Several connections to dubious address shown in TCPView


17 replies to this topic

#1 user1000000


Posted 17 August 2010 - 07:28 PM

Hello there! I've been monitoring my internet connection on my computers using TCPView, and Process Monitor when in doubt about a process number shown in TCPView. There is one thing that's bugging me, though: as I browse the internet, several connections are established by my browsers to an address that shows no information when I look it up on the usual DNS/Whois websites; also, when I Google it, nothing definitive shows up. The address that bugs me is this one:

customer-189-254-81-16-sta.uninet-ide.com.mx

The actual line shown in TCPView goes something like this:

Process PID Protocol Local Address Local Port Remote Address Remote Port State
chrome.exe 5608 TCP roberto1.lan 58220 customer-189-254-81-81-sta.uninet-ide.com.mx http ESTABLISHED

Normally several of these will appear. The numbers after the word customer change sometimes; what remains constant is the word customer and the ending, which would be sta.uninet-ide.com.mx.

The system I'm using has Windows Vista Home Premium 32-bit and this happens with both browsers I use, which are Firefox 3.6 and Chrome 5.0

If the address should be a malicious address, what steps could I take to find out what malware is doing this and remove it? :thumbsup:

Thanks a lot in advance for your help!


#2 Grinler

    Lawrence Abrams


  • Admin

Posted 18 August 2010 - 07:34 AM

Start Chrome in safe mode using these instructions:

http://googlesystem.blogspot.com/2010/02/g...-safe-mode.html

When started in safe mode, do these connections appear?

#3 user1000000


Posted 18 August 2010 - 01:01 PM

Hi Grinler! Thanks for your reply. I created a Google Chrome shortcut using the added parameter --incognito as per your instructions. As expected, when I open this shortcut, Chrome tells you that you are browsing incognito. Immediately I went to bleepingcomputer.com, but the connections keep appearing to that address I'm suspicious about.

Can you explain to me what you were trying to find out by going into incognito mode, please? I have to mention this: even if I go into incognito mode, the "Extensions" option in the Tools drop-down menu does NOT appear greyed out as in the article you directed me to. But the thing is, in Google Chrome I don't have any extensions installed at all.

Thanks again for your help, will be looking forward to your answer!

#4 user1000000


Posted 18 August 2010 - 01:10 PM

Hey Grinler! One new development happened shortly after I posted my reply. As I went to other sites, I looked at TCPView and it showed these two lines, not under the chrome.exe process but in the svchost.exe section, which worries me a little bit more. Here are the lines:

svchost.exe 1456 TCP roberto1.lan 49413 customer-189-254-81-96-sta.uninet-ide.com.mx http ESTABLISHED 2 350 2 574
svchost.exe 1456 TCP roberto1.lan 49414 65.55.184.155 https ESTABLISHED 7 6,676 6 4,750

Unfortunately, the lines disappeared before I could look at the Process Explorer to see which process has the 1456 PID and find out more. Please help me find out what's causing this address to pop up in my connections. Thanks again!!

#5 Grinler


Posted 18 August 2010 - 01:19 PM

Yes, I wanted to make sure it was not an extension causing the issue.

What I suggest is that you install Wireshark and sniff the traffic while it connects to that site. You can then see what information is being sent and retrieved. That should help us in determining what is wrong.

You can also use this guide to determine what services are running under that particular svchost.exe process:

http://www.bleepingcomputer.com/tutorials/list-services-running-under-svchost.exe-process/

Have you run any AV scanners or rootkit scanners to see if anything shows? This could just be a malware issue.

#6 user1000000


Posted 18 August 2010 - 01:29 PM

Hi Grinler, thanks a lot for your prompt help, I really appreciate it! Well, I found the process in ProcessExplorer and it is an svchost.exe instance that has two taskeng.exe instances running under it. The line looks like this in ProcessExplorer:

svchost.exe 1456
taskeng.exe 2216
taskeng.exe 2264

As security software, I have Avira AntiVir Free and Comodo Firewall. I usually run Malwarebytes Anti-Malware, SUPERAntiSpyware and Emsisoft Anti-Malware, but something tells me this can circumvent these programs.

I will read about Wireshark and install it so I can give you more info when this address shows up. I don't think it's a valid address; otherwise I would have found out already what it is. But when I Google it, nothing comes up. There is one page that says it's listed under content stealers, but the page that reports it doesn't look quite good either; here it is: http://badip.4rev.net/

Again, I can't thank you enough, will post back as I get info from Wireshark. Talk to you soon!

#7 Grinler


Posted 18 August 2010 - 01:41 PM

In the TCPView options, uncheck Resolve Addresses. This will show the real IP that it is trying to connect to.

#8 user1000000


Posted 18 August 2010 - 02:02 PM

Thanks for that tip! As I unchecked the option, there were a couple of instances of the dubious address; here are the two IP addresses it showed instead of the uninet-ide.com.mx stuff:

187.141.2.59 and
187.141.2.106

I went to DNS Stuff and it says:

IP Information - 187.141.2.59

IP address: 187.141.2.59
Reverse DNS: customer-187-141-2-59-sta.uninet-ide.com.mx.
Reverse DNS authenticity: [Could be forged: hostname customer-187-141-2-59-sta.uninet-ide.com.mx. does not exist]
ASN: 8151
ASN Name: LACNIC-8151
IP range connectivity: 1
Registrar (per ASN): ARIN
Country (per IP registrar): MX [Mexico]
Country Currency: MXN [Mexico Pesos]
Country IP Range: 187.128.0.0 to 187.255.255.255
Country fraud profile: Normal
City (per outside source): Unknown
Country (per outside source): -- []
Private (internal) IP? No
IP address registrar: whois.arin.net
Known Proxy? No
Link for WHOIS: 187.141.2.59


IP Information - 187.141.2.106

IP address: 187.141.2.106
Reverse DNS: customer-187-141-2-106-sta.uninet-ide.com.mx.
Reverse DNS authenticity: [Could be forged: hostname customer-187-141-2-106-sta.uninet-ide.com.mx. does not exist]
ASN: 8151
ASN Name: LACNIC-8151
IP range connectivity: 1
Registrar (per ASN): ARIN
Country (per IP registrar): MX [Mexico]
Country Currency: MXN [Mexico Pesos]
Country IP Range: 187.128.0.0 to 187.255.255.255
Country fraud profile: Normal
City (per outside source): Unknown
Country (per outside source): -- []
Private (internal) IP? No
IP address registrar: whois.arin.net
Known Proxy? No
Link for WHOIS: 187.141.2.106

I've downloaded Wireshark and installed it. Right now I'm reading the guide to see how it works. Thank you very much for the help and if you think of anything else I can do, let me know! :thumbsup:

#9 Grinler


Posted 18 August 2010 - 02:31 PM

You are on the right track. These IPs are indeed hosting web servers.

#10 user1000000


Posted 19 August 2010 - 03:46 PM

Hi Grinler! I wanted to ask you for your help in analyzing the packets I captured live with Wireshark. I usually learn gladly, but the learning curve to master net sniffing is kind of steep. I will keep reading, but in the meantime, would it be too much to ask if you could take a look at the file I saved? The only problem is that it's 4.7 MB and here I can only upload 512K. Can I send it to an email address? The file is what I gathered from a few minutes of web browsing, making sure the dubious address showed up. This time, the IP shown when I unchecked Resolve Addresses was 189.254.81.89, which, in my opinion, does not look good at all. From what I suspect, it takes screenshots, because there are references to jpg files and some reference to thumbs. I'll be looking forward to your answer. If the analysis is not possible for you because of time or some other reason, could you point me towards sources that can help me analyze this live capture and block the malicious activities, should there be any?

Thanks a lot for your help in advance, have a great day! :thumbsup:

#11 Grinler


Posted 19 August 2010 - 06:51 PM

You can submit it at http://www.bleepingcomputer.com/submit-malware.php?channel=3

#12 user1000000


Posted 20 August 2010 - 10:40 AM

Great! Thanks a lot Grinler, file is uploading as we speak! Hopefully the bleepingcomputer team will be able to help me out here. Will be looking forward to the response, will definitely post the result so anyone who encounters this situation can benefit from the information. :thumbsup:

#13 Grinler


Posted 21 August 2010 - 09:37 AM

I never received the file. Did it upload successfully?

#14 user1000000


Posted 22 August 2010 - 09:40 AM

Hi Grinler! I resubmitted it again, I think this time it did go through. Thanks again! Have a great weekend.


#15 Grinler


Posted 24 August 2010 - 02:23 PM

I looked at the firewall logs and figured it out, and these look legit. They appear to be Akamai services, which offer geographic content delivery services.

For example one of the requests was to connect to:

Non-authoritative answer:
cdn.stumble-upon.com canonical name = cdn.stumble-upon.com.edgesuite.net.
cdn.stumble-upon.com.edgesuite.net canonical name = a1001.c.akamai.net.
Name: a1001.c.akamai.net
Address: 189.254.81.89
Name: a1001.c.akamai.net
Address: 189.254.81.106

When you reverse lookup the ip address 189.254.81.106 you get customer-189-254-81-106-sta.uninet-ide.com.mx.

The reason they are coming back with these strange addresses (customer-189-254-81-106-sta.uninet-ide.com.mx) is because the reverse DNS is not set correctly.
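The check Grinler did by hand (take the IP behind the odd PTR name, see whether that name forward-confirms, then see whether a site the browser actually visited resolves to the same IP through its CDN CNAME chain) can be scripted. This is an added example, not code from the thread or from TCPView, DNSStuff or Akamai; it uses constructed lookup tables built from the nslookup output and TCPView rows posted above in place of a live resolver, so it runs offline.

```python
# Constructed lookup tables standing in for a live resolver so the check runs
# offline; the values are copied from the nslookup output and TCPView rows
# posted in this thread.
FORWARD = {  # name -> CNAME target (str) or list of A records
    "cdn.stumble-upon.com": "cdn.stumble-upon.com.edgesuite.net",
    "cdn.stumble-upon.com.edgesuite.net": "a1001.c.akamai.net",
    "a1001.c.akamai.net": ["189.254.81.89", "189.254.81.106"],
}
REVERSE = {  # ip -> PTR name; the ISP's generic PTR names have no forward record
    "189.254.81.89": "customer-189-254-81-89-sta.uninet-ide.com.mx",
    "189.254.81.106": "customer-189-254-81-106-sta.uninet-ide.com.mx",
}

TCPVIEW_FIELDS = ("process", "pid", "proto", "local_addr", "local_port",
                  "remote_addr", "remote_port", "state")


def parse_tcpview_line(line):
    """Split a copied TCPView row into a dict; trailing byte/packet counters are ignored."""
    parts = line.split()
    if len(parts) < len(TCPVIEW_FIELDS):
        raise ValueError("not a TCPView row: %r" % line)
    return dict(zip(TCPVIEW_FIELDS, parts))


def resolve_a(name, forward=FORWARD, hops=0):
    """Follow the CNAME chain until A records are reached; [] if the name has none."""
    target = forward.get(name)
    if target is None or hops > 8:  # hop limit guards against a CNAME loop
        return []
    if isinstance(target, str):
        return resolve_a(target, forward, hops + 1)
    return list(target)


def ptr_is_generic(ptr, ip):
    """True when the PTR merely embeds the IP, the ISP-template pattern seen here."""
    return ip.replace(".", "-") in ptr


def classify_remote(ip, visited_names, forward=FORWARD, reverse=REVERSE):
    """Explain an observed remote IP the way the thread did: does its PTR forward-
    confirm, and if not, does a site the browser visited resolve to that IP?"""
    ptr = reverse.get(ip)
    if ptr and ip in resolve_a(ptr, forward):
        return "forward-confirmed:" + ptr
    for name in visited_names:
        if ip in resolve_a(name, forward):
            return "cdn-explained:" + name
    if ptr and ptr_is_generic(ptr, ip):
        return "generic-ptr-unconfirmed:" + ptr
    return "unexplained"
```

Against a live network, swap the two tables for real forward and PTR lookups (for example socket.gethostbyaddr and a DNS library) and feed visited_names from the browser history or the capture's DNS queries; the decision logic stays the same.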



