Solved

Who is "phoning home" from my PC?

Posted on 2004-05-02
Last Modified: 2013-12-04


The guy who built my new PC may have installed a keylogger, probably as a prank.  I am trying to find out who is "phoning home" from my PC.  Here’s some recent dialog from me (and the response) at the Computer Cops forum:

I bought IPTicker since it was only $10. (It's also free to try.) It finds all kinds of traffic into my PC and some traffic out. Netstat gave me similar info, but how the heck do you know what all those numerical addresses are?  Whois gave little info.

I installed a trial version of Smart Whois, which supposedly searches a broad database. They gave me some results, but many numerical IP numbers are only listed in a broad range of IP numbers that major corps have reserved, such as Akamai technologies, Level3.net and many come up as unknown.

I will list a few of the “out” reports:

66.77.165.161 gets out to Akamai Technologies.
66.77.165.201 gets in from same
66.77.165.160 gets in from same all use port 80.
An email address was listed and I sent one asking why I’m getting their traffic. No response.  A phone number was listed for their IT guy. I left a voicemail. No response.

172.16.0.255 gets out most frequently, numerous times per day. It’s listed as an ambiguous Internet assigned address in a huge block of numbers.

Many of the incoming traffic reports also have ambiguous IP addresses. Most are listed as TCP and use port 80 or 110. Some are listed as UDP. One was listed in another protocol, but I did not write that down.

With all the processes running on a modern XP computer and “phoning home”, it may be impossible to ID a suspicious internet connection that may be related to key logging.
 
Can anyone advise how to tell what those mysterious IP numbers (listed above) mean, even after using a tool like SmartWhoIS?

========================================
Response from Parputt:

66.77.165.161 = [ ]
OrgName: Qwest Cybercenters
OrgID: QCYB
Address: 950 17th Street
Address: Suite 1900
City: Denver
StateProv: CO
PostalCode: 80202
Country: US
NetRange: 66.77.0.0 - 66.77.255.255
CIDR: 66.77.0.0/16
NetName: QWEST-CYBERCENTER-2
NetHandle: NET-66-77-0-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: DCA-ANS-01.INET.QWEST.NET
NameServer: SVL-ANS-01.INET.QWEST.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-02-13
Updated: 2003-09-04
TechHandle: DW820-ARIN
TechName: Wysocki David
TechPhone: 1-201-770-4133
TechEmail: ip-admin@qis.qwest.net
OrgAbuseHandle: QIA2-ARIN
OrgAbuseName: Qwest IP Abuse
OrgAbusePhone: 1-877-886-6515
OrgAbuseEmail: abuse@qwest.net
OrgTechHandle: QIA-ARIN
OrgTechName: Qwest IP Admin
OrgTechPhone: 1-877-886-6515
OrgTechEmail: ipadmin@qwest.com
CustName: Akamai Technologies Inc.
Address: 8 Cambridge Center
City: Cambridge
StateProv: MA
PostalCode: 02142
Country: US
RegDate: 2003-04-16
Updated: 2003-04-16
NetRange: 66.77.165.128 - 66.77.165.255
CIDR: 66.77.165.128/25
NetName: QWEST-CEC-AKAMAITINC
NetHandle: NET-66-77-165-128-1
Parent: NET-66-77-0-0-1
NetType: Reassigned
Comment:
RegDate: 2003-04-16
Updated: 2003-04-16
TechHandle: DW820-ARIN
TechName: Wysocki David
TechPhone: 1-201-770-4133
TechEmail: ip-admin@qis.qwest.net
OrgAbuseHandle: QIA2-ARIN
OrgAbuseName: Qwest IP Abuse
OrgAbusePhone: 1-877-886-6515
OrgAbuseEmail: abuse@qwest.net
OrgTechHandle: QIA-ARIN
OrgTechName: Qwest IP Admin
OrgTechPhone: 1-877-886-6515
OrgTechEmail: ipadmin@qwest.com

http://www.qwest.com/about/qwest/QwestCyberCenters/

=====================================================
Thanks, parputt

That was good work on the IP address that has been getting in and also “phoning home”. You got even more details than my trial of SmartWhoIS, including the parent company, Qwest Communications, which is an ISP and telecom among other things; all I got was the apparent “customer”, or maybe more likely a subsidiary or partner:
CustName: Akamai Technologies Inc.
Address: 8 Cambridge Center
City: Cambridge
StateProv: MA.

I did get the same listed name: David Wysocki and he didn’t return phone or email, probably because mine was a nuisance call, given whatever business they do.

That’s a lot of data, much of it mysterious, and I’m still wondering what it all means and if there is any way to tell why they are getting in AND out of this PC, even though I use ZAPRO and Pest Patrol.

Question by: Cohokeith
17 Comments
 
LVL 7

Expert Comment

by:IceRaven
ID: 10970705
Hi Cohokeith,

You could use the trace route command and see who the closet hop that you can identify is, then contact them.

Cheers,
IceRaven
0
 

Author Comment

by:Cohokeith
ID: 10971214
Hi IceRaven

Can you explain how to do that?  Did you mean closest hop?

Cohokeith
0
 
LVL 7

Expert Comment

by:IceRaven
ID: 10971291


Click Start, then click Run, then type cmd, then click OK.

Type tracert followed by the IP address you want.

e.g.

tracert 66.77.165.161

the second last line of the result for me is...

18   321 ms   323 ms   323 ms  msfc-03.cec.qwest.net [66.77.112.42]

Which is the "closest hop" to the target that isn't the target.

So you know the network, qwest.net and you then talk to them about the target IP address 66.77.165.161

Cheers,
IceRaven
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10971675
Cleaning your computer  - and protecting it in the future -  can't be answered with one issue.

As you can see in my URL below there are at least 7 different issues, where you should decide on 1 of each, or else you don't protect your computer at all.

The reason is that the many different programs do not always protect against each other, and each of them does not protect equally.

It's very important, that you study all of these issues in my knowledgebase (some of them are freeware):
http://www.tryware.dk/English/Knowledgebase/HowToProtectYourComputer.html

BTW: I'm using the Trend Micro virus-suite, and SoftScan , and haven't got any of my servers or computers infected since 1999.

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
LVL 14

Expert Comment

by:JohnK813
ID: 10980783
Qwest looks like an ISP - is that how you connect to the Internet?

Akamai Technologies (www.akamai.com) does web hosting for large companies, including Microsoft.  Basically, if a company does not want to use its own computers as web servers, Akamai rents out computers to be used as web servers.  When you type in www.microsoft.com, you (usually) get redirected to an Akamai computer.  I panicked at first when I saw akamai coming up in my netstats, but it's nothing to fear.  You're still getting microsoft.com (or whatever) just like you should, only you're not using a web server that belongs to Microsoft to view it.  It's also possible that Qwest uses Akamai to serve their web site.

Port 80 is http.  So, when you see an open connection on Port 80, all that means is you have a web page open right now.  That's also why Zone Alarm isn't blocking these port 80 requests - if you told ZA that Internet Explorer is allowed to access the Internet, then ZA allows these port 80 requests in IE (but shouldn't for other programs, unless you say so).

Port 110 is POP3.  POP3 is email.  Do you use a program like Outlook/Outlook Express or Eudora to access your email?  If so, that's probably all this is.

Here's a list of port numbers matched with their service: http://www.iana.org/assignments/port-numbers  Use this to check your netstat and IPTicker results.  If you're suspicious of any ports that are in use on your system, post them here and I'll try to help explain (or find out) what they are and what they do.

I'm not sure what 172.16.0.255 is, so right now that's one to be worried about.  Check for spyware/adware, and run a virus scan.  For more information, check here: http:Q_20975384.html
0
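The reply above does the triage by hand: a public address gets a WHOIS lookup, a well-known port is mapped to its service, and an unexplained address such as 172.16.0.255 is flagged. The following is an added example (not IPTicker's code and not written by anyone in the thread) that applies the same three checks to rows in the summary layout IPTicker prints later in the thread. The sample rows are constructed (the 66.77.165.161 row and its count are made up for illustration), the PORT_NAMES table is a hand-picked subset of the IANA registry, and the local subnet mask (/24) is an assumption the thread never states.

```python
"""Triage of per-connection summary rows (IPTicker / netstat style).

Added example, not code from IPTicker or from anyone in the thread. It does
mechanically what the replies do by hand: decide whether an address is an
RFC 1918 private address, the subnet broadcast address, or a public address
worth a WHOIS lookup, and name the service behind a well-known port.
PORT_NAMES is a hand-picked subset of the IANA registry; the /24 subnet
mask is an assumption (the thread never states it).
"""
import ipaddress
from dataclasses import dataclass

# Subset of IANA well-known ports relevant to this thread; extend as needed.
PORT_NAMES = {
    53: "dns",
    80: "http",
    110: "pop3",
    137: "netbios-ns",
    138: "netbios-dgm",
    139: "netbios-ssn",
    443: "https",
}

# Constructed sample rows in IPTicker's summary layout; the Host column is
# empty when the address did not resolve. The last row is invented.
SAMPLE_ROWS = """\
Direction  IP addr          Host                 Total  Protoc  Port
In         208.185.174.52   Update.zonelabs.com  546    TCP     80
In         172.16.0.163                          503    UDP     53
Out        172.16.0.255                          1398   UDP     138
Out        66.77.165.161                         12     TCP     80
"""


@dataclass
class Row:
    direction: str
    ip: str
    host: str
    total: int
    proto: str
    port: int


def parse_rows(text):
    """Parse summary lines; rows with a Host have 6 fields, without 5."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6:
            direction, ip, host, total, proto, port = parts
        elif len(parts) == 5:
            direction, ip, total, proto, port = parts
            host = ""
        else:
            continue  # header line or blank line
        try:
            rows.append(Row(direction, ip, host, int(total), proto.upper(), int(port)))
        except ValueError:
            continue  # not a data row
    return rows


def classify(row, local_net=ipaddress.ip_network("172.16.0.0/24")):
    """Label one row by address scope and port service (local_net is assumed)."""
    addr = ipaddress.ip_address(row.ip)
    if addr == local_net.broadcast_address:
        scope = "broadcast"
        note = "subnet broadcast; stays on the LAN and never reaches the Internet"
    elif addr.is_private:
        scope = "private"
        note = "RFC 1918 address: a LAN host or the router, not an Internet party"
    else:
        scope = "public"
        note = "Internet address: check WHOIS and the resolved Host name"
    service = PORT_NAMES.get(row.port, "unknown")
    return {"scope": scope, "service": service, "note": note}


def triage(text):
    """Return one human-readable line per row."""
    lines = []
    for row in parse_rows(text):
        c = classify(row)
        host = row.host or "(no name)"
        lines.append(f"{row.direction:<4} {row.ip:<16} {host:<20} "
                     f"{row.proto}/{row.port} {c['service']:<12} {c['scope']:<10} {c['note']}")
    return lines


if __name__ == "__main__":
    for line in triage(SAMPLE_ROWS):
        print(line)
```

Running it on the sample marks the ZoneLabs update server and the 66.77.165.161 row as public (the only ones worth a WHOIS), 172.16.0.163 as a private LAN address answering on UDP/53 (a DNS server), and 172.16.0.255 as the subnet broadcast on UDP/138 (NetBIOS datagram service), which is traffic that cannot leave the LAN.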
 

Author Comment

by:Cohokeith
ID: 10982407
To:  Trywaredk
I have already used a whole suite of anti-spy tools:  Adaware, Spybot S&D, Bullet Proof software, Keylogger detector, Pest Patrol, X-cleaner and Spy Sweeper.  All they found were a bunch of spyware cookies and some false positives.  

To:  IceRaven
Good tip on how to use Tracert.  However, getting to the right person at Qwest or Akamai would be difficult and most likely unproductive.  

To:  JohnK813
Great tips.  I use Comcast HSI, Outlook Express, Zapro, a router, NAV, and all are kept up to date.  I was concerned about Akamai because it appears in many of the HiJack This logs that people post at Computer Cops.  However it may be so prevalent because it is a benign item that appears with popular software, even Windows processes.  

Some keyloggers are said to use email to send occasional packets from their log file, so I can't dismiss port 80 yet.

I was thinking about shutting down all running apps except ZoneAlarm (for security) and also shutting down all Windows services and then watch the IPTicker results overnight.  If there is no traffic out, then perhaps that would rule out a keylogger.  Then I could gradually start adding processes and watch to see what traffic begins to appear.   Are there any processes or services that I should not shut down for the test?  Is it safe to turn off NAV as long as ZA is running?




0
 
LVL 7

Expert Comment

by:IceRaven
ID: 10984832
As long as you are not using your computer and your computer is firewalled, then I believe you are fairly safe in disabling your anti-virus software.

Cheers,
IceRaven.
0
 

Author Comment

by:Cohokeith
ID: 10985295
FWIW, here’s some IPTicker Data.  Ran all night with open apps off except for ZA.   172.16.0.255 got “out” 54 times through the night.

Here’s the IPTicker after 1 hour at 10:45pm:

Direction   IP addr           Host                   Total   Protocol   Port
In          208.185.174.52    Update.zonelabs.com    546     TCP        80
In          172.16.0.163                             503     UDP        53
Out         172.16.0.255                             1398    UDP        138

Can you folks help interpret the “dump”?

“Dump” log after 1 hour:

Packet 172.16.0.2 --> 172.16.0.255, port 138
.......................!.......... FAEFEOFEEJFFENDECACACACACACACAAA. ABACFPFPENFDECFCEPFHFDEFFPFPACAB..SMB%..............................)...................).V.........:.\MAILSLOT\BROWSE....'..JOHNSON.................PENTIUM4.
Packet 172.16.0.163 --> 172.16.0.2, port 53
..15.........5.....w.............255.0.16.172.in-addr.arpa.............:..K.xbru.br.ns.els-gms.att.net..rm-hostmaster.ems.att.com...............:...:.
Packet 172.16.0.163 --> 172.16.0.2, port 53
..12.........5....X..............163.0.16.172.in-addr.arpa.............(..K.xbru.br.ns.els-gms.att.net..rm-hostmaster.ems.att.com...............:...:.
Packet 172.16.0.163 --> 172.16.0.2, port 53
..1~.........5...=.V.............update.zonelabs.com.............~......4
Packet 208.185.174.52 --> 172.16.0.2, port 80
.P.I...$.!d.p."8.......d....
Packet 208.185.174.52 --> 172.16.0.2, port 80
.P.I...%.!e.P...x...
Packet 208.185.174.52 --> 172.16.0.2, port 80
.P.I...%.!fKP..`....HTTP/1.1 200 OK..Date: Tue, 04 May 2004 02:14:12 GMT..Server: Apache/1.3.29 (Unix) mod_ssl/2.8.16 OpenSSL/0.9.7c..Content-Length: 157..Connection: close..Content-Type: text/html....UpdateAvailable=no.UpdateURL=http://update.zonelabs.com/downloadrequest?updtConfId=44&updtReqId=732614134.UpdateNotice=Your Internet Security is up to date..
Packet 208.185.174.52 --> 172.16.0.2, port 80
.P.I...w.!fKP..`u>..
Packet 208.185.174.52 --> 172.16.0.2, port 80
.P.I...x.!fLP..`u=..
Packet 172.16.0.163 --> 172.16.0.2, port 53
..1b.........5...V...............52.174.185.208.in-addr.arpa..................update.zonelabs.com.
Packet 172.16.0.2 --> 172.16.0.255, port 138
...................a...%.......... FAEFEOFEEJFFENDECACACACACACACACA. FCEPFDEFEOEEEBEIEMCACACACACACABO..SMB%..............................!...................!.V.........2.\MAILSLOT\BROWSE.......PENTIUM4................U..
Packet 172.16.0.2 --> 172.16.0.255, port 138
..................Iz...'.......... FAEFEOFEEJFFENDECACACACACACACAAA. ABACFPFPENFDECFCEPFHFDEFFPFPACAB..SMB%..............................)...................).V.........:.\MAILSLOT\BROWSE.......JOHNSON.................PENTIUM4.
Packet 172.16.0.2 --> 172.16.0.255, port 138
...................h...(.......... FAEFEOFEEJFFENDECACACACACACACACA. FCEPFDEFEOEEEBEIEMCACACACACACABO..SMB%..............................!...................!.V.........2.\MAILSLOT\BROWSE.......PENTIUM4.. ...C.........U..
Packet 172.16.0.2 --> 172.16.0.255, port 138
..................%w...*.......... FAEFEOFEEJFFENDECACACACACACACAAA. ABACFPFPENFDECFCEPFHFDEFFPFPACAB..SMB%..............................)...................).V.........:.\MAILSLOT\BROWSE.......JOHNSON.................PENTIUM4.
Packet 172.16.0.2 --> 172.16.0.255, port 138
...................i...+.......... FAEFEOFEEJFFENDECACACACACACACACA. FCEPFDEFEOEEEBEIEMCACACACACACABO..SMB%..............................!...................!.V.........2.\MAILSLOT\BROWSE.......PENTIUM4..$.............U..
0
 
LVL 7

Expert Comment

by:IceRaven
ID: 10985413
I can't see anything in there that is nasty...

A Few DNS Requests...
Zone Alarms checking for updates....
.255 is a broadcast address, which means it is broadcasting on that network.  It is broadcasting the \mailslot\browse
Which is just NetBIOS doing its thing as far as I know.  

Cheers,
IceRaven.
0
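The letter blocks such as FAEFEOFEEJFFENDECACACACACACACAAA in the port 138 packets are the NetBIOS names inside those \MAILSLOT\BROWSE datagrams, written in the RFC 1001 "first-level" encoding (each byte of a 16-byte name is split into two nibbles and each nibble becomes a letter A..P; the 16th byte is a suffix giving the name type). Decoding them is the quickest way to confirm the reply above, because they turn out to be this PC's own workstation name and the master-browser group name. The decoder below is an added example, not IPTicker's code and not from anyone in the thread; its DUMP_LINE is one payload copied verbatim from the dump above, and the suffix table lists only the common name types.

```python
"""Decode the NetBIOS names in the \\MAILSLOT\\BROWSE datagrams from the dump.

Added example; not from IPTicker or from anyone in the thread. A NetBIOS
datagram (UDP port 138) carries its source and destination names in the
RFC 1001 "first-level" encoding: each byte of the 16-byte name is split into
two nibbles and each nibble becomes a letter 'A'..'P'. Byte 16 is a suffix
that says what kind of name it is; the table below lists the common ones.
"""
import re

NAME_SUFFIXES = {
    0x00: "workstation service (computer name)",
    0x01: "master browser announcement name (__MSBROWSE__)",
    0x03: "messenger service",
    0x1B: "domain master browser",
    0x1D: "master browser (workgroup)",
    0x1E: "browser service elections (workgroup name)",
    0x20: "file server service",
}

# One datagram payload copied verbatim from the IPTicker dump in the thread.
DUMP_LINE = r".......................!.......... FAEFEOFEEJFFENDECACACACACACACAAA. ABACFPFPENFDECFCEPFHFDEFFPFPACAB..SMB%..............................)...................).V.........:.\MAILSLOT\BROWSE....'..JOHNSON.................PENTIUM4."


def decode_netbios_name(encoded):
    """Turn a 32-letter first-level encoded name into (name, suffix byte)."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("expected 32 characters in the range A..P")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    # The first 15 bytes are the name, padded with spaces; byte 16 is the suffix.
    name = raw[:15].rstrip(b" ").decode("latin-1")
    return name, raw[15]


def find_encoded_names(dump_line):
    """Pull every exact 32-letter A..P run out of one dump line."""
    return re.findall(r"(?<![A-P])[A-P]{32}(?![A-P])", dump_line)


def describe_names(dump_line):
    """Human-readable decode of all NetBIOS names in a dump line."""
    out = []
    for enc in find_encoded_names(dump_line):
        name, suffix = decode_netbios_name(enc)
        # Control bytes (the 0x01/0x02 around __MSBROWSE__) are shown as <xx>.
        shown = "".join(c if c.isprintable() else f"<{ord(c):02x}>" for c in name)
        out.append(f"{shown:<24} suffix 0x{suffix:02x}  {NAME_SUFFIXES.get(suffix, 'unknown')}")
    return out


if __name__ == "__main__":
    for line in describe_names(DUMP_LINE):
        print(line)
```

On that payload the first name decodes to PENTIUM4 with suffix 0x00 (the sending workstation) and the second to __MSBROWSE__ with suffix 0x01 (the group name browser announcements are addressed to). The same decoder applied to the other port 138 lines in the dump gives the workgroup name with suffix 0x1E. All of it is the Computer Browser service announcing itself to the LAN, which is exactly the benign "NetBIOS doing its thing" reading above.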
 
LVL 14

Expert Comment

by:JohnK813
ID: 10988102
I have a few questions on the dump.  This is mainly out of my own curiosity, so Cohokeith, IceRaven, and anyone else can answer them.

1. Is it safe to assume 172.16.0.x is associated with the ISP?
2. If so (or even if not), what are these lines for (if nothing is running besides ZA):

Packet 172.16.0.163 --> 172.16.0.2, port 53
..15.........5.....w.............255.0.16.172.in-addr.arpa.............:..K.xbru.br.ns.els-gms.att.net..rm-hostmaster.ems.att.com...............:...:.
Packet 172.16.0.163 --> 172.16.0.2, port 53
..12.........5....X..............163.0.16.172.in-addr.arpa.............(..K.xbru.br.ns.els-gms.att.net..rm-hostmaster.ems.att.com...............:...:.

I understand they're DNS, but I don't see why they would be requested at that time.
0
 
LVL 7

Expert Comment

by:IceRaven
ID: 10988258
In my understanding they are requested at that time because ZoneAlarm was doing an update. (update.zonelabs.com)

Cheers,
IceRaven.
0
 
LVL 14

Expert Comment

by:JohnK813
ID: 10988855
OK.  I saw the ZoneAlarm update, but didn't realize those two lines were part of it.
0
 

Author Comment

by:Cohokeith
ID: 10991282
Folks

My apologies:  I should have explained that as soon as I started IPTicker, ZA requested permission for 172.16.0.163 to access the internet.  It may be merely allowing IPTicker to do its job.
Also, I did not try shutting down all running processes and services last night.  I just turned off all Apps except ZA.
IceRaven:  if you are correct about .255 merely broadcasting as is intended, that's great news.  Tonight I will shut down all open apps and all wdos processes and see what IP ticker finds.

Thanks again
Cohokeith  
0
 

Author Comment

by:Cohokeith
ID: 10991393
I tried one more thing:

Key Loggers – I tried KL-Detector 10 – Please Help w/ Results Log:

This is a small free program which records all computer activities as you do several operations:
You are instructed to start the program and do several operations:
Before starting, shut down all running apps, including NAV   (scary, but I did)
Start the program and Open Notepad and type random text
Open Wordpad and type.
Open Word and type.
Open Word and insert a graphic file.
Open calculator and perform an operation.
Open Acrobat and view a graphic file.
Open a photo viewer and view a picture.
Open Wdos Media Player and view a video.
DO NOT save any files.
Access a web page on the Internet  (I kept my modem OFF...... too scary with NAV and ZA turned off)
Just in case KL-Detector-10 is nefarious, I did a system restore immediately after using it.

RESULTS Log:   (I re-sorted alphabetically)  (number strings randomly changed for my anonymity.)
===================================
Below are some file operations that were done during the monitoring process. Review them carefully and check for suspicious files.

C:\DOCUME~1\Keith\LOCALS~1\Temp was modified.
C:\DOCUME~1\Keith\LOCALS~1\Temp\Acr10.tmp was created.
C:\DOCUME~1\Keith\LOCALS~1\Temp\Acr10.tmp was modified.
C:\DOCUME~1\Keith\LOCALS~1\Temp\Acr10.tmp was removed.
C:\DOCUME~1\Keith\LOCALS~1\Temp\Acr2.tmp was created.
C:\DOCUME~1\Keith\LOCALS~1\Temp\Acr2.tmp was modified.
C:\DOCUME~1\Keith\LOCALS~1\Temp\Acr6.tmp was created.
C:\DOCUME~1\Keith\LOCALS~1\Temp\Acr6.tmp was removed.
C:\DOCUME~1\Keith\LOCALS~1\Temp\AcrA.tmp was modified.
C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Calculator.lnk was modified.

C:\Documents and Settings\Keith\Application Data\Adobe\Acrobat\6.0\AcroForm\MRUFormsList was modified.
C:\Documents and Settings\Keith\Application Data\Adobe\Acrobat\6.0\AcroForm\MRUFormsList was modified.
C:\Documents and Settings\Keith\Application Data\Adobe\Acrobat\6.0\Updater\udstore.js was modified.
C:\Documents and Settings\Keith\Application Data\Adobe\Acrobat\6.0\Updater\udstore.js was modified.
C:\Documents and Settings\Keith\Application Data\Adobe\Acrobat\6.0\Preferences\defaultHeuristics.dat was modified.
C:\Documents and Settings\Keith\Application Data\Microsoft\Media Player\01060905.wpl was removed.
C:\Documents and Settings\Keith\Application Data\Microsoft\Media Player\01060905.wpl was modified.
C:\Documents and Settings\Keith\Application Data\Microsoft\Media Player was modified.
C:\Documents and Settings\Keith\Cookies\index.dat was modified.
C:\Documents and Settings\Keith\Local Settings\Application Data\Microsoft\Media Player\wmpfolders.wmdb was modified.
C:\Documents and Settings\Keith\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_59R.wmdb was modified.
C:\Documents and Settings\Keith\Local Settings\History\History.IE5\index.dat was modified.
C:\Documents and Settings\Keith\Local Settings\Temporary Internet Files\Content.IE5\index.dat was modified.
C:\Documents and Settings\Keith\ntuser.dat.LOG was modified.
C:\Documents and Settings\Keith\Recent was modified.
C:\Documents and Settings\Keith\Recent\Vermont Winter Scene.jpg.lnk was created.

C:\Documents and Settings\Keith\Recent\DecemberSales-312.pdf.lnk was created.
C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\Savrt was modified.
C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\Savrt\0000NAV~.TMP was created.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\Savrt was modified.

C:\Program Files\ULeadPhoto\ulead32.ini was modified.
C:\Recycler\NProtect was modified.
C:\System Volume Information\_restore{3F551908-7D3C-463D-9DE1-CB19ABA0A32CA}\RP37\change.log was modified.
C:\System Volume Information\_restore{3F551908-7D3C-463D-9DE1-CB19ABA0A32CA}\RP37 was modified.
C:\WINDOWS\Prefetch was modified.
C:\WINDOWS\Prefetch\ACRORD32.EXE-20D453C1.pf was modified.
C:\WINDOWS\Prefetch\ACRORD32.EXE-20D453C1.pf was modified.
C:\WINDOWS\Prefetch\CALC.EXE-02CD773A.pf was created.
C:\WINDOWS\Prefetch\NOTEPAD.EXE-332351A9.pf was modified.
C:\WINDOWS\Prefetch\RUNDLL32.EXE-322A2984.pf was created.
C:\WINDOWS\Prefetch\WMPLAYER.EXE-18DDDEFA2.pf was created.
C:\WINDOWS\Prefetch\WMPLAYER.EXE-18DDDEFA5.pf was modified.
C:\WINDOWS\Prefetch\WORDPAD.EXE-24533381.pf was modified.
C:\WINDOWS\system32\config\software.LOG was modified.

Comment:  I think it’s mostly benign.  I notice that some NAV function was still running and I’m surprised that a VirusDefs change occurred.  I’m also surprised that cookie files changed even w/o a connection to the internet.   I assume that Wdos XP system restore was recorded?  What’s Prefetch?  
0
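The KL-Detector report above is a before/after comparison of the file system: every path that was created, modified or removed during the monitored period is listed, and the user then has to judge which entries belong to the programs they deliberately ran. The following is an added example of that technique (it is not KL-Detector's code, and the temp-directory scenario it runs is constructed): snapshot (size, mtime) for every file under a directory, repeat after the monitored period, and print the differences in the same wording as the report.

```python
"""Snapshot-and-diff file monitor in the style of KL-Detector's report.

Added example; this is not KL-Detector's code, only the technique its report
implies: record (size, mtime) for every file under a directory before the
monitored period and again after it, then report which paths were created,
modified or removed. Any program that writes what it captured to disk has
to create or modify a file, and that shows up in the diff, which is what the
exercise in the post above relies on. The demo runs in a throwaway temp
directory with a constructed scenario.
"""
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file below root to (size, mtime in ns)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                st = path.stat()
            except OSError:
                continue  # file disappeared between listing and stat
            snap[str(path)] = (st.st_size, st.st_mtime_ns)
    return snap


def diff_snapshots(before, after):
    """Report lines in the 'X was created/modified/removed.' wording."""
    report = []
    for path in after.keys() - before.keys():
        report.append(f"{path} was created.")
    for path in before.keys() - after.keys():
        report.append(f"{path} was removed.")
    for path in before.keys() & after.keys():
        if before[path] != after[path]:
            report.append(f"{path} was modified.")
    return sorted(report)


def demo(root=None):
    """Constructed session: one file edited, one deleted, one temp file made."""
    if root is None:
        with tempfile.TemporaryDirectory() as tmp:
            return demo(tmp)
    root = Path(root)
    (root / "untouched.txt").write_text("stays the same")
    (root / "notes.txt").write_text("old text")
    (root / "scratch.txt").write_text("to be deleted")
    before = snapshot(root)
    # --- monitored period: the activity the exercise asks the user to do ---
    (root / "notes.txt").write_text("old text plus what was typed")   # modified
    (root / "scratch.txt").unlink()                                     # removed
    (root / "Temp").mkdir()
    (root / "Temp" / "Acr1.tmp").write_text("temporary file")          # created
    after = snapshot(root)
    return diff_snapshots(before, after)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because the comparison is by size and modification time, a file that is rewritten with identical content in the same timestamp tick is missed; a hash per file closes that gap at the cost of reading every file twice. The report also says nothing about which process touched a path, which is why the entries in the post above (Prefetch .pf files, Acrobat temp files, Media Player databases) still have to be matched to the programs that were deliberately opened.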
 
LVL 14

Assisted Solution

by:JohnK813
JohnK813 earned 175 total points
ID: 10995380
I agree that nothing really looks out of the ordinary here.  That does look like a system restore point was created, but I'm not familiar, so I don't know for sure.

Prefetch, if I remember correctly, has to do with sending low-level instructions to the processor.
http://dictionary.reference.com/search?q=instruction%20prefetch
I'm assuming that this is a normal thing Windows does when opening a program and loading it into memory.
0
 
LVL 7

Accepted Solution

by:IceRaven
IceRaven earned 175 total points
ID: 10996207
I believe prefetch is used to preload files from the hard drive so they are quicker to access.  It is done when the computer is in an idle state.

Here is a full explanation:

http://techrepublic.com.com/5100-6270-5165773.html

Cheers,
IceRaven.
0
 

Author Comment

by:Cohokeith
ID: 11004452
Good work.  I'm pretty sure my PC is clean now and I learned a lot in this investigation.  Thanks for all the help guys.

Cohokeith
0
