Solved

What's the suspicious public Internet site 216.166.16.105?

Posted on 2013-01-22
Last Modified: 2013-01-29
Security guys scanned & found that 3 of our users' PCs are
making connections to 216.166.16.105

Q1:
What's this site?  What malicious activity will this create?

Q2:
Which TCP/UDP port would the PCs attempt to connect to
this site on?

Q3:
How do I go about addressing this?  Do "netstat -ano" to find
if there's an "Established" connection to this IP & find
the process PID & terminate this process?   Or is there
an AV scan to be run (but my customer only endorses
Symantec AV)?
Question by:sunhux
21 Comments
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38805018
It belongs to YHC Corporation in Texas, USA.
See http://webipaddress.net/isp/YHC_Corporation
and
the specific IP seems to be in use by datafoundry.com
 
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 80 total points
ID: 38805029
Run a netstat -ab on a machine that connects and it will tell you what application has the connection open.
 

Author Comment

by:sunhux
ID: 38805854
OK, once I've traced the app/service that's connecting to that
IP, what do I do next?  Kill the app?  How to clean it (or uninstall it)?

I think 'netstat -ab' gives the local PC's listening apps.  What if the
'infected' PC is a client app that connects to that foundry IP; it
won't show in 'netstat -ab', right?

I think 'netstat -ano | find "216.166.16.105"' would be better, right?
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38810192
There are MANY legit reasons to be connecting to that IP. FIRST you need to identify what it is.
 

Author Comment

by:sunhux
ID: 38811127
Please refer to the attached screens:

Attachment 1: shows the connection to the remote suspicious IP
Attachment 2: shows the 5 files being used by this suspicious process

This process uses little CPU; the RAM it uses appears to be on the high
side (but this could be normal).

What does anyone think of my following action plan:
a) in Safe Mode (of this Win XP touchscreen), back up &
    move away the 5 files
b) copy the 5 files from a good PC (that doesn't have this issue)
c) start the Social Security barcode scanner app & test again
    to see if there are still attempts to connect to this remote IP

This is to effectively isolate this malware (if any).

Any other suggestions?
 

Author Comment

by:sunhux
ID: 38811148
Sorry, attached the screens this time (which were missed earlier).

I thought of using Malwarebytes & SuperAntispyware to scan,
as this customer's Symantec AV scan reveals nothing.
RemoteIPcnx.jpg
filesUsed.jpg
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38811316
Can we see the proper full output for the netstat command without the pipe to find, please? You are not showing all the info available.
 

Author Comment

by:sunhux
ID: 38822185
The 2 attachments earlier were snapped using a camera, so I did not quite get
everything, but most of the things listed by 'netstat -ab' & 'netstat -ano | find
"remote_IP"'.

Just provide me your views:
If I move away/isolate the 5 files & copy the 5 files from a good PC (actually a touchscreen
kiosk) to replace them, is there any harm in doing so?
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 160 total points
ID: 38824158
The process you showed is a service host process, and the DLLs it uses are for time service. The port shown for netstat -ano however is HTTP. So the service host process runs several services, like LanmanWorkstation, the Event System, and many more.

If you want to get a more sophisticated view, you can use CurrPorts (http://www.nirsoft.net/utils/cports.html). This tool allows for filtering, displays the associated services for svchost.exe, and more.

If I enter the IP into a Web browser, the site displayed is http://www.pdfcomplete.com/cms/default.aspx, so I assume the connection is caused by an update service for that product.
 
LVL 45

Assisted Solution

by:Craig Beck
Craig Beck earned 90 total points
ID: 38824192
This is the website at that IP...

http://www.pdfcomplete.com/cms/default.aspx

Seems to be a legitimate company.  Maybe the users have installed software from this company which calls home for licencing perhaps?

 
LVL 37

Expert Comment

by:Neil Russell
ID: 38824241
Like I said right at the beginning, there are lots of perfectly valid sites hosted on that IP.
If you can't post the full output of nbstat without filtering then we can't see everything we need to see.
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 70 total points
ID: 38824252
> If I move away/isolate the 5 files & copy from a good PC (actually a touchscreen
kiosk) the 5 files to replace them, any harm in doing so?

No harm,
but what/how should this help?
If you assume that the system is infected, somehow, then the only reliable way to get rid of any infection is to set up the system from your 101% clean media (whether your backup or an install media).
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 160 total points
ID: 38824259
Those system files are, btw, protected by SFC, and cannot be exchanged easily. XP will detect changes, and replace the files with those from its local DLL storage folder.
 
LVL 51

Expert Comment

by:ahoffmann
ID: 38824389
> ... cannot ...
some people believe it ;-)
 
LVL 45

Expert Comment

by:Craig Beck
ID: 38824472
What will you get from nbtstat?  NBTSTAT is for NetBIOS and won't show you details for connections via other protocols.
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38824566
Typo.... As I said earlier, netstat
 
LVL 61

Accepted Solution

by:btan
btan earned 100 total points
ID: 38825525
Q1> As mentioned, it doesn't seem malicious; it's not in any blacklist. From the name, it looks more like an upgrade process running in the background for the latest update to the s/w, and probably to check your licence.
http://ip.robtex.com/216.166.16.105.html
http://host.robtex.com/update.pdfcomplete.com.html#records

Q2> You can use Capsa or Process Explorer. netstat -ab should give us the path to the exe with that PID. Note that you need admin rights to run that. Another means is to use a combination of tools to track it down.
http://www.packetech.com/showthread.php?985-Find-out-which-process-application-is-using-which-TCP-UDP-port-on-Windows

Q3> As mentioned in the Q2 link above. The AV onboard the PC should be tracking this already. You may even want to submit it (the exe or its hash: MD5, SHA1, SHA256) to VirusTotal to scan (paranoid, though). The dependencies or files related to this exe can be surfaced using Dependency Walker.

https://www.virustotal.com/
http://www.dependencywalker.com/

Also, those associated 5 files are kernel system files; I doubt they are changed... you can check the timestamp, and of course if there is some rootkit already in the system it is hard to tell, but there are means... that is going down into forensics (finding if there are more associated processes... and artefacts). Maybe, since I was thinking of pdfcomplete, you may want to clarify your concern with them or even go "hands-on" to capture the packets and see any leakage... if the app encrypts those callback payloads, then we will miss the "leaks".

http://www.netresec.com/?page=NetworkMiner
http://taosecurity.blogspot.sg/2006/08/network-forensics-with-netwitness.html
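As an added example (not from any poster in this thread), here is the PID-to-process join that the Q2 answer and Qlemo's svchost comment describe, done as a small Python parser over `netstat -ano` and `tasklist /svc` output; the sample output lines, addresses and service lists are constructed for illustration, not captured from the kiosk.

```python
import re
# Constructed sample of `netstat -ano` output (illustrative, not captured from the kiosk).
NETSTAT_ANO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:1049      216.166.16.105:80      ESTABLISHED     1032
  TCP    192.168.1.20:1051      216.166.16.105:80      TIME_WAIT       0
  UDP    0.0.0.0:123            *:*                                    1032
"""
# Constructed sample of `tasklist /svc` output for the same host (service names illustrative).
TASKLIST_SVC = """\
Image Name                     PID Services
System                           4 N/A
svchost.exe                   1032 EventSystem, LanmanWorkstation, W32Time
"""
# netstat row: proto, local, foreign, optional state (UDP rows have none), PID.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.+?)\s*$")   # image, PID, services

def parse_netstat(text):
    rows = []
    for m in filter(None, map(NETSTAT_RE.match, text.splitlines())):
        proto, local, foreign, state, pid = m.groups()
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state or "", "pid": int(pid)})
    return rows

def parse_tasklist_svc(text):
    """Map PID -> image name plus the services it hosts (empty for plain processes)."""
    procs = {}
    for m in filter(None, map(TASKLIST_RE.match, text.splitlines())):
        svc = m.group(3)
        procs[int(m.group(2))] = {"image": m.group(1),
                                  "services": [] if svc == "N/A" else [s.strip() for s in svc.split(",")]}
    return procs

def connections_to(netstat_text, tasklist_text, remote_ip):
    """Every socket whose foreign host is remote_ip, joined to its owning process."""
    procs = parse_tasklist_svc(tasklist_text)
    hits = []
    for row in parse_netstat(netstat_text):
        host, _, port = row["foreign"].rpartition(":")   # rpartition keeps [IPv6]:port intact
        if host.strip("[]") != remote_ip:
            continue
        proc = procs.get(row["pid"])
        # PID 0 (e.g. TIME_WAIT) has no live owner; a PID absent from tasklist has already exited.
        image = proc["image"] if proc else ("<no owner>" if row["pid"] == 0 else "<exited>")
        hits.append({"proto": row["proto"], "port": int(port), "state": row["state"],
                     "pid": row["pid"], "image": image, "services": proc["services"] if proc else []})
    return hits
```

The hosted service list is kept on purpose: for a shared svchost.exe the image name alone does not say which service opened the socket, which is why the thread goes on to tools like CurrPorts or Process Explorer.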
 

Author Comment

by:sunhux
ID: 38827286
Ok, I'll check if I can uninstall pdfcomplete from that workstation first.

My apps colleague told me pdfcomplete is not required by the apps
on those workstations
 
LVL 61

Expert Comment

by:btan
ID: 38829361
Make sure the processes are not running and are uninstalled... Sometimes the startup folder may still contain remnants, but I assume the uninstaller does its diligence in housekeeping.
 

Author Closing Comment

by:sunhux
ID: 38831308
Some sort of pdfcomplete is there in the kiosks