Solved

What's the suspicious public Internet site 216.166.16.105 ?

Posted on 2013-01-22
21
492 Views
Last Modified: 2013-01-29
Security guys scanned & found that 3 of our users' PCs are
making connections to 216.166.16.105

Q1:
What's this site?  What malicious activity will this create?

Q2:
Which Tcp/Udp port the PCs would attempt to connect to
this site on?

Q3:
How do I go about addressing this?  Do "netstat -ano" to find
if there's an "Established" connection to this IP, find
the process PID & terminate this process?   Or is there
an AV scan to be run (but my customer only endorses
Symantec AV)?
Question by:sunhux
21 Comments
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38805018
It belongs to YHC Corporation in Texas, USA.
See http://webipaddress.net/isp/YHC_Corporation
and
the specific IP is in use it seems by datafoundry.com
0
 
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 80 total points
ID: 38805029
Run a Netstat -ab on a machine that connects and it will tell you what application has the connection open.
0
 

Author Comment

by:sunhux
ID: 38805854
Ok, once I've traced the app/service that's connecting to that
IP, what do I do next?  Kill the app?  How to clean it (or uninstall it?)

I think 'netstat -ab' gives the local PC's listening apps.  What if the
'infected' PC is a client app that connects to that foundry IP, it
won't show in 'netstat -ab', right?

I think 'netstat -ano | find "216.166.16.105"' would be better, right?
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38810192
There are MANY legit reasons to be connecting to that IP. FIRST you need to identify what it is.
0
 

Author Comment

by:sunhux
ID: 38811127
Pls refer to attached screens:

Attachmt 1: shows the connection to the remote suspicious IP
Attachmt 2: shows the 5 files being used by this suspicious process

This process uses little CPU; the RAM it uses appears to be on the high
side (but this could be normal).

What does anyone think of my following action plan:
a) in Safe Mode (of this Win XP touchscreen), backup &
    move away the 5 files
b) copy from a good PC (that doesn't have this issue)
     the 5 files
c) start the Social Security barcode scanner app & test again
    to see if there's still attempts to connect to this remote IP

This is to effectively isolate this malware (if any).

any other suggestions?
0
 

Author Comment

by:sunhux
ID: 38811148
Sorry, attached the screens this time (which was missed earlier).

I thought of using Malwarebytes & SuperAntispyware to scan
as this customer's Symantec AV scan reveals nothing
RemoteIPcnx.jpg
filesUsed.jpg
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38811316
Can we see the proper full output for the netstat command without the pipe to find please. You are not showing all the info available.
0
 

Author Comment

by:sunhux
ID: 38822185
The 2 attachments earlier were snapped using a camera, so did not quite get
everything but most of the things listed by 'netstat -ab' & 'netstat -ano | find
"remote_IP"'

Just provide me your views:
If I move away/isolate the 5 files & copy from a good PC (actually a touchscreen
kiosk) the 5 files to replace them, any harm in doing so?
0
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 160 total points
ID: 38824158
The process you showed is a service host process, and the DLLs it uses are for time service. The port shown for netstat -ano however is HTTP. So the service host process runs several services, like LanmanWorkstation, the Event System, and many more.

If you want to get a more sophisticated view, you can use CurrPorts (http://www.nirsoft.net/utils/cports.html). This tool allows for filtering, displays the associated services for svchost.exe, and more.

If I enter the IP into a Web browser, the site displayed is http://www.pdfcomplete.com/cms/default.aspx, so I assume the connection is caused by an update service for that product.
0
 
LVL 45

Assisted Solution

by:Craig Beck
Craig Beck earned 90 total points
ID: 38824192
This is the website at that IP...

http://www.pdfcomplete.com/cms/default.aspx

Seems to be a legitimate company.  Maybe the users have installed software from this company which calls home for licencing perhaps?
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38824241
Like I said right at the beginning, there are lots of perfectly valid sites hosted on that IP.
If you can't post the full output of nbstat without filtering then we can't see everything we need to see.
0
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 70 total points
ID: 38824252
> If I move away/isolate the 5 files & copy from a good PC (actually a touchscreen
kiosk) the 5 files to replace them, any harm in doing so?

no harm
but what/how should this help?
If you assume that the system is infected, somehow, then the only reliable way to get rid of any infection is to set up the system from your 101% clean media (whether your backup or an install media).
0
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 160 total points
ID: 38824259
Those system files are, btw, protected by SFC, and cannot be exchanged easily. XP will detect changes, and replace the files with those from its local DLL storage folder.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 38824389
> ... cannot ...
some people believe it ;-)
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 38824472
What will you get from nbtstat?  NBTSTAT is for NetBIOS and won't show you details for connections via other protocols.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38824566
Typo.... As I said earlier, netstat
0
 
LVL 62

Accepted Solution

by:
btan earned 100 total points
ID: 38825525
Q1> As mentioned, it doesn't seem malicious and is not in any blacklist. From the name, it is more like an upgrade process running in the background for the latest update to the s/w, and probably to check your licence.
http://ip.robtex.com/216.166.16.105.html
 http://host.robtex.com/update.pdfcomplete.com.html#records

Q2:> You can use Capsa or Process Explorer. netstat -ab should give us the path to the exe with that PID. Note that you need admin rights to run that. Another means is to use a combination of tools to track it down.
http://www.packetech.com/showthread.php?985-Find-out-which-process-application-is-using-which-TCP-UDP-port-on-Windows

Q3:> As mentioned in the Q2 link above. The AV onboard the PC should be tracking this already. You may even want to have it (the exe or its hash: MD5, SHA1, SHA256) submitted to VirusTotal to scan (paranoid though). The dependencies or files related to this exe can be surfaced using Dependency Walker.

https://www.virustotal.com/
http://www.dependencywalker.com/ 

Also those associated 5 files are kernel system files; I doubt they are changed ... you can check the timestamp - and of course if there is some rootkit already in the system it is hard to tell, but there are means ... that is going down into forensics (finding if there are more associated processes ... and artefacts). Maybe I was thinking, for pdfcomplete, you may want to clarify your concern with them or even go "hands-on" to capture the packets and see any leakage ... if the appl encrypts those callback payloads, then we will miss out on the "leaks".

http://www.netresec.com/?page=NetworkMiner
http://taosecurity.blogspot.sg/2006/08/network-forensics-with-netwitness.html
0
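As an added example (not part of the thread, and not anything the experts above posted), here is a small Python script that does the join Neil Russell's "netstat -ab" suggestion and the Q2 answer above describe: it parses the text output of two Windows commands, "netstat -ano" and "tasklist /svc" (both run from an elevated prompt), and reports which PID, image name and hosted services own each live connection to the IP in the question. Because an svchost.exe PID hosts several services, the tasklist /svc mapping is what tells you which service (time service, LanmanWorkstation, an updater, etc.) is actually behind the PID. The two command outputs below are constructed sample text in the real commands' format; the service name "ExampleUpdater" is a constructed placeholder, not a real Windows service.

```python
"""Map connections to a remote IP back to the owning process and its services.

Added example, not from the original thread.  Run the two Windows commands
yourself and paste their text into the two sample strings (or feed the
functions file contents); the samples below are constructed for illustration.
"""
import re

SUSPECT_IP = "216.166.16.105"   # IP from the question

# Constructed sample of 'netstat -ano' output (Windows XP style).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:1094      216.166.16.105:80      ESTABLISHED     1032
  TCP    192.168.1.20:1102      192.168.1.5:445        ESTABLISHED     4
  TCP    192.168.1.20:1110      216.166.16.105:80      TIME_WAIT       0
  UDP    0.0.0.0:123            *:*                                    1032
"""

# Constructed sample of 'tasklist /svc' output.  'ExampleUpdater' is a
# placeholder service name, not a real Windows service.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    912 RpcSs
svchost.exe                   1032 EventSystem, LanmanWorkstation, W32Time,
                                   ExampleUpdater
explorer.exe                  1560 N/A
"""

# proto, local, foreign, optional state (UDP rows have none), pid
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per connection row of 'netstat -ano' output."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue                      # header / blank lines
        proto, local, foreign, state, pid = m.groups()
        # Split on the last ':' so a bracketed IPv6 address survives intact.
        host, _, port = foreign.rpartition(":")
        rows.append({"proto": proto, "local": local, "remote_ip": host,
                     "remote_port": port, "state": state or "", "pid": int(pid)})
    return rows


def _split_services(field):
    return [s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist_svc(text):
    """Return {pid: (image_name, [service, ...])} from 'tasklist /svc' output."""
    procs, current, in_table = {}, None, False
    for line in text.splitlines():
        if line.startswith("====="):
            in_table = True               # everything after the separator is data
            continue
        if not in_table or not line.strip():
            continue
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.*)$", line)
        if m:
            image, pid, services = m.groups()
            current = int(pid)
            procs[current] = (image, _split_services(services))
        elif current is not None:
            # Indented continuation line: more services for the previous PID.
            procs[current][1].extend(_split_services(line))
    return procs


def find_process_for_ip(ip, netstat_text, tasklist_text):
    """Join the two outputs on PID for every live connection to `ip`."""
    procs = parse_tasklist_svc(tasklist_text)
    hits = []
    for row in parse_netstat(netstat_text):
        if row["remote_ip"] != ip or row["pid"] == 0:
            continue                      # PID 0 rows (e.g. TIME_WAIT) have no owner
        image, services = procs.get(row["pid"], ("<not in tasklist>", []))
        hits.append({**row, "image": image, "services": services})
    return hits


if __name__ == "__main__":
    for h in find_process_for_ip(SUSPECT_IP, NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{h['proto']} {h['local']} -> {h['remote_ip']}:{h['remote_port']} "
              f"{h['state']} PID {h['pid']} {h['image']} services={h['services']}")
```

On the sample data the only live hit is PID 1032, an svchost.exe hosting W32Time, EventSystem, LanmanWorkstation and the placeholder updater; that is exactly the ambiguity the thread ran into, and the next step is to look at the listed services' binaries (Process Explorer, CurrPorts or Dependency Walker, as suggested above) rather than the svchost.exe image itself.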
 

Author Comment

by:sunhux
ID: 38827286
Ok, I'll check if I can uninstall pdfcomplete from that workstation first.

My apps colleague told me pdfcomplete is not required by the apps
on those workstations
0
 
LVL 62

Expert Comment

by:btan
ID: 38829361
Make sure the processes are not running and are uninstalled ... Sometimes the startup folder may still contain remnants, but I assumed the uninstaller is doing diligence in housekeeping.
0
 

Author Closing Comment

by:sunhux
ID: 38831308
Some sort of pdfcomplete is there in the kiosks
0
