Virus or Backdoor?

Discussion in 'malware problems & news' started by saxofun, Feb 23, 2004.

Thread Status:
Not open for further replies.
  1. saxofun

    saxofun Registered Member

    Joined:
    Feb 17, 2004
    Posts:
    17
    Hi,

    Since I have installed Kerio Personal Firewall 4.0, I have denied the UDP on port 53 in inbound and outbound.

    Then, while surfing on the net, I am frequently receiving Kerio's alerts (often in blocks of 8) telling me that Services and Controller App (c:\winnt\system32\services.exe) has been blocked in outbound on various ports (1039, 1799, 1807, 1892, 1926, 1905) but always at the same IP address 207.236.176.28:domain !!!

    If it is just a backdoor, it's ok, I am blocking it.
    But if it is a virus, I could eradicate it by erasing the files and/or keys that run this process. But which virus would it be?

    My AntivirusKitPro12 doesn't detect any virus, but as it is a trial version, I am not sure it is fully reliable and I don't want to change it yet, as I am testing it...

    What do you think of it? Could it be a virus? If so, which one?
    Thanks for your help!
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi saxofun,

    Trying whois -h whois.arin.net 207.236.176.28

    Bell Canada BELLGLOBAL-2 (NET-207-236-0-0-1)
    207.236.0.0 - 207.236.255.255
    Firmbuy Inc FIRMBUY-CA (NET-207-236-176-0-1)
    207.236.176.0 - 207.236.176.255

    Your ISP?

    Regards,

    Pieter
     
  3. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    This one got my attention. A while back I got hit by a few downloader trojans and I thought I had cleaned them out after doing a fresh repair of Windows XP. My problem seems to be that when using my browser, installing any new program, or using any program that connects online, my firewall asks if it can connect to that exact same IP address. I never noticed this behavior before my trojan incident and think there is something piggybacking programs going online. Now Bell Sympatico is my ISP, but when I called the tech line, she was at a loss as to why I would need to connect to that address.
    One good example is updating spybot, hijack this or adaware--my firewall asks if they can connect to that above address. Should they not connect directly to their respective addies instead?
    Hijack this shows that IP in an 0-17 listing "domain Hijack".
    That IP is located in Toronto and I live 5 hours away from there so I still say something is hinky. Thanks for any help if you may know what could be going on.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi RIFLEMAN,

    I think this has been explained to you before, but for the benefit of saxofun I will try again.
    When a program tries to connect to a URL (e.g. www.javacoolsoftware.com) your computer needs that URL translated into an IP address.
    To do so it looks in different places in a certain order. The last one it tries is the DNS server you specified in your internet connection (the ones showing up under O17 in a HijackThis log), which are usually the DNS servers of your ISP.

    To reduce this traffic you could use a hosts file as explained here:
    http://www.accs-net.com/hosts/what_is_hosts.html

    HTH,

    Pieter
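As an added illustration of the two points in the reply above (this is not code from the thread, from Kerio, or from HijackThis): a small Python script that first checks a hosts-file snapshot before deciding that a name needs a DNS query at all, and then compares every outbound UDP/53 destination in some firewall alert lines against the resolver addresses the adapter is configured with. The alert line format, the resolver addresses (RFC 5737 documentation ranges) and the hosts entries are all constructed assumptions for the example; only the 207.236.176.28 destination comes from the thread.

```python
"""Check outbound port-53 traffic against the resolvers a host is configured to use.

Added example, not from the thread or from any tool named in it. The alert
format, the configured resolvers and the hosts-file snapshot are constructed.
"""
import re

# Constructed alert lines roughly in the shape the poster describes
# (action, direction, protocol, process, local port, remote address:port).
# Not real Kerio output.
SAMPLE_ALERTS = """\
blocked out UDP services.exe 1039 -> 207.236.176.28:53
blocked out UDP services.exe 1799 -> 207.236.176.28:53
blocked out UDP svchost.exe 1063 -> 192.0.2.10:53
permitted out TCP iexplore.exe 1070 -> 198.51.100.5:80
blocked out UDP services.exe 1892 -> 207.236.176.28:53
"""

# Constructed resolver configuration: the addresses the ISP setup sheet says
# the adapter should point at (what HijackThis lists under O17). Placeholders.
CONFIGURED_RESOLVERS = {"192.0.2.10", "192.0.2.11"}

# Constructed hosts-file snapshot: names listed here are answered locally and
# never produce a UDP/53 query, which is the traffic reduction described above.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# pinned entry (constructed)
203.0.113.7 www.example.test
"""

ALERT_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<direction>in|out)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<process>\S+)\s+(?P<lport>\d+)\s+->\s+(?P<rhost>[\d.]+):(?P<rport>\d+)$"
)


def hosts_lookup(hostname, hosts_text=SAMPLE_HOSTS):
    """Return the address the hosts file gives for hostname, or None."""
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if hostname.lower() in (p.lower() for p in parts[1:]):
            return parts[0]
    return None


def needs_dns_query(hostname, hosts_text=SAMPLE_HOSTS):
    """True when the name is not in the hosts file, so the stub resolver will
    send a UDP/53 query to one of the configured servers."""
    return hosts_lookup(hostname, hosts_text) is None


def parse_alert(line):
    """Parse one alert line into a dict, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["lport"] = int(alert["lport"])
    alert["rport"] = int(alert["rport"])
    return alert


def classify_dns_alert(alert, resolvers=CONFIGURED_RESOLVERS):
    """Label a parsed alert: outbound UDP/53 to a configured resolver is the
    ordinary lookup traffic; UDP/53 to anything else deserves a closer look."""
    if alert is None:
        return "unparsed"
    if not (alert["direction"] == "out" and alert["proto"] == "UDP" and alert["rport"] == 53):
        return "not-dns"
    if alert["rhost"] in resolvers:
        return "expected-resolver"
    return "unexpected-resolver"


def summarize(log_text, resolvers=CONFIGURED_RESOLVERS):
    """Collect unexpected port-53 destinations with hit counts and the
    processes that generated them."""
    findings = {}
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if classify_dns_alert(alert, resolvers) == "unexpected-resolver":
            entry = findings.setdefault(alert["rhost"], {"hits": 0, "processes": set()})
            entry["hits"] += 1
            entry["processes"].add(alert["process"])
    return findings


if __name__ == "__main__":
    for host, info in summarize(SAMPLE_ALERTS).items():
        print(f"{host}: {info['hits']} UDP/53 hits from {sorted(info['processes'])}")
```

If every port-53 destination in the log matches the servers on the ISP's setup sheet, the alerts are the ordinary lookups the reply describes. A destination outside that set is not proof of anything by itself, but it is the one address worth checking against the provider's published DNS settings before deciding whether the machine needs further inspection.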
     
  5. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    Pieter, thanks again. I don't really understand what you mean, but I get the idea. It just seems to me that the IP should already be worked out in my files and connect direct. I never see that server in netstat. I guess I never noticed this before. I hope Sax has the same provider as myself. That may be a relief.
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Rifleman,

    It would be nice if a programmer could directly implement the IP address in a program, but the comparison I always use is that of a phonebook.
    Your number changes sometimes, but your name won't (at least not that often).
    You can claim domain names, but when moving to another server your IP address changes.
    As I said, you could use a hosts file if you are worried about that traffic with your provider. A hosts file is like having the numbers you use most, stored on your computer, so it does not have to make the query at the DNS server.

    Regards,

    Pieter
     
  7. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    Again thanks. While I am making an idiot of myself and taking over poor sax's thread, maybe this will help him also. Your lookup of the IP shows the owner of the address as Firmbuy. Now Bellnexia is the service that supplies Firmbuy the address, right? I am going to look up Firmbuy and see what kind of entity they are, but if not mistaken, they are an advertising company. Guess why this seems funny to me. I get what you mean though when you give me the phone book idea. Sometimes things have to be tapped into my head with a sledgehammer.

    Recognizing the significant investment and implementation barriers to procurement automation for North America's 150,000+ mid-sized companies, Firmbuy provides a full-service hosted solution without the capital investment, subscription fees or transaction costs. The company acts as an aggregator for its clients to obtain competitive pricing while adding significant infrastructure value to consolidate and control purchasing in their business processes. Firmbuy manages and maintains standardized electronic catalogs containing over two million items from more than 7,500 suppliers and manufacturers.

    Firmbuy's secure Web-based e-purchasing infrastructure was designed and developed in conjunction with iPlanet E-Commerce Solutions through a strategic relationship between the companies. Firmbuy's solution utilizes the highly scalable iPlanet software along with Sun Microsystems mission critical hardware, a combination already successfully deployed in Fortune 100 companies. The strategic relationship with iPlanet E-Commerce Solutions has enabled Firmbuy to offer mid-sized firms a proven industrial strength system built to handle some of the world's largest e-purchasing requirements.
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    I can't find the DNS servers that Bell Canada uses, but while looking I found this:
    http://cable-dsl.home.att.net/dns_cache.htm

    Worth a read, especially since they use the phonebook analogy. ;)

    Regards,

    Pieter
     
  9. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    I'll read that one too. I have been searching Firmbuy and it seems to be a company that has a service linking customers for various supplies. I emailed them and asked if they supply DNS servers for Bell but I have my doubts. I will also post at the Sympatico forum and ask if they know who supplies it. I still think something is fishy here but you know your stuff so I am not going to worry overmuch about it. Like I said before, the service tech at Bell had no idea what that IP would be for, but they were out of their depth I think. Can I post what I find here or start a new thread? Thanks for your patience.
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Well, since saxofun has the same IP he is worried about, let's keep it all in one thread as long as we feel it's related.

    Regards,

    Pieter
     
  11. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    Well, I have spent 4 hours trying to find out a straight answer but have gotten nowhere after emailing Firmbuy and asking at the DSL Reports forum.
    I don't know if there is even a possibility of this being a trojan or type of hijack. I will call my tech again when I am cooled down. If anyone knows for sure what this may be I would greatly appreciate it, and I want to thank Pieter for his time so far.
     
  12. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    If you feel that you may have a trojan on your system; you may want to try downloading TDS trial version from our downloads section, updating the radius files and running a full system scan.
     
  13. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Netsky.B virus is a possibility; more probably it is those reasons above..
     
  14. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    Well, I am no closer to figuring out if this is supposed to be Bell's DNS server. I have my doubts, but my machine tests squeaky clean with various antivirus and antitrojan programs. I have had TDS for a while now but it has never found anything fishy, except that I have ports 135, 137 and 5000 open. I think this is inside the firewall though. If Sax would come back to check his post maybe that would give more information. I do find it a long shot that 2 of us have the same doubts about the IP. What are the odds?
     
  15. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    Perfectly normal for a default windows system, there are ways to shut it down.

    Maybe?
     
  16. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    Thanks for the reply Jay. Is this supposed to be sarcastic?
    I found out at DSL Reports that when setting up Bell Sympatico the DNS is 198.xxx.xx.xxx (can't remember exactly, but not close to the DNS in question). I am going to set it back the way it is supposed to be and see what happens.
     
  17. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    Ontario (Bell)

    Primary & Secondary DNS: Disable DNS - no address required
    Domain Name: sympatico.ca
    POP (incoming mail) Server: pop1.sympatico.ca*, pop2.sympatico.ca*, pop6.sympatico.ca*, pop8.sympatico.ca*
    SMTP (outgoing mail) Server: smtp1.sympatico.ca*, smtp8.sympatico.ca*
    NNTP (news) Server: news1.on.sympatico.ca
     
  18. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    What part of the reply? In any case I seriously don't think anything malicious is going on really.
     
  19. ShotgunGirl

    ShotgunGirl Guest

    By chance is the rule "OTHER DNS"?
    If so, then it should be nothing more than your own IP's DNS (a UDP datagram). To know for certain you will need to know the DNS address of your IP, which should have been inserted when the rule was made.
     
  20. ShotgunGirl

    ShotgunGirl Guest

    Oops! My bad. The rule "Other DNS" should be set to "any address", not the DNS of your IP. Mama said I was a dumb redhead and at times like this I agree.
     
  21. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    Hi ShotgunGirl. Redheads aren't dumb, from my experience. OK, I am dumb when it comes to computers, but here goes. Right now, checking the status of my connection, my server's IP is 64.230.254.24 and the client IP is 67.xxx.xxx and so on. Now all my programs ask to connect to the IP mentioned before, even when the provider server is different. I posted above the setup rules for the modem in my area. The DNS IP is not even close. My machine seems to work fine; it's just that I noticed this after being compromised and not before. Thanks for the help folks.
     
  22. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    Something else I just noticed. I ran HijackThis and asked it to fix the O17 warning containing the IP in question. I can still surf without problems. My email still functions. Now, if I disconnect from the net and reconnect, that same warning reappears. Hope this helps come to an answer.
     
  23. ShotgunGirl

    ShotgunGirl Guest

    Rifleman

    Was just peeking at my rules. And there are nine rules particular to DNS, only one of which is a server address and three of which relate to port 53. At one point I too received the alert you are receiving and re-did my rules. The alert stopped.
    Depending on my activities my rules are ever changing. Port 53 is often hit by hackers.
    Also it's a mail port as you know.
    Hopefully you are not compromised. My very best to you on this problem. Sorry I was not able to help.
     