If I attempt to block the destination IP in Peerguardian the traffic
continues with my port number incrementing but with a different
destination IP
eg
66.246.179.201:80
Any idea what is causing this and how to cure it? And is it risky to
allow this to continue? I can use the other PC on the network OK and
don't see the same sort of activity from that one.
> Any idea what is causing this and how to cure it?
As you already wrote: PeerGuardian2. It might be that it's simply telling
you fictitious facts, it might block expected replies related to your very
own requests, it might provoke repeated traffic due to missing TCP Reject
packets.
> and is it risky to allow this to continue,
Risky? Since you're running an application which is supposed to fuck up your
network, it can't be a productive machine anyway.
Re: unknown outgoing tcp traffic - should I be worried?
On Fri, 09 Nov 2007 01:16:02 +0100, "Sebastian G." <seppi@seppig.de>
wrote:
>> Any idea what is causing this and how to cure it?
>
>
>As you already wrote: PeerGuardian2. It might be that it's simply telling
>you fictitious facts, it might block expected replies related to your very
>own requests, it might provoke repeated traffic due to missing TCP Reject
>packets.
At the time I first noticed the continuous traffic on the router PG2
was not installed.
>> and is it risky to allow this to continue,
>
>
>Risky? Since you're running an application which is supposed to fuck up your
>network, it can't be a productive machine anyway.
Well, it's a home machine, so it has never been very productive.
>Any idea what is causing this and how to cure it?
Can be almost anything. But it's only harmless once proven to be
harmless :-)
First: define which PC is causing this traffic.
(My way: pull the plug, one by one. See when the traffic stops
:-)
Then, on the offending PC, find out what processes are running.
Shut them down, one by one, and decide which process is
responsible.
Here also, pulling the plug may be a fast one. If you watch CPU
demand while pulling the network plug, you may well observe that
one process increases or decreases its CPU load.
That can be your OS, noticing that the network connection fails,
or the culprit, detecting it can no longer phone home :-)
Re: unknown outgoing tcp traffic - should I be worried?
On Thu, 08 Nov 2007, in the Usenet newsgroup alt.computer.security, in article
<6tv6j3pk8c142ql71oor71qqnsl37aanc9@4ax.com>, abc@abc.com wrote:
>I noticed recently almost continuous activity on my Belkin router for
>one of the two Pc's connected to it.
>
>I am running Peerguardian2 and it shows tcp traffic originating from
>the PC to various destinations
And what did you install on that PC that wants to talk to the net?
>eg
>60.246.179.201:80
>
>each entry on the log shows an increment on the port of my PC
If that address is valid, it's a business service in Sydney, Oz. The
incrementing means that a process is accessing a web site, then another
process is started up and accesses the site - lather, rinse, repeat.
>If I attempt to block the destination IP in Peerguardian the traffic
>continues with my port number incrementing but with a different
>destination IP
>
>eg
>66.246.179.201:80
Is that the actual IP address, or is that merely some set of numbers
you made up? The address is another ISP - just North of Miami Florida.
That the mal-ware would be using addresses that differ by one digit
despite being located half-way around the world is highly unusual.
>Any idea what is causing this and how to cure it?
You'd have to ask the person who installed this. It's not a piece of
standard windoze crap. Contrary to the beliefs of many, there really
isn't a Mal-ware Fairy who flitters about and when you are not looking,
waves her Magic Wand and installs stuff.
>is it risky to allow this to continue
You'll have to wait until you get your credit-card bill next month to
find out. Presumably it's not violating laws, as the police haven't
stopped by to arrest you.
>I can use the other PC on the network ok and don't see the same sort
>of activity from that one.
Re: unknown outgoing tcp traffic - should I be worried?
On Fri, 09 Nov 2007 13:36:05 GMT, bok118@zonnet.nl (Gerard Bok) wrote:
Thanks for all your suggestions, I am getting nearer but could do with
a little more help....
>First: define which PC is causing this traffic.
>(My way: pull the plug, one by one. See when the traffic stops
>:-)
the router has separate activity leds for each ethernet connection
and knowing the IP for the PC I had this already.
>Then, on the offending PC, find out what processes are running.
>Shut them down, one by one, and decide which process is
>responsible.
In the Task Manager I have four svchost.exe entries; one of them is
continually in use, and killing this process stops the outgoing
traffic.
I then get an NT System Authority error and a countdown timer of 60
secs before the PC shuts down.
(Some digging on Google and found I can disable the timer in a command
prompt with "shutdown -a")
I think my problem is to identify what program is using the errant
svchost.
From a cmd prompt if I enter "tasklist /svc" I get a list of what is
running in each svchost instance.
I'm not 100% but I think the one causing the trouble has only one
entry "rpcss" because after suspending the svchost.exe process in Task
Manager I can no longer use the "tasklist" command and get an "rpc
server not available" error.
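The post above pins the traffic on one svchost.exe instance by hand, with Task Manager and "tasklist /svc". The same attribution can be done by joining the output of "netstat -ano" (which lists the owning PID for every connection) with "tasklist /svc" (which lists the services each PID hosts). What follows is an added example, not code posted by anyone in this thread: the two command outputs embedded in it are constructed samples in the layout those commands print on Windows, and the PIDs, addresses and service names in them are made up. It also flags the symptom the thread describes, one PID opening a run of connections to the same remote address from incrementing local ports.

```python
"""Attribute outbound connections to the services hosted by each svchost.exe.
Added example, not code from the thread.  NETSTAT_SAMPLE and TASKLIST_SAMPLE
are constructed in the layout of `netstat -ano` and `tasklist /svc`; on a real
machine capture those outputs to files and pass the text in unchanged."""
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (PIDs and addresses invented).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.2.3:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.2.3:1045       60.246.179.201:80      SYN_SENT        1092
  TCP    192.168.2.3:1046       60.246.179.201:80      ESTABLISHED     1092
  TCP    192.168.2.3:1047       66.246.179.201:80      SYN_SENT        1092
  TCP    192.168.2.3:1048       60.246.179.201:80      SYN_SENT        1092
  UDP    0.0.0.0:500            *:*                                    732
"""

# Constructed sample of `tasklist /svc` output; long service lists wrap onto
# continuation lines that start with whitespace, exactly as the tool prints.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    732 DcomLaunch
svchost.exe                    816 AudioSrv, BITS, CryptSvc, Dhcp, dmserver,
                                   EventSystem, helpsvc, lanmanserver
svchost.exe                   1092 RpcSs
explorer.exe                  1240 N/A
"""


def parse_netstat(text):
    """Parse `netstat -ano` into connection dicts (TCP has a State column, UDP not)."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue
        conns.append({"proto": proto, "local": local, "foreign": foreign,
                      "state": state, "pid": int(pid)})
    return conns


def _split_services(s):
    return [x.strip() for x in s.split(",") if x.strip() and x.strip() != "N/A"]


def parse_tasklist_svc(text):
    """Parse `tasklist /svc` into {pid: (image, [services])}, joining wrapped lines."""
    entry_re = re.compile(r"^(\S+)\s+(\d+)\s+(.*)$")
    table, last_pid = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        m = entry_re.match(line)
        if m:
            image, pid, services = m.group(1), int(m.group(2)), m.group(3)
            table[pid] = (image, _split_services(services))
            last_pid = pid
        elif line[0].isspace() and last_pid is not None:
            table[last_pid][1].extend(_split_services(line))  # continuation line
    return table


def attribute_connections(netstat_text, tasklist_text):
    """Join both tables so every connection carries its image and hosted services."""
    procs = parse_tasklist_svc(tasklist_text)
    out = []
    for c in parse_netstat(netstat_text):
        image, services = procs.get(c["pid"], ("<unknown>", []))
        out.append({**c, "image": image, "services": services})
    return out


def repeat_connectors(netstat_text, tasklist_text, min_ports=2):
    """(pid, remote, distinct local ports, image, services) for every PID that
    keeps reopening connections to one remote, the incrementing-port pattern."""
    by_pair, info = defaultdict(set), {}
    for c in attribute_connections(netstat_text, tasklist_text):
        if c["proto"] != "TCP" or c["foreign"].startswith("0.0.0.0"):
            continue  # skip listeners and UDP sockets
        key = (c["pid"], c["foreign"])
        by_pair[key].add(c["local"].rsplit(":", 1)[1])
        info[key] = (c["image"], c["services"])
    return sorted((pid, remote, len(ports), *info[(pid, remote)])
                  for (pid, remote), ports in by_pair.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    for pid, remote, n, image, services in repeat_connectors(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {pid} ({image}, services {services}) -> {remote}: {n} local ports")
```

On the affected machine, save the real outputs with "netstat -ano > net.txt" and "tasklist /svc > tl.txt" and pass the file contents to repeat_connectors. A PID that hosts a single service and keeps reconnecting to the same remote is the one to look at next; with the service name in hand, stopping that one service (rather than killing the whole svchost.exe, which triggers the RPC shutdown timer mentioned above) shows whether the traffic follows it.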
>I think my problem is to identify what program is using the errant
>svchost.
>
>From a cmd prompt if I enter "tasklist /svc" I get a list of what is
>running in each svchost instance.
>
>I'm not 100% but I think the one causing the trouble has only one
>entry "rpcss" because after suspending the svchost.exe process in Task
>Manager I can no longer use the "tasklist" command and get an "rpc
>server not available" error.
>Any suggestions as to what to look for next??
Well, personally I would install a sniffer (e.g. Wireshark) and
find out what is actually inside the traffic on port 80 to
60.246.179.201
These may be rather harmless http-get requests to a server that
is no longer available. (Indicating: originally bad traffic, but
now harmless because a bad server was taken off the air.)
Or you might see that your PC is actually sending (your) data
over to 60.246.179.201. Which would be unacceptable.
Another way to go could be examining your startup items,
disabling them one by one until you get the one responsible for
this traffic.
Or --if it is not an automatic process-- find out at which point
after reboot the traffic starts.
Re: unknown outgoing tcp traffic - should I be worried?
On Sat, 10 Nov 2007 16:04:03 GMT, bok118@zonnet.nl (Gerard Bok) wrote:
>
>Well, personally I would install a sniffer (e.g. Wireshark) and
>find out what is actually inside the traffic on port 80 to
>60.246.179.201
Interesting, thanks for the pointer to Wireshark.
I'm still finding my way around the program (never used anything like
this before, so bear with me). Assuming I'm doing this right, selecting
one of the outgoing packets in the capture list and using 'Follow TCP
Stream' builds several web pages, and most have the following header
-----------------------------------
GET /cat.asp?CategId=2&SubCategId=1014 HTTP/1.1
Accept: */*
Accept-Language: en
User-Agent: MJ12bot/v1.0.8 (http://majestic12.co.uk/bot.php?+)
Host: www.editora-central.com.br
Connection: close
------------------------------------------
The subsequent code under this header block appears to be web page HTML.
I checked out Majestic12 and it's some kind of distributed search
engine; is it likely I have this on my system and this is doing
searches and creating the traffic?
My name is Alex Chudnovsky and I am the founder of the Majestic-12 project referenced above.
In the last couple of weeks we were getting reports of a fake MJ12bot user-agent coming from various IPs; the main flag showing that it is a fake was the very old version v1.0.8 of the user-agent, just like above.
This is NOT us who do it - we are effectively a victim here, as whoever does this fakes the user-agent in the same way spammers fake the From: email address :-(
I am very keen to get to the bottom of exactly what happens - if you look at our bots page here: Majestic-12 : DSearch : MJ12bot you will see a message about the fake bot and lots of IP addresses from all over the world. I was thinking for some time that some botnet of compromised PCs was being used to crawl the web (probably for spamming purposes) using fake user-agents.
Do you have any of the firewalls installed like Kerio or ZoneAlarm? These should have prompted for network traffic coming out asking for approval.
it gives much greater detail about which processes do what, and it allows to look at network stats for applications as well. I hope this will allow to locate exact application that is doing this stuff. It sure isn't ours (MJ12node.exe) :/
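The founder's point above is that the fake can be spotted from the User-Agent string itself: the MJ12bot version it claims (v1.0.8) is far older than what the real crawler sends. The following is an added example, not code from the thread or from Majestic-12. It parses the client side of a Wireshark "Follow TCP Stream" text like the one quoted earlier into individual HTTP requests, extracts product and version from each User-Agent, flags requests whose user-agent matches a version the crawler's own project reported as spoofed, and counts the hosts contacted. The capture text is constructed: the first request reproduces the header block from the thread, the second (www.example.com, a browser user-agent) is invented for contrast, and the spoofed-version table holds only the v1.0.8 value named in the thread.

```python
"""Flag spoofed crawler user-agents in the client side of a captured HTTP
stream.  Added example, not code from the thread or from Majestic-12."""
import re
from collections import Counter

# Constructed sample of the client side of a "Follow TCP Stream" view.
# Wireshark shows CRLF line endings; the parser normalises them, so plain
# newlines are fine here.  The first request copies the header block quoted
# in the thread; the second is invented for contrast.
STREAM_SAMPLE = """GET /cat.asp?CategId=2&SubCategId=1014 HTTP/1.1
Accept: */*
Accept-Language: en
User-Agent: MJ12bot/v1.0.8 (http://majestic12.co.uk/bot.php?+)
Host: www.editora-central.com.br
Connection: close

GET /index.html HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www.example.com
Connection: close

"""

# Product/version pairs the crawler's own project reported as spoofed.  Only
# the value named in the thread is listed; extend it from the project's bot
# page if you maintain such a table.
KNOWN_SPOOFED = {"MJ12bot": {"v1.0.8"}}

REQUEST_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+HTTP/(\d\.\d)$")
UA_RE = re.compile(r"^(?P<product>[A-Za-z0-9._-]+)/(?P<version>[^\s(;]+)")


def parse_http_requests(stream_text):
    """Split the client side of a TCP stream into HTTP/1.x requests.
    Each request is a request line plus headers ended by a blank line; a GET
    carries no body, so the next request starts straight after that line."""
    text = stream_text.replace("\r\n", "\n")
    requests = []
    for block in text.split("\n\n"):
        lines = [ln for ln in block.split("\n") if ln.strip()]
        if not lines:
            continue
        m = REQUEST_LINE_RE.match(lines[0])
        if not m:
            continue  # not a request line (response data or a body fragment)
        headers = {}
        for hl in lines[1:]:
            name, _, value = hl.partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append({"method": m.group(1), "path": m.group(2),
                         "http_version": m.group(3), "headers": headers})
    return requests


def parse_user_agent(ua):
    """Return (product, version) from the leading product token, or (None, None)."""
    m = UA_RE.match(ua or "")
    return (m.group("product"), m.group("version")) if m else (None, None)


def flag_spoofed_crawlers(requests):
    """(host, path, reason) for each request whose user-agent claims a
    crawler product/version that the crawler's project says it never sends."""
    hits = []
    for r in requests:
        product, version = parse_user_agent(r["headers"].get("user-agent"))
        if product in KNOWN_SPOOFED and version in KNOWN_SPOOFED[product]:
            hits.append((r["headers"].get("host", "?"), r["path"],
                         f"{product}/{version} is a known spoofed crawler string"))
    return hits


def hosts_contacted(requests):
    """How many requests went to each Host, to see the spread of the crawl."""
    return Counter(r["headers"].get("host", "?") for r in requests)


if __name__ == "__main__":
    reqs = parse_http_requests(STREAM_SAMPLE)
    for host, path, reason in flag_spoofed_crawlers(reqs):
        print(f"{host}{path}: {reason}")
    print(dict(hosts_contacted(reqs)))
```

Paste the client side of the stream (the "Follow TCP Stream" window can save one direction to a file) into parse_http_requests. A desktop PC that emits crawler user-agents at all is already odd; a crawler string with a version the project disowns, spread over many unrelated hosts, is the pattern the thread ends up with.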
abc,
I haven't found it either but I removed the vulnerability that made it work (I guess). Now I no longer experience this unwanted traffic. Do this:
1. Get ProcessExplorer from Microsoft. It's free. It doesn't need installation, just unzip and run.
2. When the traffic starts (be sure it's not your own traffic), run procexp.exe
3. Notice that one of the svchost.exe entries incurs unusually high CPU utilization. The trojan started this instance. Hover over the entry to pop up a tooltip. It should say: DCOM service process launcher.
4. Now, observe the child node (actually it is the parent node) that emanates from this entry. It will give you the path to the program that has the vulnerability.
5. Do a search to identify which software this program belongs to. I can't help you in this.
6. Replace/upgrade/patch your software so that the vulnerability is removed. The trojan will still be there but it won't be able to exploit anything.
7. Reboot
Re: unknown outgoing tcp traffic - should I be worried?
My svchost responsible for the traffic does not have any nodes under
it in Process Explorer.
With OllyDbg I have been able to find the area in memory where it is doing
its work, but I'm not able to find the owner of the memory. OllyDbg
does not show who it belongs to. When I set a breakpoint on it, OllyDbg
crashes when it is hit.
survivor wrote:
> abc,
> I haven't found it either but I removed the vulnerability that made it
> work (I guess). Now I no longer experience this unwanted traffic. Do
> this:
> 1. Get ProcessExplorer from Microsoft. It's free. It doesn't need
> installation, just unzip and run.
> 2. When the traffic starts (be sure it's not your own traffic), run
> procexp.exe
> 3. Notice that one of the svchost.exe entries incurs unusually
> high CPU utilization. The trojan started this instance. Hover over the
> entry to pop up a tooltip. It should say: DCOM service process launcher.
> 4. Now, observe the child node (actually it is the parent node) that
> emanates from this entry. It will give you the path to the program that
> has the vulnerability.
> 5. Do a search to identify which software this program belongs to. I
> can't help you in this.
> 6. Replace/upgrade/patch your software so that the vulnerability is
> removed. The trojan will still be there but it won't be able to exploit
> anything.
> 7. Reboot
>
> Let me know how you did.
I found a suspicious file named mqperf32.dll in the system32 directory. When I tried to check it, AVG (antivirus) kept showing an alarm, so I opted to clean it. There's little info on the net about it, but it is not an OS file (the OS's file is named mqperf.dll). If you find this is the case for you, could you send me a copy of it before you clean it up? (I would like to analyze such a clever piece of program.)