• Status: Solved
  • Priority: Medium
  • Security: Public

What's the suspicious public Internet site 216.166.16.105 ?

Security guys scanned & found that 3 of our users' PCs are
making connections to 216.166.16.105

Q1:
What's this site?  What malicious activity will this create?

Q2:
Which Tcp/Udp port the PCs would attempt to connect to
this site on?

Q3:
How do I go about addressing this?  Do "netstat -ano" to find
if there's an "Established" connection to this IP & find
the process PID & terminate this process?   Or is there
an AV scan to be run (but my customer only endorses
Symantec AV)?
Asked by sunhux

6 Solutions
 
Neil Russell (Technical Development Lead) commented:
It belongs to YHC Corporation in Texas, USA.
See http://webipaddress.net/isp/YHC_Corporation
and
the specific IP is in use it seems by datafoundry.com
 
Neil Russell (Technical Development Lead) commented:
Run a  Netstat -ab  on a machine that connects and it will tell you what application has the connection open.
 
sunhux (Author) commented:
OK, once I've traced the app/service that's connecting to that
IP, what do I do next?  Kill the app?  How to clean it (or uninstall it?)

I think 'netstat -ab' gives the local PC's listening apps.  What if the
'infected' PC is a client app that connects to that foundry IP; it
won't show in 'netstat -ab', right?

I think 'netstat -ano | find "216.166.16.105"' would be better, right?
 
Neil Russell (Technical Development Lead) commented:
There are MANY legit reasons to be connecting to that IP. FIRST you need to identify what it is.
 
sunhux (Author) commented:
Please refer to the attached screens:

Attachment 1: shows the connection to the remote suspicious IP
Attachment 2: shows the 5 files being used by this suspicious process

This process uses little CPU; the RAM it uses appears to be on the high
side (but this could be normal).

What does anyone think of my following action plan:
a) in Safe Mode (of this Win XP touchscreen), backup &
    move away the 5 files
b) copy from a good PC (that doesn't have this issue)
     the 5 files
c) start the Social Security barcode scanner app & test again
    to see if there's still attempts to connect to this remote IP

This is to effectively isolate this malware (if any).

any other suggestions?
 
sunhux (Author) commented:
Sorry, attached the screens this time (which were missed earlier).

I thought of using Malwarebytes & SuperAntispyware to scan,
as this customer's Symantec AV scan reveals nothing.

Attachments: RemoteIPcnx.jpg, filesUsed.jpg
 
Neil Russell (Technical Development Lead) commented:
Can we see the proper full output for the netstat command without the pipe to find, please? You are not showing all the info available.
 
sunhux (Author) commented:
The 2 attachments earlier were snapped using a camera, so did not quite get
everything, but most of the things listed by 'netstat -ab' & 'netstat -ano | find
"remote_IP"'.

Just provide me your views:
If I move away/isolate the 5 files & copy from a good PC (actually a touchscreen
kiosk) the 5 files to replace them, any harm in doing so?
 
Qlemo (C++ Developer) commented:
The process you showed is a service host process, and the DLLs it uses are for time service. The port shown for netstat -ano however is HTTP. So the service host process runs several services, like LanmanWorkstation, the Event System, and many more.

If you want to get a more sophisticated view, you can use CurrPorts (http://www.nirsoft.net/utils/cports.html). This tool allows for filtering, displays the associated services for svchost.exe, and more.

If I enter the IP into a Web browser, the site displayed is http://www.pdfcomplete.com/cms/default.aspx, so I assume the connection is caused by an update service for that product.
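An added example, written for this edit in PowerShell and not code from any poster in the thread, that automates what Neil and Qlemo describe: parse `netstat -ano`, keep only sockets whose foreign address is the IP under investigation, and resolve each owning PID to its image path and, for `svchost.exe`, to the services it hosts via `tasklist /svc`. It assumes a Windows host with `netstat.exe` and `tasklist.exe` on the path and an elevated prompt so image paths are readable; it avoids PowerShell 3.0-only syntax so it also runs on the PowerShell 2.0 available for XP. The `-UseSample` switch runs the parser over a few constructed netstat lines (not a real capture) so the parsing can be checked offline.

```powershell
# Added example, not from the thread. Map sockets to a remote IP back to the
# owning process and (for svchost.exe) the services it hosts.
# Assumes: Windows with netstat.exe and tasklist.exe; run elevated so that
# image paths are readable. Avoids [pscustomobject] so PowerShell 2.0 works.
param(
    [string]$RemoteIp = '216.166.16.105',   # the IP from the question
    [switch]$UseSample                       # parse constructed lines instead of live netstat
)

# Constructed sample of `netstat -ano` output (not a real capture; 192.0.2.0/24 is a
# documentation range). PID 1024 stands in for an svchost.exe instance.
$SampleNetstat = @(
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    192.0.2.10:1054        216.166.16.105:80      ESTABLISHED     1024',
    '  TCP    192.0.2.10:1055        192.0.2.20:445         ESTABLISHED     4',
    '  UDP    0.0.0.0:123            *:*                                    1024'
)

function Get-ConnectionsToRemoteIp {
    param([string[]]$NetstatLines, [string]$Ip)
    # Columns: Proto, Local Address, Foreign Address, [State], PID.
    # UDP rows have no State column, so the PID is always read from the last field.
    foreach ($line in $NetstatLines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 4 -or $f[0] -notmatch '^(TCP|UDP)$') { continue }
        if ($f[2] -notlike "${Ip}:*") { continue }
        New-Object PSObject -Property @{
            Proto     = $f[0]
            Local     = $f[1]
            Remote    = $f[2]
            State     = $(if ($f[0] -eq 'TCP') { $f[3] } else { '-' })
            OwningPid = [int]$f[-1]
        }
    }
}

function Get-ProcessDetail {
    param([int]$ProcessId)
    $proc = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    # tasklist /svc lists the services hosted in a process; for a plain
    # executable the Services column reads "N/A". This is what turns a bare
    # svchost.exe PID into a list such as "LanmanWorkstation,EventSystem,...".
    $csv = tasklist /svc /fi "PID eq $ProcessId" /fo csv /nh 2>$null |
        ConvertFrom-Csv -Header Image, ProcessId, Services
    New-Object PSObject -Property @{
        OwningPid = $ProcessId
        Image     = $(if ($proc) { $proc.ProcessName } else { '?' })
        Path      = $(if ($proc -and $proc.Path) { $proc.Path } else { '?' })
        Services  = $(if ($csv -and $csv.Services) { $csv.Services } else { '?' })
    }
}

if ($UseSample) { $lines = $SampleNetstat } else { $lines = netstat -ano }
$hits = @(Get-ConnectionsToRemoteIp -NetstatLines $lines -Ip $RemoteIp)
if ($hits.Count -eq 0) {
    "No sockets to $RemoteIp at the moment; re-run while the suspect application is active."
}
foreach ($h in $hits) {
    $d = Get-ProcessDetail -ProcessId $h.OwningPid
    '{0,-4} {1,-22} -> {2,-22} {3,-12} PID {4} {5} [{6}] services: {7}' -f `
        $h.Proto, $h.Local, $h.Remote, $h.State, $d.OwningPid, $d.Image, $d.Path, $d.Services
}
```

Run it as `.\Find-RemoteIpOwner.ps1 -RemoteIp 216.166.16.105` (file name assumed) on a PC while the kiosk application is in use; the output gives, per socket, the PID, image path and hosted services, which answers Neil's request for the unfiltered netstat detail without a camera shot. A connection owned by `svchost.exe` is only as suspicious as the services listed beside it, which is the point Qlemo makes above.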
 
Craig Beck commented:
This is the website at that IP...

http://www.pdfcomplete.com/cms/default.aspx

Seems to be a legitimate company.  Maybe the users have installed software from this company which calls home for licencing perhaps?
 
Neil Russell (Technical Development Lead) commented:
Like I said right at the beginning, there are lots of perfectly valid sites hosted on that IP.
If you can't post the full output of nbstat without filtering then we can't see everything we need to see.
 
ahoffmann commented:
> If I move away/isolate the 5 files & copy from a good PC (actually a touchscreen
> kiosk) the 5 files to replace them, any harm in doing so?

No harm,
but what/how should this help?
If you assume that the system is infected, somehow, then the only reliable way to get rid of any infection is to set up the system from your 101% clean media (whether your backup or an install media).
 
Qlemo (C++ Developer) commented:
Those system files are, btw, protected by SFC, and cannot be exchanged easily. XP will detect changes, and replace the files with those from its local DLL storage folder.
 
ahoffmann commented:
> ... cannot ...
some people believe it ;-)
 
Craig Beck commented:
What will you get from nbtstat?  NBTSTAT is for NetBIOS and won't show you details for connections via other protocols.
 
Neil Russell (Technical Development Lead) commented:
Typo.... As I said earlier, netstat.
 
btan (Exec Consultant) commented:
Q1> As mentioned, it doesn't seem malicious, not in any blacklist. From the name, it is more like an upgrade process running in the background for the latest update to the s/w. And probably to check your licence..
http://ip.robtex.com/216.166.16.105.html
http://host.robtex.com/update.pdfcomplete.com.html#records

Q2> You can use Capsa or Process Explorer. netstat -ab should give us the path to the exe with that PID. Note that you need admin rights to run that. Another means is to have a combination of tools to track it down.
http://www.packetech.com/showthread.php?985-Find-out-which-process-application-is-using-which-TCP-UDP-port-on-Windows

Q3> As mentioned in the Q2 link above. The AV onboard the PC should be tracking this already. You may even want to have it (exe or its hash, MD5, SHA1, SHA256) submitted to VirusTotal to scan (paranoid though). The dependencies or files related to this exe can be surfaced using Dependency Walker

https://www.virustotal.com/
http://www.dependencywalker.com/

Also those associated 5 files are kernel system files; I doubt they are changed ... you can check the timestamp - and of course if there is some rootkit already in the system it is hard to tell, but there are means ... that is going down into forensics (finding if there are more of the associated processes ... and artefacts). Maybe, as I was thinking, for pdfcomplete you may want to clarify your concern with them or even go "hands-on" to capture the packets and see any leakage ... if the app encrypts those callback payloads, then we will miss out on the "leaks"

http://www.netresec.com/?page=NetworkMiner
http://taosecurity.blogspot.sg/2006/08/network-forensics-with-netwitness.html
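An added example, my own PowerShell rather than btan's, for the file-side checks he lists: for each file it reports size, last-write time, SHA-256 (the hash form to look up on VirusTotal) and the Authenticode signature state, and it can export those values to CSV and compare a suspect machine against the CSV taken from a known-good kiosk, which is the comparison sunhux wants to make without actually swapping files. The five file names are only in the screenshots, not in the thread text, so `$Files` defaults to `svchost.exe`, which Qlemo names; the DLL paths from the capture would be added on the command line. Hashing uses .NET directly so it runs on PowerShell versions that lack `Get-FileHash`.

```powershell
# Added example, not from the thread. Report hash, timestamp and signature for a
# set of system files, export them, and optionally diff against a known-good machine.
# Assumes: Windows; files are readable; Get-AuthenticodeSignature is present.
# The five DLL names from the thread's screenshots are not in the text, so the
# default list holds only svchost.exe (named by Qlemo); pass the others via -Files.
param(
    [string[]]$Files = @("$env:SystemRoot\system32\svchost.exe"),
    [string]$ExportCsv = '',      # write the report here (run this on the good kiosk first)
    [string]$ReferenceCsv = ''    # CSV produced by -ExportCsv on the good kiosk
)

function Get-Sha256Hex {
    param([string]$Path)
    # .NET hashing keeps this usable on PowerShell 2.0, which has no Get-FileHash.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($fs) } finally { $fs.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-FileReport {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -FilePath $item.FullName
    # Caveat: many Windows system files are catalog-signed, not embedded-signed.
    # Older PowerShell reports those as NotSigned, so NotSigned on a system DLL
    # means "verify via the catalog / SFC", not proof of tampering. HashMismatch,
    # however, means the embedded signature no longer matches the file contents.
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{
        Name             = $item.Name
        Path             = $item.FullName
        Length           = $item.Length
        LastWriteTimeUtc = $item.LastWriteTimeUtc.ToString('u')
        Sha256           = Get-Sha256Hex -Path $item.FullName
        Signature        = $sig.Status.ToString()
        Signer           = $signer
    }
}

function Compare-WithReference {
    param([object[]]$Reports, [string]$CsvPath)
    # Reference = the same script run on a known-good kiosk with -ExportCsv.
    $ref = @{}
    Import-Csv -Path $CsvPath | ForEach-Object { $ref[$_.Name] = $_.Sha256 }
    foreach ($r in $Reports) {
        if (-not $ref.ContainsKey($r.Name)) { $verdict = 'NOT-IN-REFERENCE' }
        elseif ($ref[$r.Name] -eq $r.Sha256) { $verdict = 'MATCH' }
        else { $verdict = 'DIFFERS' }
        '{0,-16} {1}' -f $verdict, $r.Path
    }
}

$reports = @($Files | ForEach-Object { Get-FileReport -Path $_ })
$reports | Format-Table Name, Length, LastWriteTimeUtc, Signature, Sha256 -AutoSize
if ($ExportCsv)    { $reports | Export-Csv -Path $ExportCsv -NoTypeInformation }
if ($ReferenceCsv) { Compare-WithReference -Reports $reports -CsvPath $ReferenceCsv }
```

Usage, with the script name assumed: run `.\Get-FileReport.ps1 -Files <the five paths> -ExportCsv good.csv` on the kiosk that does not show the connection, copy `good.csv` across, then run `.\Get-FileReport.ps1 -Files <the five paths> -ReferenceCsv good.csv` on the suspect PC. A `DIFFERS` line, or a `HashMismatch` signature, is what would justify the deeper forensic work btan mentions; matching hashes on all five files point back at the pdfcomplete update service as the explanation rather than at the system files.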
 
sunhux (Author) commented:
Ok, I'll check if I can uninstall pdfcomplete from that workstation first.

My apps colleague told me pdfcomplete is not required by the apps
on those workstations
 
btan (Exec Consultant) commented:
Make sure the processes are not running and are uninstalled... Sometimes the startup folder may still contain remnants, but I assume the uninstaller is doing its diligence in housekeeping.
 
sunhux (Author) commented:
Some sort of pdfcomplete is there in the kiosks