Solved

What's the suspicious public Internet site 216.166.16.105 ?

Posted on 2013-01-22
21
Medium Priority
513 Views
Last Modified: 2013-01-29
Security guys scanned & found that 3 of our users' PCs are
making connections to 216.166.16.105

Q1:
What's this site?  What malicious activity will this create?

Q2:
Which Tcp/Udp port the PCs would attempt to connect to
this site on?

Q3:
How do I go about addressing this?  Do "netstat -ano" to find
if there's an "Established" connection to this IP & find
the process PID & terminate this process?   Or is there
an AV scan to be run (but my customer only endorses
Symantec AV)?
Question by:sunhux
21 Comments
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38805018
It belongs to YHC Corporation in Texas, USA.
See http://webipaddress.net/isp/YHC_Corporation
and
the specific IP is in use it seems by datafoundry.com
0
 
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 320 total points
ID: 38805029
Run a netstat -ab on a machine that connects and it will tell you what application has the connection open.
0
 

Author Comment

by:sunhux
ID: 38805854
Ok, once I've traced the app/service that's connecting to that
IP, what do I do next?  Kill the app?  How do I clean it (or uninstall it)?

I think 'netstat -ab' gives the local PC's listening apps.  What if the
'infected' PC is a client app that connects to that foundry IP? It
won't show in 'netstat -ab', right?

I think 'netstat -ano | find "216.166.16.105"' would be better, right?
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38810192
There are MANY legit reasons to be connecting to that IP. FIRST you need to identify what it is.
0
 

Author Comment

by:sunhux
ID: 38811127
Pls refer to attached screens:

Attachment 1: shows the connection to the remote suspicious IP
Attachment 2: shows the 5 files being used by this suspicious process

This process uses little CPU; the RAM it uses appears to be on the high
side (but this could be normal).

What does anyone think of my following action plan:
a) in Safe Mode (of this Win XP touchscreen), backup &
    move away the 5 files
b) copy from a good PC (that doesn't have this issue)
     the 5 files
c) start the Social Security barcode scanner app & test again
    to see if there are still attempts to connect to this remote IP

This is to effectively isolate this malware (if any).

Any other suggestions?
0
 

Author Comment

by:sunhux
ID: 38811148
Sorry, attaching the screens this time (which were missed earlier).

I thought of using Malwarebytes & SuperAntispyware to scan,
as this customer's Symantec AV scan reveals nothing.
RemoteIPcnx.jpg
filesUsed.jpg
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38811316
Can we see the proper full output for the netstat command without the pipe to find, please? You are not showing all the info available.
0
 

Author Comment

by:sunhux
ID: 38822185
The 2 attachments earlier were snapped using a camera, so they did not quite get
everything, but most of the things listed by 'netstat -ab' & 'netstat -ano | find
"remote_IP"'.

Just provide me your views:
If I move away/isolate the 5 files & copy from a good PC (actually a touchscreen
kiosk) the 5 files to replace them, any harm in doing so?
0
 
LVL 71

Assisted Solution

by:Qlemo
Qlemo earned 640 total points
ID: 38824158
The process you showed is a service host process, and the DLLs it uses are for time service. The port shown for netstat -ano however is HTTP. So the service host process runs several services, like LanmanWorkstation, the Event System, and many more.

If you want to get a more sophisticated view, you can use CurrPorts (http://www.nirsoft.net/utils/cports.html). This tool allows for filtering, displays the associated services for svchost.exe, and more.

If I enter the IP into a Web browser, the site displayed is http://www.pdfcomplete.com/cms/default.aspx, so I assume the connection is caused by an update service for that product.
0
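The two checks discussed in this thread, sunhux's `netstat -ano | find "216.166.16.105"` and Qlemo's point that the PID belongs to a svchost.exe hosting many services, combine naturally: join the `netstat -ano` rows for the remote IP with the `tasklist /svc` row for the same PID, so you see which services that svchost instance actually hosts before deciding anything. The script below is an added example, not code from the thread or from any tool named in it. The `netstat -ano` and `tasklist /svc` text it parses is a constructed sample embedded inline (the remote IP is the one from the question; ports, PIDs and the `pdfupdater.exe` name are made up), so it runs offline; `run_live()` shows how the same parsers would be fed from the real commands on a Windows host.

```python
"""Correlate `netstat -ano` connections with `tasklist /svc` service lists.

Added example, not code from the original thread or from any tool named in it.
The command output below is a constructed sample (remote IP from the thread;
ports, PIDs and process names invented) so the script runs offline.
"""
import re
import subprocess

# Constructed sample of `netstat -ano` output.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  TCP    10.1.2.33:139          0.0.0.0:0              LISTENING       4
  TCP    10.1.2.33:1088         216.166.16.105:80      ESTABLISHED     1044
  TCP    10.1.2.33:1091         216.166.16.105:80      TIME_WAIT       0
  UDP    0.0.0.0:123            *:*                                    1044
"""

# Constructed sample of `tasklist /svc` output for the same host. Long service
# lists wrap onto continuation lines, as the real command prints them.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    924 RpcSs
svchost.exe                   1044 Browser, CryptSvc, Dhcp, EventSystem,
                                   LanmanWorkstation, W32Time, wuauserv
pdfupdater.exe                1500 N/A
"""

# Proto, local, foreign, optional state (UDP rows have none), PID.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
# Image name, PID, first chunk of the services column.
TASKLIST_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")


def parse_netstat(text):
    """Return one dict per TCP/UDP row of `netstat -ano`; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state or "", "pid": int(pid)})
    return rows


def _split_services(chunk):
    return [s.strip() for s in chunk.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist_svc(text):
    """Return {pid: {"image": name, "services": [...]}} from `tasklist /svc`."""
    procs, last_pid = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("="):
            continue
        m = TASKLIST_RE.match(line)
        if m:
            image, pid, services = m.groups()
            last_pid = int(pid)
            procs[last_pid] = {"image": image, "services": _split_services(services)}
        elif line.startswith(" ") and last_pid is not None:
            # Wrapped continuation of the previous row's service list.
            procs[last_pid]["services"].extend(_split_services(line))
    return procs


def connections_to(netstat_text, tasklist_text, remote_ip):
    """Rows whose foreign host is remote_ip, joined to the process that owns the PID."""
    procs = parse_tasklist_svc(tasklist_text)
    hits = []
    for conn in parse_netstat(netstat_text):
        host = conn["remote"].rsplit(":", 1)[0]
        if host != remote_ip:
            continue
        # PID 0 (e.g. TIME_WAIT leftovers) has no owning process in the task list.
        proc = procs.get(conn["pid"], {"image": "<no such PID>", "services": []})
        hits.append({**conn, "image": proc["image"], "services": list(proc["services"])})
    return hits


def run_live(remote_ip):
    """Windows only: feed the parsers from the real commands (admin rights give full PID data)."""
    netstat = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    tasklist = subprocess.run(["tasklist", "/svc"], capture_output=True, text=True).stdout
    return connections_to(netstat, tasklist, remote_ip)


if __name__ == "__main__":
    for hit in connections_to(NETSTAT_SAMPLE, TASKLIST_SAMPLE, "216.166.16.105"):
        print(f"{hit['proto']} {hit['local']} -> {hit['remote']} {hit['state']:<12} "
              f"PID {hit['pid']} {hit['image']} services={hit['services']}")
```

On the sample the ESTABLISHED row resolves to PID 1044, a svchost.exe hosting seven services including W32Time and LanmanWorkstation, which is exactly why the PID alone does not identify the caller; the TIME_WAIT row carries PID 0 and resolves to nothing. From there, CurrPorts or Process Explorer (both mentioned in the thread) or `tasklist /svc` narrowing is the next step, not killing the host process.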
 
LVL 47

Assisted Solution

by:Craig Beck
Craig Beck earned 360 total points
ID: 38824192
This is the website at that IP...

http://www.pdfcomplete.com/cms/default.aspx

Seems to be a legitimate company.  Maybe the users have installed software from this company which calls home for licencing perhaps?
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38824241
Like I said right at the beginning, there are lots of perfectly valid sites hosted on that IP.
If you can't post the full output of nbstat without filtering then we can't see everything we need to see.
0
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 280 total points
ID: 38824252
> If I move away/isolate the 5 files & copy from a good PC (actually a touchscreen
kiosk) the 5 files to replace them, any harm in doing so?

no harm
but what/how should this help?
If you assume that the system is infected, somehow, then the only reliable way to get rid of any infection is to set up the system from your 101% clean media (whether your backup or an install media).
0
 
LVL 71

Assisted Solution

by:Qlemo
Qlemo earned 640 total points
ID: 38824259
Those system files are, btw, protected by SFC, and cannot be exchanged easily. XP will detect changes, and replace the files with those from its local DLL storage folder.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 38824389
> ... cannot ...
some people believe it ;-)
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 38824472
What will you get from nbtstat?  NBTSTAT is for NetBIOS and won't show you details for connections via other protocols.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38824566
Typo.... As i said earlier, netstat
0
 
LVL 65

Accepted Solution

by:btan
btan earned 400 total points
ID: 38825525
Q1> As mentioned, it doesn't seem malicious, not in any blacklist. From the name, it looks more like an upgrade process running in the background for the latest update to the s/w. And probably to check your licence..
http://ip.robtex.com/216.166.16.105.html
http://host.robtex.com/update.pdfcomplete.com.html#records

Q2:> You can use Capsa or Process Explorer. netstat -ab should give us the path to the exe with that PID. Note that you need admin rights to run that. Another means is to have a combination of tools to track it down.
http://www.packetech.com/showthread.php?985-Find-out-which-process-application-is-using-which-TCP-UDP-port-on-Windows

Q3:> As mentioned in the Q2 link above. The AV onboard the PC should be tracking this already. You may even want to submit it (the exe or its hash: MD5, SHA1, SHA256) to VirusTotal to scan (paranoid though). The dependencies or files related to this exe can be surfaced using Dependency Walker.

https://www.virustotal.com/
http://www.dependencywalker.com/

Also those associated 5 files are kernel system files; I doubt they are changed... you can check the timestamp. And of course if there is some rootkit already in the system it is hard to tell, but there are means... that is going down into forensics (finding if there are more associated processes... and artefacts). Maybe, as I was thinking, for pdfcomplete you may want to clarify your concern with them, or even go "hands-on" to capture the packets and see any leakage... if the app encrypts those callback payloads, then we will miss the "leaks".

http://www.netresec.com/?page=NetworkMiner
http://taosecurity.blogspot.sg/2006/08/network-forensics-with-netwitness.html
0
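btan's suggestion to hash the files (MD5, SHA1, SHA256) and check their timestamps, and sunhux's plan to compare the 5 files against a good kiosk, amount to the same check: fingerprint each file on a machine believed to be clean, then see whether the same file on the suspect machine differs in content, in timestamp only, or is missing. The script below is an added example, not code from the thread. It hashes each file in one pass with all three algorithms and compares against a baseline; the two directories and the `*_placeholder.dll` names in `demo()` are constructed placeholders so it runs offline (the thread never names the 5 files). On real hosts you would point `build_baseline()` at the good kiosk and `compare()` at the suspect one.

```python
"""Compare hashes and timestamps of files on a suspect PC with a known-good PC.

Added example, not code from the original thread. File names and contents in
demo() are constructed placeholders; the check itself (MD5/SHA1/SHA256 plus
mtime against a clean baseline) is the one the thread describes.
"""
import hashlib
import io
import os
import tempfile

ALGOS = ("md5", "sha1", "sha256")


def _digest(stream, chunk_size=1 << 16):
    """Read the stream once, feeding all three hashers from the same chunks."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    return _digest(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as f:
        return _digest(f)


def fingerprint(path):
    st = os.stat(path)
    # mtime truncated to whole seconds so two hosts with different clock
    # resolution still compare equal for an untouched file.
    return {"size": st.st_size, "mtime": int(st.st_mtime), **hash_file(path)}


def build_baseline(good_dir, names):
    """Fingerprints of the named files on the machine believed to be clean."""
    return {name: fingerprint(os.path.join(good_dir, name)) for name in names}


def compare(baseline, suspect_dir):
    """(file, verdict) for every baseline file that deviates on the suspect host."""
    findings = []
    for name, ref in baseline.items():
        path = os.path.join(suspect_dir, name)
        if not os.path.exists(path):
            findings.append((name, "missing"))
            continue
        cur = fingerprint(path)
        if cur["sha256"] != ref["sha256"]:
            findings.append((name, "content differs"))
        elif cur["mtime"] != ref["mtime"]:
            # Same bytes, different timestamp: touched (e.g. SFC restore), not altered.
            findings.append((name, "same content, different timestamp"))
    return findings


def _write(directory, name, data, mtime):
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(data)
    os.utime(path, (mtime, mtime))


def demo():
    """Constructed scenario: four placeholder DLLs; one identical, one with
    altered bytes, one re-timestamped only, one missing on the suspect host."""
    base = 1358000000  # arbitrary fixed mtime (January 2013)
    names = ["a_placeholder.dll", "b_placeholder.dll", "c_placeholder.dll", "d_placeholder.dll"]
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as suspect:
        for d in (good, suspect):
            _write(d, names[0], b"identical bytes", base)
        _write(good, names[1], b"original code", base)
        _write(suspect, names[1], b"original code plus something", base)
        _write(good, names[2], b"same bytes", base)
        _write(suspect, names[2], b"same bytes", base + 86400)
        _write(good, names[3], b"only on the good host", base)
        return compare(build_baseline(good, names), suspect)


if __name__ == "__main__":
    for name, verdict in demo():
        print(f"{name}: {verdict}")
```

A file that matches the baseline on all three hashes is the same file regardless of what the process list says about it; a "same content, different timestamp" verdict is consistent with Qlemo's point that XP's SFC restores protected files from its local cache, and a "content differs" verdict is the one worth submitting the hash to VirusTotal for. The SHA256 value (not the weaker MD5 or SHA1) drives the verdict; the other two are recorded only because VirusTotal accepts any of them.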
 

Author Comment

by:sunhux
ID: 38827286
Ok, I'll check if I can uninstall pdfcomplete from that workstation first.

My apps colleague told me pdfcomplete is not required by the apps
on those workstations
0
 
LVL 65

Expert Comment

by:btan
ID: 38829361
Make sure the processes are not running and are uninstalled. Sometimes the startup folder may still contain remnants, but I assume the uninstaller does its diligence in housekeeping.
0
 

Author Closing Comment

by:sunhux
ID: 38831308
Some sort of pdfcomplete is there in the kiosks.
0
