Am I in trouble? Hacked?

Hi all,

I'm rather perplexed in that some of my apps are displaying strange behaviour in that they'd want to connect to the site 64.15.205.241 first.

For example, I've just installed spywareguard from javacool and it too wants to connect to 64.15.205.241

Windows messenger same story.

What's happening?

ps
I've just done a fresh reinstall of WinXp home edition and updated it to all the latest hotfixes.
Am using Kerio 2.15

 

Re: Why?

Hi perplexed,

Could that be your ISP's DNS server?

Steve

 

Re: Why?

Hi Dog,

Thanks for the reply. How do I verify whether it's my isp dns server? I never use to notice this, been using kerio 2.15 all this while. When browse 64.15.205.241 I get something like a site placeholder directory with links which seem to come from roar.com. At times it seems to be linked with www.pageseeker.com

Still perplexed

 

Re: Why?

hmmm shouldn't be my isp dns server cos when I get kerio to deny it I still get to browse websites and such. Also my webbrowser doesn't seem to need to go through 64.15.205.241. Strange thing is that prior to my reinstallation of winxp, when I browse some sites like eg www.mepis.org I'd get the same placeholder directory site as 64.15.205.241

perplexed

 

snapdragin, thanks for changing the title for me. posted too quick and didn't realise i couldn't edit the title.

anyone able to provide some insight?

 

have tried lavasoft, spybot search and destroy and nothing found yet. have scanned with pc cillin 2002, avast 4.5 with no results thus far.

 

I've just Googled it??.....Don't think it's your ISP....Check it out...



Cochise,

 

Hi Cochise,

Indeed I already highly doubt it's my ISP. The ip address seems to be associated to pageseeker.com / roar.com... The thing which perplexes me is how have they come into my system? Remember I did a fresh reinstall and immediately installed kerio and then all the security updates for winxp...

and yet?

 

Just completed a scan with ewido. No infections found.

Hmmm anyone with some ideas on what / where I should do / look / investigate next?

 

Used Kerio to block out 64.15.205.241
then blocked out 64.15.205.240

Right now i attempt to trigger this through launching windows messenger. After blocking the 2 ip addresses above... it came up with the ip address 64.15.205.180 which I've blocked...

any theories/ideas on how this can happen?

 

Just a thought

All 3 of those IP's belong to Savvis Communications....an Internet backbone....similar to Level3 Communications, one of the largest Internet backbones in the world. At one time Level3 and Savvis had network service agreements....and they may still do. Level3 definetly helps Microsoft with their load....so perhaps Savvis is helping Level3 to help Microsoft ?

Do you lose any functions when you disallow any of those IP's....gifs, ads....etc ?

 

i'm now trying a different isp now and interestingly i'm not getting the problem. windows messenger, spyware blaster behave as one'd expect.

still i'm not sure exactly what the problem is. the "problem" isp is a reputable one who mainly deal with business customers.

Or is it more likely to be the case where... somehow my ip range is actually recorded by some server somewhere. take the case of windows messenger. after i'd blocked the first ip 64.15.205.241, the second time when i attempted to sign-in, there was a noticeable delay before the second ip 64.15.205.240 popped up as a kerio alert.

@ bubba:
No don't seem to lose any functionality. The more worrisome thing is that if you google those ip addresses, one would notice that they seem to be on the block lists of spyware addresses.

how is the mysterious communication taking place?
perplexed

 

anyone else with some thoughts on this?

 

My thoughts...

run IPCONFIG /ALL to see what ip address your DNS server actually is (so you'll know)

run NETSTAT -A to see all the ports that are being accessed

That is just a start.

 

@ capp

Thanks. I'm not using the "problematic" isp at the moment. Will see what happens when i get back to it. A comparison of kerio and the output from netstat -a looks fine for the moment.

And yup ipconfig does confirm that those addresses are most certainly not the isp's dns servers. (jogged my memory when you mentioned using ipconfig)

 

Hi,

If many of your trusted applications try to be connected on 64.15.205.241 on port 53, it does not mean that you have been hacked.
I think it's quite normal:this IP may be your provider.

You could make a search online: http://www.samspade.org

Or you could use IPTicker or eStop (show the ip connection):

*IPTcker: http://www.soft-trek.com.au/prjIPTicker.asp

*eStop: http://www.nwpsw.com/estopmain.html

Regards

 

Glad to help and sorry I couldn't be of more help. I don't know Kerio so I won't touch that one

 

DRM(digit'l rights mgmt.) as a component of M$ WINXP

 

No you havn't been hacked - loooks like some nasty spyware for example Cydoor! run Hijackthis, then copy and paste the log file at www.hijackthis.de for a quick check to see whats on your comp.

 

Just in case noone has traced the Ip here it is in part

 

second part

 

I just read this post searching for troubleshooting same. May this help others.

What I found is using this DOS command:

Run...Cmd..netstat -b

that showed the software using the port to that connection we are aware, in this case to SAVVIS.. the software was msnmgr.exe. Even when I was not connected to it, the app was in the system tray, once I closed the app, the connection to savvis dissapeared.

Regards