Strange outgoing connections

Discussion in 'other firewalls' started by <DreamCatcher>, Feb 20, 2006.

Thread Status:
Not open for further replies.
  1. <DreamCatcher>

    <DreamCatcher> Registered Member

    Joined:
    Jan 6, 2006
    Posts:
    154
    Hi all,

    Today for some strange reason my firewall Zone Alarm Pro alerted me to 'McVSEscn.exe located in program files' was attempting to connect out to 82.173.58.141 :110 > destination dns > ip141-58-173-82.dyndsl.versatel.nl. Being it was McAfee I thought ok, but as soon as I thought about it I quickly blocked it. The reason being I’m not using POP3 and don’t download my emails. I have never seen this type of strange connection before. First I Googled to see if anyone has had similar things happen, and I found this only link>

    http://www.experts-exchange.com/Security/Win_Security/Q_21731830.html

    ''82.173.58.141 = [ ip141-58-173-82.dyndsl.versatel.nl ]''

    Then I searched for what both the IP addresses were and I came up with this. I’m confused because even if this was legit, I’m in the UK not the Netherlands, so why was McAfee trying to connect out to this address to receive mail? I was using p2p at the time so maybe this has something to do with it?

    I would really appreciate any advice,

    Thanks in advance.

    82.173.58.141
    -------------------------------------------------------------------------

    Information related to '82.173.56.0 - 82.173.63.255'

    inetnum: 82.173.56.0 - 82.173.63.255
    netname: VERSATEL-CONSUMER-2
    descr: Versatel Consumer is one of the largest ISP's in the Netherlands
    descr: Bras Alkmaar
    country: NL
    admin-c: ZA134-RIPE
    tech-c: ZA134-RIPE
    tech-c: VT1029-RIPE
    remarks: ------------------------------------------
    remarks: For abuse issues please contact
    remarks: abuse@versatel.nl
    remarks: ------------------------------------------
    status: ASSIGNED PA
    mnt-by: AS13127-MNT
    source: RIPE # Filtered

    role: ZONnet Administrator
    address: Hullenbergweg 101
    address: 1101 CL Amsterdam Zuidoost
    address: the Netherlands
    phone: +31 (0)20 7507772
    fax-no: +31 (0)20 7507750
    admin-c: AZ260-RIPE
    tech-c: AZ260-RIPE
    tech-c: VT1029-RIPE
    nic-hdl: ZA134-RIPE
    remarks: -------------------------------------------
    remarks: For abuse issues please contact
    remarks: abuse@zonnet.nl
    remarks: ------------------------------------------
    mnt-by: AS13127-MNT
    source: RIPE # Filtered

    role: VT HOSTMASTER
    address: Hullenbergweg 101
    address: 1101 CL Amsterdam ZuidOost
    address: The Netherlands
    remarks: trouble: For ZON related abuse issues please contact abuse@zonnet.nl
    remarks: trouble: For all abuse issues please contact abuse@versatel.net
    admin-c: RVDK1-RIPE
    tech-c: RVDK1-RIPE
    tech-c: ROBH1-RIPE
    tech-c: RW487-RIPE
    nic-hdl: VT1029-RIPE
    remarks: This is the Versatel hostmaster role
    remarks: Please direct all queries to this role and *not* to person objects
    mnt-by: AS13127-MNT
    source: RIPE # Filtered
    abuse-mailbox: abuse@zonnet.nl
    abuse-mailbox: abuse@zonnet.nl
    abuse-mailbox: abuse@versatel.net

    % Information related to '82.172.0.0/14AS13127'

    route: 82.172.0.0/14
    descr: Versatel customers
    origin: AS13127
    mnt-by: AS13127-MNT
    source: RIPE # Filtered


    141.58.173.82
    ---------------------------------------------------------------------

    OrgName: Verizon Internet Services Inc.
    OrgID: VRIS
    Address: 1880 Campus Commons Dr
    City: Reston
    StateProv: VA
    PostalCode: 20191
    Country: US

    NetRange: 141.149.0.0 - 141.158.255.255
    CIDR: 141.149.0.0/16, 141.150.0.0/15, 141.152.0.0/14, 141.156.0.0/15, 141.158.0.0/16
    NetName: VIS-141-149
    NetHandle: NET-141-149-0-0-1
    Parent: NET-141-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.BELLATLANTIC.NET
    NameServer: NS2.BELLATLANTIC.NET
    NameServer: NS2.VERIZON.NET
    NameServer: NS4.VERIZON.NET
    Comment: Please send all abuse reports to abuse@verizon.net.
    Comment: DO NOT send e-mail to DIA.ADMIN@verizon.com as it will not be answered.
    RegDate:
    Updated: 2005-04-21

    RTechHandle: ZV20-ARIN
    RTechName: Verizon Internet Services
    RTechPhone: +1-703-295-4583
    RTechEmail: IPNMC@gnilink.net

    OrgAbuseHandle: VISAB-ARIN
    OrgAbuseName: VIS Abuse
    OrgAbusePhone: +1-214-513-6711
    OrgAbuseEmail: abuse@verizon.net

    OrgTechHandle: ZV20-ARIN
    OrgTechName: Verizon Internet Services
    OrgTechPhone: +1-703-295-4583
    OrgTechEmail: IPNMC@gnilink.net

    # ARIN WHOIS database, last updated 2006-02-19 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.
     
    Last edited: Feb 20, 2006
  2. <DreamCatcher>

    <DreamCatcher> Registered Member

    Joined:
    Jan 6, 2006
    Posts:
    154
    Hey,

    This is strange I have found another link about this IP address >

    http://forum.grisoft.cz/freeforum/read.php?8,59680,backpage=8,sv=

    One thing I forgot to mention was that certain programs in task manager had rather long PIDs, more than I have ever seen. Maybe unrelated, but I would sure like to know what was going on!
     
    Last edited: Feb 20, 2006
  3. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Do your logs show what other connections were occurring around the same time?
    Have you checked them to make sure they are legitimate processes?

    Regards,

    CrazyM
     
  4. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    351
    Have you re-checked the email accounts on your computer to make sure they are still disabled?

    Just guessing but maybe the McAfee process got fooled into checking something that wasn't a valid email. Perhaps this could be caused by accessing a web page where the address 82.173.58.141 :110 was embedded in the code or as a link you clicked on...then McAfee intercepted it thinking it was an email. Do you remember what you were doing at the time?
     
  5. FirePost

    FirePost Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    212
    Some sites use lower ports such as pop3 or even dns to get around restrictions set by either the ISP or the administrator of their network, at school as an example.
    They disguise the P2P traffic by using reserved service ports. McAfee and AVG run as proxies so any communication on the "email" ports causes them to try to handshake. Set your rules for the P2P application to block anything under 1025.
     
  6. <DreamCatcher>

    <DreamCatcher> Registered Member

    Joined:
    Jan 6, 2006
    Posts:
    154
    Hi, CrazyM,

    At that time I was getting the usual blocked incoming connections that were either dropped or failed bit torrent connections. Type medium. The only other strange thing occurring at that time was Vsmon.exe started to go a bit mad making and dropping connections, as I was watching it in TCPVIEW.
    Zone Alarm log>

    PE,2006/02/20,03:18:26 +0:00 GMT,McAfee VirusScan E-mail Scan Module,82.173.58.141:110,N/A
    ACCESS,2006/02/20,03:18:32 +0:00 GMT,McAfee VirusScan E-mail Scan Module was temporarily blocked from connecting to the Internet (82.173.58.141: POP3).,N/A,N/A
    'PE,2006/02/20,03:16:04 +0:00 GMT,McAfee VirusScan E-mail Scan Module,82.173.58.141:110,N/A


    I think the ones with the long PIDs were from, I think, a bad start-up, as they were legit programs such as task manager and mcmnhdlr.exe. I have scanned my system with KAS online, McAfee, Ewido and A-Squared, and they show no trojan or any type of malware! I also used a program called 'program checker' that checks the MD5 checksum of running programs/EXEs and they were legit.
     
    Last edited: Feb 22, 2006
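Added example, not code from the thread or from any of the products named in it: a small Python triage helper for the situation FirePost describes and the Zone Alarm records DreamCatcher quoted. It parses the PE (program event) records, keeps those where the AV e-mail proxy reached out to a mail service port, and labels each one against the mail servers the user has actually configured and the peer's reverse-DNS name. The record field layout is taken from the quoted lines; the "dynamic line" name tags, the label strings and the mail-port table are my assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three Zone Alarm records quoted in the thread (PE = program event).
ZA_LOG = """\
PE,2006/02/20,03:18:26 +0:00 GMT,McAfee VirusScan E-mail Scan Module,82.173.58.141:110,N/A
ACCESS,2006/02/20,03:18:32 +0:00 GMT,McAfee VirusScan E-mail Scan Module was temporarily blocked from connecting to the Internet (82.173.58.141: POP3).,N/A,N/A
PE,2006/02/20,03:16:04 +0:00 GMT,McAfee VirusScan E-mail Scan Module,82.173.58.141:110,N/A
"""

# Ports an AV e-mail scanning proxy typically hooks (assumed table). A P2P peer that
# happens to listen on one of these is picked up by the proxy, as the thread describes.
MAIL_PORTS = {25: "SMTP", 110: "POP3", 143: "IMAP", 465: "SMTPS", 993: "IMAPS", 995: "POP3S"}
DYNAMIC_TAGS = ("dyn", "dsl", "cable", "pool", "dhcp", "ppp")  # assumed consumer-line markers

@dataclass
class MailProxyEvent:
    when: str
    program: str
    ip: str
    port: int

def parse_mail_proxy_events(log_text):
    """Return PE records whose destination is a mail service port."""
    events = []
    for line in log_text.splitlines():
        f = line.split(",")
        if len(f) < 5 or f[0] != "PE":
            continue
        m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)", f[4].strip())
        if m and int(m.group(2)) in MAIL_PORTS:
            events.append(MailProxyEvent(f"{f[1]} {f[2]}", f[3], m.group(1), int(m.group(2))))
    return events

def rdns_matches_ip(rdns, ip):
    """True if the reverse-DNS name embeds the IP's octets, forward or reversed
    (ISP consumer names such as ip141-58-173-82... use the reversed order)."""
    octets, digits = ip.split("."), re.findall(r"\d+", rdns)
    return any(digits[i:i + 4] in (octets, octets[::-1]) for i in range(len(digits) - 3))

def classify(event, configured_mail_servers, rdns=""):
    """Label a mail-port connection made by the AV e-mail proxy."""
    if event.ip in configured_mail_servers or rdns in configured_mail_servers:
        return "expected"  # a mail server the user's client is set up for
    if rdns and not rdns_matches_ip(rdns, event.ip):
        return "check-rdns"  # name does not belong to this address; repeat the lookup
    if any(tag in rdns.lower() for tag in DYNAMIC_TAGS):
        return "suspect-nonmail"  # consumer line on a mail port: likely a P2P peer caught by the proxy
    return "unknown"  # mail port to an unconfigured host; review what else was connecting then
```

With no mail accounts configured (as in the thread) and the Versatel name supplied, both PE records come back as "suspect-nonmail", which matches the conclusion the thread reached.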
  7. <DreamCatcher>

    <DreamCatcher> Registered Member

    Joined:
    Jan 6, 2006
    Posts:
    154
    Hi, Noway,

    Outlook has always been blocked from access to the internet and to be honest I just don't use it. I did check to see if there were any accounts > None.
     
  8. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Do you have any e-mail clients configured that would use outbound POP3?

    Regards,

    CrazyM
     
  9. <DreamCatcher>

    <DreamCatcher> Registered Member

    Joined:
    Jan 6, 2006
    Posts:
    154
    Hey,

    I just wanted to thank you guys for your help/advice. FirePost, you were right. For some reason I still don't get, McAfee was mistaking the traffic from this >ip141-58-173-82.dyndsl.versatel.nl:pop3, due to the fact that they were using a lower port. I stopped McAfee e-mail module connecting and my bittorrent program then established the connection without any problems.
     
  10. FirePost

    FirePost Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    212
    Don't be too hard on McAfee. Traffic on port 110 is supposed to be email ;)
     