. dog

    dog Guest

    Re: Why?

    Hi perplexed, ;)

    Could that be your ISP's DNS server?

    Steve
     
  3. perplexed

    perplexed Guest

    Re: Why?

    Hi Dog,

    Thanks for the reply. How do I verify whether it's my ISP's DNS server? I never used to notice this; I've been using Kerio 2.15 all this while. When I browse 64.15.205.241 I get something like a site placeholder directory with links which seem to come from roar.com. At times it seems to be linked with www.pageseeker.com

    Still perplexed
     
  4. perplexed

    perplexed Guest

    Re: Why?

    Hmmm, shouldn't be my ISP's DNS server, because when I get Kerio to deny it I still get to browse websites and such. Also my web browser doesn't seem to need to go through 64.15.205.241. The strange thing is that prior to my reinstallation of WinXP, when I browsed some sites like e.g. www.mepis.org I'd get the same placeholder directory site as 64.15.205.241

    perplexed
     
  5. perplexed

    perplexed Guest

    snapdragin, thanks for changing the title for me. Posted too quickly and didn't realise I couldn't edit the title.

    anyone able to provide some insight?
     
  6. perplexed

    perplexed Guest

    Have tried Lavasoft, Spybot Search and Destroy and nothing found yet. Have scanned with PC-cillin 2002 and Avast 4.5 with no results thus far.
     
  7. Cochise

    Cochise A missed friend

    Joined:
    Jan 26, 2003
    Posts:
    2,549
    Location:
    North Thoresby Lincs Good Olde England
    I've just Googled it??.....Don't think it's your ISP....Check it out...



    Cochise, :cool:
     
  8. perplexed

    perplexed Guest

    Hi Cochise,

    Indeed I already highly doubt it's my ISP. The ip address seems to be associated to pageseeker.com / roar.com... The thing which perplexes me is how have they come into my system? Remember I did a fresh reinstall and immediately installed kerio and then all the security updates for winxp...

    and yet?
     
  9. perplexed

    perplexed Guest

    Just completed a scan with ewido. No infections found.

    Hmmm anyone with some ideas on what / where I should do / look / investigate next?
     
  10. perplexed

    perplexed Guest

    Used Kerio to block out 64.15.205.241
    then blocked out 64.15.205.240

    Right now i attempt to trigger this through launching windows messenger. After blocking the 2 ip addresses above... it came up with the ip address 64.15.205.180 which I've blocked...

    any theories/ideas on how this can happen?
     
  11. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Just a thought :doubt:

    All 3 of those IPs belong to Savvis Communications....an Internet backbone....similar to Level3 Communications, one of the largest Internet backbones in the world. At one time Level3 and Savvis had network service agreements....and they may still do. Level3 definitely helps Microsoft with their load....so perhaps Savvis is helping Level3 to help Microsoft ?

    Do you lose any functions when you disallow any of those IPs....gifs, ads....etc ?
     
  12. perplexed

    perplexed Guest

    I'm now trying a different ISP and interestingly I'm not getting the problem. Windows Messenger and SpywareBlaster behave as one'd expect.

    Still, I'm not sure exactly what the problem is. The "problem" ISP is a reputable one who mainly deals with business customers.

    Or is it more likely to be the case where... somehow my IP range is actually recorded by some server somewhere? Take the case of Windows Messenger. After I'd blocked the first IP 64.15.205.241, the second time when I attempted to sign in, there was a noticeable delay before the second IP 64.15.205.240 popped up as a Kerio alert.

    @ bubba:
    No, I don't seem to lose any functionality. The more worrisome thing is that if you Google those IP addresses, one would notice that they seem to be on the block lists of spyware addresses.

    How is the mysterious communication taking place?
    perplexed
     
  13. perplexed

    perplexed Guest

    Anyone else with some thoughts on this?
     
  14. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    My thoughts...

    run IPCONFIG /ALL to see what ip address your DNS server actually is (so you'll know)

    run NETSTAT -A to see all the ports that are being accessed

    That is just a start.
     
  15. perplexed

    perplexed Guest

    @ capp

    Thanks. I'm not using the "problematic" ISP at the moment. Will see what happens when I get back to it. A comparison of Kerio and the output from netstat -a looks fine for the moment.

    And yup, ipconfig does confirm that those addresses are most certainly not the ISP's DNS servers. (Jogged my memory when you mentioned using ipconfig.)
     
  16. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
  17. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States

    Glad to help and sorry I couldn't be of more help. I don't know Kerio so I won't touch that one :)
     
  18. joeseriously

    joeseriously Guest

    DRM (digit'l rights mgmt.) as a component of M$ WinXP
     
  19. dezel

    dezel Guest

    No, you haven't been hacked - looks like some nasty spyware, for example Cydoor! Run HijackThis, then copy and paste the log file at www.hijackthis.de for a quick check to see what's on your comp.
     
  20. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Just in case no one has traced the IP, here it is in part
     
  21. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    second part
     
  22. bizet

    bizet Registered Member

    Joined:
    Sep 26, 2005
    Posts:
    1
    I just read this post searching for troubleshooting the same. May this help others.

    What I found is using this DOS command:

    Run...Cmd..netstat -b

    That showed the software using the port to that connection we are aware of, in this case to SAVVIS. The software was msnmgr.exe. Even when I was not connected to it, the app was in the system tray; once I closed the app, the connection to Savvis disappeared.

    Regards
     
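Capp's and bizet's posts above describe the same check: use `ipconfig /all` to learn the real DNS servers, then use netstat to find which process owns the connections to the 64.15.205.x addresses. As an added example (not code from any poster in this thread), the Python script below parses constructed `netstat -b -o` style output and groups, per owning process, every peer in that range that is not a configured DNS server; the sample lines, PIDs, DNS addresses and process names other than msnmgr.exe are made up.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the style of Windows "netstat -b -o" output, not a real capture;
# msnmgr.exe is the process name bizet reported, the other names and addresses are made up.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1042      64.15.205.241:80       SYN_SENT        1584
  [msnmgr.exe]
  TCP    192.168.1.10:1043      207.46.110.20:1863     ESTABLISHED     1584
  [msnmgr.exe]
  UDP    192.168.1.10:1025      *:*                                    1004
  [svchost.exe]
  TCP    192.168.1.10:1050      64.15.205.240:80       SYN_SENT        2210
  [iexplore.exe]
"""
DNS_SERVERS = {"203.0.113.5", "203.0.113.6"}  # as listed by "ipconfig /all" (placeholder values)
WATCH_NET = ipaddress.ip_network("64.15.205.0/24")  # covers the .241/.240/.180 peers from the thread

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
PROC_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def parse_netstat_b(text):
    """Return one dict per connection; the bracketed line after it names the owning executable."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, _local, foreign, state, pid = m.groups()
            conns.append({"proto": proto, "foreign": foreign.rsplit(":", 1)[0],
                          "state": state or "", "pid": int(pid), "process": None})
            continue
        m = PROC_RE.match(line)
        if m and conns and conns[-1]["process"] is None:
            conns[-1]["process"] = m.group(1)
    return conns


def flag_connections(conns, dns_servers=DNS_SERVERS, watch_net=WATCH_NET):
    """Group by process every peer inside watch_net that is not a configured DNS server."""
    findings = defaultdict(list)
    for c in conns:
        try:
            ip = ipaddress.ip_address(c["foreign"])
        except ValueError:  # "*" wildcard or a hostname: nothing to classify
            continue
        if ip in watch_net and str(ip) not in dns_servers:
            findings[c["process"] or f"pid {c['pid']}"].append((c["proto"], str(ip), c["state"]))
    return dict(findings)
```

Running `flag_connections(parse_netstat_b(NETSTAT_SAMPLE))` on the sample attributes the 64.15.205.241 connection to msnmgr.exe and the .240 one to iexplore.exe, which is the per-process answer the thread was looking for.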