Discussion: my today's security problem
Mike Scott
2005-03-29 14:42:04 UTC
I've found today that all three of our windows machines connect
occasionally to machines in the range 82.71.193.xxx, which seems to be
zen internet. I haven't a clue why, and so have set our firewall to
block outbound traffic directed there: I'll wait for something to break!

The connection is always to tcp port 80, but looking there with a
browser gives a message along the lines of 'invalid url, / not found'
(can't check now because of the firewall :-) )

I can't think of anything installed on one, never mind all three
machines that would cause this. Maybe it's actually innocuous: any ideas
please? I've not managed to catch any of the actual traffic, just a
note of the connection being made.


Oh yes, complete list found so far is:
--
Please use the corrected version of the address below for replies.
Replies to the header address will be junked, as will mail from
various domains listed at www.scottsonline.org.uk
regards. Mike Scott Harlow Essex England.(unet -a-t- scottsonline.org.uk)
Nig
2005-03-29 18:21:39 UTC
Post by Mike Scott
I've found today that all three of our windows machines connect
occasionally to machines in the range 82.71.193.xxx, which seems to be
zen internet. I haven't a clue why, and so have set our firewall to
block outbound traffic directed there: I'll wait for something to break!
The connection is always to tcp port 80, but looking there with a
browser gives a message along the lines of 'invalid url, / not found'
(can't check now because of the firewall :-) )
I can't think of anything installed on one, never mind all three
machines that would cause this. Maybe it's actually innocuous: any ideas
please? I've not managed to catch any of the actual traffic, just a
note of the connection being made.
My first thought was spyware or some form of hijack trying to contact
some zombies, but they'd unlikely just try and connect to some machines
on Zen, there'd be others as well I would've thought. Do you run
anything like Spybot or Adaware? The MS Anti-spyware proggie is pretty
good as well, but then they did buy the best one;-) Be interesting if
they did find anything.

Also, I'd suggest running Hijack This to see what other unwanted stuff
you may have installed.

Another good toy to run is Ethereal so that you can actually look at the
traffic that the connections are sending. This could give some other
clues as to what is going on.
Post by Mike Scott
82.71.193.197
Whilst these show up as Zen, it would appear they're not currently in
use. Have you tried contacting Zen to find out if they know what these
addresses are used for?
Mike Scott
2005-03-29 19:59:31 UTC
Post by Nig
Post by Mike Scott
I've found today that all three of our windows machines connect
occasionally to machines in the range 82.71.193.xxx, which seems to be
zen internet. I haven't a clue why, and so have set our firewall to
block outbound traffic directed there: I'll wait for something to break!
...
Post by Nig
My first thought was spyware or some form of hijack trying to contact
some zombies, but they'd unlikely just try and connect to some machines
on Zen, there'd be others as well I would've thought. Do you run
anything like Spybot or Adaware? The MS Anti-spyware proggie is pretty
good as well, but then they did buy the best one;-) Be interesting if
they did find anything.
I do regular sweeps; two of the machines have ad-aware, avg, spybot s&d,
bhodemon (not that I use IE much). The other machine is my son's -
goodness knows what he's got loaded :-)

Haven't seen anything else unaccounted for, at least on my own machines.
I've been logging all outbound tcp connections for a couple of weeks
now in connection with another problem. udp's another matter of course.
Post by Nig
Also, I'd suggest running Hijack This to see what other unwanted stuff
you may have installed.
I've just tried hijack this - which gives an error or two before showing
an apparently clear log file; but I'll check again tomorrow when my
brain is clearer :-)
Post by Nig
Another good toy to run is Ethereal so that you can actually look at the
traffic that the connections are sending. This could give some other
clues as to what is going on.
I'm doing that at present. In spite of what I said earlier, I do have
some packet data of the connections, captured on the freebsd m/c I use
as gateway/firewall. It's only a small m/c, and although I've been
trying this afternoon to analyse the traces with ethereal, it takes
about 10 minutes to run the data through a single filter -- will try a
bigger box tomorrow.
Post by Nig
Post by Mike Scott
82.71.193.197
...
Post by Nig
Whilst these show up as Zen, it would appear they're not currently in
use. Have you tried contacting Zen to find out if they know what these
addresses are used for?
Good idea. If I don't get anywhere tomorrow, I'll see what they say.
What makes you think they're not in use though? I know reverse DNS
doesn't work for them, but that seems the norm for some ISPs.
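As an added example (not code from the thread or from any of its posters), a small Python script that does the kind of aggregation Mike describes over a log of outbound TCP connections: it groups connections by destination /24 and port and reports the nets that every internal host has contacted. The log format, the internal host addresses and the sample lines are all assumptions constructed for the example.

```python
"""Summarise outbound TCP connection logs per destination /24 and port.

Constructed log lines (not the poster's real data) in an assumed
"timestamp src dst dport" format from a hypothetical gateway logger.
The aim is to surface destination nets contacted by every internal host,
as observed in the thread for 82.71.193.0/24.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: three internal hosts, several destinations.
SAMPLE_LOG = """\
2005-03-29T09:01:02 192.168.1.10 82.71.193.197 80
2005-03-29T09:02:15 192.168.1.11 82.71.193.205 80
2005-03-29T09:03:40 192.168.1.12 82.71.193.216 80
2005-03-29T09:05:00 192.168.1.10 203.0.113.5 443
2005-03-29T09:06:12 192.168.1.11 198.51.100.7 80
2005-03-29T10:11:45 192.168.1.12 82.71.193.230 80
"""

def parse_lines(text):
    """Yield (src, dst, dport) tuples from log lines; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, src, dst, dport = parts
        try:
            yield ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
        except ValueError:
            continue

def nets_by_source(text, prefix=24):
    """Map (destination /prefix network, dport) -> set of internal source hosts."""
    seen = defaultdict(set)
    for src, dst, dport in parse_lines(text):
        net = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
        seen[(str(net), dport)].add(str(src))
    return seen

def shared_destinations(text, prefix=24):
    """Return (net, dport) keys contacted by every internal host seen in the log."""
    seen = nets_by_source(text, prefix)
    all_hosts = set().union(*seen.values()) if seen else set()
    return sorted(k for k, hosts in seen.items() if hosts == all_hosts)

if __name__ == "__main__":
    for net, port in shared_destinations(SAMPLE_LOG):
        print(f"all hosts -> {net} tcp/{port}")
```

A destination net that every host talks to on the same port is a strong hint of a shared component (an updater, a plugin) rather than a one-off infection, which is what the thread eventually found.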
Mike Scott
2005-03-30 10:02:30 UTC
Post by Nig
Post by Mike Scott
I've found today that all three of our windows machines connect
occasionally to machines in the range 82.71.193.xxx, which seems to be
zen internet. I haven't a clue why, and so have set our firewall to
block outbound traffic directed there: I'll wait for something to break!
...
Post by Nig
Whilst these show up as Zen, it would appear they're not currently in
use. Have you tried contacting Zen to find out if they know what these
addresses are used for?
Handy tool, ethereal. It appears that these machines mirror avg,
possibly among other things: I've seen reference to realplayer material
as well as avg update downloads. Harmless I guess - but singularly
unexpected, and one might have expected a security-related company like
grisoft to warn that unexpected nets may host their software.

Oh well; exciting while it lasted :-)