CmmTch
join:2002-08-10 High Ridge, MO
computer trying to send to dslreports?
ZAP5 alert showing my PC is trying to send a TCP packet to dslreports.com. I saw the alert icon flashing, double clicked the ZA icon to check the alert. About every three minutes, something in my computer is trying to send packets to dslreports.com. Any ideas or suggestions?
W2K Pro OS, Cayman 3220-H, V6.3 R7, ZAP 5.0.590, NAV2000 subscribed for updated definitions, use Ad-Aware, and have SpywareBlaster installed.

Drunkula Premium join:2000-06-12 Denton, TX
It looks like you got ZA buttoned up too tight! There is no mystery there. That is only an outbound HTTP connection to BBR, but ZA is complaining about it for some reason.
-- I just love scanning for lifeforms!

army dude Premium,MVM join:2002-12-17 The Internet
Also, it says it blocked the connection... how were you able to post here if the connection was blocked (I wonder)...

Owlbet Ignite the Ice Premium,MVM join:2002-09-24 Palmer, AK
reply to CmmTch
It would be nice to see the whole IP # and the name that appears in the Source DNS column in ZAP Alerts. I don't disbelieve you per se, but more evidence is warranted.
PS. I see the whole IP # at the bottom of your screenshot. I guess I could do an nslookup of that number, so never mind me.

TheWiseGuy Dog And Butterfly Premium,MVM join:2002-07-04 Yonkers, NY
reply to CmmTch
Seems to be going around.
»ZA Logging attempts to reach DSLR??
None of the logs show a program; maybe if you run netstat or one of the other port programs it will give the program. Anything look familiar in the running processes posted in the other thread?
-- Dog and Butterfly

CmmTch
join:2002-08-10 High Ridge, MO
reply to CmmTch
The only thing that has changed is the update of ZAP to ver 5. I have no problem surfing, and no problems with this site either. Before this started on Wed. at 20:52, the only firewall occurrences were ICMP packets on 5-5-04.

CmmTch
join:2002-08-10 High Ridge, MO
reply to TheWiseGuy
Thanks for the link to the other thread, it appears to be the exact same problem. This is going on while I'm not even at home, no browsers open, the PC is on all the time. Here is a screenshot of netstat and netstat -a, and running processes.

TheWiseGuy Dog And Butterfly Premium,MVM join:2002-07-04 Yonkers, NY
If you can, try running
netstat -ano
right after the alert.
-- Dog and Butterfly

quazimoto
join:2003-05-27 Longwood, FL
reply to CmmTch
The exact same thing happened to me about a week and a half ago, never really got a good explanation as to why. I also run ZA Pro 5.0 along with NAV2004, Spybot, Ad-Aware, TrojanHunter and a Netgear router. It was like I was running a security scan, only my computer was the one trying to do the scanning, if that makes any sense; they were all originating from my 'puter trying to contact dslreports. Checked my netstat and there was nothing unusual.

CmmTch
join:2002-08-10 High Ridge, MO
reply to TheWiseGuy
Here is the shot right after an alert. I had to use -an without the "o"; it was not recognized as a switch.
I believe this is caused by the new version of ZA, since it hadn't happened until that was installed. I wonder why dslreports is the one it tries to send to (is it a ping attempt?).
Thanks for all replies

CmmTch
join:2002-08-10 High Ridge, MO
reply to quazimoto
Same thing here quazimoto, it appears I (my computer) am doing a scan every 3 mins. This is all the time, whether I am at the computer or not. With my limited knowledge on such things, netstat doesn't look unusual. The link to another post from TheWiseGuy shows pretty much the same problem from that poster too. It hasn't affected browsing, but I don't like that it fills up my log with those attempts. Before this there were very few entries in it. Much easier to keep an eye on anything that way.

TheWiseGuy Dog And Butterfly Premium,MVM join:2002-07-04 Yonkers, NY
reply to CmmTch
Ping wouldn't be using ports. It seems to be a normal outbound HTTP connection attempt. The netstat shows SYN_SENT, which is what the ZAP log shows. The problem is ZAP doesn't show/know what program is doing it. I hoped netstat with the -o would show the program.
How about trying openports
»www.diamondcs.com.au/openports/
What browser are you using?
-- Dog and Butterfly

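The step being asked for in the posts above (run netstat right after the alert and tie the connection to a PID) is easy to automate once the output is captured. The following is an added example, not code from the thread or from ZoneAlarm: it parses `netstat -ano` output in the Windows XP/2003 format (the `-o` switch does not exist on Windows 2000, as CmmTch found), pulls out the connections to the address the firewall alerted on, and flags any that netstat attributed to PID 0. The netstat text inside the block is constructed to resemble what the thread describes (SYN_SENT connections to 209.123.109.175:80 under PID 0); it was not captured from anyone's machine.

```python
"""Map a firewall alert's remote address back to the owning process
from `netstat -ano` output.

Added example for the thread, not code from the original posts or from
ZoneAlarm.  The sample netstat text below is constructed, not captured.
"""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local remote state pid")

# Constructed sample in `netstat -ano` (Windows XP/2003) format.  Two
# half-open connections to dslreports.com's address are attributed to PID 0,
# which is the situation the openports screenshot in the thread showed.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    192.168.1.10:3560      209.123.109.175:80     SYN_SENT        0
  TCP    192.168.1.10:3561      209.123.109.175:80     SYN_SENT        0
  TCP    192.168.1.10:1042      64.233.161.99:80       ESTABLISHED     1624
  UDP    0.0.0.0:445            *:*                                    4
"""

# One socket row: proto, local, foreign, optional state (UDP rows have
# none), PID.  Header and blank lines do not match.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return a Conn for every socket row in netstat -ano output."""
    conns = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Conn(proto, local, remote, state or "", int(pid)))
    return conns


def host_of(endpoint):
    """'209.123.109.175:80' -> '209.123.109.175' (IPv4 only, as in the thread)."""
    return endpoint.rsplit(":", 1)[0]


def connections_to(conns, remote_ip):
    """Sockets whose foreign address is the IP the firewall alerted on."""
    return [c for c in conns if host_of(c.remote) == remote_ip]


def unattributed(conns):
    """Non-listening sockets netstat could not tie to a user-mode process.

    PID 0 is the System Idle Process, which opens no sockets of its own.
    A connection reported under it is one the stack could not attribute,
    so a user-mode process list will not reveal who opened it.
    """
    return [c for c in conns if c.pid == 0 and c.state not in ("", "LISTENING")]


def triage(text, remote_ip):
    """Summarise the alert: how many sockets hit the remote, in which
    TCP states, under which PIDs, and how many have no real owner."""
    conns = parse_netstat(text)
    hits = connections_to(conns, remote_ip)
    return {
        "hits": len(hits),
        "states": sorted({c.state for c in hits}),
        "pids": sorted({c.pid for c in hits}),
        "unattributed": len([c for c in hits if c.pid == 0]),
    }


if __name__ == "__main__":
    # On a real box: capture `netstat -ano > ns.txt` right after the alert
    # and feed the file contents in instead of SAMPLE_NETSTAT.
    print(triage(SAMPLE_NETSTAT, "209.123.109.175"))
```

If the report shows hits only in SYN_SENT under PID 0, the socket is being opened by something netstat cannot see as a process, and the next step is a tool that looks lower in the stack rather than another pass over the task list.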
BrettStarr Premium join:2003-11-07 Las Vegas, NV
reply to CmmTch
This netstat indicates a SYN request was sent. The SYN is the first part of the "three way" handshake for a TCP connection. SYN (you to them) --> ACK (them to you) --> SYN ACK (you to them). This happens within microseconds and is usually not seen in a netstat. Seems, for some reason, you are "hanging" on the SYN and waiting for a reply (ACK) which never comes (and then probably times out). Perhaps something is wrong with the SYN packet or perhaps ZA is doing something funky? I really don't know, but I thought I would post this little bit of info for you. Good luck.

CmmTch
join:2002-08-10 High Ridge, MO
reply to TheWiseGuy
I use IE6 SP1. This shot of openports is right after an alert. The one before the alert didn't have the top line showing "connecting".

BrettStarr Premium join:2003-11-07 Las Vegas, NV
That does look kind of strange running under PID 0 (System Idle Process). There shouldn't be anything running there. I don't have ZA so I can't be of much help, but have you tried shutdown/close then reopen ZA? Also a reboot? Good luck.
edit: maybe try recycling the modem/router too.
edit2: I am assuming that SYSTEM[0] = PID 0. Also, have you looked into the openports.txt (as shown on your screenshot)?

keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB
reply to CmmTch
CmmTch -
I'm wondering if this may relate to one of the Tools in BBR.
- Does re-booting affect or end the behavior?
- Have you run any tests using DSLReports/BBR lately?
- Which version of Windows do you have?
- Do you use Sun's Java or Windows Java?
- Keith
-- (Virus&Hijacking FAQ+Submit suspected malware+Security FAQ)

quazimoto
join:2003-05-27 Longwood, FL
reply to CmmTch
I just checked for an update to ZA via the "Check for Updates" option in ZA. When it was attempting to connect to see if there were any updates there was a bit of a lag, which enabled me to see what it was connecting to in order to search for any updates. It read something like this: "checkingwebupdates/dslreports". Why would it be connecting to dslreports in order to check for an update?

keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB
reply to CmmTch
Quazimoto, do you know which IP address it checked for those updates on?
Also, does someone with NAV and this issue have a NAT router, and could they check the outgoing log to see where the LiveUpdate checks are going?
CmmTch's computer is going after 209.123.109.175, whose registry entry doesn't reveal anything to do with Symantec or Norton (see below).
But maybe you are onto something. Would you check the version of the Norton AntiVirus signature files on your PC, and compare those with what they should be according to Symantec. Here is the link to what they should be: »securityresponse.symantec.com/av···oad.html

    Intelligent Updater:
      Virus Definitions created June 4
      Virus Definitions released June 4
      Norton AntiVirus Corp. Edition: Defs Version: 60604p
      Sequence Number: 31674
      Extended Version: 6/4/2004 rev. 16
      Total Viruses Detected: 67620

    LiveUpdate:
      Virus Definitions created June 2
      Virus Definitions released June 2
      Norton AntiVirus Corp. Edition: Defs Version: 60602q
      Sequence Number: 31588
      Extended Version: 6/2/2004 rev. 17
      Total Viruses Detected: 67606

ARIN entry for 209.123.109.175:

    OrgName:    Net Access Corporation
    OrgID:      NAC
    Address:    1719 STE RT 10E
    Address:    Suite 111
    City:       Parsippany
    StateProv:  NJ
    PostalCode: 07054
    Country:    US

    ReferralServer: rwhois://rwhois.nac.net:43

    NetRange:   209.123.0.0 - 209.123.255.255
    CIDR:       209.123.0.0/16
    NetName:    NAC-NETBLK02
    NetHandle:  NET-209-123-0-0-1
    Parent:     NET-209-0-0-0-0
    NetType:    Direct Allocation
    NameServer: NS1.NAC.NET
    NameServer: NS2.NAC.NET
    NameServer: NS5.NAC.NET
    Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    Comment:
    Comment:    * Reassignment information for this network is available
    Comment:    * available at whois.nac.net 43
    RegDate:    1997-08-06
    Updated:    2001-08-22

    TechHandle: ZN77-ARIN
    TechName:   Net Access Corporation
    TechPhone:  +1-800-638-6336
    TechEmail:  legal@nac.net

    OrgAbuseHandle: ABUSE156-ARIN
    OrgAbuseName:   Abuse Department
    OrgAbusePhone:  +1-800-638-6336
    OrgAbuseEmail:  abuse@nac.net

    OrgNOCHandle: NOC270-ARIN
    OrgNOCName:   Network Operations Center
    OrgNOCPhone:  +1-973-590-5050
    OrgNOCEmail:  network@nac.net

    OrgTechHandle: AR97-ARIN
    OrgTechName:   Rubenstein, Alex
    OrgTechPhone:  +1-973-590-5101
    OrgTechEmail:  alex@nac.net

    OrgTechHandle: ZN77-ARIN
    OrgTechName:   Net Access Corporation
    OrgTechPhone:  +1-800-638-6336
    OrgTechEmail:  legal@nac.net

    # ARIN WHOIS database, last updated 2004-06-04 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS database.

DNS records:

    name                          class  type   data                                                     time to live
    www.dslreports.com            IN     CNAME  dslreports.com                                           43200s (12:00:00)
    dslreports.com                IN     SOA    server: ns0.easydns.com  email: admin.easydns.com        43200s (12:00:00)
                                                serial: 1080758464  refresh: 43200  retry: 43200
                                                expire: 604800  minimum ttl: 43200
    dslreports.com                IN     NS     remote2.easydns.com                                      43200s (12:00:00)
    dslreports.com                IN     NS     ns1.easydns.com                                          43200s (12:00:00)
    dslreports.com                IN     NS     ns2.easydns.com                                          43200s (12:00:00)
    dslreports.com                IN     NS     remote1.easydns.com                                      43200s (12:00:00)
    dslreports.com                IN     A      209.123.109.175                                          43200s (12:00:00)
    dslreports.com                IN     MX     preference: 5  exchange: mail.dslreports.com             43200s (12:00:00)
    dslreports.com                IN     TXT    v=spf1 mx -all                                           43200s (12:00:00)
    175.109.123.209.in-addr.arpa  IN     PTR    www.dslreports.com                                       3600s (01:00:00)

-- end --
-- (Virus&Hijacking FAQ+Submit suspected malware+Security FAQ)

TheWiseGuy Dog And Butterfly Premium,MVM join:2002-07-04 Yonkers, NY
reply to CmmTch
Hmmm, System, that is weird.
Strange, vsmon is listening on the same port, local 3560. Almost seems as if ZAP might be sending it.
Well, I'm out of ideas for now. Maybe one of the Team Z members will come along and have some insight.
-- Dog and Butterfly

TerryMiller Premium join:2003-10-23
reply to keith2468
I know this sounds obvious, but do you have a dynamic DNS client for line monitoring here? 3 minutes is the default interval for my DynDNS client.