Virus or Backdoor?

Hi,

Since I have installed Kerio Personal Firewall 4.0, I have denied the UDP on port 53 in inbound and outbound.

Then, while surfing on the net, I am frequently receiving kerio's alerts (often by block of telling me that Services and Controller App (c:\winnt\system32\services.exe) as been blocked in outbound on various ports (1039, 1799, 1807, 1892, 1926, 1905) but always at the same IP address 207.236.176.28:domain !!!

If it is just a backdoor, it's ok, I am blocking it.
But if it is a virus, I could eradicate it by erasing the files and/or keys that run this process. But which virus would it be?

My AntivirusKitPro12 doesn't detect any virus, but as it is a trial version, i am not sure it is fully reliable and I don't want to change it yet, as I am testing it...

What do you think of it? Could it be a virus? If so, which one?
Thanks for your help!

 

Hi saxofun,

Trying whois -h whois.arin.net 207.236.176.28

Bell Canada BELLGLOBAL-2 (NET-207-236-0-0-1)
207.236.0.0 - 207.236.255.255
Firmbuy Inc FIRMBUY-CA (NET-207-236-176-0-1)
207.236.176.0 - 207.236.176.255

Your ISP?

Regards,

Pieter

 

This one got my attention. A while back I got hit by a few downloader trojans and I thought I had cleaned them out after doing a fresh repair of Windows XP. My prolem seems to be that when using my browser, installing any new program, or using any program that connects online; my firewall asks if it can connect to that exact same IP address. I never noticed this behavior before my trojan incident and think there is something piggybacking programs going online. Now bell sympatico is my ISP, but when I called the tech line--she was at a loss as to why I would need to connect to that address.
One good example is updating spybot, hijack this or adaware--my firewall asks if they can connect to that above address. Should they not connect directly to their respective addies instead?
Hijack this shows that IP in an 0-17 listing "domain Hijack".
That IP is located in Toronto and I live 5 hours away from there so I still say something is hinky. Thanks for any help if you may know what could be going on.

 

Hi RIFLEMAN,

I think this has been explained to you before, but for the benefit of saxofun I will try again.
When a program tries to connect to a URL (f.e. www.javacoolsoftware.com) your computer needs that URL translated into an IP address.
To do so it looks in different places in a certain following order. The last one it tries is the DNS server you specified in your internet connection (the ones showing up under O17 in a HijackThis log), which are usually the DNS servers of your ISP.

To reduce this traffic you could use a hosts file as explained here:
http://www.accs-net.com/hosts/what_is_hosts.html

HTH,

Pieter

 

Pietr --thanks again. I don't really understand what you mean --but get the idea. It just seems to me that the IP should already be worked out in my files and connect direct. I never see that server in netstat. I guess I never noticed this before. I hope Sax has the same proovider as myself. That may be a relief.

 

Hi Rifleman,

It would be nice if a programmer could directly implement the IP address in a program, but the comparison I always use is that of a phonebook.
Your number changes sometimes, but your name won't (at least not that often).
You can claim domain names, but when moving to another server your IP address changes.
As I said, you could use a hosts file if you are worried about that traffic with your provider. A hosts file is like having the numbers you use most, stored on your computer, so it does not have to make the query at the DNS server.

Regards,

Pieter

 

Again thanks--while I am making an idiot of my self and taking poor sax's thread--maybe this will help him also---Your lookup of the Ip shows the owner of the address as Firmbuy. Now Bellnexia is the service that supplies firmbuy the address--right? I am going to look up Firmbuy and see what kind of entity they are --but if not mistaken--they are an advertising company. Guess why this seems funny to me. I get what you mean though when you give me the phone book idea. Somettimes thing have to be tapped into my head with a sledgehammer. Recognizing the significant investment and implementation barriers to
procurement automation for North America's 150,000+ mid-sized companies,
Firmbuy provides a full-service hosted solution without the capital
investment, subscription fees or transaction costs. The company acts as an
aggregator for its clients to obtain competitive pricing while adding
significant infrastructure value to consolidate and control purchasing in
their business processes. Firmbuy manages and maintains standardized
electronic catalogs containing over two million items from more than
7,500 suppliers and manufacturers.
Firmbuy's secure Web-based e-purchasing infrastructure was designed and
developed in conjunction with iPlanet E-Commerce Solutions through a strategic
relationship between the companies. Firmbuy's solution utilizes the highly
scaleable iPlanet software along with Sun Microsystems mission critical
hardware, a combination already successfully deployed in
Fortune 100 companies. The strategic relationship with iPlanet E-Commerce
Solutions has enabled Firmbuy to offer mid-sized firms a proven industrial
strength system built to handle some of the world's largest e-purchasing
requirements.

