IWETHEY v. 0.3.0 | TODO

What's going on here? Attempted outgoing connections...
In the log for my Buffalo WBR2-G54S WAP, I'm seeing things like this:

2010/05/01 00:30:18 FILTER TCP connection denied from 192.168.0.3:2869 to 92.242.144.2:445 (br0)
2010/05/01 00:30:16 FILTER UDP connection denied from 192.168.0.3:137 to 92.242.144.2:137 (br0)
2010/05/01 00:30:15 FILTER UDP connection denied from 192.168.0.3:137 to 92.242.144.2:137 (br0)
2010/05/01 00:30:13 FILTER UDP connection denied from 192.168.0.3:137 to 92.242.144.2:137 (br0)
2010/05/01 00:30:11 FILTER TCP connection denied from 192.168.0.3:2869 to 92.242.144.2:445 (br0)
2010/05/01 00:30:08 FILTER TCP connection denied from 192.168.0.3:2869 to 92.242.144.2:445 (br0)
2010/04/30 23:58:05 FILTER TCP connection denied from 192.168.0.3:2821 to 92.242.144.2:445 (br0)
2010/04/30 23:58:03 FILTER UDP connection denied from 192.168.0.3:137 to 92.242.144.2:137 (br0)
2010/04/30 23:58:02 FILTER UDP connection denied from 192.168.0.3:137 to 92.242.144.2:137 (br0)
2010/04/30 23:58:00 FILTER UDP connection denied from 192.168.0.3:137 to 92.242.144.2:137 (br0)
2010/04/30 23:57:58 FILTER TCP connection denied from 192.168.0.3:2821 to 92.242.144.2:445 (br0)
2010/04/30 23:57:55 FILTER TCP connection denied from 192.168.0.3:2821 to 92.242.144.2:445 (br0)

[...]

2010/04/29 21:48:39 FILTER TCP connection denied from 192.168.0.3:4628 to 92.242.140.13:445 (br0)
2010/04/29 21:48:37 FILTER UDP connection denied from 192.168.0.3:137 to 92.242.140.13:137 (br0)
2010/04/29 21:48:36 FILTER UDP connection denied from 192.168.0.3:137 to 92.242.140.13:137 (br0)
2010/04/29 21:48:34 FILTER UDP connection denied from 192.168.0.3:137 to 92.242.140.13:137 (br0)
2010/04/29 21:48:32 FILTER TCP connection denied from 192.168.0.3:4628 to 92.242.140.13:445 (br0)
2010/04/29 21:48:29 FILTER TCP connection denied from 192.168.0.3:4628 to 92.242.140.13:445 (br0)
2010/04/29 21:16:26 FILTER TCP connection denied from 192.168.0.3:4579 to 92.242.140.13:445 (br0)
2010/04/29 21:16:24 FILTER UDP connection denied from 192.168.0.3:137 to 92.242.140.13:137 (br0)
2010/04/29 21:16:23 FILTER UDP connection denied from 192.168.0.3:137 to 92.242.140.13:137 (br0)
2010/04/29 21:16:21 FILTER UDP connection denied from 192.168.0.3:137 to 92.242.140.13:137 (br0)
2010/04/29 21:16:19 FILTER TCP connection denied from 192.168.0.3:4579 to 92.242.140.13:445 (br0)
2010/04/29 21:16:16 FILTER TCP connection denied from 192.168.0.3:4579 to 92.242.140.13:445 (br0)

[...]


192.168.0.3 is a Windows 2000 machine. I occasionally see another IP address listed, but it's mainly that one.

I just ran SBS&D on it and it sees nothing amiss.

IPtrace says the first destination machine is somewhere in Belfast. :-/

What's going on? How do I find out what software is attempting the outgoing connection?

I'm not using a software firewall (at least partially because when the Windows Firewall gets turned on I lose all of my internal networking - I haven't bothered with trying to figure that out). Should I be using a software firewall as well? If so, any recommendations for Winders?

Thanks very much.

Cheers,
Scott.
That's weird.
It's definitely NBT traffic; the port numbers give it away. Somehow, the Windows file sharing thinks it needs to talk to 92.242.144.2. (And there are a lot of connection attempts because NBT is chatty.)

Wade.

Q:Is it proper to eat cheeseburgers with your fingers?
A:No, the fingers should be eaten separately.
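One way to confirm that reasoning over the router log itself, as an added example (not code from the thread): parse the Buffalo "FILTER ... connection denied" lines, keep only NBT/SMB ports, and flag a LAN host reaching a public address while leaving LAN-to-LAN file sharing alone. The sample log embeds five lines from the thread plus three constructed control lines.

```python
import ipaddress
import re
from collections import Counter

# Shape of a Buffalo WBR2-G54S "FILTER ... connection denied" line, as quoted in the thread
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) FILTER (?P<proto>TCP|UDP) connection denied "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+) \((?P<iface>\w+)\)$"
)
# NBT/SMB ports: 137/udp name service, 138/udp datagram, 139/tcp session, 445/tcp SMB
NBT_SMB_PORTS = {137, 138, 139, 445}

# Constructed sample: five lines from the thread plus three constructed controls
# (LAN-to-LAN SMB, a DNS lookup, an unrelated syslog line).
SAMPLE_LOG = """\
2010/05/01 00:30:18 FILTER TCP connection denied from 192.168.0.3:2869 to 92.242.144.2:445 (br0)
2010/05/01 00:30:16 FILTER UDP connection denied from 192.168.0.3:137 to 92.242.144.2:137 (br0)
2010/05/01 00:30:15 FILTER UDP connection denied from 192.168.0.3:137 to 92.242.144.2:137 (br0)
2010/05/01 00:30:11 FILTER TCP connection denied from 192.168.0.3:2869 to 92.242.144.2:445 (br0)
2010/04/29 21:48:39 FILTER TCP connection denied from 192.168.0.3:4628 to 92.242.140.13:445 (br0)
2010/05/01 00:31:00 FILTER TCP connection denied from 192.168.0.3:3001 to 192.168.0.5:445 (br0)
2010/05/01 00:31:05 FILTER UDP connection denied from 192.168.0.3:1025 to 8.8.8.8:53 (br0)
May  1 00:31:07 kernel: unrelated syslog noise
""".splitlines()

def parse_line(line):
    """Fields of one FILTER line as a dict, or None when the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def is_outbound_smb_leak(rec):
    """True when a LAN (RFC 1918) host tries NBT/SMB to a public address; LAN-to-LAN
    file sharing is normal and is not flagged."""
    src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
    return src.is_private and dst.is_global and rec["dport"] in NBT_SMB_PORTS

def summarize(lines):
    """Count flagged attempts per (source host, destination, destination port)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_outbound_smb_leak(rec):
            counts[(rec["src"], rec["dst"], rec["dport"])] += 1
    return counts
```

Running summarize(SAMPLE_LOG) groups the noise into three (source, destination, port) pairs, which is the list you would then take to a per-process tool on the host itself to see which program is the talker.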
That IP block belongs to Barefruit, Ltd
They seem to be some kind of search-hijacking interweb noo economi redirector thing.

http://www.barefruit.com/
Run Ad-Aware and MS' anti-malware program too
When I got hit with that virus last month it took these two in addition to AVG Anti-Virus for me to find and remove it.




"Chicago to my mind was the only place to be. ... I above all liked the city because it was filled with people all a-bustle, and the clatter of hooves and carriages, and with delivery wagons and drays and peddlers and the boom and clank of freight trains. And when those black clouds came sailing in from the west, pouring thunderstorms upon us so that you couldn't hear the cries or curses of humankind, I liked that best of all. Chicago could stand up to the worst God had to offer. I understood why it was built--a place for trade, of course, with railroads and ships and so on, but mostly to give all of us a magnitude of defiance that is not provided by one house on the plains. And the plains is where those storms come from."

-- E.L. Doctorow
My standard tools are . . .
ComboFix (which is sometimes updated several times a day) and Malwarebytes.

ComboFix will run in safe mode (some infections disable safe mode and running executables, which makes things a bit more tricky) so that's where I usually start. After that I'll reboot in standard mode and run Malwarebytes. That usually does the job, though I usually run ComboFix again in standard mode just to be sure.

ComboFix is good at detecting root kits, which are now often installed to keep you from being able to remove the infection. ComboFix will bleep about it, jimmy the root kit, restart the machine and go about its work.

One thing about ComboFix, you have to get it from their site or from Bleeping Computer. It is much feared by malware writers so they have seeded the Internet with fake versions.
Got a link to it?
I'd like to add it to my defense package.

Re: Got a link to it?
http://www.bleepingc...w-to-use-combofix

Except it's experiencing a DDoS right now.
The ComboFix site is still working.
http://www.combofixdownload.com

thanks

With 2000 you'll need tcpview
http://technet.micro...nals/default.aspx

Part of the SysInternals tools that were borged by MS a while back. If it is still working and useful, you may want to keep a copy. MS tries to sabotage the tools so they stop working on EOL Windows versions.
XKCD has the answer.
http://xkcd.com/742/

(Thanks for all the replies. I haven't had a chance to try those tools and investigate further yet. I hope to this weekend.)

Cheers,
Scott.
lol...
     What's going on here? Attempted outgoing connections... - (Another Scott) - (11)
         That's weird. - (static)
         That IP block belongs to Barefruit, Ltd - (pwhysall)
         Run Ad-Aware and MS' anti-malware program too - (lincoln) - (5)
             My standard tools are . . . - (Andrew Grygus) - (4)
                 Got a link to it? - (lincoln) - (3)
                     Re: Got a link to it? - (folkert) - (2)
                         The ComboFix site is still working. - (Andrew Grygus)
                         thanks -NT - (lincoln)
         With 2000 you'll need tcpview - (scoenye)
         XKCD has the answer. - (Another Scott) - (1)
             lol... -NT - (static)