Quake3World.com Forums
     Technology & Troubleshooting
        Figuring out which app is responsible for a certain open por

guru | Joined: 13 Mar 2001 | Posts: 17968 | Posted: 08-09-2009 01:30 PM

Just got done working through a friend's laptop that had 4 or 5 different trojans and the system security spyware issue that replaced their desktop with a warning and blocked access to msconfig, regedit, cmd, etc.

They were using that LegalSounds downloader and also had FlashGet (which apparently had been used to deliver a trojan to a lot of people.)

Anyhow, that is all taken care of, but when I run netstat I am still getting this at port 1035:

static.91.213.78.46.clients.your-server.de:https CLOSE-WAIT

I just want to know what program is establishing that connection - there isn't anything in the startup in msconfig that does.

Any ideas?

Mentor | Joined: 12 Mar 2005 | Posts: 3957 | Posted: 08-09-2009 01:41 PM

`netstat -o`, then cross-reference the PID in the Task Manager (Processes -> View -> Select columns -> PID to enable it).

guru | Joined: 13 Mar 2001 | Posts: 17968 | Posted: 08-09-2009 01:46 PM

thanks

Jesus of Suburbia | Joined: 14 Jan 2001 | Posts: 12703 | Posted: 08-09-2009 01:50 PM

Semi-related, the Sysinternals tools can be quite useful:
http://technet.microsoft.com/en-us/sysi ... fault.aspx

And if you need to see the contents of the traffic on a network, Wireshark works pretty well.
http://www.wireshark.org/

guru | Joined: 13 Mar 2001 | Posts: 17968 | Posted: 08-09-2009 07:25 PM

OK, here's what I run into now. The PID goes back to a copy of svchost that is running. I've cleaned out the startup, but there have to be other issues because it still connects to that IP (the correct address that is showing up in netstat is:

static.91.213.46.78.clients.your-server.de)

Found one site that did some research and said it looked like your-server.de might be collecting logs for the RBN (Russian Business Network, which wouldn't surprise me on this machine because they were using that legalsounds.com run by Russians.)

Did a WHOIS on the 91.... IP address and it came back to an orgname of RIPE Network Coordination Centre.

I'm not sure where to go next in terms of figuring out when/what/how this damn connection is being established.

It's a pain in the ass because if you do any searches on this machine, you get redirected to a random shopping website each time you click on a link.

guru | Joined: 13 Mar 2001 | Posts: 17968 | Posted: 08-09-2009 08:42 PM

Well, I used Wireshark and found out, by monitoring the packets, that every time a Google search is done on this machine there is info being sent to IP addresses that resolve back to your-server.de, so the machine's activity is definitely being monitored or logged or something.

But I've reached the end of my expertise, so I will distill my question down to the absolute basics:
you turn on a machine, do a netstat and find an open port like I mentioned above. There is nothing in the startup or processes that indicates how the connection is made, and the PID for the connection goes back to svchost.exe.

What next?

Mentor | Joined: 12 Mar 2005 | Posts: 3957 | Posted: 08-10-2009 03:37 AM

In the Task Manager, right-click the svchost.exe process and select 'Go to services'. Find the offending service and disable/remove it.

Mentor | Joined: 12 Mar 2005 | Posts: 3957 | Posted: 08-10-2009 03:39 AM

Oh, and make sure the service doesn't automagically restart after a system reboot.

Jesus of Suburbia | Joined: 14 Jan 2001 | Posts: 12703 | Posted: 08-10-2009 05:57 AM

When did "Go to services" get added? It isn't in XP. Guessing Vista, but I'm not at home to check.

Mentor | Joined: 12 Mar 2005 | Posts: 3957 | Posted: 08-10-2009 07:14 AM

Yeah, it's a Vista-only thing. With XP, you'll need to use the Sysinternals tool.

guru | Joined: 13 Mar 2001 | Posts: 17968 | Posted: 08-10-2009 08:06 AM

It's running XP, so how do I do that using Sysinternals?

OK, figured I'd probably use Procmon.exe to check out the processes, but this fucking thing is now saying that there isn't enough memory to allocate for the thing. 2 gigs on this laptop with only McAfee loaded up. Tried safe mode with networking, but that wouldn't work as it said it couldn't load the device driver for it. Going to try and download a svchost viewer program.

Mentor | Joined: 12 Mar 2005 | Posts: 3957 | Posted: 08-10-2009 11:47 AM

tnf wrote:
    It's running XP, so how do I do that using Sysinternals?

Easy as pie: double-click svchost.exe, then go to the Services tab.
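The chain the replies above describe (netstat with owning PIDs, then the PID back to svchost.exe and the services it hosts) as one PowerShell script; this is an added example, not code from the thread, and it assumes only the built-in netstat, tasklist and WMI, with the thread's foreign address used as a placeholder.

```powershell
# Added example (not from the thread): map the foreign address seen in
# `netstat -ano` to its owning PID, then list the services hosted inside that
# PID and the DLL each service loads. Uses only tools present on XP and later.
# The address below is the one the thread mentions; substitute the one you see.
# A CLOSE_WAIT socket still belongs to the process that never closed it, so the
# PID column is valid for those rows too.
$remote = '91.213.46.78'

# -a all sockets, -n numeric (skip DNS, which can be slow or lie), -o owning PID.
$rows = netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' }

$owners = @{}
foreach ($row in $rows) {
    # TCP rows: Proto Local Foreign State PID; UDP rows have no State column.
    $f = $row.Trim() -split '\s+'
    if ($f[0] -eq 'TCP') { $state = $f[3]; $procId = $f[4] }
    else                 { $state = '-';   $procId = $f[3] }
    if ($f[2] -like "$remote*") {
        Write-Output ("{0,-4} {1,-22} -> {2,-22} {3,-12} PID={4}" -f `
            $f[0], $f[1], $f[2], $state, $procId)
        $owners[$procId] = $true
    }
}

foreach ($procId in $owners.Keys) {
    # Image name plus, for svchost.exe, every service sharing that process.
    tasklist /svc /fi "PID eq $procId"

    # For each hosted service, show its start mode and the DLL it actually loads.
    # A ServiceDll outside %SystemRoot%\system32, or a service name you cannot
    # account for, is the thing to investigate; disable it via services.msc or
    # sc config so it does not come back after a reboot.
    Get-WmiObject Win32_Service -Filter "ProcessId = $procId" | ForEach-Object {
        $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters"
        $dll = (Get-ItemProperty -Path $paramKey -Name ServiceDll `
                -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { $dll = $_.PathName }   # standalone service: show its EXE
        Write-Output ("  {0,-20} {1,-8} {2,-9} {3}" -f $_.Name, $_.State, $_.StartMode, $dll)
    }
}
```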

guru | Joined: 13 Mar 2001 | Posts: 17968 | Posted: 08-10-2009 02:31 PM

OK, this whole thing is getting complicated (for me at least).

Here's where I stand now:

I was able to determine the process in the SVCHOST file that was associated with the PID for the connection to the machine in Denmark. The process was DCOMlaunch and something else that started with Term, I think. I disabled DCOM in the registry and checked dcomcnfg or whatever and made sure it was off there too, but even with that the connection still gets established and the DCOMLaunch is still there in the svchost file. Did some searching and found that you can't really disable DCOMLaunch in XP.

Running a virus scan now (it's 2.5 hours in and still plugging away) thinking maybe I'll get lucky and it will remove the offending code. But if it doesn't, I think I will have to throw in the towel and reformat/reinstall.

They have 15 gigs of MP3s they want me to save, though. Some are from iTunes, which leads me to my next question: is there some sort of crazy licensing scheme with files downloaded from iTunes that prevents you from just copying the file to another computer as backup and then copying them back over after reinstalling Windows?