 

I can't find the DNS servers that Bell Canada uses, but while looking I found this:
http://cable-dsl.home.att.net/dns_cache.htm

Worth a read, especially since they use the phonebook analogy.

Regards,

Pieter

 

i'll read that one too. I have been searching Firmbuy and it seems to be a company that has a service linking customers for various supplies. I emailed them and asked if they supply DNS servers for Bell but I have my doubts. I will also post at the Sympatico forum and ask if they know who supplies it. I still think something is fishy here but you know your stuff so I am not going to worry overmuch about it. Like I said before the service tech at Bell had no idea what that IP would be for but they were out of their depth I think. Can I post what I find here or start a new thread? Thanks for your patience.

 

Well, since saxofun has the same IP he is worried about, let's keep it all in one thread as long as we feel it's related.

Regards,

Pieter

 

Well--i have spent 4 hours trying to find out a straight answer but have gotten nowhere after emailing Firmbuy and asking at DSL reports forum.
I don't know if there is even a possibility of this being a trojan or type of hijack. I will call my tech again when I am cooled down. If anyone knows for sure what this may be I would greatly appreciate it and want to thank Pieter for his time so far.

 

If you feel that you may have a trojan on your system; you may want to try downloading TDS trial version from our downloads section, updating the radius files and running a full system scan.

 

netsky.b virus is a possibility, more probably those reasons above..

 

Well--I am no closer to figuring out if this is supposed to be Bells DNS server. I have my doubts, but my machine tests squeay clean with various antivirus and antitrojan programs. I have had TDS for awhile now but it has never found anything fishy--except that I have ports 135,137 and 5000 open. I think this is inside the firewall though. If Sax would come back to check his post maybe that would give more information. I do find it a long shot that 2 of us have the same doubts about the IP. What are the odds?

 

Perfectly normal for a default windows system, there are ways to shut it down.

Maybe?

 

Thanks for the reply Jay---is this supposed to be sarcastic?
I found out at DSL Reports that setting up bell sympatico--the DNS is 198.xxx.xx.xxx ---can't remember exactly but not close to the DNS in question. I am going to set it back the way it is supposed to be and se what happens.

 

Ontario (Bell)

Primary &Secondary DNS
Domain
Name
POP (incoming mail) Server
SMTP (outgoing mail) Server
NNTP (news)
Server

Disable DNS -
no address required
sympatico.ca
pop1.sympatico.ca*
pop2.sympatico.ca*
pop6.sympatico.ca*
pop8.sympatico.ca*
smtp1.sympatico.ca*
smtp8.sympatico.ca*
news1.on.sympatico.ca

 

What part of the reply? In any case I seriously don't think anything malicious is going on really.

 

By chance is the rule "OTHER DNS"?
If so, then it should be nothing more than your own IP dns (a udp datagram). To know for certain you will need to know the dns address of you ip.....which should have been inserted when the rule was made.

 

Opps! My bad. The rule "Other DNS" should be set to "any address". Not the DNS of your ip. Mama said I was a dumb redhead an at times like this I agree.

 

Hi Shotgungirl. Redheads aren't dumb--from my experience. Ok I am dumb when it comes to computers but here goes. Right now--checking the status of my connection--my server's IP is 64.230.254.24 Client Ip is 67.xxx.xxx--so on. Now all my programs ask to connect to the IP mentioned before---even when the provider server is different. I posted above the set up rules for the modem in my area. The DNS IP is not even close. My machine seems to work fine--just that I noticed this after being compromised and not before. Thanks for the help folks.

 

Something else I just noticed. I ran Hijack this and asked to fix the O-17 warning containing the IP in question. I can still surf without problems. My Email still functions. Now---if I disconnect from the net and reconnect---that same warning reappears. Hope this helps come to an answer.

 

Rifleman

Was just peeking at my rules. An there are nine rules particular to dns only one of which is a server address and three of which relate to port 53. At one point I to received the alert you are receiving and re-did my rules. The alert stopped.
Depending on my activities my rules are ever changing. Port 53 is often hit by hackers.
Also its a mail port as you know.
Hopefully you are not compromised. My very best to you on this problem. Sorry I was not able to help.