Intruders?

Discussion in 'Port Explorer' started by Wayne B, Dec 31, 2003.

Thread Status:
Not open for further replies.
  1. Wayne B

    Wayne B Guest

    In Port Explorer I have traced several connections with Whois. Doug Barton was coming in a lot last night. Tom Kloc from Mindlink, Arin from Liquid Web.

    Tonight I got ARIN as American Registry for Internet Numbers connected from ARIN-NET, then Arin from Liquidweb.

    I always have at least four red lines. Most are my internet provider and one is localhost.

    I got the key for Port Explorer but it wouldn't work, so I went back to using the demo version.

    I have forced several people off.

    Also I have heard that having Explorer.exe is a bad sign of a trojan. I have two of those.

    I hope I can trace what is going on and lock these people out.

    Any suggestions would be appreciated.

    I have Wormguard and TDS-3 also. I bought the 3 pack. I haven't got those to show up in the member section yet though. Port Explorer does, but I can't get it to work.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello Wayne B, welcome.
    You might like to join as a member to the forum, to be able to use the IM of the board too.

    First things first:
    what seems to be the problem with your PE key?
    Did you close every application except windows and the install for PE when you started?
    Did you manually first uninstall the demo with the uninstall function in the PE directory or did you have PE install taking care of that part?
    Did you reboot after that uninstall, making sure every other program --especially firewall and av/AT scanners-- was still off before continuing the install?
    Did you after that drop the keyfile in the PE directory and act as instructed in the registration email?
    After you might have had an instruction to reboot again or maybe you could first or after that reboot type in your unlock code.
    After that reboot you can fire up all the other protection again.

    From there we can go further. If you have any problems in those first steps to get the registered version working correctly please tell where it goes wrong.
     
  3. Carlos25

    Carlos25 Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    5
    Location:
    Merseyside, England.
    Hello Wayne - I'm no expert, but I don't think you need to worry too much about explorer.exe being a trojan.

    There are two applications in Windows, iexplorer.exe and explorer.exe, which I believe are related to Internet Explorer and are normal.

    With TDS3 installed you should be relatively safe from trojans - update to the latest trojan definitions and run a full system scan.
    I have found it is important to run a full system scan occasionally as the standard startup scan may miss some trojan elements that may reside on the machine.

    I found this by deliberately infecting myself with the latest version of Subseven just to see if TDS works and to put your mind at rest it is pretty good and has removed everything I have tried so far :D
    I would not recommend anyone try this though of course :rolleyes:
    Port Explorer will show any applications that are communicating via TCP or UDP and will highlight any suspicious applications.
     
  4. Wayne B

    Wayne B Guest

    I changed to a cloned drive and tried to install Port Explorer without ever installing the demo version. I still have the same problem. It will not run and only brings back the screen to enter the code. Before after uninstalling all of Port Explorer I tried to download the version instead of using the version you sent. Still had the same problem.
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Wayne B, happy new year!
    I explained in the other thread that it will be investigated what might have gone wrong, which due to the holiday break takes a little more time than normally.
    So until that part is solved in a few days, please keep using the evaluation version a few more days if possible.


    For the intrusions:
    Which applications were connected to them?
    If you see them in red characters, for instance if you have TDS automated sockets installed, show up as listening in the PE console, in black if TDS is up or in red when minimized, while the moment you click the systray icon they become black again.
    Same with your email and IE etc.

    You might connect to a site --either by browser or by email downloading some images or other info the moment you open it-- which shows in the PE connections, and again hidden red if minimized or back normal when enlarged.

    If you're on a win2000/NT/XP system your system sockets (services) will show up blue, other sockets black.

    Now I'd like to know what exactly happened when explore.exe connected to the internet. That needs all attention. Any idea what it was connected with, ports used, did your firewall protest, have you been able to spy on the data packets to see what was happening there? Was it one time or does it happen more frequently?

    Does your updated TDS alarm on any changes or positive identifications? If explorer.exe is infected it would show in a recent modification date.
    (TDS > System Analyses > Process List > search for explorer.exe and look deeper at it )
    Was it explore.exe or explorer.exe?
    Which windows version are you using?


    For the whois results:
    Those whois results indicate the providers of the IP addresses you see, they are very seldom the same as the user responsible for your connection. The names we see in whois are most often administrative and technical contacts, emailboxes, they are in most cases not the attacker themselves.
     
  6. Wayne

    Wayne Guest

    Lost last reply because of a bad character.

    Port Explorer has been very helpful. I have been able to put some of the intruder IP's in the restricted area of my firewall. I will look forward to getting the full version.

    Right now I have four red lines with msmsgs.exe. I have tried to block that by using Netscape and putting it in the blocked programs, but it keeps coming back. Can I get rid of that by not using Microsoft products except XP Pro or would I have to go to Linux to get rid of it?

    I also have a lot of svchost.exe with remote hosts. What is that?

    I am much happier now that I have been able to block some of these people.

    I look forward to learning more.

    FYI: I always keep Windows updated and my Norton programs every day.
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    msmsgs.exe is your msn messenger / windows messenger.
    If you use that or have it in your autostart you will get several connections to the outside world with that.

    svchost.exe rightclick the socket and see to which application it is connected.
    Those are services. In win9x you didn't have them, but in the XP/2000 systems you see them.
    Can be your virusscanner, mediaplayer, whatever it is exactly the info will tell you.
     
  8. Wayne B

    Wayne B Guest

    I know what msmsgs.exe is. My question was why does it keep showing up if I don't use the IE browser, Outlook or Outlook Express, etc. I only use XP Pro. Then I asked if I would have to use Linux to get rid of it. I always disable it in the task bar. Also why were four of these red?

    Same with svchost.exe, I can look at what it is, but I don't see why so many need to be connected with different remote ports, especially while I am not doing anything on the internet except using Port Explorer.
     
  9. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    What ports and IP addresses is svchost.exe connecting to?
    Those lines are showing in red because the processes don't have a visible window.
    You can block svchost.exe from connecting to the Internet by your firewall, you can do this with messenger too.
    And yes, Linux will solve those problems as well ;)
    Dolf
     
  10. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,452
    Location:
    North Carolina, USA
    Hello Wayne B and welcome to Wilder's!!!!!

    Check the remote ports svchost.exe is connected to. It should be port 53 which is used for DNS (Domain Name Server). If this is the case, you have nothing to worry about. The Domain Name Server (DNS) is a distributed Internet directory service. DNS is used mostly to translate between domain names and IP addresses, and to control Internet email delivery. Most Internet services rely on DNS to work, and if DNS fails, web sites cannot be located and email delivery stalls.

    HTH.....

    Regards,
    Kent
     
  11. Wayne B

    Wayne B Guest

    svchost.exe is connected through port 53, but also port 123. The remote address when connected to port 123 is 207.46.130.100. I put that address in the restricted area of my firewall, but it keeps coming up anyway. I have killed it many times.

    There have been other remote ports connected with svchost.exe also. I will be glad to get the full version working of PE so I can see what they are. I know there is a list of common ports, but I have not had time to look it up.

    Some of the connections that are hidden are msmsgs.exe. I don't think svchost.exe has been hidden much. msmsgs.exe has about four hidden connections all the time.
     
  12. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Wayne

    As noted above, it is normal to see svchost associated with DNS lookups (connection to remote service/port 53).

    Port 123 is associated with the NTP service (Network Time Protocol). Seeing this connection is also normal if you have the time service active in XP.

    This IP comes back to time.windows.com, the Microsoft Corp. time server.

    No need to block it as it is a normal and safe function of XP.

    Regards,

    CrazyM
     
  13. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    You can use the iana (Internet Assigned Numbers Authority) - port numbers list as a guide to help determine some of what you may be seeing. In particular the service ports 0-1023.

    The Lookup feature in PE under Utilities also has a port to service query ability. In addition to any common services (iana port list), it will also list any known malware associated with the port. Selecting an entry in the display and right clicking will also give you the port lookup option (amongst others).

    Regards,

    CrazyM
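    The two posts above describe the triage the thread keeps coming back to: read each Port Explorer row, map the remote port to a service with the IANA well-known port list, and compare it with what the owning process is expected to do (svchost.exe doing DNS on 53 and NTP on 123 to time.windows.com is normal on XP; a red row only means the process has no visible window). The following is an added example of that logic, not code from the thread or from Port Explorer. The baseline table, the CSV row format and the sample rows are constructed; `iexplore.exe -> 80/443` is an assumed browser baseline, and the IPs other than the NTP peer named in the thread come from documentation ranges.

```python
from dataclasses import dataclass

# Subset of the IANA well-known service ports (0-1023) that come up in the thread.
IANA_SERVICES = {25: "smtp", 53: "dns", 80: "http", 110: "pop3", 123: "ntp", 443: "https"}

# Baseline of expected remote service ports per process. svchost.exe doing DNS (53)
# and NTP (123) is normal on Windows XP, as the thread explains; iexplore.exe -> 80/443
# is an assumed browser baseline added for illustration.
BASELINE = {
    "svchost.exe": {53, 123},
    "iexplore.exe": {80, 443},
}

# NTP peer the thread identified as time.windows.com (Microsoft's time server).
KNOWN_NTP_PEERS = {"207.46.130.100"}


@dataclass
class Conn:
    process: str
    local_port: int
    remote_ip: str
    remote_port: int
    hidden: bool  # PE shows a socket in red when the owning process has no visible window


def parse_row(line: str) -> Conn:
    """Parse one constructed CSV row: process, local port, remote IP, remote port, colour."""
    proc, lport, rip, rport, colour = (f.strip() for f in line.split(","))
    return Conn(proc, int(lport), rip, int(rport), colour.lower() == "red")


def triage(conn: Conn, messenger_in_use: bool = False) -> tuple:
    """Return (verdict, reason); verdict is 'expected' or 'review'."""
    service = IANA_SERVICES.get(conn.remote_port, f"port {conn.remote_port}")
    if conn.process == "msmsgs.exe":
        if messenger_in_use:
            return "expected", "Messenger traffic while Messenger is in use"
        return "review", "Messenger is running but not used: remove it from startup or block it in the firewall"
    if conn.remote_port in BASELINE.get(conn.process, set()):
        if conn.remote_port == 123 and conn.remote_ip not in KNOWN_NTP_PEERS:
            return "review", f"NTP to unrecognised peer {conn.remote_ip}; confirm it is the configured time server"
        return "expected", f"{conn.process} -> {service} is baseline behaviour"
    note = " (no visible window)" if conn.hidden else ""
    return "review", f"{conn.process}{note} -> {conn.remote_ip}:{conn.remote_port} ({service}) is not in the baseline"


def triage_rows(lines, messenger_in_use: bool = False) -> list:
    """Triage a list of rows; returns (process, remote, verdict, reason) per row."""
    results = []
    for line in lines:
        c = parse_row(line)
        verdict, reason = triage(c, messenger_in_use)
        results.append((c.process, f"{c.remote_ip}:{c.remote_port}", verdict, reason))
    return results


# Constructed rows in the shape of a saved PE table. Apart from the NTP peer from the
# thread, the addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_ROWS = [
    "svchost.exe, 1025, 192.0.2.53, 53, black",
    "svchost.exe, 1026, 207.46.130.100, 123, black",
    "svchost.exe, 1027, 198.51.100.9, 123, black",
    "msmsgs.exe, 3001, 198.51.100.7, 80, red",
    "unknown.exe, 4000, 203.0.113.9, 51234, red",
]

if __name__ == "__main__":
    for proc, remote, verdict, reason in triage_rows(SAMPLE_ROWS):
        print(f"{verdict:8} {proc:12} {remote:22} {reason}")
```

    The point of keeping the baseline as data is that it is the part that differs per machine: a user who actually runs Messenger passes `messenger_in_use=True`, and anything not in the table is only flagged for review, with the port name from the IANA list attached so the reviewer knows what to look up next.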
     
  14. Wayne B

    Wayne B Guest

    I will check iana. I don't have the full version of PE working yet so the port function is not available.

    I tried to install the full version on another computer and still have the same problem. It takes the key then asks for it again when I click on PE. I have tried waiting a while and re-booting, but that didn't make any difference.
     
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If you have TDS, there is a port reference list utility in that too; they might not differ really much.

    For the key or unlock code -- almost morning in Perth. Few hours more......
     
  16. Wayne B

    Wayne B Registered Member

    Joined:
    Jan 4, 2004
    Posts:
    48
    What is a208-38-45-184.deploy.akamaitechnologies.com? When I searched akamaitechnologies I came up with FBI government. Is that correct?

    I don't know why they would care about me. My legal record is perfectly clean. I don't even have any traffic tickets.

    Also I have seen some connections with level 3 in the name. This all seems very strange.

    A distant relative has had trouble with the FBI. We ran into him, even though he lives on the other side of the country, and have talked to him. We have no connection with his political interests, so I would be annoyed if the FBI is monitoring us.

    Also deep.mindlink.net seems to be related to my email. The difference is that my email ends in 49 and this ends in 4.
     
  17. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Akamai have servers that host content for a large number of sites on the Internet. It would not be unusual to see their IP's showing up in connections when surfing.

    Do you have any more details on this connection?

    Regards,

    CrazyM
     
  18. Wayne B

    Wayne B Registered Member

    Joined:
    Jan 4, 2004
    Posts:
    48
    204.168.26.4 is the IP. Tom Klok. I don't know if this is related to 204.168.26.49 or not.

    What happens when I keep rejecting msmsgs.exe being put in my registry?

    What is the following:

    OrgName: Level 3 Communications, Inc.
    OrgID: LVLT
    Address: 1025 Eldorado Blvd.
    City: Broomfield
    StateProv: CO
    PostalCode: 80021
    Country: US

    NetRange: 209.244.0.0 - 209.247.255.255
    CIDR: 209.244.0.0/14
    NetName: LEVEL3-CIDR
    NetHandle: NET-209-244-0-0-1
    Parent: NET-209-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.LEVEL3.NET
    NameServer: NS2.LEVEL3.NET
    Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    RegDate: 1998-05-22
    Updated: 2001-05-30

    TechHandle: LC-ORG-ARIN
    TechName: level Communications
    TechPhone: +1-877-453-8353
    TechEmail: ipaddressing@level3.com

    OrgAbuseHandle: APL8-ARIN
    OrgAbuseName: Abuse POC LVLT
    OrgAbusePhone: +1-877-453-8353
    OrgAbuseEmail: abuse@level3.com

    OrgTechHandle: TPL1-ARIN
    OrgTechName: Tech POC LVLT
    OrgTechPhone: +1-877-453-8353
    OrgTechEmail: ipaddressing@level3.com

    OrgTechHandle: ARINC4-ARIN
    OrgTechName: ARIN Contact
    OrgTechPhone: +1-800-436-8489
    OrgTechEmail: arin-contact@genuity.com

    # ARIN WHOIS database, last updated 2004-01-02 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS database.
     
  19. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Wayne B,
    you can save your PE table at certain moments and copy a few lines out for posting here (the saved log is a txt file) or if you have the log file on you can copy a few remarkable lines here.

    I told you in the other posting to go to your msconfig (or what's the name in your windows version?) and uncheck that one from the startup.
    If that is the MSN messenger.
    If it is the windows system messenger service you can disable that one too completely (must find the exact ways back in older postings as GRC's "shoot the messenger" might be a bit very definitive) unless you really want to use that.
     
  20. Wayne B

    Wayne B Registered Member

    Joined:
    Jan 4, 2004
    Posts:
    48
    When I asked what is this, I meant what is the site that I have listed. I copied it from whois and wonder why it was connected to my computer.

    I got a level 3 notice with my IP address, ISP provider saying I am being watched. I figured it was a scam because there was no reason for it and a part of it was wrong. They wanted me to click on it, but I deleted it.

    Hopefully this is just the name of a site, but I have seen other indications of this. LVL 3 in a site name for example.
     
  21. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Reason more why I really would like you, if it happens again, to save and post the line(s) relating to that from the console / logfile.

    You should be able to see which application is using it -
    is it an IE socket?
    You can put the socket under socket spy and look at the data packets belonging to it, or you can disable sending/receiving or killing the connection.
    It can happen you are opening an email which connects to the sender for downloading images or other info, or which is sending a signal to them so they know you received it, validating your email account with that.
    Many windows updates are on akamai sites too, so many are using them; so to know what really happened we need more info from your detection!
     
  22. Wayne B

    Wayne B Registered Member

    Joined:
    Jan 4, 2004
    Posts:
    48
    I might have been able to block it in the restricted area of my firewall. I guess I could allow it to run again so I could get more information. I killed it several times. I have not learned how to use the Socket Spy yet. Is all this available in the demo version?
     
  23. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Think it all is, there are but few restrictions in the evaluation version.

    We can help you better if we know what is going on, what are the connections, which applications, which ports on local and remote server, etc etc etc.
    This is why I ask for the log, a few lines from the table and/or the log file.
    Without this proper information I can't do nothing.
    I get hundreds of connections each hour but all depends which application is responsible for it and how and when and if I'm on a page what is happening, etc etc
    It could even be a banner on a website which is making the connection, anything.
    So please give us the log info and we can give info, as at the moment I can but give some theories which are not even helpful in this situation at all.
    Thanks for posting the few lines I'm asking.
     
  24. Wayne B

    Wayne B Registered Member

    Joined:
    Jan 4, 2004
    Posts:
    48
    This was an odd connection and hopefully has a little more info. It showed in my Norton Internet Explorer log, but not in Port Explorer for some reason. I was watching the demo Port Explorer quite often last night. It was not in the Port Explorer log either.

    Details:
    Connection: us.js1.yimg.com(63.208.33.7): http(80)
    from p4(192.168.1.100): 3023
    2794 bytes sent
    21880 bytes received
    2:02.812 elapsed time

    There are several entries of this. The log looks like it increases the time on each entry.

    I got the above information from my Internet Security log.

    I don't know which program because it does not show in Port Explorer.

    This shows a connection for over two hours and I have not seen this in Port Explorer.

    There is another entry of it below with a slightly different address.

    I wonder why this does not show in Port Explorer.

    Details:
    Connection: us.js1.yimg.com(63.208.33.21): http(80)
    from p4(192.168.1.100): 3057
    313 bytes sent
    3620 bytes received
    1:02.906 elapsed time

    Below is from whois.

    OrgName: Level 3 Communications, Inc.
    OrgID: LVLT
    Address: 1025 Eldorado Blvd.
    City: Broomfield
    StateProv: CO
    PostalCode: 80021
    Country: US

    NetRange: 63.208.0.0 - 63.215.255.255
    CIDR: 63.208.0.0/13
    NetName: LEVEL4-CIDR
    NetHandle: NET-63-208-0-0-1
    Parent: NET-63-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.LEVEL3.NET
    NameServer: NS2.LEVEL3.NET
    Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    RegDate: 1999-05-28
    Updated: 2001-05-30

    TechHandle: LC-ORG-ARIN
    TechName: level Communications
    TechPhone: +1-877-453-8353
    TechEmail: ipaddressing@level3.com

    OrgAbuseHandle: APL8-ARIN
    OrgAbuseName: Abuse POC LVLT
    OrgAbusePhone: +1-877-453-8353
    OrgAbuseEmail: abuse@level3.com

    OrgTechHandle: TPL1-ARIN
    OrgTechName: Tech POC LVLT
    OrgTechPhone: +1-877-453-8353
    OrgTechEmail: ipaddressing@level3.com

    OrgTechHandle: ARINC4-ARIN
    OrgTechName: ARIN Contact
    OrgTechPhone: +1-800-436-8489
    OrgTechEmail: arin-contact@genuity.com

    # ARIN WHOIS database, last updated 2004-01-06 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS database.

    Can you tell more about this from this entry?
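    What an ARIN record like the one above actually answers is "which organisation holds the block this address sits in, and whom do I notify": as Jooske pointed out earlier in the thread, the names in it are the allocation holder's contacts, not the party at the other end of the socket. The example below is added here and is not code from the thread or from Port Explorer. It parses a trimmed, constructed copy of the record just posted, cross-checks that the `NetRange` and `CIDR` fields describe the same block, and reports which block, organisation and abuse mailbox cover a given address. The two `us.js1.yimg.com` addresses from the Internet Security log both land in `63.208.0.0/13`; the Mindlink address from earlier in the thread does not, which is the expected "outside this record" result.

```python
import ipaddress

# Constructed copy of the ARIN record posted above, trimmed to the fields this example uses.
WHOIS_TEXT = """\
OrgName:    Level 3 Communications, Inc.
OrgID:      LVLT
NetRange:   63.208.0.0 - 63.215.255.255
CIDR:       63.208.0.0/13
NetName:    LEVEL4-CIDR
NetType:    Direct Allocation
NameServer: NS1.LEVEL3.NET
NameServer: NS2.LEVEL3.NET
OrgAbuseHandle: APL8-ARIN
OrgAbuseEmail:  abuse@level3.com
OrgTechEmail:   ipaddressing@level3.com
# ARIN WHOIS database, last updated 2004-01-06 19:15
"""


def parse_whois(text: str) -> dict:
    """Turn 'Key: value' lines into a dict; '#' comment lines are skipped and repeated keys become lists."""
    rec = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key in rec:
            rec[key] = (rec[key] if isinstance(rec[key], list) else [rec[key]]) + [value]
        else:
            rec[key] = value
    return rec


def networks(rec: dict) -> list:
    """Allocated networks from the CIDR field (ARIN may list several, comma separated)."""
    return [ipaddress.ip_network(c.strip()) for c in rec.get("CIDR", "").split(",") if c.strip()]


def range_matches_cidr(rec: dict) -> bool:
    """Cross-check: the NetRange field must summarise to exactly the networks in the CIDR field."""
    first, _, last = (p.strip() for p in rec["NetRange"].partition("-"))
    summarised = ipaddress.summarize_address_range(ipaddress.ip_address(first), ipaddress.ip_address(last))
    return sorted(map(str, summarised)) == sorted(map(str, networks(rec)))


def locate(ip: str, rec: dict):
    """Block, organisation and abuse contact responsible for ip, or None if ip is outside the record."""
    addr = ipaddress.ip_address(ip)
    for net in networks(rec):
        if addr in net:
            return {"ip": ip, "block": str(net), "org": rec.get("OrgName"), "abuse": rec.get("OrgAbuseEmail")}
    return None


if __name__ == "__main__":
    rec = parse_whois(WHOIS_TEXT)
    print("NetRange consistent with CIDR:", range_matches_cidr(rec))
    # 63.208.33.7 and 63.208.33.21 are the us.js1.yimg.com addresses from the log above;
    # 204.168.26.4 is the Mindlink address quoted earlier in the thread.
    for ip in ("63.208.33.7", "63.208.33.21", "204.168.26.4"):
        print(ip, "->", locate(ip, rec))
```

    The `range_matches_cidr` check matters on real records because the `CIDR` line is the one most people read, while `NetRange` is the authoritative bounds; a mismatch usually means a record was copied or trimmed by hand.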
     
  25. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Wayne

    That will most likely be just a server providing content for a site you went to. Web sites will draw content from other servers, in which case you will see multiple connections when connecting to xyz.com

    If you check your NIS connection log for the entry immediately prior to that one, you will likely see a connection to a site that you remember going to.

    An example from my router logs:
    Code:
    08/01/2004  05:02:17:386
    
    Action:              Permitted Outbound TCP connection
    Local IP, Port:      192.168.1.3, 2322
    Remote IP, Port:   http://66.218.66.240 (groups.yahoo.com), 80 (http)
    
    08/01/2004  05:02:17:937
    
    Action:              Permitted Outbound TCP connection
    Local IP, Port:      192.168.1.3, 2323
    Remote IP, Port:   http://208.38.45.182 (us.js1.yimg.com), 80 (http)
    Edit: Servers such as us.js1.yimg.com (and akamai as mentioned) are not unexpected and normal connections.

    Regards,

    CrazyM
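    The advice above, to read the log entry immediately before a puzzling connection, can be applied mechanically: parse the log, order entries by time, and for each connection report the different host contacted just before it within a short window, which is usually the page whose content it served. The following is an added example, not code from the thread or from the router that produced the quoted log. The first two entries are the ones quoted above; the third is a constructed entry minutes later to show the negative case. The date format is assumed to be DD/MM/YYYY (the log is from January 2004), and the 5 second window is a chosen default.

```python
import re
from datetime import datetime, timedelta

# Constructed log in the shape of the router log quoted above. The first two entries are the
# quoted ones; the third is added, minutes later, so the "no preceding visit" case appears.
ROUTER_LOG = """\
08/01/2004  05:02:17:386

Action:              Permitted Outbound TCP connection
Local IP, Port:      192.168.1.3, 2322
Remote IP, Port:   http://66.218.66.240 (groups.yahoo.com), 80 (http)

08/01/2004  05:02:17:937

Action:              Permitted Outbound TCP connection
Local IP, Port:      192.168.1.3, 2323
Remote IP, Port:   http://208.38.45.182 (us.js1.yimg.com), 80 (http)

08/01/2004  05:09:40:100

Action:              Permitted Outbound TCP connection
Local IP, Port:      192.168.1.3, 2350
Remote IP, Port:   http://63.208.33.7 (us.js1.yimg.com), 80 (http)
"""

TS_RE = re.compile(r"^(\d\d/\d\d/\d{4})\s+(\d\d:\d\d:\d\d):(\d{3})$")
LOCAL_RE = re.compile(r"^Local IP, Port:\s+([\d.]+),\s*(\d+)")
REMOTE_RE = re.compile(r"^Remote IP, Port:\s+(?:http://)?([\d.]+)\s+\(([^)]+)\),\s*(\d+)")


def parse_router_log(text: str) -> list:
    """Split the log into one dict per connection: time, local/remote IP and port, remote host."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        ts = TS_RE.match(line)
        if ts:
            # Day-first date assumed (the thread is from January 2004); the last field is milliseconds.
            stamp = f"{ts.group(1)} {ts.group(2)}.{ts.group(3)}"
            cur = {"time": datetime.strptime(stamp, "%d/%m/%Y %H:%M:%S.%f")}
            entries.append(cur)
            continue
        if cur is None:
            continue
        local = LOCAL_RE.match(line)
        if local:
            cur["local_ip"], cur["local_port"] = local.group(1), int(local.group(2))
            continue
        remote = REMOTE_RE.match(line)
        if remote:
            cur["remote_ip"], cur["remote_host"], cur["remote_port"] = remote.group(1), remote.group(2), int(remote.group(3))
    return entries


def explain(entries: list, window: timedelta = timedelta(seconds=5)) -> list:
    """Pair each connection with the different host contacted just before it (within window);
    otherwise flag it so the owning process can be identified, e.g. with PE's socket spy."""
    ordered = sorted(entries, key=lambda e: e["time"])
    out = []
    for i, e in enumerate(ordered):
        prev = ordered[i - 1] if i else None
        if prev and e["time"] - prev["time"] <= window and prev["remote_host"] != e["remote_host"]:
            gap = (e["time"] - prev["time"]).total_seconds()
            out.append((e["remote_host"], f"content fetched {gap:.3f}s after {prev['remote_host']}"))
        else:
            out.append((e["remote_host"], "no preceding page visit within window; identify the owning process (PE socket spy)"))
    return out


if __name__ == "__main__":
    for host, verdict in explain(parse_router_log(ROUTER_LOG)):
        print(f"{host:18} {verdict}")
```

    With the quoted data the `us.js1.yimg.com` connection is attributed to the `groups.yahoo.com` visit 0.551 seconds earlier; the constructed third entry has no such neighbour and is the kind of line worth matching against the Port Explorer table to find the process behind it.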
     