
Automatic & unwanted internet access by programs


5 replies to this topic

#1 duffsparky


Posted 24 February 2012 - 09:48 AM

Can anyone advise on the better products to view, track, trace and identify unwanted/unnecessary outgoing internet access on my XP PCs?

I'm using TCPView, which shows a whole load of stuff; however, it does not show which programs are creating the connections or attempted connections. One of the problems with TCPView is that some connections or attempts only appear on the screen for a few seconds then are gone, thus not giving sufficient time to record anything or use the 'Whois' function. Frequently the info provided by the 'Whois' function is insufficient or shows an error.

Malwarebytes protection module frequently pops up that it has blocked various outgoing connections to various IP addresses.

My machines have recently been hit bad by something (possibly me). TCPView shows a whole load of automatic access that is possibly not wanted and/or troublesome, and I want to be able to identify which/what and be able to get rid of it if appropriate. Because of my recent problems I'm loath to start downloading all and sundry trying to find a suitable product(s) only to find I've made the situation worse. A program that would list/log fleeting connection attempts is a must, I feel.

There are several sites that will examine security scan logs and hijack logs (a good one being Bleeping Computer). Are there any sites that will review lists/logs of automatic outgoing connection attempts and connections (internet or otherwise), like those that can be produced from programs such as TCPView?

Any help would be much appreciated.

Cheers



#2 FlannelBack


Posted 25 February 2012 - 01:45 AM

Might take a look at the free CurrPorts: http://www.nirsoft.net/utils/cports.html.

It shows the owning process of any active ports, plus a wealth of other info and options. Under the "View" tab menu is the option "HTML Report - All Items". When selected it will, very quickly, display an HTML report in your browser of whatever is displayed in the CurrPorts window.

Edit:
What about viewing logs from the firewall?

Edited by FlannelBack, 25 February 2012 - 01:50 AM.


#3 quietman7


Posted 25 February 2012 - 08:44 AM

These are some how-to articles which may help with using TCPView.

There are other third party utilities that will allow you to manage, block, and view detailed listings of all TCP and UDP endpoints on your system, including local/remote IP addresses, state of TCP connections and the process that opened the port:

Caution: If you're going to start blocking ports, be careful which ones you block or you may lose Internet connectivity.

Some legitimate programs on your computer have access to the Internet and that action can trigger an alert but your firewall should be able to give you a list of such programs so you can confirm if they are legitimate. If your firewall provides an alert which indicates it has blocked access to a port or detected an intrusion attempt that does not necessarily mean your system has been compromised. These alert messages are a response to unrequested traffic from remote computers (an external host) to access a port on your computer. Alerts are often classified by the network port they arrive on, and they allow the firewall to notify you in various ways about possible penetration and intrusion attempts on your computer. It is not unusual for a firewall and some anti-virus programs to provide numerous alerts regarding probing and intrusion attempts. However, not all unrequested traffic is malevolent. Even your ISP will send out regular checks to see if your computer is still there, so you may need to investigate an attempted intrusion.

Malwarebytes Anti-Malware IP Protection (malicious website blocking) is part of the Protection Module and works after it is enabled. When attempting to go to a potential malicious website, Malwarebytes will block the attempt and provide an alert. Some legitimate programs on your computer have access to the Internet and that action can also trigger an IP alert. These events are stored in the "protection-log". Your firewall should be able to give you a list of such programs so you can confirm if they are legitimate. IP Protection is also designed to block incoming connections it determines to be malicious. Botnets and Zombie computers scour the net, randomly scanning a block of IP addresses, searching for vulnerable ports - commonly probed ports and make repeated attempts to access them. Hackers use "port scanning", a popular reconnaissance technique, to search for vulnerable computers with open ports using IP addresses or a group of random IP address ranges so they can break in and install malicious programs. Malwarebytes is doing its job by blocking this kind of traffic and alerting you about these intrusion attempts.

More information about IP Protection can be found in the Malwarebytes Anti-Malware IP Protection FAQs.

What does IP Protection do?
IP Protection provides an additional layer of security for your computer, by preventing access to known malicious IP addresses and IP ranges...

What does this notification mean?
This notification means quite simply, that an IP address has been blocked. It does NOT necessarily mean you are infected, it simply means a program on your computer (e.g. your browser, IM program, P2P program etc), tried accessing a malicious IP address...

Other FAQs about IP Protection
How does it do this?
How does it inform you?
I got an alert and I wasn't even surfing, how's that happen?
I received a notification on a safe site, why?
How do I disable this?
I got an alert for an IP or website I think is safe, how can I report it?
Does the IP Protection replace my firewall?
Where do I find the IP Protection logs?
How can I add an IP so it won't be detected and can access a site I need to?


If you are using peer-to-peer (P2P) file sharing programs (i.e. Limewire, eMule, Kontiki, BitTorrent, uTorrent, BitLord, BearShare, Azureus/Vuze, etc) or an Instant messaging (IM) client, be aware they can trigger IP Protection alerts. Why? Because these kinds of programs are a security risk which can make your system susceptible to a smörgåsbord of malware infections and remote attacks. Even the safest P2P file sharing programs that do not contain bundled spyware, still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 Didier Stevens


Posted 25 February 2012 - 09:39 AM

Use procmon from Sysinternals instead of TCPview.

Start procmon when you start your PC and configure the filter to log all TCP and UDP operations.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
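
Added example (not part of the thread, and not Sysinternals code): once Procmon has logged TCP and UDP operations as suggested in post #4, the capture can be saved as CSV and summarized per process, so connection attempts that vanish from a live view within seconds stay on record with their owning program. It assumes Procmon's default CSV export columns; the sample rows, host names and process names are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in Procmon's default CSV layout (assumed columns).
# For a real export, read the file with encoding="utf-8-sig" to drop the BOM.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:48:01.1000000 AM","firefox.exe","1820","TCP Connect","xp-pc:1045 -> www.example.com:http","SUCCESS","Length: 0"
"9:48:01.2000000 AM","firefox.exe","1820","TCP Send","xp-pc:1045 -> www.example.com:http","SUCCESS","Length: 312"
"9:48:03.5000000 AM","updater.exe","2404","TCP Connect","xp-pc:1046 -> 203.0.113.25:8080","SUCCESS","Length: 0"
"9:48:03.9000000 AM","updater.exe","2404","TCP Disconnect","xp-pc:1046 -> 203.0.113.25:8080","SUCCESS","Length: 0"
"9:48:07.0000000 AM","svchost.exe","1012","UDP Send","xp-pc:1047 -> 192.0.2.53:domain","SUCCESS","Length: 40"
"9:48:09.0000000 AM","updater.exe","2404","TCP Connect","xp-pc:1048 -> 203.0.113.25:8080","SUCCESS","Length: 0"
"9:48:10.0000000 AM","svchost.exe","1012","UDP Receive","xp-pc:1047 -> 192.0.2.53:domain","SUCCESS","Length: 56"
'''

# Operations that mark traffic initiated by the local process.
OUTBOUND = {"TCP Connect", "UDP Send"}


def summarize_outbound(csv_text):
    """Return {(process, pid, remote): {"first": time, "count": n}}."""
    seen = defaultdict(lambda: {"first": None, "count": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] not in OUTBOUND:
            continue
        # Network events carry "local:port -> remote:port" in the Path column.
        _local, sep, remote = row["Path"].partition(" -> ")
        if not sep:
            continue  # not a network path, skip rather than guess
        entry = seen[(row["Process Name"], row["PID"], remote)]
        if entry["first"] is None:
            entry["first"] = row["Time of Day"]
        entry["count"] += 1
    return dict(seen)


def report(summary):
    """One line per process/remote pair, sorted by process name."""
    return [
        f"{proc} (PID {pid}) -> {remote}  first {e['first']}  x{e['count']}"
        for (proc, pid, remote), e in sorted(summary.items())
    ]


if __name__ == "__main__":
    print("\n".join(report(summarize_outbound(SAMPLE_CSV))))
```
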


#5 duffsparky


Posted 25 February 2012 - 12:27 PM

Thanks for all the assistance.

duffsparky.

#6 quietman7


Posted 25 February 2012 - 05:31 PM

You're welcome on behalf of the Bleeping Computer community.



