Fake default gateway

Old 05-20-2009, 12:48 AM   #21
joe7dust (Registered Member, Join Date: May 2009, Posts: 224, OS: xp sp3)

I went ahead and did it on all 3 machines in case that helps. You said earlier that DHCP traffic is UDP on ports 67 / 68; that would mean .2 is the culprit then, because of this? " UDP 0.0.0.0:67 *:* 4"

One more comment that may save you some time: .3 was hosting an online video game and about 9 IP addresses should be players, maybe 8. These *should* be on ports 6112-6114, but I've never checked; I just know what I have to have open to play the game. Any connections on .2 that aren't backdoors have a good chance of being P2P connections.

.2
Code:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\HP_Administrator>netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1092
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING       2084
  TCP    0.0.0.0:3689           0.0.0.0:0              LISTENING       1120
  TCP    0.0.0.0:9485           0.0.0.0:0              LISTENING       1352
  TCP    0.0.0.0:10001          0.0.0.0:0              LISTENING       1340
  TCP    0.0.0.0:64847          0.0.0.0:0              LISTENING       660
  TCP    0.0.0.0:64872          0.0.0.0:0              LISTENING       660
  TCP    127.0.0.1:1032         127.0.0.1:27015        ESTABLISHED     512
  TCP    127.0.0.1:1037         0.0.0.0:0              LISTENING       3120
  TCP    127.0.0.1:1069         127.0.0.1:5354         ESTABLISHED     1360
  TCP    127.0.0.1:1206         127.0.0.1:5354         ESTABLISHED     660
  TCP    127.0.0.1:1217         127.0.0.1:5354         ESTABLISHED     660
  TCP    127.0.0.1:3838         127.0.0.1:3839         ESTABLISHED     488
  TCP    127.0.0.1:3839         127.0.0.1:3838         ESTABLISHED     488
  TCP    127.0.0.1:3846         127.0.0.1:3847         ESTABLISHED     488
  TCP    127.0.0.1:3847         127.0.0.1:3846         ESTABLISHED     488
  TCP    127.0.0.1:4928         127.0.0.1:27015        ESTABLISHED     1120
  TCP    127.0.0.1:4929         127.0.0.1:5354         ESTABLISHED     1120
  TCP    127.0.0.1:4930         127.0.0.1:5354         ESTABLISHED     1120
  TCP    127.0.0.1:4931         127.0.0.1:5354         ESTABLISHED     1120
  TCP    127.0.0.1:4932         127.0.0.1:5354         ESTABLISHED     1120
  TCP    127.0.0.1:4933         127.0.0.1:5354         ESTABLISHED     1120
  TCP    127.0.0.1:4934         127.0.0.1:5354         ESTABLISHED     1120
  TCP    127.0.0.1:4935         127.0.0.1:5354         ESTABLISHED     1120
  TCP    127.0.0.1:4936         127.0.0.1:5354         ESTABLISHED     1120
  TCP    127.0.0.1:5152         0.0.0.0:0              LISTENING       436
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1928
  TCP    127.0.0.1:5354         127.0.0.1:1069         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:1206         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:1217         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4929         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4930         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4931         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4932         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4933         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4934         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4935         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4936         ESTABLISHED     1928
  TCP    127.0.0.1:5842         0.0.0.0:0              LISTENING       2908
  TCP    127.0.0.1:27015        0.0.0.0:0              LISTENING       1540
  TCP    127.0.0.1:27015        127.0.0.1:1032         ESTABLISHED     1540
  TCP    127.0.0.1:27015        127.0.0.1:4928         ESTABLISHED     1540
  TCP    192.168.1.2:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.2:1841       74.86.61.161:443       ESTABLISHED     660
  TCP    192.168.1.2:2038       208.43.208.113:443     ESTABLISHED     660
  TCP    192.168.1.2:2040       69.63.176.195:80       LAST_ACK        488
  TCP    192.168.1.2:2041       208.43.208.113:443     TIME_WAIT       0
  TCP    192.168.1.2:2045       208.43.208.113:443     TIME_WAIT       0
  TCP    192.168.1.2:2047       69.63.176.195:80       ESTABLISHED     488
  TCP    192.168.1.2:2048       208.43.208.113:443     ESTABLISHED     660
  TCP    192.168.1.2:3170       75.126.232.97:443      CLOSE_WAIT      660
  TCP    192.168.1.2:3226       72.247.238.194:80      CLOSE_WAIT      1120
  TCP    192.168.1.2:3227       17.251.200.74:80       CLOSE_WAIT      1120
  TCP    192.168.1.2:3228       72.247.238.192:80      CLOSE_WAIT      1120
  TCP    192.168.1.2:3229       17.250.237.16:80       CLOSE_WAIT      1120
  TCP    192.168.1.2:4021       75.126.232.97:443      CLOSE_WAIT      660
  UDP    0.0.0.0:67             *:*                                    4
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    864
  UDP    0.0.0.0:1028           *:*                                    1928
  UDP    0.0.0.0:3776           *:*                                    2244
  UDP    0.0.0.0:4500           *:*                                    864
  UDP    0.0.0.0:51010          *:*                                    1360
  UDP    0.0.0.0:62798          *:*                                    1928
  UDP    127.0.0.1:123          *:*                                    1236
  UDP    127.0.0.1:1900         *:*                                    2084
  UDP    127.0.0.1:3027         *:*                                    1236
  UDP    127.0.0.1:4908         *:*                                    2880
  UDP    192.168.1.2:123        *:*                                    1236
  UDP    192.168.1.2:137        *:*                                    4
  UDP    192.168.1.2:138        *:*                                    4
  UDP    192.168.1.2:1900       *:*                                    2084
  UDP    192.168.1.2:2049       *:*                                    660
  UDP    192.168.1.2:5353       *:*                                    1928

C:\Documents and Settings\HP_Administrator>
.3
Code:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

D:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 5:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

D:\Documents and Settings\Administrator>netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       244
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       984
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       244
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING       1348
  TCP    0.0.0.0:6113           0.0.0.0:0              LISTENING       1700
  TCP    0.0.0.0:21692          0.0.0.0:0              LISTENING       244
  TCP    127.0.0.1:1035         0.0.0.0:0              LISTENING       2072
  TCP    127.0.0.1:3004         127.0.0.1:3005         ESTABLISHED     3668
  TCP    127.0.0.1:3005         127.0.0.1:3004         ESTABLISHED     3668
  TCP    127.0.0.1:3006         127.0.0.1:3007         ESTABLISHED     3668
  TCP    127.0.0.1:3007         127.0.0.1:3006         ESTABLISHED     3668
  TCP    192.168.1.3:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.3:1483       76.177.87.56:25532     ESTABLISHED     244
  TCP    192.168.1.3:2869       192.168.1.1:1078       TIME_WAIT       0
  TCP    192.168.1.3:2869       192.168.1.1:1079       TIME_WAIT       0
  TCP    192.168.1.3:3707       63.240.202.131:6112    ESTABLISHED     1700
  TCP    192.168.1.3:3708       63.241.83.11:6112      ESTABLISHED     1700
  TCP    192.168.1.3:3709       174.139.22.67:9367     ESTABLISHED     1700
  TCP    192.168.1.3:3710       174.139.22.67:9367     ESTABLISHED     1700
  TCP    192.168.1.3:6113       63.196.199.50:2155     TIME_WAIT       0
  TCP    192.168.1.3:6113       66.75.25.53:4465       TIME_WAIT       0
  TCP    192.168.1.3:6113       66.223.213.28:52105    ESTABLISHED     1700
  TCP    192.168.1.3:6113       67.58.196.210:1037     TIME_WAIT       0
  TCP    192.168.1.3:6113       67.180.99.135:46211    ESTABLISHED     1700
  TCP    192.168.1.3:6113       67.232.156.20:49325    TIME_WAIT       0
  TCP    192.168.1.3:6113       70.73.157.227:63619    TIME_WAIT       0
  TCP    192.168.1.3:6113       70.74.210.254:62253    TIME_WAIT       0
  TCP    192.168.1.3:6113       70.81.8.194:60484      TIME_WAIT       0
  TCP    192.168.1.3:6113       98.234.203.63:1385     ESTABLISHED     1700
  TCP    192.168.1.3:6113       98.246.124.163:54385   TIME_WAIT       0
  TCP    192.168.1.3:6113       99.155.181.50:49656    ESTABLISHED     1700
  TCP    192.168.1.3:6113       99.155.181.50:51115    ESTABLISHED     1700
  UDP    0.0.0.0:443            *:*                                    244
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    748
  UDP    0.0.0.0:3705           *:*                                    1700
  UDP    0.0.0.0:3711           *:*                                    3148
  UDP    0.0.0.0:4500           *:*                                    748
  UDP    0.0.0.0:5868           *:*                                    3148
  UDP    0.0.0.0:6969           *:*                                    1700
  UDP    0.0.0.0:21692          *:*                                    244
  UDP    127.0.0.1:123          *:*                                    1076
  UDP    127.0.0.1:1025         *:*                                    244
  UDP    127.0.0.1:1900         *:*                                    1348
  UDP    127.0.0.1:4577         *:*                                    1076
  UDP    192.168.1.3:123        *:*                                    1076
  UDP    192.168.1.3:137        *:*                                    4
  UDP    192.168.1.3:138        *:*                                    4
  UDP    192.168.1.3:1900       *:*                                    1348

D:\Documents and Settings\Administrator>
.4
Code:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\HP_Administrator>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.4
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

C:\Documents and Settings\HP_Administrator>netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1016
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       2616
  TCP    127.0.0.1:1034         0.0.0.0:0              LISTENING       3204
  TCP    127.0.0.1:5152         0.0.0.0:0              LISTENING       1804
  TCP    127.0.0.1:5152         127.0.0.1:2728         CLOSE_WAIT      1804
  TCP    192.168.1.4:139        0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    792
  UDP    0.0.0.0:3776           *:*                                    1052
  UDP    0.0.0.0:4500           *:*                                    792
  UDP    127.0.0.1:123          *:*                                    1112
  UDP    127.0.0.1:1900         *:*                                    420
  UDP    192.168.1.4:123        *:*                                    1112
  UDP    192.168.1.4:137        *:*                                    4
  UDP    192.168.1.4:138        *:*                                    4
  UDP    192.168.1.4:1900       *:*                                    420

C:\Documents and Settings\HP_Administrator>

-- joe7dust
Old 05-20-2009, 01:20 PM   #22
grue155 (Registered Member, Join Date: May 2008, Posts: 240, OS: LAN Herder)

Quote:
You said earlier that DHCP traffic is UDP on ports 67 / 68 that would mean .2 is the culprit then because of this? " UDP 0.0.0.0:67 *:* 4"
Yup, that's it. Which in this case is running as pid 4. On an XP box, that is "System", which I don't think is what it is supposed to be. XP can be a DHCP server if the XP box is set up as an "Internet Connection Host". I don't think machine 1.2 is running as an ICS host, as it's just another PC on your LAN.

Looking at the netstat for machine 1.2 shows some interesting things:
Code:
  TCP    0.0.0.0:9485           0.0.0.0:0              LISTENING       1352

  TCP    127.0.0.1:1069         127.0.0.1:5354         ESTABLISHED     1360
  UDP    0.0.0.0:51010          *:*                                    1360

  UDP    0.0.0.0:3776           *:*                                    2244

  TCP    0.0.0.0:64847          0.0.0.0:0              LISTENING       660
  TCP    0.0.0.0:64872          0.0.0.0:0              LISTENING       660
  TCP    127.0.0.1:1206         127.0.0.1:5354         ESTABLISHED     660
  TCP    127.0.0.1:1217         127.0.0.1:5354         ESTABLISHED     660
  TCP    192.168.1.2:1841       74.86.61.161:443       ESTABLISHED     660
  TCP    192.168.1.2:2038       208.43.208.113:443     ESTABLISHED     660
  TCP    192.168.1.2:2048       208.43.208.113:443     ESTABLISHED     660
  TCP    192.168.1.2:3170       75.126.232.97:443      CLOSE_WAIT      660
  TCP    192.168.1.2:4021       75.126.232.97:443      CLOSE_WAIT      660
  UDP    192.168.1.2:2049       *:*                                    660

  TCP    0.0.0.0:3689           0.0.0.0:0              LISTENING       1120
  TCP    127.0.0.1:4928         127.0.0.1:27015        ESTABLISHED     1120
  TCP    127.0.0.1:4929         127.0.0.1:5354         ESTABLISHED     1120
  TCP    127.0.0.1:4930         127.0.0.1:5354         ESTABLISHED     1120
  TCP    127.0.0.1:4931         127.0.0.1:5354         ESTABLISHED     1120
  TCP    127.0.0.1:4932         127.0.0.1:5354         ESTABLISHED     1120
  TCP    127.0.0.1:4933         127.0.0.1:5354         ESTABLISHED     1120
  TCP    127.0.0.1:4934         127.0.0.1:5354         ESTABLISHED     1120
  TCP    127.0.0.1:4935         127.0.0.1:5354         ESTABLISHED     1120
  TCP    127.0.0.1:4936         127.0.0.1:5354         ESTABLISHED     1120
  TCP    192.168.1.2:3226       72.247.238.194:80      CLOSE_WAIT      1120
  TCP    192.168.1.2:3227       17.251.200.74:80       CLOSE_WAIT      1120
  TCP    192.168.1.2:3228       72.247.238.192:80      CLOSE_WAIT      1120
  TCP    192.168.1.2:3229       17.250.237.16:80       CLOSE_WAIT      1120
This is showing some amount of traffic through several Internet-accessible ports. More specifically, TCP ports 9485, 64847, 64872, and 3689, and UDP ports 51010, 3776, and 2049. One thing that becomes interesting is that 127.0.0.1:5354 is a common connection.

Looking at those:

Code:
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1928
  TCP    127.0.0.1:5354         127.0.0.1:1069         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:1206         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:1217         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4929         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4930         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4931         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4932         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4933         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4934         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4935         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4936         ESTABLISHED     1928
This looks like it might be some kind of control process. The next question is what that process is. The WinXP tool for that query is a command line tool called "tasklist". Use "tasklist /?" to see the options and syntax, but in this instance, the command to run is:
Code:
tasklist /FI "PID eq 1928"
and see if it is anything recognizable. The same question can be asked of all those processes.

This does not look good for machine 1.2.

On to machine 1.3. Here's your game:
Code:
  TCP    0.0.0.0:6113           0.0.0.0:0              LISTENING       1700
  TCP    192.168.1.3:3707       63.240.202.131:6112    ESTABLISHED     1700
  TCP    192.168.1.3:3708       63.241.83.11:6112      ESTABLISHED     1700
  TCP    192.168.1.3:3709       174.139.22.67:9367     ESTABLISHED     1700
  TCP    192.168.1.3:3710       174.139.22.67:9367     ESTABLISHED     1700
  TCP    192.168.1.3:6113       66.223.213.28:52105    ESTABLISHED     1700
  TCP    192.168.1.3:6113       67.180.99.135:46211    ESTABLISHED     1700
  TCP    192.168.1.3:6113       98.234.203.63:1385     ESTABLISHED     1700
  TCP    192.168.1.3:6113       99.155.181.50:49656    ESTABLISHED     1700
  TCP    192.168.1.3:6113       99.155.181.50:51115    ESTABLISHED     1700
  UDP    0.0.0.0:3705           *:*                                    1700
  UDP    0.0.0.0:6969           *:*                                    1700
Ports as expected, with players. There are also two open UDP ports: 3705 and 6969. I presume the game is as expected.

Code:
  TCP    0.0.0.0:21692          0.0.0.0:0              LISTENING       244
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       244
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       244
  TCP    192.168.1.3:1483       76.177.87.56:25532     ESTABLISHED     244
  UDP    0.0.0.0:21692          *:*                                    244
  UDP    0.0.0.0:443            *:*                                    244
  UDP    127.0.0.1:1025         *:*                                    244
There's the mystery port 21692. And a web server, TCP ports 80 and 443. And an unexpected UDP port 443. So what is process 244, as this doesn't seem right.

Code:
  UDP    0.0.0.0:3711           *:*                                    3148
  UDP    0.0.0.0:5868           *:*                                    3148
And two more Internet accessible ports. Same question about pid 3148.

That's it for machine 1.3.

By comparison, machine 1.4 looks like an almost fresh out-of-the-box install. The only thing that looks like it might be out of place is this:
Code:
 UDP    0.0.0.0:3776           *:*                                    1052
Based on what I'm seeing in the netstat reports, I'm going to go back over the packet captures. I had filtered out all web traffic while trying to locate the DHCP thing. If machine 1.3 is running a web server, then I want to check that inbound traffic, if any, to see what might be going on.

-- grue155
Old 05-20-2009, 01:58 PM   #23
grue155 (Registered Member, Join Date: May 2008, Posts: 240, OS: LAN Herder)

I did a check on the capture files, and didn't see any web traffic, or inbound UDP traffic for any port except that 21692. I'll take that much as a good sign, so far.
-- grue155
Old 05-20-2009, 08:22 PM   #24
grue155 (Registered Member, Join Date: May 2008, Posts: 240, OS: LAN Herder)

Too late to edit my last post, so I'll add this:

The tasklist output will give an "image name", but I can't find a way for tasklist to give a full pathname.

So, a two-step process: run tasklist to get the image name, and then an old-fashioned dir command to get the pathname. Here is an example:
Code:
C:\WINDOWS\system32>tasklist /FI "PID eq 3040"

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
firefox.exe                 3040 Console                 0     49,016 K

C:\WINDOWS\system32>dir c:\firefox.exe /s /b

c:\Program Files\Mozilla Firefox\firefox.exe
For those pid's in question, the full pathname is going to be needed to have any real chance of saying if the application is good, or not.

The alternative is to download Process Explorer from Microsoft Sysinternals. Then you would right-click on the process with the pid number, select Properties, and you'll know more about that process than you probably want to know.

If you do try Process Explorer, and find you can't download it, or it won't run, then that's an indication of a problem.

If you don't recognize the pathname or the application, then post that pathname here, and I can do some digging to find out what it is, or isn't.
-- grue155
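An added triage helper, not code from this thread, that automates the reading grue155 does by hand in #22 (which PIDs hold Internet-reachable ports, which talk to outside hosts, which one binds UDP 67) and the tasklist-to-PID join from #24. The netstat rows are copied from the machine .2 listing above; the tasklist rows, memory figures and the 192.168. LAN prefix are constructed assumptions, and the dir /s /b pathname step is not reproduced.

```python
"""Triage helper for the `netstat -ano` / `tasklist` workflow in this thread.

Constructed example (not from the thread): parses both command outputs, joins
them on PID, and reports per process which ports are reachable from the LAN or
Internet and which non-local hosts it is talking to. A bind on UDP 67 is
flagged because that is the DHCP *server* port: an ordinary XP workstation
listening there is the classic source of a fake default gateway.
"""
import re
from typing import Dict, List, NamedTuple

DHCP_SERVER_UDP_PORT = 67


class Conn(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    state: str       # empty for UDP: netstat prints no State column for it
    pid: int


def parse_netstat(text: str) -> List[Conn]:
    """Parse `netstat -ano` text. TCP rows have a State column, UDP rows do not."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                       # banner, header or blank line
        local_ip, local_port = parts[1].rsplit(":", 1)
        remote_ip = parts[2].rsplit(":", 1)[0]   # "*:*" for UDP -> "*"
        if parts[0] == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        conns.append(Conn(parts[0], local_ip, int(local_port), remote_ip, state, pid))
    return conns


# image name (may contain spaces)  PID  session name  session#  mem usage "N,NNN K"
TASKLIST_ROW = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+\s*K\s*$")


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name from `tasklist` output; header rows never match."""
    images = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line)
        if m:
            images[int(m.group(2))] = m.group(1).strip()
    return images


def triage(netstat_text: str, tasklist_text: str, lan_prefix: str = "192.168.") -> dict:
    """Per PID: image name, network-exposed ports, Internet peers, and flags."""
    images = parse_tasklist(tasklist_text)
    report: dict = {}
    for c in parse_netstat(netstat_text):
        e = report.setdefault(c.pid, {"image": images.get(c.pid, "<unknown>"),
                                      "exposed": set(), "remotes": set(), "flags": set()})
        if c.local_ip.startswith("127."):
            continue                       # loopback-only socket: unreachable from the LAN
        if c.proto == "UDP" or c.state == "LISTENING":
            e["exposed"].add((c.proto, c.local_port))
            if c.proto == "UDP" and c.local_port == DHCP_SERVER_UDP_PORT:
                e["flags"].add("binds UDP 67 (DHCP server port): rogue DHCP candidate")
        elif c.state == "ESTABLISHED" and not c.remote_ip.startswith(lan_prefix):
            e["remotes"].add(c.remote_ip)  # Internet peer worth identifying
    return report


def format_report(report: dict) -> str:
    lines = []
    for pid in sorted(report):
        e = report[pid]
        lines.append(f"PID {pid:>5}  {e['image']}")
        lines += [f"    exposed  {p} {port}" for p, port in sorted(e["exposed"])]
        lines += [f"    talks to {ip}" for ip in sorted(e["remotes"])]
        lines += [f"    FLAG     {f}" for f in sorted(e["flags"])]
    return "\n".join(lines)


# Sample input: netstat rows copied from the machine .2 listing in the thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1092
  TCP    0.0.0.0:9485           0.0.0.0:0              LISTENING       1352
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1928
  TCP    127.0.0.1:1069         127.0.0.1:5354         ESTABLISHED     1360
  TCP    192.168.1.2:1841       74.86.61.161:443       ESTABLISHED     660
  TCP    192.168.1.2:2038       208.43.208.113:443     ESTABLISHED     660
  UDP    0.0.0.0:67             *:*                                    4
  UDP    0.0.0.0:51010          *:*                                    1360
  UDP    127.0.0.1:123          *:*                                    1236
"""

# Constructed tasklist rows (image names from the thread; memory figures made up).
SAMPLE_TASKLIST = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System                         4 Console                 0        236 K
DiscStreamHub.exe           1352 Console                 0      4,120 K
mDNSResponder.exe           1928 Console                 0      3,004 K
SimplifyMedia.exe            660 Console                 0     22,512 K
Air Mouse.exe               1360 Console                 0      6,200 K
"""

if __name__ == "__main__":
    print(format_report(triage(SAMPLE_NETSTAT, SAMPLE_TASKLIST)))
```

On a real box, pipe the saved outputs of `netstat -ano` and `tasklist` into `triage()`; any PID with an exposed port and an image you cannot place is the one to chase with dir or Process Explorer.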
Old 05-21-2009, 12:53 AM   #25
joe7dust (Registered Member, Join Date: May 2009, Posts: 224, OS: xp sp3)

Thanks again for the mounds of effort you've put into this. You were definitely right about process explorer showing me more than I ever wanted to know. There is so much that it shows, I'm not sure what I'm looking for exactly. But for now I'll look at the path since you mentioned that.

1.2

PID 4: you were right it is system. It says path not available so I'm not sure if I can do anything about it. You mentioned XP can be set up as an Internet Connection Host, how would I double check if it is? I know when you run the Internet Connection Wizard it asks you whether or not the computers on your network connect to the internet via a residential gateway or THIS computer provides internet to the rest. I am pretty sure I ran the wizard on all 3 computers and selected the option to get internet access from a residential gateway. I guess it is always possible that malware is controlling that system process.

PID 1928: C:\Program Files\Bonjour\mDNSResponder.exe This is the service that iTunes uses for the network sharing of music files. I can probably just disable this now that I have copied all of his music directly. (streaming over the network was adversely affecting performance in my online gaming) Actually I take back what I said about disabling it, because I think he streams music from his iPhone to his computer sometimes. Do you think it's causing a problem? One thing that does seem odd, is "current directory" is set to system32.

PID 1352: C:\Program Files\DISC\DiscStreamHub.exe Comes with HP Media PCs, it's for downloading/trying games. I'll recommend he remove this if he doesn't intend to use it.

PID 660: C:\Program Files\Simplify Media\SimplifyMedia.exe Not sure, but he says he uses it regularly and it presents itself on the system tray which makes me feel better than if it was trying to hide.

PID 1120: C:\Program Files\iTunes\iTunes.exe I think we all know what this is. What I didn't know is that it should have nearly a dozen established connections on various ports.

That's all the TCP ones you mentioned, now I have to ask did you separate TCP from UDP for a practical reason or just to be neat and tidy? From what I see, UDP is more difficult to analyze because there is this *.* instead of information.

PID 1360: C:\Program Files\Air Mouse\Air Mouse\Air Mouse.exe He uses this to control his PC with his iPhone; I'll assume it's fine.

*PID 2244: C:\WINDOWS\ehome\mcrdsvc.exe Something related to Media Center PCs, I'll recommend he disable it since he no longer uses his PC to stream to the TV. On a side note, why the heck would a MC-related process need to listen on an internet port?

*: On machine 1.4 PID 1052 is listening on the same UDP port as the above process (3776). Could be a coincidence but caught my eye... I do not have access to 1.4 right now, but I will check tomorrow.

So in conclusion for 1.2 I don't see any malicious malware based on the path of the files (although the one set to current directory: system32 did seem odd). This machine does seem to have some malware on it though. I noticed some of my clicks were being redirected while searching for process information, but not all of them. Probably just a benign malware that is trying to generate advertising clicks; it all went to what seemed like search engine sites. Here are the URLs below: *note most of these were redirects; all of these resulted from a total of about 6 or 7 actual clicks. The only time I've ever seen his computer do this is via the context menu in Process Explorer "Search Online", but all it seemed to do was a google search in firefox for the process name. The bottom left that shows where it will take you did not show any of these sites; it looked like it would go to the page with more information on the process.
http://bridge1.admarketplace.net/bounce?click_id=414595001&m_width=1024&m_height=768&b_width=1002&b_height=617&b_top=0&b_left=14
http://159_48629.mydealhero.com/search.php?keyword=discstreamhub%20exe
http://clicks.smartbizsearch.com/xtr3_new?sid=2331450568&sa=7&p=1&q=DiscStreamHub+exe&rf=http%3A%2F%2Fwww.missngpage.com%2Fsearch1.php%3Fqq%3DDiscStreamHub.exe&enc=WwKy7i4uirj14VgvmO2kXlgl6JRPPrITgRgfdrd84Q%3D%3D&enk=
http://75.102.7.224/click.php?c=3202348fda0a3f6fedf0b5f9e100
http://www.missngpage.com/search1.php?qq=DiscStreamHub.exe
http://www.gottchaonline.com/search.php?keyword=discstreamhub%20exe&source=AMPron%PUB%_%SUB%
http://bridge1.admarketplace.net/xtrk.php?ctcookie_value=1242885279619.04E70263D646EF21F4C626B82939B68C&version=1.0.0&enURL=HNHu+81MXlHRGdGKHIlXsRP7/MVTChClurNeW/1kNlhwRVnC9onhJyGPQsf/IXdK4q9HmXJIZBbMpPUMQ7AcPekQBjweedaGbyZFtL8bze/FJLZSTLaERe/rs7XCpi9h6HkecIGMaAfTDyWdAyFcfVPRs3Nb5Fnq4DLPstne6+Q=&queryid=5538324144&adid=5538324151&fs=e-xml-14&pb=420.0&cp=0.040,2412,955388,0,pub_hostwaypremium-104,discstreamhub%20exe,backfill_conducive/l=COND
http://bridge1.admarketplace.net/xtrk.php?version=1.0.0&enURL=HNHu+81MXlHRGdGKHIlXsRP7/MVTChClurNeW/1kNlhwRVnC9onhJyGPQsf/IXdK4q9HmXJIZBbMpPUMQ7AcPekQBjweedaGbyZFtL8bze/FJLZSTLaERe/rs7XCpi9h6HkecIGMaAfTDyWdAyFcfVPRs3Nb5Fnq4DLPstne6+Q=&queryid=5538324144&adid=5538324151&fs=e-xml-14&pb=420.0&cp=0.040,2412,955388,0,pub_hostwaypremium-104,discstreamhub%20exe,backfill_conducive/l=COND
http://clicks.smartbizsearch.com/xtr_new?q=DiscStreamHub+exe&enc=WwKy7i4uirj14VgvmO2kXlgl6JRPPrITgRgfdrd84Q==
http://www.google.com/url?sa=t&source=web&ct=res&cd=1&url=http%3A%2F%2Fanswers.yahoo.com%2Fquestion%2Findex%3Fqid%3D20060625201703AAodd5Y&ei=k-wUStedN9TJtgfp8b3fDA&usg=AFQjCNENHntsaJRVWtCa9ahJotblsR9-Qw&sig2=YZzM_r_FQ34AErnptGfG_A
I will continue replying from my PC in another post. (1.3)
joe7dust is offline   Reply With Quote
Old 05-21-2009, 01:30 AM   #26
Registered Member
 
Join Date: May 2009
Posts: 224
OS: xp sp3


Hmm, PID 244 and 3148 are no longer running on my system... not sure what to make of this. Perhaps there is a way via PE or something similar to have a visual or audio alarm go off the next time this process activates? Or perhaps there is info in the registry on what the process is? I say this because all the PIDs seem to be the same each time, so that info should be on my hard drive somewhere; otherwise PIDs would be getting mixed around between reboots, wouldn't they? If not, I'll just keep checking for them periodically.

Back to the 2nd pcap file... shouldn't I have captured something that points to exactly what gave out the bogus DHCP info to the iPhone?

Oh, and about the * in the above post, I bet that is the same process because they are both HP Pavilions (although I hadn't realized 1.4 is also a Media Center PC... and it may or may not be; I can't check right now).

And let's not lose sight of the fact that the bogus gateway is in the HP address space... that has to be significant since some of these are HP processes.
joe7dust is offline   Reply With Quote
Old 05-21-2009, 12:03 PM   #27
Registered Member
 
Join Date: May 2008
Posts: 240
OS: LAN Herder



Thank you! That answers a whole bunch of questions about what all that stuff is, and whether it is real.

C:\WINDOWS\ehome\mcrdsvc.exe: seems to be associated with something called a media extender, which seems to be some other LAN device (like a TV or player of some kind). That would explain why the port is open. It's not intended to be Internet accessible, but LAN accessible. So it depends on the firewalls to keep it safe.

mDNSResponder.exe: running from system32. It's running from the directory where it is installed: c:\windows\system32. That's quite common for things that run as machine services.

Quote:
now I have to ask did you separate TCP from UDP for a practical reason or just to be neat and tidy?
Not intentional on my part, but a side effect of the sort tools I used to rearrange the netstat report to show what goes with who. Doing that kind of sort by hand gets tedious quickly. Better to let a program do the work.

The URLs that you listed have a couple of known hostile sites, and having a DHCP redirector is typical of the malware, as described in those SANS articles I mentioned a few postings back.

Quote:
Back to the 2nd pcap file... shouldn't I have captured something that points to exactly what gave out the bogus DHCP info to the iPhone?
Yes, and no. Wireshark running on machine 1.3 can't tell what process on machine 1.2 is sending stuff. But it did capture all the details that got sent. In the second capture file, in frame 53, is all that detail. And Wireshark is nice enough to reformat it into something readable.

To see that detail in Wireshark, on the toolbar click View, and then select Packet Details. It'll have a checkmark by it, and a window will open on the bottom half of the Wireshark screen.

Click on frame 53 to highlight it, and the details will show up in that Detail window. In the Detail window, you can expand different parts (the plus sign in the box). Expand the line at the very bottom, Bootstrap Protocol. Here you'll see the options that are being set when the iPhone was trying to get an IP address.

The iPhone was being given the IP address 15.14.56.119, and being told to use the router gateway 15.14.56.1. The DNS servers that were intended to be used are the 69.42.88.x entries.

In the rest of the capture file, you'll see the iPhone dutifully trying to do stuff, using the 15.14.56.119 address.

The thing is, the 15.x.x.x is the hp.com corporate IP address space. It isn't routable by anybody outside that company. And I really doubt their firewalls will allow any packets in that claim to be from the interior address space. That's a standard security practice to avoid spoofing.

I've been reminded also that XP Internet Connection Host settings are pretty well hardcoded to use only the 192.168.0.x address space. The ICH host is always 192.168.0.1, and that is also the gateway address given to LAN machines so they can get to the Internet through the ICH host.

So this DHCP server that is running on machine 1.2 is definitely not a normal XP ICH setup.

So machine 1.2 definitely has some kind of malware: rogue DHCP server, and search redirection.

On machine 1.3:

Does netstat still show the PID numbers? From machine 1.2, can you connect to the web server running on 1.3? (hxxp://192.168.1.3/ - make the obvious substitution, so the forum won't have a live link here). If Process Explorer doesn't show the PID, and tasklist won't give results either, then machine 1.3 has a problem with a process masking itself.

If you can get the PID to get a pathname, then post it back here. If not, then I'm going to point you to a probable malware cleanup.
grue155 is offline   Reply With Quote
Old 05-21-2009, 01:46 PM   #28
Registered Member
 
Join Date: May 2009
Posts: 224
OS: xp sp3


PID 244 & 3148 aren't showing in netstat on 1.3 either. Can you confirm that the PID will always remain the same for the same process between reboots?

Also you said 1.3 has a problem with the process masking itself, but it was showing up before so I'd be more inclined to say it's not running anymore. The only change that I am aware of is I downgraded my Skype from 4.0 to 3.8 due to performance issues.

I typed 192.168.1.3 into firefox from machine 1.2 and it seemed to load a blank web page and just sit there. I tested the same putting in 1.5 and it said "connecting to...." so yea it looks like the answer to your question is yes. I have no idea what this means though.

You said that you think 1.2 is giving out the bogus DHCP info; why then would 1.2 also have had problems before? It seems odd that it could give a DHCP address to itself. Should I run Wireshark from 1.2 and force the error again? Maybe that will show more.
joe7dust is offline   Reply With Quote
Old 05-21-2009, 02:30 PM   #29
TSF Enthusiast
 
Join Date: Aug 2006
Posts: 1,098
OS: OS2 Warp



Can you ping the default gateway (15.xxx.1)? Can you ping it offline and online? How fast does it reply? If it's under 5-10 ms, it's on your LAN.

Most likely it's some device on the network handing out DHCP IPs.

When that happens again I would download dhcpfind.

Run that on your LAN; you should get packets from 15.xxxx.

Unplug your WAN. If you keep getting DHCP packets, unplug another device... and continue until everything is unplugged.

When you no longer get those DHCP packets you will know what device it is.
bilbus is offline   Reply With Quote
Old 05-21-2009, 04:03 PM   #30
Registered Member
 
Join Date: May 2009
Posts: 224
OS: xp sp3


PID 244 & 3148 still aren't showing up, but I just ran netstat -ano and there is a process listening on TCP port 21692 again; this time it's PID 5260, which is Skype. The PID likely changed because I downgraded Skype versions. Makes me feel good I was right about Skype possibly looking like a server/backdoor to you. :) I am not completely clueless it seems haha.

@bilbus There are no devices, only the 3 computers. It seems that some malware on one of the computers is giving out the DHCP info. There is a link in this thread to a documented malware that does this; we just haven't found it yet on my network.
joe7dust is offline   Reply With Quote
Old 05-21-2009, 04:27 PM   #31
Registered Member
 
Join Date: May 2008
Posts: 240
OS: LAN Herder



Quote:
PID 244 & 3148 aren't showing in netstat on 1.3 either. Can you confirm that the PID will always remain the same for the same process between reboots?
Nope. The PID numbers will change from the reboot. A new netstat will give the current PID numbers. If Process Explorer can see the current PID, and you recognize it as Skype, then all is good. Now as to why there would be a live web server, I have no clue. It could be there is, or was at some time, a configuration interface, and the server port just got left over.

Quote:
You said that you think 1.2 is giving out the bogus DHCP info, why then would 1.2 also have had problems before? It seems odd that it could give a DHCP address to itself. Should I run wireshack from 1.2 and force the error again? Maybe that will show more.
If the DHCP server was a proper server, it wouldn't do that to itself. In this case, the DHCP server is answering anything that shows up. Running Wireshark on machine 1.2 will likely show a near zero time difference from DHCP request until answer. But the DHCP protocols have some safeguards built in to avoid loop conditions, and that is likely allowing machine 1.2 to get the 1.2 address, and not get a 15.x.x.x address. Otherwise machine 1.2 would have gone offline when the DHCP server went active.

@bilbus. Wireshark capture confirms that machine 1.2 is the source of the DHCP traffic. If it hadn't been coded with a bad gateway address, there would have been a very invisible DNS redirection, putting the entire LAN at risk. Classic man-in-the-middle malware tactics.
grue155 is offline   Reply With Quote
Old 05-21-2009, 06:36 PM   #32
TSF Enthusiast
 
Join Date: Aug 2006
Posts: 1,098
OS: OS2 Warp



Alright, so if it's that PC, turn it off to confirm.

If it's that computer, you have an app running or some malware... but I don't see what a malware program could get from the user that would make giving out fake IPs worthwhile.
bilbus is offline   Reply With Quote
Old 05-27-2009, 09:20 PM   #33
Registered Member
 
Join Date: May 2009
Posts: 224
OS: xp sp3


Sorry for the delay, have been busy. I just did a capture from 1.2; you can probably ignore everything before packet 1075 because that was me releasing/renewing on 1.2 to try and get the bad gateway, unsuccessfully. I had to bring in the iPhone again to finally get it.

http://uploading.com/files/8ZD0F07I/pcap1-2.pcap.html
joe7dust is offline   Reply With Quote
Old 05-27-2009, 10:25 PM   #34
Registered Member
 
Join Date: May 2008
Posts: 240
OS: LAN Herder



Got it. Thank you. It's late in my day here, so I'll pick this up tomorrow if I have the chance.
grue155 is offline   Reply With Quote
Old 05-28-2009, 11:30 AM   #35
Registered Member
 
Join Date: May 2008
Posts: 240
OS: LAN Herder



I got some time to go thru the new capture file. First thing I checked was the DHCP traffic.

There's a normal DHCP exchange between the router 1.1 and machine 1.2 at frames 6-11, again at frames 503-510, and again at 1612-1624. These are much easier to see with a Wireshark filter in place:
Code:
eth.addr == 00:18:f3:e7:8d:25
which is the MAC address of machine 1.2.

Compare that normal DHCP exchange with the DHCP traffic at frames 1460-1476, where machine 1.2 is acting as a DHCP server and giving out a bad address. At frame 1477, you'll see the router saying "No, don't use that address", but the timestamp is showing that to be about 4.5 milliseconds late. So the iPhone got the bad address.

Now for the bad news.

With the Wireshark filter in place, at the very end of the displayed capture, at frame 1802, is a TCP SYN packet outbound to 94.247.2.107.

I've seen that address before, and not in a good way. A google search refreshed my memory, and turned up this ThreatExpert report. At the very bottom of that report is that IP address.

Doing another Wireshark filter:
Code:
ip.addr == 94.247.2.107
shows a bunch of outbound TCP SYN packets, with no replies. This is, in effect, a TCP ping. Something's calling home, and saying "I'm here". I'm taking this as confirmation that machine 1.2 has active malware.

I don't know that this is what the malware is, but Trojan.TDSServ is a known dangerous rootkit. I'll strongly recommend taking machine 1.2 offline, and getting it cleaned up.

All of the malware cleanup forums have heavy traffic. And each have their own "supplicant ritual" as to how to make a posting, and what reports to provide. It works best to follow things exactly, as even report failures tell the helpers something about what they're up against.

These are the forums where I occasionally watch things from the gallery.

The TSF cleanup forum is good, and presently seems to have a response time of 3 days to a week. Spywarehammer are the folks from castlecops.com. They're not so heavily loaded right now, so turnaround is a couple of days. Bleeping Computer is heavily loaded right now, and looks to have a response time of about a week.

At this point, I've taken things as far as I can regarding the mysterious gateway address. It looks like active malware on machine 1.2.
grue155 is offline   Reply With Quote
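The DHCP detail grue155 read by hand in post #27 (frame 53: yiaddr, router option, DNS options) and again in post #35 (frames 1460-1476, the rogue offer that beat the router's NAK) can be checked by a script rather than by clicking through Packet Details. The following is an added example, not code from the thread or from Wireshark: it decodes the BOOTP header and the DHCP option list of a UDP payload and flags any OFFER/ACK whose server identifier is not the expected router, or whose offered address, router (option 3) or DNS servers (option 6) fall outside the LAN or inside the resolver ranges named in this thread. The expected router 192.168.1.1, the LAN prefix 192.168.1.0/24 and the two sample offers are constructed assumptions that mirror the thread's description (15.14.56.119 / 15.14.56.1 handed out from machine 1.2, and the 85.255.x.x DNS johnwill mentions later).

```python
"""Flag rogue DHCP offers by decoding the BOOTP/DHCP payload of a UDP datagram.

Added example (not the thread's own tooling). Feed it the UDP payloads of
DHCP frames extracted from a capture; it reports why an OFFER or ACK does
not match the LAN's legitimate router.
"""
import ipaddress
import struct

# Assumptions about the LAN in the thread (constructed, not from the capture).
EXPECTED_SERVER = ipaddress.ip_address("192.168.1.1")
LAN = ipaddress.ip_network("192.168.1.0/24")
# Resolver ranges this thread identifies as hostile (block-list is constructed).
BAD_DNS_NETS = [ipaddress.ip_network("85.255.112.0/24"),
                ipaddress.ip_network("69.42.88.0/24")]

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 options cookie at offset 236
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp(payload: bytes) -> dict:
    """Decode the 236-byte fixed BOOTP header plus the TLV option list."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, _hops = struct.unpack("!BBBB", payload[:4])
    yiaddr = ipaddress.ip_address(payload[16:20])      # "your" (offered) address
    chaddr = payload[28:28 + hlen]                      # client hardware address
    info = {"op": op, "yiaddr": yiaddr,
            "client_mac": ":".join(f"{b:02x}" for b in chaddr), "options": {}}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # END option
            break
        if code == 0:              # PAD option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        info["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return info


def ips(raw: bytes) -> list:
    """Split an option value holding one or more IPv4 addresses."""
    return [ipaddress.ip_address(raw[j:j + 4]) for j in range(0, len(raw) - 3, 4)]


def audit_offer(payload: bytes) -> list:
    """Return the reasons an OFFER/ACK looks rogue; an empty list means it is consistent."""
    d = parse_dhcp(payload)
    opts = d["options"]
    mtype = MSG_TYPES.get(opts.get(53, b"\x00")[0], "?")
    if mtype not in ("OFFER", "ACK"):
        return []
    findings = []
    server = ips(opts[54])[0] if 54 in opts else None
    if server != EXPECTED_SERVER:
        findings.append(f"server identifier {server} is not the router {EXPECTED_SERVER}")
    if d["yiaddr"] not in LAN:
        findings.append(f"offered address {d['yiaddr']} is outside {LAN}")
    for gw in ips(opts.get(3, b"")):
        if gw not in LAN:
            findings.append(f"router option {gw} is outside {LAN}")
    for dns in ips(opts.get(6, b"")):
        if any(dns in net for net in BAD_DNS_NETS):
            findings.append(f"DNS server {dns} is in a known-hostile range")
    return findings


def build_offer(yiaddr, server, router, dns, mac=b"\x00\x1e\xc2\x00\x00\x01") -> bytes:
    """Construct a minimal DHCP OFFER payload (test input only, not captured traffic)."""
    hdr = struct.pack("!BBBBIHHIIII", 2, 1, 6, 0, 0x1234, 0, 0,
                      0, int(ipaddress.ip_address(yiaddr)), 0, 0)  # op..giaddr = 28 bytes
    hdr += mac.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128         # chaddr, sname, file
    opts = b"\x35\x01\x02"                                          # 53: OFFER
    opts += b"\x36\x04" + ipaddress.ip_address(server).packed       # 54: server identifier
    opts += b"\x03\x04" + ipaddress.ip_address(router).packed       # 3: router
    opts += b"\x06" + bytes([4 * len(dns)]) + b"".join(ipaddress.ip_address(x).packed for x in dns)
    return hdr + DHCP_MAGIC + opts + b"\xff"


# Constructed samples: a normal offer from the router, and one like the thread's rogue offer.
GOOD_OFFER = build_offer("192.168.1.5", "192.168.1.1", "192.168.1.1", ["192.168.1.1"])
ROGUE_OFFER = build_offer("15.14.56.119", "192.168.1.2", "15.14.56.1", ["85.255.112.174"])

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, parse_dhcp(pkt)["client_mac"], audit_offer(pkt) or "ok")
```

A filter such as `udp.port == 67` in Wireshark, followed by exporting the packet bytes, yields the payloads this script expects; the constructed rogue sample produces four findings (wrong server identifier, off-LAN lease, off-LAN router, hostile DNS), while the legitimate offer produces none.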
Old 05-28-2009, 09:30 PM   #36
Registered Member
 
Join Date: May 2009
Posts: 224
OS: xp sp3


Thanks for all the help!

*edit* That is an understatement, by the way. You did a remarkable job and taught me a lot of things. No one has ever helped me so thoroughly on a forum before.
joe7dust is offline   Reply With Quote
Old 05-29-2009, 10:45 AM   #37
Registered Member
 
Join Date: May 2008
Posts: 240
OS: LAN Herder



Glad to have been of help
grue155 is offline   Reply With Quote
Old 05-30-2009, 12:57 PM   #38
Microsoft MVP
 

Microsoft Most Valuable Professional
 
Join Date: Sep 2002
Location: S.E. Pennsylvania, US
Posts: 50,845
OS: Windows 7, XP-Pro, Vista, Linux



BTW, I was reviewing this thread and noticed that the DNS server address you were getting, 85.255.112.174, is a known malware exploit, so among other things, that machine has malware.
johnwill is offline   Reply With Quote
Old 05-30-2009, 03:17 PM   #39
Registered Member
 
Join Date: May 2008
Posts: 240
OS: LAN Herder



Good catch, I missed that earlier from focusing on the gateway problem. The 85.255.x.x DNS has been on my radar for a couple of years now. With the focus on the bad gateway, I just didn't see it. Fortunately (maybe), the bad gateway address would block the DNS addresses from being used.

That was for machine 1.4, which is the cleanest of the machines on the LAN, judging from the netstat reports. The bad DNS was likely being provided by the rogue DHCP server on machine 1.2. Still, it'd be a good idea to scan all of the machines on the LAN, just to be sure.
grue155 is offline   Reply With Quote
Old 05-31-2009, 06:07 PM   #40
Microsoft MVP
 

Microsoft Most Valuable Professional
 
Join Date: Sep 2002
Location: S.E. Pennsylvania, US
Posts: 50,845
OS: Windows 7, XP-Pro, Vista, Linux



Yep, that one is a nasty little bugger, I've seen it on a few machines that come to me for repair.

johnwill is offline   Reply With Quote