Solved

Unknown Traffic

Posted on 2005-05-12
17
Medium Priority
302 Views
Last Modified: 2010-04-11
We were having some firewall issues over the last few days. In looking over our traffic we noticed that our PCs are trying to access IP address 1.14.2.12 on port 44050. Does anyone know what that could be?

Thanks
0
Question by:cusry
15 Comments
 
LVL 4

Expert Comment

by:andydis
ID: 13988222
not off hand, have you thought about sniffing the traffic?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13988300
This is a non-functioning subnet space: (1.anything.anything.anything is not valid traffic)
whois 1.14.2.12
[Querying whois.arin.net]
[whois.arin.net]

OrgName:    Internet Assigned Numbers Authority
OrgID:      IANA
Address:    4676 Admiralty Way, Suite 330
City:       Marina del Rey
StateProv:  CA
PostalCode: 90292-6695
Country:    US

NetRange:   1.0.0.0 - 1.255.255.255
CIDR:       1.0.0.0/8
NetName:    RESERVED-9
NetHandle:  NET-1-0-0-0-1
Parent:
NetType:    IANA Reserved
Comment:
RegDate:
Updated:    2002-09-12
OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName:   Internet Corporation for Assigned Names and Number
OrgAbusePhone:  +1-310-301-5820
OrgAbuseEmail:  abuse@iana.org
OrgTechHandle: IANA-IP-ARIN
OrgTechName:   Internet Corporation for Assigned Names and Number
OrgTechPhone:  +1-310-301-5820
OrgTechEmail:  abuse@iana.org
# ARIN WHOIS database, last updated 2005-05-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

I'm not sure what this might be, but it's not legit, and certainly not working. I just tried to sniff any responses to pings to that slash 8, and I get nothing back.
These IPs are the reservations of the first octet in the public IP space, the first number in the IP address, in this case one.
http://www.iana.org/assignments/ipv4-address-space (MIT has 18.x.x.x as their IP space and Ford had 19.x.x.x)
http://www.liquifried.com/docs/security/reservednets.html
These are different, they are special purpose, but the subnet you describe is reserved and not in use.
http://www.rfc-editor.org/rfc/rfc3330.txt

Locate the offending machines and run anti-virus and anti-spyware on them... if they are XP or WinME turn off System Restore BEFORE removing the pests.
-rich
0
 
LVL 3

Expert Comment

by:yehudi
ID: 13992347
This really doesn't seem to me that it is likely to be an IP.  Is it possible that you misread the firewall logs, and that this is actually a parameter which is part of a URL?  

It seems more like the sort of number that you would find in a group of statistics, or as a number denoting a section of a document, or perhaps a revision of some software or cgi script.

Perhaps you could post a portion of the log to inspect?
0
 
LVL 12

Accepted Solution

by:
kneH earned 500 total points
ID: 13994675
Well lets see which app this is then.

Download fport.exe from any of the following websites and run it in DOS.
http://freedom.dicea.unifi.it/ftp/pub/nt/fport.exe 
http://alien.eco.uninsubria.it/kla/pstools/fport.exe 
http://nic.phys.ethz.ch/files/tools/fport.exe 
http://ftp.cyut.edu.tw/patch/security-tool/fport.exe

It'll tell you which executable is running on which port.

If you need more help:
Tell us which executable it is, where it is located etc..

0
 
LVL 7

Expert Comment

by:computerfixins
ID: 14020426
slick program kneH ...nice and simple...

Type in command prompt

C:\>fport.exe > ports.txt

To make a nice notepad viewable file...:)
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 14020534
Has this information helped? Have you tracked down the PCs that are trying to send traffic to a subnet that does not route traffic? Try a traceroute, or rather, in the Windows world, a tracert:
you'll see there is no route to this destination. This traffic will not route on the public Internet. It's interesting you've found packets trying to go there; however, they'd never get too far.
Let me know if you have anymore questions regarding this traffic.
-rich
0
 
LVL 3

Expert Comment

by:yehudi
ID: 14024537
cusry

We can't help you if you don't respond...

Do you still have a problem?  Is it solved?  What's happening?
0
 
LVL 12

Expert Comment

by:kneH
ID: 14024803
Well in that case... we can assume he sorted it :)

Or it's gotten worse and he is unable to visit :x
0
 
LVL 7

Expert Comment

by:computerfixins
ID: 14028618
lol kneh

Kind of strange, I couldn't find one program that runs on 44050
0
 
LVL 3

Assisted Solution

by:veaceslavz
veaceslavz earned 500 total points
ID: 14066530
I also don't find the program or trojans on this port, but for the future the following can be useful for you (applicable for WinXP, 2k, 2003).
Start -> Run -> cmd -> netstat -o (or netstat -ao).
In the last field you'll see the PID (Process IDentifier). Then open "Task Manager" (press Ctrl+Alt+Del -> Task Manager) and in menu View -> Columns check PID.
So you will be able to see which application (or system component) opened this port.
Then you decide to uninstall the application or something else.
0
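Worked example, added here and not code from this thread, from fport, or from Microsoft's netstat: a Python script that parses Windows `netstat -ano` output the way veaceslavz's procedure above reads it, and does the two things the thread is after: map a remote endpoint such as 1.14.2.12:44050 back to the owning PID (what fport and netstat -o were suggested for), and flag destinations in reserved or special-use address space, which is Rich Rumble's whois/RFC 3330 point. The netstat text embedded below is constructed, not captured from a real host; the function and variable names are mine. The 1.0.0.0/8 entry reflects the block's 2005 status as IANA-reserved; it was allocated to APNIC in January 2010, so on a current network the static table should be replaced by a maintained bogon list.

```python
"""Parse Windows `netstat -ano` output, map a destination to its PID, and flag
connections into reserved / unrouted address space (example code for this thread,
not a tool from it)."""
import ipaddress
import re
import sys
from typing import List, NamedTuple, Optional, Set, Tuple


class Conn(NamedTuple):
    proto: str
    local: str
    remote_host: str
    remote_port: Optional[int]
    state: Optional[str]   # None for UDP, which has no State column
    pid: int


# Constructed sample in the `netstat -ano` layout of XP/2000/2003 (not captured
# from a real host); the 1.14.2.12:44050 line mirrors the question.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    192.168.1.20:1055      1.14.2.12:44050        SYN_SENT        1944
  TCP    192.168.1.20:1062      64.233.167.99:80       ESTABLISHED     2312
  TCP    192.168.1.20:1070      10.0.0.5:445           ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
"""

# One netstat row: proto, local, foreign, optional state (TCP only), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

# Special-use ranges from RFC 3330 / RFC 1918 that a workstation should not be
# reaching across the Internet, plus the 1.0.0.0/8 block the thread discusses.
# Point-in-time table (2005 view); use a maintained bogon list on a live network.
RESERVED = [
    (ipaddress.ip_network("0.0.0.0/8"), "this-network (RFC 3330)"),
    (ipaddress.ip_network("10.0.0.0/8"), "private (RFC 1918)"),
    (ipaddress.ip_network("127.0.0.0/8"), "loopback"),
    (ipaddress.ip_network("169.254.0.0/16"), "link-local"),
    (ipaddress.ip_network("172.16.0.0/12"), "private (RFC 1918)"),
    (ipaddress.ip_network("192.0.2.0/24"), "TEST-NET (documentation)"),
    (ipaddress.ip_network("192.168.0.0/16"), "private (RFC 1918)"),
    (ipaddress.ip_network("224.0.0.0/4"), "multicast"),
    (ipaddress.ip_network("240.0.0.0/4"), "reserved (class E)"),
    (ipaddress.ip_network("1.0.0.0/8"), "IANA reserved in 2005 (APNIC since 2010)"),
]


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'1.14.2.12:44050' -> ('1.14.2.12', 44050); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")          # IPv6 endpoints are bracketed on newer Windows
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # header, blank, or unrecognised line
        proto, local, remote, state, pid = m.groups()
        host, port = split_endpoint(remote)
        conns.append(Conn(proto, local, host, port, state, int(pid)))
    return conns


def classify_remote(host: str) -> Optional[str]:
    """Label for a reserved/special-use destination; None for ordinary public space."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None                  # '*' or a hostname
    if ip.is_unspecified:
        return None                  # 0.0.0.0 on LISTENING sockets is not a destination
    for net, label in RESERVED:
        if ip in net:
            return label
    return None


def pids_for_destination(conns: List[Conn], host: str, port: int) -> Set[int]:
    """The PIDs that own a socket to host:port (the Task Manager PID column step)."""
    return {c.pid for c in conns if c.remote_host == host and c.remote_port == port}


def suspicious_connections(text: str, include_private: bool = False) -> List[Tuple[int, str, str]]:
    """(pid, remote, label) for every connection into reserved space; private
    RFC 1918 destinations are normal on a LAN and are skipped unless asked for."""
    out = []
    for c in parse_netstat(text):
        label = classify_remote(c.remote_host)
        if label is None or (label.startswith("private") and not include_private):
            continue
        out.append((c.pid, f"{c.remote_host}:{c.remote_port}", label))
    return out


if __name__ == "__main__":
    # On the affected machine:  netstat -ano | python netstat_check.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for pid, remote, label in suspicious_connections(text):
        print(f"PID {pid:>6} -> {remote:<22} {label}")
    print("PIDs talking to 1.14.2.12:44050:",
          pids_for_destination(parse_netstat(text), "1.14.2.12", 44050))
```

Once the PID is known, the same Task Manager PID column (or `tasklist /fi "PID eq 1944"` on XP Pro/2003) names the executable, which is the information kneH asked the poster to report back.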
 
LVL 3

Expert Comment

by:yehudi
ID: 14074365
veaceslavz, kneH has already given him info on a much superior tool for this purpose.  This is like telling the user of a car to go back to using a horse!
0
 
LVL 3

Expert Comment

by:veaceslavz
ID: 14075190
yehudi, it's just advice if somebody needs the ad-hoc solution without third-party software.
I agree that Fport is much superior, but it is not for ad-hoc.
0
 
LVL 12

Expert Comment

by:kneH
ID: 14075616
Just curious how would netstat be ad hoc?
Doesn't show past connections does it?
0
 
LVL 3

Expert Comment

by:veaceslavz
ID: 14075650
Used without parameters, netstat displays active TCP connections.
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/netstat.mspx
0
 
LVL 12

Expert Comment

by:kneH
ID: 14076062
All semantics... I prolly have another interpretation of ad hoc :)
0
