From: George Orwell on 26 Feb 2010 08:12

"ASCII" <me2(a)privacy.net> wrote in message news:4b8559bd.4175609(a)EDCBIC...

> at least I have a warmer fuzzier feeling about it.

That's only because you pissed your pants again.

The sender address of this message is not related to a real person but to a fake address of an anonymous system. For more info: https://www.mixmaster.it
From: RayLopez99 on 27 Feb 2010 05:05

On Feb 21, 8:34 pm, "Ant" <n...(a)home.today> wrote:
>
> The IP address (124.120.170.40) associated with that generically-named
> host belongs to trueinternet.co.th, an ISP in Thailand. It's the kind
> of name that gets assigned to home user IPs.
>
> You should be highly suspicious of it. Find out what process owns the
> connection.

I think I detect a pattern (I am researching it now). These kinds of funny addresses seem to appear when I'm connected to the internet by firing up a browser. So, like you suggested in another post, it could be something "innocent" like a request to the browser to ping this remote site (for marketing purposes). But how they would get a browser to ping is not clear to me; it's a programming detail that's probably possible.

Of course the simpler explanation is that there is an undetectable virus (that escaped my antivirus program) that is alive in my system and attempts to 'dial out', but is blocked by the firewall. Why it springs up at certain times is of course simply due to the way it is programmed, to act irregularly.

All of this is new to me--I always assumed that with firewalls you can set them up and forget them. I did not realize you have to monitor them--a lot of work. There should be a better way (set up and forget).

RL
From: Ant on 27 Feb 2010 08:53

"RayLopez99" wrote:
> I think I detect a pattern (I am researching it now). These kind of
> funny addresses seem to appear when I'm connected to the internet by
> firing up a browser.

Perhaps it's a BHO (Browser Helper Object). Sysinternals' AutoRuns will show those.

> So, like you suggested in another post, it could
> be something "innocent" like a request to the browser to ping this
> remote site (for marketing purposes). But how they would get a
> browser to ping is not clear to me, but it's a programming detail
> that's probably possible.

It could be a normal HTTP request via script or an HTML element which pointed to the host. The link in the page source might look something like this:

http://123.456.789.255:33137/stat.php?id=xyz

That's an invalid IP address, by the way, but the port (33137) is unconventional and would be the reason why testing for a web server on that host (at the usual port 80) would fail.
From: Ant on 27 Feb 2010 10:19

"Ant" wrote:
>> So, like you suggested in another post, it could
>> be something "innocent" like a request to the browser to ping this
>> remote site (for marketing purposes). But how they would get a
>> browser to ping is not clear to me, but it's a programming detail
>> that's probably possible.
>
> It could be a normal HTTP request via script or an HTML element which
> pointed to the host. The link in the page source might look something
> like this:
> http://123.456.789.255:33137/stat.php?id=xyz
>
> That's an invalid IP address, by the way, but the port (33137) is
> unconventional and would be the reason why testing for a web server
> on that host (at the usual port 80) would fail.

On second thoughts, that would register as incoming traffic, so I may be mistaken about the possibility of affiliate clicks generating unexpected outgoing packets.

Anyway, I see you've found the likely culprit - Skype. Their protocol is proprietary so you would have to trust their motives for making these connections. Since you're blocking them and, presumably, Skype still works, all should be well.
From: RayLopez99 on 27 Feb 2010 13:56

On Feb 27, 5:19 pm, "Ant" <n...(a)home.today> wrote:
> Anyway, I see you've found the likely culprit - Skype. Their protocol
> is proprietory so you would have to trust their motives for making
> these connections. Since you're blocking them and, presumably Skype
> still works, all should be well.

Yes, that's the only thing I could think of other than undetected/undetectable malware, and BHOs (which you say will generate a download UDP, so there should be some symmetry in IP addresses, which there is not in my log).

BTW this stuff seems to happen around 7:30 pm and when I fire up the machine, but not in the account that does not have Skype (the Admin account), so that further fingers Skype as the culprit. Since Skype works despite the blocked UDPs, like you say, it's not a big deal but I will continue to monitor it.

Thanks Ant, you have been a big help. Without you I never would have even thought about the firewall... Now back to my programming project (doing an ASP.NET project now involving a web service).

RL
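One way to pull the pattern discussed in this thread out of a firewall log (repeated blocked outbound UDP to one remote host, the hours of day it shows up, and whether that host also appears as an inbound source, i.e. the "symmetry" question above). This is an added example, not code from anyone in the thread; it assumes the Windows Firewall pfirewall.log column layout and uses constructed sample lines with documentation-range addresses plus the 124.120.170.40 address mentioned above.

```python
from collections import Counter, defaultdict

# Constructed sample log in the Windows Firewall (pfirewall.log) field layout
# (assumed layout); 124.120.170.40 is the address from the thread, the other
# remotes are documentation-range addresses.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2010-02-27 19:31:02 DROP UDP 192.168.1.5 124.120.170.40 55123 33137 78 - - - - - - - SEND
2010-02-27 19:31:05 DROP UDP 192.168.1.5 124.120.170.40 55123 33137 78 - - - - - - - SEND
2010-02-27 19:32:10 DROP UDP 192.168.1.5 203.0.113.9 55123 41000 62 - - - - - - - SEND
2010-02-27 19:32:11 DROP UDP 203.0.113.9 192.168.1.5 41000 55123 90 - - - - - - - RECEIVE
2010-02-27 19:40:44 ALLOW TCP 192.168.1.5 198.51.100.20 49200 80 0 - 0 0 0 - - - SEND
2010-02-28 07:02:13 DROP UDP 192.168.1.5 124.120.170.40 55123 33137 78 - - - - - - - SEND
"""

def parse_firewall_log(text):
    """Yield one dict per entry, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, parts))

def summarise_blocked_udp(text):
    """Per remote host with blocked outbound UDP: hit count, destination ports,
    hours of day seen, and whether the host also appears as an inbound source."""
    entries = list(parse_firewall_log(text))
    inbound_sources = {e["src-ip"] for e in entries if e["path"] == "RECEIVE"}
    summary = defaultdict(
        lambda: {"hits": 0, "ports": set(), "hours": Counter(), "also_inbound": False})
    for e in entries:
        if not (e["action"] == "DROP" and e["protocol"] == "UDP" and e["path"] == "SEND"):
            continue
        s = summary[e["dst-ip"]]
        s["hits"] += 1
        s["ports"].add(int(e["dst-port"]))
        s["hours"][int(e["time"][:2])] += 1  # hour of day, e.g. 19 for 7:30 pm
        s["also_inbound"] = e["dst-ip"] in inbound_sources
    return dict(summary)

if __name__ == "__main__":
    for host, s in sorted(summarise_blocked_udp(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["hits"]):
        print(host, s["hits"], sorted(s["ports"]), dict(s["hours"]),
              "also seen inbound" if s["also_inbound"] else "outbound only")
```

A host that is hit repeatedly at the same hours, on one odd port, and never shows up inbound is the one to match against the owning process (for example, whether it only appears in the account where Skype runs).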