
Suspicious TCP Connection


10 replies to this topic

#1 Entropy2

Entropy2

  • Members
  • 17 posts

Posted 18 December 2009 - 10:32 AM

Dear oracles of Malware,

I have two unrecognized connections when I run Netstat (-b). The connections are as follows:

TCP LAN:3509 63.251.217.192:47611 CLOSING 2892 [System]
TCP LAN:3692 63.251.217.192:47611 CLOSING 2892 [System]
TCP LAN:1490 cdce-vip.bsn002.internap.com:http TIME_WAIT 0
TCP LAN:1513 cdce-vip.bsn002.internap.com:http TIME_WAIT 0
TCP LAN:1514 cdce-vip.bsn002.internap.com:http TIME_WAIT 0

Specifically for the URL, the ports change from day to day (other ports include 1348-1352, 4560-4564). The IP address listed does not resolve to the URL and only shows up sporadically. Further, the -b switch does not list a process for the connection.

I've tried to close down as many active processes as possible to isolate the program without success. They are not there when I boot in safe w/networking.

I run Win XP SP3 and use AVG, Zone, Superantispyware, ATF Cleaner and Malwarebytes. I have no known problems.


How can I diagnose these connections? Any thoughts on what they might be?

Thanks for your help

Entropy2

Edited by Entropy2, 18 December 2009 - 10:34 AM.




#2 MATTSPCHELP

MATTSPCHELP

  • Members
  • 196 posts
  • Gender:Male
  • Location:Leicester, United kingdom

Posted 18 December 2009 - 10:46 AM

Start -> Control Panel -> Software Explorer

Category -> Network Connected Programs

Go through each looking for your Connect IP

And there you have the process you thought was suspicious
Microsoft Certified Desktop Support Technician

#3 ThunderZ

ThunderZ

  • Deactivated
  • 4,454 posts
  • Gender:Male

Posted 18 December 2009 - 10:47 AM

The IPs resolve to:
IP Address 63.251.217.192
Host 63.251.217.192
Location US US, United States
City Los Angeles, CA 90010
Organization Nexon America
ISP Internap Network Services
AS Number AS26236
Latitude 34°06'19" North
Longitude 118°30'98" West
Distance 10630.65 km (6605.58 miles)

I didn't dig any further on the organization. I'm guessing it has to do with your ISP.

#4 Entropy2

Entropy2
  • Topic Starter

  • Members
  • 17 posts

Posted 18 December 2009 - 11:08 AM

Thank you for your fast replies. MattspcHelp... I hate to appear a newbie, but I have no knowledge of or see no option for 'software explorer' in the control panel or any sub category. A quick Google search suggests this is a MS Defender option... but I don't run Defender. Am I missing something?

Also, I have three PC's on my home network and do not have this connection on the other two (which generally run all the same software), so I do not believe it is associated with my ISP (Comcast).

Thank you again for your help.

Cheers

Edited by Entropy2, 18 December 2009 - 11:10 AM.


#5 MATTSPCHELP

MATTSPCHELP

  • Members
  • 196 posts
  • Gender:Male
  • Location:Leicester, United kingdom

Posted 18 December 2009 - 11:36 AM

Download from here, you will then be able to do what I recommended
Microsoft Certified Desktop Support Technician

#6 ThunderZ

ThunderZ

  • Deactivated
  • 4,454 posts
  • Gender:Male

Posted 18 December 2009 - 12:00 PM

Any games installed on the PC in question?

http://www.nexon.net/

#7 Entropy2

Entropy2
  • Topic Starter

  • Members
  • 17 posts

Posted 18 December 2009 - 07:35 PM

Thank you Matt..I'll install that right away.

Thunderz... yes, I was afraid it might be game related. My son plays online a lot using Steam. Online (hosted) games include:
    Combat Arms
    Gary's Mod
    DOA
    Warcraft

He (cough cough... well I) also plays Star Wars Battlefront as a local game but through GameSpy server online

About two months ago I got a virus called Cryptor... which I swear could only have come from one of the downloaded games. I was able to successfully remove it.


Cheers

Edited by Entropy2, 18 December 2009 - 07:46 PM.


#8 ThunderZ

ThunderZ

  • Deactivated
  • 4,454 posts
  • Gender:Male

Posted 18 December 2009 - 09:06 PM

At least you now know the source.

Nothing wrong with gaming. I have grand-kids but still play Call of Duty and a couple other FPSs once in a while.

#9 Entropy2

Entropy2
  • Topic Starter

  • Members
  • 17 posts

Posted 21 December 2009 - 07:23 PM

Hi Matt,

Sorry for the delay in responding. Christmas...Bahhhh Humbug.

I installed Defender and did as suggested. Unfortunately, the connections in question are NOT listed. Anything else you can suggest?

#10 MATTSPCHELP

MATTSPCHELP

  • Members
  • 196 posts
  • Gender:Male
  • Location:Leicester, United kingdom

Posted 21 December 2009 - 07:56 PM

By Zone, do you mean ZoneAlarm? If so, surely removing all programs from the list should inform you of every program wanting to connect?

Therefore we should in theory be able to see every process that wants to connect
Microsoft Certified Desktop Support Technician

#11 Entropy2

Entropy2
  • Topic Starter

  • Members
  • 17 posts

Posted 22 December 2009 - 10:32 AM

Matt,

I've narrowed it down to the Network Magic program from Pure Networks (e.g. Cisco). This is a LAN utility that provides GUI management of NIDs on your LAN.

I am curious as to why the Defender Connection log (below) shows Network Magic as a connection, but does not reflect the same ports or IP as the Netstat report (also below). I am also curious as to why my other two PC's on the same network, running the same software do not use this URL. Any thoughts on this?

Regardless, this appears to answer my original question and non-problem.


Thank you VERY much for your time and patience as I worked through this.

Merry Christmas

Entropy


Defender Connection report for Network Magic:
Auto Start: No
File Path: C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
File Size: 648504
File Version: 10.0.8093.0
Date Installed: 5/16/2008 6:11:44 AM
Process ID: 2852
User Name: NT AUTHORITY\SYSTEM
Services: Pure Networks Platform Service
Classification: Permitted
Ships with Operating System: No
Protocol Local Address Foreign Address State
UDP 0.0.0.0:1900 *:*
UDP 0.0.0.0:4459 *:*
UDP 0.0.0.0:67 *:*
UDP 0.0.0.0:1196 *:*
UDP 0.0.0.0:68 *:*
UDP 0.0.0.0:138 *:*
TCP 0.0.0.0:1196 0.0.0.0:0 LISTEN


Simultaneous Netstat report:
C:\Documents and Settings\Owner.B-NETGATEWAY>netstat -b

Active Connections

Proto Local Address Foreign Address State PID
TCP B-NetGateway:1339 cdce-vip.bsn002.internap.com:http TIME_WAIT 0
TCP B-NetGateway:1357 cdce-vip.bsn002.internap.com:http TIME_WAIT 0
TCP B-NetGateway:1376 cdce-vip.bsn002.internap.com:http TIME_WAIT 0
TCP B-NetGateway:1398 cdce-vip.bsn002.internap.com:http TIME_WAIT 0

Edited by Entropy2, 22 December 2009 - 03:33 PM.
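The two open questions in this thread, why `netstat -b` showed no process for the connections in post #1 and why the Defender per-process listing in post #11 does not share ports with the simultaneous netstat report, both come down to socket state. A TIME_WAIT socket has already been closed by its owner and is held only by the kernel, so netstat has no image to attribute it to; and the outbound connections use client-side (ephemeral) ports, which on Windows XP are handed out from 1025 up to the default MaxUserPort of 5000 and released on close, so a snapshot of the sockets a process currently holds will list its bound listeners but never its already-closed outbound connections. The script below is an added example, not code from the thread or from any poster: it parses both report formats, annotates each entry with those facts, flags remote hosts the machine keeps reconnecting to, and cross-checks the two listings. The sample inputs are constructed from values the thread quotes; the LISTENING line for nmsrvc.exe on TCP 1196 is an assumption built from the Defender report, not a line the poster showed.

```python
"""Triage of a Windows `netstat -b` snapshot against a per-process socket list.
Added example for this thread, not code from BleepingComputer or any poster; the sample
data below is constructed from values the thread quotes (the nmsrvc.exe LISTENING line is assumed)."""
import re
from collections import Counter

# Names netstat prints instead of numbers for well-known ports (subset of the services file).
SERVICE_PORTS = {"http": 80, "https": 443, "bootps": 67, "bootpc": 68, "netbios-dgm": 138, "ssdp": 1900}
XP_EPHEMERAL = range(1025, 5001)   # XP client-port range: 1025 up to MaxUserPort (default 5000)
# States where at least one side has already closed; the owner may no longer hold the handle.
TEARDOWN_STATES = {"TIME_WAIT", "CLOSING", "LAST_ACK", "FIN_WAIT_1", "FIN_WAIT_2", "CLOSE_WAIT"}
IMAGE_LINE = re.compile(r"^\[(.+)\]$")   # XP prints the owning image as "[name.exe]"

def _endpoint(text):
    """Split 'host:port' as netstat prints it; map named ports to numbers when known."""
    host, _, port = text.rpartition(":")
    if port == "*":
        return host, None
    if port.isdigit():
        return host, int(port)
    return host, SERVICE_PORTS.get(port, port)

def parse_netstat(text):
    """Parse netstat -b / -o output, or the Protocol/Local/Foreign/State table that
    Windows Defender's Software Explorer prints, into a list of dicts."""
    conns = []
    for raw in text.splitlines():
        line = raw.strip()
        m = IMAGE_LINE.match(line)
        if m and conns:                       # image name on its own line belongs to the previous socket
            conns[-1]["image"] = m.group(1)
            continue
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                          # banner, column header, DLL component lines
        proto, local, foreign, rest = parts[0], parts[1], parts[2], parts[3:]
        state = rest.pop(0) if proto == "TCP" and rest and rest[0].isupper() else None
        pid = int(rest.pop(0)) if rest and rest[0].isdigit() else None
        image = " ".join(rest).strip("[]") if rest and rest[0].startswith("[") else None
        lh, lp = _endpoint(local)
        fh, fp = _endpoint(foreign)
        conns.append({"proto": proto, "local_host": lh, "local_port": lp, "remote_host": fh,
                      "remote_port": fp, "state": state, "pid": pid, "image": image})
    return conns

def triage(conns):
    """Pair each connection with the facts to weigh before calling it suspicious."""
    out = []
    for c in conns:
        why = []
        if c["state"] == "TIME_WAIT":
            why.append("closed: the owner released the socket; the kernel keeps it a few minutes, "
                       "so netstat -b shows PID 0 and no image")
        elif c["proto"] == "TCP" and c["pid"] == 0:
            why.append("PID 0: no user-mode owner at the moment of the snapshot")
        if c["state"] in ("LISTEN", "LISTENING") or c["remote_host"] == "*":
            why.append("bound socket: a local service owns this port; not an outbound connection")
        elif c["local_port"] in XP_EPHEMERAL:
            why.append("outbound: local port is from the XP client range, so this PC initiated it")
        out.append((c, why))
    return out

def repeat_talkers(conns, min_count=3):
    """Remote endpoints this host keeps reconnecting to: several TIME_WAIT sockets with
    fresh local ports to one host is the signature of a program polling an HTTP service."""
    counts = Counter((c["remote_host"], c["remote_port"]) for c in conns if c["state"] == "TIME_WAIT")
    return {k: n for k, n in counts.items() if n >= min_count}

def correlate(process_sockets, snapshot):
    """Cross-check a per-process socket list against a netstat snapshot taken at the same time.
    Ports the process still holds overlap; connections it already closed cannot appear in
    its list, so they land in the 'closing' bucket."""
    held = {(s["proto"], s["local_port"]) for s in process_sockets}
    shared = sorted({(c["proto"], c["local_port"]) for c in snapshot} & held)
    closing = [c for c in snapshot
               if (c["proto"], c["local_port"]) not in held and c["state"] in TEARDOWN_STATES]
    return {"shared": shared, "closing": closing}

# Constructed sample inputs, modelled on the reports quoted in posts #1 and #11.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address                    State      PID
  TCP    B-NetGateway:1339      cdce-vip.bsn002.internap.com:http  TIME_WAIT  0
  TCP    B-NetGateway:1357      cdce-vip.bsn002.internap.com:http  TIME_WAIT  0
  TCP    B-NetGateway:1376      cdce-vip.bsn002.internap.com:http  TIME_WAIT  0
  TCP    B-NetGateway:3509      63.251.217.192:47611               CLOSING    2892
  [System]
  TCP    B-NetGateway:1196      0.0.0.0:0                          LISTENING  2852
  [nmsrvc.exe]
"""
DEFENDER_SAMPLE = """\
Protocol Local Address Foreign Address State
UDP 0.0.0.0:1900 *:*
UDP 0.0.0.0:4459 *:*
UDP 0.0.0.0:67 *:*
UDP 0.0.0.0:1196 *:*
UDP 0.0.0.0:68 *:*
UDP 0.0.0.0:138 *:*
TCP 0.0.0.0:1196 0.0.0.0:0 LISTEN
"""

if __name__ == "__main__":
    snap = parse_netstat(NETSTAT_SAMPLE)
    for c, why in triage(snap):
        print(c["proto"], c["local_port"], c["remote_host"], c["state"], c["pid"], c["image"], why)
    print(repeat_talkers(snap), correlate(parse_netstat(DEFENDER_SAMPLE), snap)["shared"])
```

Run against the constructed samples, the three internap entries are reported as closed outbound connections with PID 0, the host is flagged as a repeat talker, the only port the two listings share is the nmsrvc.exe listener on TCP 1196, and the four outbound connections fall into the "closing" bucket that a per-process socket list can never show. On the real box the owner of such short-lived connections is found by catching one while it is still ESTABLISHED (for example by re-running `netstat -bo` in a tight loop), which is what eventually pointed the poster at Network Magic.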




