sunhux

asked on

What's the suspicious public Internet site 216.166.16.105 ?

Security guys scanned & found that 3 of our users' PCs are
making connections to 216.166.16.105

Q1:
What's this site?  What malicious activity will this create?

Q2:
Which TCP/UDP port would the PCs attempt to connect to
this site on?

Q3:
How do I go about addressing this?  Do "netstat -ano" to find
if there's an "Established" connection to this IP & find
the process PID & terminate this process?   Or is there
an AV scan to be run (but my customer only endorses
Symantec AV)?
Neil Russell

It belongs to YHC Corporation in Texas, USA.
See http://webipaddress.net/isp/YHC_Corporation
and
the specific IP is in use it seems by datafoundry.com
SOLUTION
Neil Russell
sunhux

ASKER

Ok, once I've traced the app/service that's connecting to that
IP, what do I do next?  Kill the app?  How to clean it (or uninstall it?)

I think 'netstat -ab' gives the local PC's listening apps.  What if the
'infected' PC is a client app that connects to that foundry IP, it
won't show in 'netstat -ab', right?

I think 'netstat -ano | find "216.166.16.105"' would be better, right?
There are MANY legit reasons to be connecting to that IP. FIRST you need to identify what it is.
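The identification step both posters are circling (which local process owns a connection to the remote IP, before anything is killed) can be done from the same two Windows commands without eyeballing the output. The script below is an added example for this thread, not code posted by anyone in it. It parses the text of `netstat -ano` (every socket with its owning PID, as in the asker's command) and `tasklist /FO CSV /NH` (PID to image name), then lists every row whose foreign address is the IP in question, in any state, since a SYN_SENT or TIME_WAIT entry is also evidence of an attempt. The sample outputs, the local addresses and the process name `example_app.exe` are constructed for the example.

```python
"""Triage helper: which local processes are talking to a given remote IP?

Added example for this thread (not anyone's posted code). Parses the text of
`netstat -ano` and `tasklist /FO CSV /NH`; the samples below are constructed.
"""
import csv
import io
import re
import subprocess
import sys

# Constructed sample of `netstat -ano` output (Windows XP/7 layout).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    10.0.0.15:1432         216.166.16.105:80      ESTABLISHED     2516
  TCP    10.0.0.15:1433         216.166.16.105:443     SYN_SENT        2516
  TCP    10.0.0.15:1440         10.0.0.2:445           ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    1120
"""

# Constructed sample of `tasklist /FO CSV /NH` output; example_app.exe is a placeholder name.
SAMPLE_TASKLIST = '''"System","4","Console","0","236 K"
"svchost.exe","892","Console","0","4,572 K"
"lsass.exe","1120","Console","0","6,104 K"
"example_app.exe","2516","Console","0","18,440 K"
'''

# proto, local, foreign, optional state (UDP rows have none), PID
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per socket row of `netstat -ano`; headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line.rstrip())
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /FO CSV /NH`."""
    names = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names


def connections_to(rows, remote_ip):
    """Rows whose foreign host is remote_ip, in ANY state (attempts count too)."""
    return [r for r in rows if r["foreign"].rsplit(":", 1)[0] == remote_ip]


def triage(netstat_text, tasklist_text, remote_ip):
    """(proto, local, foreign, state, pid, image) for every match, PID resolved."""
    names = parse_tasklist_csv(tasklist_text)
    hits = connections_to(parse_netstat(netstat_text), remote_ip)
    return [(r["proto"], r["local"], r["foreign"], r["state"], r["pid"],
             names.get(r["pid"], "<unknown>")) for r in hits]


def main(remote_ip):
    # On Windows collect live output; elsewhere fall back to the constructed samples.
    if sys.platform == "win32":
        net = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
        tl = subprocess.run(["tasklist", "/FO", "CSV", "/NH"], capture_output=True, text=True).stdout
    else:
        net, tl = SAMPLE_NETSTAT, SAMPLE_TASKLIST
    for proto, local, foreign, state, pid, name in triage(net, tl, remote_ip):
        print(f"{proto:4} {local:22} {foreign:22} {state or '-':12} PID {pid} {name}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "216.166.16.105")
```

Run it as an administrator with the IP as its argument; without elevation `netstat -ano` may report PID 0 for sockets it cannot attribute. The output only names the owning image; what that image is (a vendor component, a legitimate client, or something unexpected) still has to be checked before deciding to uninstall or terminate it, which is the point Neil makes above.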

ASKER

Please refer to the attached screens:

Attachment 1: shows the connection to the remote suspicious IP
Attachment 2: shows the 5 files being used by this suspicious process

This process uses little CPU; the RAM it uses appears to be on the high
side (but this could be normal).

What does anyone think of my following action plan:
a) in Safe Mode (of this Win XP touchscreen), backup &
    move away the 5 files
b) copy from a good PC (that doesn't have this issue)
     the 5 files
c) start the Social Security barcode scanner app & test again
    to see if there's still attempts to connect to this remote IP

This is to effectively isolate this malware (if any).

Any other suggestions?

ASKER

Sorry, attached the screens this time (which were missed earlier).

I thought of using Malwarebytes & SuperAntispyware to scan
as this customer's Symantec AV scan reveals nothing
RemoteIPcnx.jpg
filesUsed.jpg
Can we see the proper full output for the netstat command without the pipe to find, please? You are not showing all the info available.

ASKER

The 2 attachments earlier are snapped using a camera, so did not quite get
everything but most of the things listed by 'netstat -ab' & 'netstat -ano | find
"remote_IP" '

Just provide me your views:
If I move away/isolate the 5 files & copy from a good PC (actually a touchscreen
kiosk) the 5 files to replace them, any harm in doing so?
SOLUTION
Qlemo
SOLUTION
Like I said right at the beginning, there are lots of perfectly valid sites hosted on that IP.
If you can't post the full output of nbstat without filtering then we can't see everything we need to see.
SOLUTION
SOLUTION
> ... cannot ...
some people believe it ;-)
What will you get from nbtstat?  NBTSTAT is for NetBIOS and won't show you details for connections via other protocols.
Typo.... As I said earlier, netstat
ASKER CERTIFIED SOLUTION

ASKER

Ok, I'll check if I can uninstall pdfcomplete from that workstation first.

My apps colleague told me pdfcomplete is not required by the apps
on those workstations
Make sure the processes are not running and uninstalled. Sometimes the startup folder may still contain remnants, but I assumed the uninstaller is doing diligence in housekeeping.

ASKER

Some sort of pdfcomplete is there in the kiosks