#1: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-23 17:27:40 by pam

Can you help me understand what this SYN_SENT means from a security standpoint
on a home PC?

WINDOWSXP_SP2> netstat -a -n -b

Active Connections
Proto Local Address Foreign Address State PID
TCP 192.168.0.101:1058 63.236.111.222:80 SYN_SENT 912
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\System32\WINHTTP.dll
-- unknown component(s) --
[svchost.exe]

Here is what I tried ineffectively to debug so far.
Can you help me debug more?

Upon bootup, with no web browsers running, I ran netstat -a -n -b and saw this
SYN_SENT issue hanging at the SYN_SENT line. After a minute or two the netstat
completed as shown above.
..... I first looked up 63.236.111.222 on http://www.dnsstuff.com/ but it
didn't know who that was.
..... I then looked it up on http://ws.arin.net/whois/ which gave me THREE
owners for the same IP address, none of which I recognize and certainly none I
purposefully communicated with.
..... I looked up tcp/ip port 1058 and found it was registered to "nim" but
there is not much information about this port anywhere I could find.
..... Wikipedia has almost nothing on this special nim port 1058
http://en.wikipedia.org/wiki/Talk:TCP_and_UDP_port_numbers#nim_.281058.29_and_nimreg_.281059.29
..... The Microsoft Windows XP netstat doesn't even -list- a command called
SYN_SENT (it lists SYN_SEND)
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/netstat.mspx
..... However, other netstat manpages say " The socket is actively attempting
to establish a connection. " but what does THAT tell me?
http://dc.qut.edu.au/cgi-bin/man/man2html?netstat
..... A search for winhttp.dll & WS2_32.DLL is weird. I couldn't find a
DESCRIPTION for these dlls. That's weird.
http://support.microsoft.com/?id=837243 Where do we find descriptions of dlls?

Some housekeeping notes
..... I am running the latest Windows XP Service Pack 2
http://www.microsoft.com/athome/security/protect/windowsxp/Default.mspx
..... I ran the Microsoft Malicious Software Removal Tool but it didn't find
anything suspicious
http://www.microsoft.com/security/malwareremove/default.mspx
..... My avast antivirus doesn't list anything suspicious like Blaster or
anything like that.
..... I don't even -see- the connection in my sygate personal firewall traffic
logs
..... I'm wireless on a two PC home network

I'm flailing around ineffectively trying to figure this out so now I'm asking
you for help.

Can you give me the straight scoop on how to stop this problem?


Thanks, .....Pam

#2: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-24 04:27:46 by Steven L Umbach

The whois search indicates that this IP is for Qwest communications so I
doubt that it is malicious traffic. Maybe your ISP, other internet service,
or an application you have on your computer has something to do with Qwest.
Your SYN_SENT means that a session is being established with their website
at that IP and is part of the tcp/ip handshake to establish a connection.
Such can be done to check for updates, etc or possibly spyware so you should
also scan for Spyware with something like AdAware SE. Antivirus programs do
not check for spyware. Another thing you could do is to install, even if
just temporarily, a software firewall like Zone Alarm that would alert you
when an application is trying to access the internet and show you which
application. --- Steve

http://www.lavasoftusa.com/software/adaware/ --- AdAware SE
http://www.snapfiles.com/Freeware/security/fwfirewall.html --- Link to Zone
Alarm

"Pam" <per1818@nospam.planttel.net> wrote in message
news:0olLf.24221$_S7.793@newssvr14.news.prodigy.com...
> Can you help me understand what this SYN_SENT means from a security
> standpoint
> on a home PC?
>
> WINDOWSXP_SP2> netstat -a -n -b
>
> Active Connections
> Proto Local Address Foreign Address State
> PID
> TCP 192.168.0.101:1058 63.236.111.222:80 SYN_SENT 912
> C:\WINDOWS\system32\WS2_32.dll
> C:\WINDOWS\System32\WINHTTP.dll
> -- unknown component(s) --
> [svchost.exe]
>
> Here is what I tried ineffectively to debug so far.
> Can you help me debug more?
>
> Upon bootup, with no web browsers running, I ran netstat -a -n -b and saw
> this
> SYN_SENT issue hanging at the SYN_SENT line. After a minute or two the
> netstat
> completed as shown above.
> .... I first looked up 63.236.111.222 on http://www.dnsstuff.com/ but it
> didn't know who that was.
> .... I then looked it up on http://ws.arin.net/whois/ which gave me THREE
> owners for the same IP address, none of which I recognize and certainly
> none I
> purposefully communicated with.
> .... I looked up tcp/ip port 1058 and found it was registered to "nim" but
> there is not much information about this port anywhere I could find.
> .... Wikipedia has almost nothing on this special nim port 1058
> http://en.wikipedia.org/wiki/Talk:TCP_and_UDP_port_numbers#nim_.281058.29_and_nimreg_.281059.29
> .... The Microsoft Windows XP netstat doesn't even -list- a command called
> SYN_SENT (it lists SYN_SEND)
> http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/netstat.mspx
> .... However, other netstat manpages say " The socket is actively
> attempting
> to establish a connection. " but what does THAT tell me?
> http://dc.qut.edu.au/cgi-bin/man/man2html?netstat
> .... A search for winhttp.dll & WS2_32.DLL is weird. I couldn't find a
> DESCRIPTION for these dlls. That's weird.
> http://support.microsoft.com/?id=837243 Where do we find descriptions of
> dlls?
>
> Some housekeeping notes
> .... I am running the latest Windows XP Service Pack 2
> http://www.microsoft.com/athome/security/protect/windowsxp/Default.mspx
> .... I ran the Microsoft Malicious Software Removal Tool but it didn't
> find
> anything suspicious
> http://www.microsoft.com/security/malwareremove/default.mspx
> .... My avast antivirus doesn't list anything suspicious like Blaster or
> anything like that.
> .... I don't even -see- the connection in my sygate personal firewall
> traffic
> logs
> .... I'm wireless on a two PC home network
>
> I'm flailing around ineffectively trying to figure this out so now I'm
> asking
> you for help.
>
> Can you give me the straight scoop on how to stop this problem?
>
>
> Thanks, .....Pam

#3: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port1058 ?

Posted on 2006-02-24 08:19:42 by Sebastian Gottschalk

Steven L Umbach wrote:

> Such can be done to check for updates, etc or possibly spyware so you should
> also scan for Spyware with something like AdAware SE.

AdAware is not a Spyware scanner, it's an adware scanner. Even though
obviously it is actually focusing on Spyware.
Anyway, it's crap. Just run it over a clean system and you'll see what a
load of bullshitting false positives it generates. Besides that you'll
need to mess with file access rights when trying to install it as a
non-admin user, and the GUI is nearly unusable if you have disabled
the MSIE rendering engine (for safety).

> Another thing you could do is to install, even if
> just temporarily, a software firewall like Zone Alarm that would alert you
> when an application is trying to access the internet and show you which
> application.

That's about as reliable as a squirrel (which is the devil). Didn't
Volker Birk show often enough that any Personal "Firewall" is trivially
circumvented with almost any of Windows' automation mechanisms? And
that's default for almost any modern malware. Hey, even RealPlayer 8
knew how to circumvent any stupid PFWs set up by stupid users for stupid
reasons.


Besides that, your analysis is kind of strange.

>> Active Connections
>> Proto Local Address Foreign Address State
>> PID
>> TCP 192.168.0.101:1058 63.236.111.222:80 SYN_SENT 912
>> C:\WINDOWS\system32\WS2_32.dll
>> C:\WINDOWS\System32\WINHTTP.dll
>> -- unknown component(s) --
>> [svchost.exe]

WINHTTP.dll is the relevant component for the Webclient service, which
allows mapping WebDAV, FTP and simple HTTP requests to certain
_interactive_ file access dialogs.

Alternatively, it's part of the BITS service which allows low priority
background downloads and is pretty useless for almost any malware.

#4: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port1058 ?

Posted on 2006-02-24 10:53:01 by Robert Lambe

> WINDOWSXP_SP2> netstat -a -n -b
>
> Active Connections
> Proto Local Address Foreign Address State PID
> TCP 192.168.0.101:1058 63.236.111.222:80 SYN_SENT 912
> C:\WINDOWS\system32\WS2_32.dll
> C:\WINDOWS\System32\WINHTTP.dll
> -- unknown component(s) --
> [svchost.exe]

> .... I first looked up 63.236.111.222 on http://www.dnsstuff.com/ but it
> didn't know who that was.

http://www.dnsstuff.com/tools/ipall.ch?domain=63.236.111.222
http://www.whois.sc/63.236.111.222

The web server at the above IP is using host header security. I would
attempt a packet capture to learn host header values to access the site.
It is quite odd, though.

> .... I looked up tcp/ip port 1058 and found it was registered to "nim" but
> there is not much information about this port anywhere I could find.

No worries, it's just an ephemeral port.

> .... The Microsoft Windows XP netstat doesn't even -list- a command called
> SYN_SENT (it lists SYN_SEND)

I am quite sure that the two are synonymous.

> .... However, other netstat manpages say " The socket is actively attempting
> to establish a connection. " but what does THAT tell me?

192.168.0.101:1058 sent a syn to 63.236.111.222:80 and awaits a syn/ack
response.

> .... A search for winhttp.dll & WS2_32.DLL is weird. I couldn't find a
> DESCRIPTION for these dlls.

ws2_32 is likely winsock2. WinHTTP is this groovy little windows
component. I've written web spiders using it. I would look for a script
to be utilizing this component at boot time, according to your observation.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winhttp/http/about_winhttp.asp

#5: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-24 13:03:52 by Volker Birk

In comp.security.firewalls Pam <per1818@nospam.planttel.net> wrote:
> WINDOWSXP_SP2> netstat -a -n -b
> Active Connections
> Proto Local Address Foreign Address State PID
> TCP 192.168.0.101:1058 63.236.111.222:80 SYN_SENT 912
> C:\WINDOWS\system32\WS2_32.dll
> C:\WINDOWS\System32\WINHTTP.dll
> -- unknown component(s) --
> [svchost.exe]
> Here is what I tried ineffectively to debug so far.

What process had PID 912?

Yours,
VB.
--
If you regard "I see mathematics as the only field where there are clear
proofs." and "I feel uncomfortable in a suit." as statements with
equivalent content of opinion, then your analogy is right.
(Michail Bachmann to Thomas Wallutis in d.a.s.r)

#6: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port1058 ?

Posted on 2006-02-24 13:17:59 by Sebastian Gottschalk

Volker Birk wrote:
> In comp.security.firewalls Pam <per1818@nospam.planttel.net> wrote:
>> WINDOWSXP_SP2> netstat -a -n -b
>> Active Connections
>> Proto Local Address Foreign Address State PID
>> TCP 192.168.0.101:1058 63.236.111.222:80 SYN_SENT 912
>> C:\WINDOWS\system32\WS2_32.dll
>> C:\WINDOWS\System32\WINHTTP.dll
>> -- unknown component(s) --
>> [svchost.exe]
~~~~~~~~~~~

>> Here is what I tried ineffectively to debug so far.
>
> What process had PID 912?

Didn't get enough sleep? :-)

#7: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-24 13:36:42 by Eirik Seim

On Fri, 24 Feb 2006 13:17:59 +0100, Sebastian Gottschalk wrote:

> Didn't get enough sleep? :-)

It's just a matter of balancing the equation with enough
coffee.

--
New and exciting signature!

#8: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port1058 ?

Posted on 2006-02-24 13:58:16 by Sebastian Gottschalk

Eirik Seim wrote:
> On Fri, 24 Feb 2006 13:17:59 +0100, Sebastian Gottschalk wrote:
>
>> Didn't get enough sleep? :-)
>
> It's just a matter of balancing the equation with enough
> coffee.

Actually it's a race condition. To get awake, you need some coffee, but
you're too tired to use the coffee machine.

But this is no problem since Emacs fully implements RFC 2324 (Hyper Text
Coffee Pot Control Protocol). And AFAIK recently someone has built a
coffee machine that supports it, too. Now that's serious competition for
my NetBSD toaster.

#9: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-24 14:09:46 by Volker Birk

Sebastian Gottschalk <seppi@seppig.de> wrote:
> Volker Birk wrote:
> > In comp.security.firewalls Pam <per1818@nospam.planttel.net> wrote:
> >> WINDOWSXP_SP2> netstat -a -n -b
> >> Active Connections
> >> Proto Local Address Foreign Address State PID
> >> TCP 192.168.0.101:1058 63.236.111.222:80 SYN_SENT 912
> >> C:\WINDOWS\system32\WS2_32.dll
> >> C:\WINDOWS\System32\WINHTTP.dll
> >> -- unknown component(s) --
> >> [svchost.exe]
> ~~~~~~~~~~~
> >> Here is what I tried ineffectively to debug so far.
> > What process had PID 912?
> Didn't get enough sleep? :-)

Yes, indeed ;-)

Yours,
VB.
--
If you regard "I see mathematics as the only field where there are clear
proofs." and "I feel uncomfortable in a suit." as statements with
equivalent content of opinion, then your analogy is right.
(Michail Bachmann to Thomas Wallutis in d.a.s.r)

#10: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-24 14:10:19 by Volker Birk

Eirik Seim <eirik@mi.uib.no> wrote:
> On Fri, 24 Feb 2006 13:17:59 +0100, Sebastian Gottschalk wrote:
> > Didn't get enough sleep? :-)
> It's just a matter of balancing the equation with enough
> coffee.

*slurp*

VB.oO( HTH )
--
If you regard "I see mathematics as the only field where there are clear
proofs." and "I feel uncomfortable in a suit." as statements with
equivalent content of opinion, then your analogy is right.
(Michail Bachmann to Thomas Wallutis in d.a.s.r)

#11: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-24 15:58:38 by somebody.

"Sebastian Gottschalk" <seppi@seppig.de> wrote in message
news:468e79F9uigiU1@news.dfncis.de...
> Eirik Seim wrote:
>> On Fri, 24 Feb 2006 13:17:59 +0100, Sebastian Gottschalk wrote:
>>
>>> Didn't get enough sleep? :-)
>>
>> It's just a matter of balancing the equation with enough
>> coffee.
>
> Actually it's a race condition. To get awake, you need some coffee, but
> you're too tired to get using the coffee machine.
>
> But this is no problem since Emacs fully implements RFC 2324 (Hyper Text
> Coffee Pot Control Protocol). And AFAIK recently someone has build a
> coffee machine that supports it, too. Now that's serious concurrence for
> my NetBSD toaster.

You know, I always wondered why the first webcam (to achieve much publicity
anyway) was watching a coffee pot.

Then I got a job in a larger office full of developers and I found out.

:-)

-Russ.

#12: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-24 16:40:37 by Eirik Seim

On Fri, 24 Feb 2006 09:58:38 -0500, Somebody. wrote:

[snip]

> You know, I always wondered why the first webcam (to achieve much publicity
> anyway) was watchcing a coffee pot.
>
> Then I got a job in a larger office full of developers and I found out.

I believe that is one of the still unanswered questions in
science, how to accurately specify requirements for QoS using
distributed coffee solutions in large networks.

I've done some research in the area, but the results are
inconclusive:

The cost of high-performance equipment tends to be significant,
and with the current technology there will still be a threat
of congestion at peak hours.

A plain coffee pot will have to be sized after the expected
throughput, its size variations greatly affecting performance
in terms of temperature and other QoS factors. There is also
a problem when people empty the pot and fail to initiate the
process to refill it. This is more of a social problem, and
should be studied independently.

The coffee machines that deliver just one cup at a time eliminate
most of the QoS problems, but are more prone to congestion.
Further research is needed in this area.

Anyone got links to related work or statistics?

--
New and exciting signature!

#13: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port1058 ?

Posted on 2006-02-24 18:31:20 by Quaestor

Sebastian Gottschalk wrote:

>Steven L Umbach wrote:
>
>
>
>>Such can be done to check for updates, etc or possibly spyware so you should
>>also scan for Spyware with something like AdAware SE.
>>
>>
>
>AdAware is not Spyware scanner, it's an adware scanner. Even though
>obviously it is actually focusing on Spyware.
>Anyway, it's crap.
>

It's excellent.

>Just run it over a clean system and you'll what a
>load of bullshitting false positives it generates.
>

None. You are either too forgiving about what asswipes like to put on
your machine, or you ARE one, a shill.



--
Godwin is a net-nazi
Learn about spam: http://www.seige-perilous.org/spam/spam.html

#14: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-24 19:43:00 by Sebastian Gottschalk

Quaestor wrote:

>> AdAware is not Spyware scanner, it's an adware scanner. Even though
>> obviously it is actually focusing on Spyware.
>> Anyway, it's crap.
>
> It's excellent.

I needed a lot of fissle to even make it install! It seems like those
guys never heard something about file access controls. There's
absolutely no need for the installer trying to write temporary data to
%windir%\system32.

>> Just run it over a clean system and you'll what a
>> load of bullshitting false positives it generates.
>>
>
> None. You are either too forgiving about what asswipes like to put on
> your machine, or you ARE one, a shill.

I don't consider non-default explorer settings, WinSrv03 IE hardening
Configuration, a full-zero GUID registry entry for COM debugging or
non-write-access to the hosts file as a non-admin user as any problem,
in fact it's the contrary.
Anyway, there're no asswipes putting anything on my machine. Neither
would I allow them nor would they be able to do so.

And I don't understand what you want to tell me - these tools clearly
show that my system, as supposed to be clean, is clean and the only
entries are really something I'm laughing about _exactly because I
understand them_.

#15: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-24 21:01:58 by ibuprofin

On Thu, 23 Feb 2006, in the Usenet newsgroup comp.security.firewalls, in article
<0olLf.24221$_S7.793@newssvr14.news.prodigy.com>, Pam wrote:

> Can you help me understand what this SYN_SENT means from a security
> standpoint on a home PC?

Your system initiated a connection. See any decent textbook on TCP such
as 'TCP/IP Network Administration' 3rd Edition (O'Reilly & Assoc, ISBN
0-596-00297-1, April 2004, 746 pgs, US$45) by Craig Hunt, or W. Richard
Stevens' classic book 'TCP/IP Illustrated Volume 1' (Addison-Wesley, ISBN
0-201-93346-9). Briefly, your computer sends a TCP packet with the SYN
flag set and a randomly generated sequence number. The peer should
respond with a packet with the SYN and ACK flags set, agreeing to your
random number, and proposing one of its own. Your system would then
respond with a third packet with the ACK flag, agreeing to the peer's
random number. This is the "three-way handshake" that starts a TCP
connection. The random numbers are used to keep track of bits sent.
Now, the peer may not wish to talk to you, and instead of responding with
a SYN ACK packet, may respond with an ACK RST packet, which basically says
"go away kid, you're bothering me" and that is the end of that.

> WINDOWSXP_SP2> netstat -a -n -b

Sorry, I don't do windoze.

> Active Connections
> Proto Local Address Foreign Address State PID
> TCP 192.168.0.101:1058 63.236.111.222:80 SYN_SENT 912

Process 912 on your system (192.168.0.101) sent a SYN packet from port 1058,
which is an ephemeral port allocated to users, to 63.236.111.222 hoping to
connect to the web server running on port 80 of that system. Apparently, it
did not respond (which could be a firewall issue as that host seems to be
alive).

> Upon bootup, with no web browsers running, I ran netstat -a -n -b and saw
> this SYN_SENT issue hanging at the SYN_SENT line. After a minute or two
> the netstat completed as shown above.

You may not have a browser running, but something wants to talk to a web
server. As mentioned, I don't do windoze.

> .... I first looked up 63.236.111.222 on http://www.dnsstuff.com/ but it
> didn't know who that was.

Yes, the idiots running the datacenter did not configure a DNS PTR record.

> .... I then looked it up on http://ws.arin.net/whois/ which gave me THREE
> owners for the same IP address, none of which I recognize and certainly
> none I purposefully communicated with.

[compton ~]$ whois 63.236.111.222
[whois.arin.net]
Qwest Communications Corporation QWEST-INET-9 (NET-63-236-0-0-1)
63.236.0.0 - 63.239.255.255
Qwest Cybercenters QWEST-CYBERCENTER (NET-63-236-0-0-2)
63.236.0.0 - 63.236.127.255
Savvis Communications Corporation QWEST-IAD-SAVVIS (NET-63-236-111-192-1)
63.236.111.192 - 63.236.111.223

# ARIN WHOIS database, last updated 2006-02-23 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
[compton ~]$

QWorst is one of the 'Baby Bells' - a regional telephone company with
delusions of grandeur. The 'Cybercenters' is a data center (think of
a large building with a major sized data cable, and rooms or cages leased
out to providers). Savvis is a "well known" provider who seems to have no
concern who they rent space, addresses, and bandwidth to. So, QWorst owns
the address, this block seems to be located in a data center they own in
the Washington DC metro area, and Savvis has leased a small block of
addresses there. Savvis _probably_ has sub-leased bandwidth to one of
their customers.

> .... I looked up tcp/ip port 1058 and found it was registered to "nim" but
> there is not much information about this port anywhere I could find.
> .... Wikipedia has almost nothing on this special nim port 1058
> http://en.wikipedia.org/wiki/Talk:TCP_and_UDP_port_numbers#nim_.281058.29_and_nimreg_.281059.29

Meaningless. Your system wants to communicate, and grabs a semi-random
number over 1024 (ports below 1025 "should" be reserved for server
applications) and uses that to source the connection. On a general basis,
port numbers are only registered/reserved on the _destination_ end of a
conversation. By this - you want to connect to "some" service. There are
65536 ports on the server, and which should you connect to in order to get
the service you are looking for? The answer is the registered/reserved or
'well known' port for that service.

> .... The Microsoft Windows XP netstat doesn't even -list- a command called
> SYN_SENT (it lists SYN_SEND)

SYN_SENT is a state - a condition. It's not a command.

> .... I am running the latest Windows XP Service Pack 2

> .... I ran the Microsoft Malicious Software Removal Tool but it didn't
> find anything suspicious

> .... My avast antivirus doesn't list anything suspicious like Blaster or
> anything like that.

Nonetheless, _something_ on your system decided it wanted to connect to
a web server.

> Can you give me the straight scoop on how to stop this problem?

No, I got rid of windoze before microsoft belatedly invented networking some
13 years after everyone else.

Old guy

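
The handshake described in the post above, and the three ways an attempt that is sitting in SYN_SENT can end (a SYN/ACK that agrees to our number, an RST/ACK refusal, or no answer at all so the SYN is retransmitted until the stack gives up), as an added example that is not part of the original thread. The peer behaviours, the retry count and the sequence numbers are constructed for illustration and do not model any particular Windows stack; the fourth peer mode ("bogus") is there only to show that a SYN/ACK which does not acknowledge our own sequence number is ignored.

```python
"""Client side of the TCP three-way handshake described above, with the ways
an attempt in SYN_SENT can end: SYN/ACK (ESTABLISHED), RST/ACK (refused), or
no answer (retransmit, then give up). Added example; peer behaviours, retry
count and sequence numbers are constructed, not taken from any real stack."""
import random
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Segment:
    flags: FrozenSet[str]
    seq: int
    ack: Optional[int] = None


def flags(*names: str) -> FrozenSet[str]:
    return frozenset(names)


class Peer:
    """Hypothetical web server. Modes (constructed for this example):
    accept - normal SYN/ACK;   refuse - RST/ACK ("go away kid");
    silent - never answers (e.g. the SYN is dropped by a firewall);
    bogus  - SYN/ACK that does not acknowledge our sequence number."""

    def __init__(self, mode: str) -> None:
        self.mode = mode
        self.received = 0          # segments seen, so callers can count retransmits

    def respond(self, seg: Segment) -> Optional[Segment]:
        self.received += 1
        if "SYN" not in seg.flags or self.mode == "silent":
            return None
        if self.mode == "refuse":
            return Segment(flags("RST", "ACK"), seq=0, ack=seg.seq + 1)
        ack = seg.seq + (1 if self.mode == "accept" else 99)
        return Segment(flags("SYN", "ACK"), seq=random.getrandbits(32), ack=ack)


class TcpClient:
    SYN_RETRIES = 2                # constructed: SYN retransmissions before giving up

    def __init__(self) -> None:
        self.state = "CLOSED"
        self.history: List[str] = ["CLOSED"]

    def _move(self, state: str) -> None:
        self.state = state
        self.history.append(state)

    def connect(self, peer: Peer) -> str:
        """Run the handshake against `peer`; return why the attempt ended."""
        isn = random.getrandbits(32)                 # our random initial sequence number
        syn = Segment(flags("SYN"), seq=isn)
        self._move("SYN_SENT")                       # the state netstat showed in the post
        for _ in range(1 + self.SYN_RETRIES):
            reply = peer.respond(syn)                # (re)transmit the SYN
            if reply is None:
                continue                             # silence: stay in SYN_SENT and retry
            if "RST" in reply.flags:
                self._move("CLOSED")
                return "refused"                     # peer actively declined
            if reply.flags == flags("SYN", "ACK") and reply.ack == isn + 1:
                # third packet: acknowledge the peer's ISN; the connection is up
                peer.respond(Segment(flags("ACK"), seq=isn + 1, ack=reply.seq + 1))
                self._move("ESTABLISHED")
                return "established"
            # a SYN/ACK that does not agree to our number is not ours: ignore it
        self._move("CLOSED")
        return "timeout"                             # gave up after all retransmits


if __name__ == "__main__":
    for mode in ("accept", "refuse", "silent", "bogus"):
        client = TcpClient()
        outcome = client.connect(Peer(mode))
        print(f"{mode:7s} -> {outcome:12s} {' -> '.join(client.history)}")
```

The "silent" case is the one the netstat in this thread shows: nothing comes back, so the socket stays in SYN_SENT while the SYN is retransmitted, and only after the last retry does it drop back to CLOSED. A refusal (RST/ACK) ends the attempt immediately, which is why a connection that lingers in SYN_SENT points at a dropped packet rather than a closed port.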
#16: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-25 02:33:32 by donnie

On Thu, 23 Feb 2006 16:27:40 GMT, "Pam" <per1818@nospam.planttel.net>
wrote:

>WINDOWSXP_SP2> netstat -a -n -b
>
>Active Connections
> Proto Local Address Foreign Address State PID
> TCP 192.168.0.101:1058 63.236.111.222:80 SYN_SENT 912
> C:\WINDOWS\system32\WS2_32.dll
> C:\WINDOWS\System32\WINHTTP.dll
> -- unknown component(s) --
> [svchost.exe]
################################################
arin.net showed Quest as the owner of that block. Search your HD and
the registry for quest. Run msconfig and look at the startup. You
might find something there.

#17: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-25 05:26:34 by pam

On 24/02/2006 donnie <donnie@queyosepa.org> wrote:
>>WINDOWSXP_SP2> netstat -a -n -b
>> Proto Local Address Foreign Address State PID
>> TCP 192.168.0.101:1058 63.236.111.222:80 SYN_SENT 912

>arin.net showed Quest as the owner of that block. Search your HD and
>the registry for quest. Run msconfig and look at the startup. You
>might find something there.

I wasn't sure how to tell what is running at startup so I googled for and
found a tiny program called "StartupList.exe" from Soeperman Enterprises, Ltd.
which listed all the programs running at startup.
None of these programs has "quest" in them though.
Do you see anything strange here?
Can I kill some of these initialization files?
Thanks, .....Pam


StartupList report, 02/23/2006, 9:02:23 PM
StartupList version: 1.52
Started from : C:\Program Files\os\start/p\startuplist\StartupList.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.5296.0000)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe
--------------------------------------------------
Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
avast! = c:\Program Files\vaccine\malware\avast4\ashDisp.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Download Program Files:

--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\TEMP\HGL1A2B.EXE
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
--------------------------------------------------
End of report, 4,170 bytes
--------------------------------------------------

#18: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-25 06:19:50 by pam

On 24/02/2006 ibuprofin@painkiller.example.tld (Moe Trin) wrote:
> Process 912 on your system (192.168.0.101) sent a packet to
> 63.236.111.222 hoping to connect to the web server running on port 80
> Your system wants to communicate, and grabs a semi-random
> number over 1024 as the port.

Thanks old guy!
You explained a lot!

One source of confusion you eliminated was the port used to make the outgoing
SYN request.
The evilware seems to change ports, as you predicted - e.g. it recently used
port 1032.
Thanks to your explanation, we can eliminate the port itself as a clue to the
solution of the dilemma.
I'll move on to debugging the process which seems to be svchost Generic Host
Process for Win32 Services, whatever that is.

Thanks, .....Pam

#19: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-25 06:24:30 by pam

On 24/02/2006 donnie <donnie@queyosepa.org> wrote:
>arin.net showed Quest as the owner of that block. Search your HD and
>the registry for quest.

I searched the Windows XP file system for "Quest" and for "Quest
Communications" but came up blank.
Even when I searched inside the files, I mostly came up with hundreds of
"requests" and "questions" but not Quest Communications.

The registry search came up with similar results even after googling for and
downloading an enhanced registry search tool called "NirSoft regscanner" from
http://www.nirsoft.net/utils/regscanner.html

Most of the information I found I couldn't tell if it was significant or not
but none had the words "Quest Communications" unfortunately.

It was a good try though!
Thanks, .....Pam

#20: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-25 06:33:15 by pam

On 24/02/2006 Eirik Seim <eirik@mi.uib.no> wrote:
>I believe that is one of the still unanswered questions in
>science, how to acurately specify requirements for QoS using
>distributed coffee solutions in large networks.

I'm not sure if you're poking fun at me or at the world at large or if this is
a technical discussion that I'm not understanding.

I did find a strange file which seems to be related to a virus but maybe not
from my googling.

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\TEMP\GLB1A2B.EXE

I'm in the process of figuring out just what GLB1A2B.EXE is really.

Thanks, .....Pam

#21: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-25 07:04:57 by pam

On 24/02/2006 Volker Birk <bumens@dingens.org> wrote:
>> WINDOWSXP_SP2> netstat -a -n -b
>> Proto Local Address Foreign Address State PID
>> TCP 192.168.0.101:1058 63.236.111.222:80 SYN_SENT 912
>> C:\WINDOWS\system32\WS2_32.dll
>> C:\WINDOWS\System32\WINHTTP.dll
>> -- unknown component(s) --
>> [svchost.exe]

>What process had PID 912?

I rebooted and ran netstat again a few times and at first did not know how to
see what process was 912 until I found and installed something called NirSoft
CurrProcess http://www.nirsoft.net/utils/cprocess.html which told me it was
the "svchost.exe" process and that this process was owned by the "NT
AUTHORITY\SYSTEM".

I tried finding more information about that process by downloading something
called Sysinternals Process Explorer by Mark Russinovich
http://www.sysinternals.com but I could not comprehend the information in the
bottom bar of the window (Thread, Semaphore, Port, Mutant, KeyedEvent, Key,
WindowStation, etc).

It seems that one of my many svchost "Generic Host Process for Win32 Services"
processes is the culprit which is initiating "SYN_SENT" signals on random
ports to Quest Communications (63.236.111.222) at port 80.
But why?

Even though I ran and reran a virus scan, malware scan, Ad-Aware scan, Spybot
Search and Destroy scan, etc., do you think this unsolicited request to
63.236.111.222 at port 80 might be related to the strange C:\TEMP\GLB1A2B.EXE
file I saw but which went away after a reboot?


#22: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-25 07:14:52 by Sebastian Gottschalk

Pam wrote:
> On 24/02/2006 Eirik Seim <eirik@mi.uib.no> wrote:
>> I believe that is one of the still unanswered questions in
>> science, how to accurately specify requirements for QoS using
>> distributed coffee solutions in large networks.
>
> I'm not sure if you're poking fun at me

Not at you.

> or at the world at large

Is there a world outside the server room? Well, must be, where else
should the pizza man come from?

> Windows NT 'Wininit.ini':
> PendingFileRenameOperations: C:\TEMP\GLB1A2B.EXE
>
> I'm in the process of figuring out just what GLB1A2B.EXE is really.

Most likely just a temporary file from an installer.


#23: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-25 07:16:37 by pam

On 24/02/2006 Dom <invalid@invalid.invalid> wrote:
>> WINDOWSXP_SP2> netstat -a -n -b
>> Proto Local Address Foreign Address State PID
>> TCP 192.168.0.101:1058 63.236.111.222:80 SYN_SENT 912
>> C:\WINDOWS\system32\WS2_32.dll
>> C:\WINDOWS\System32\WINHTTP.dll
>> -- unknown component(s) --
>> [svchost.exe]

> http://www.dnsstuff.com/tools/ipall.ch?domain=63.236.111.222
> http://www.whois.sc/63.236.111.222
> The web server at the above IP is using host header security. I would
> attempt a packet capture to learn host header values to access the site.
> It is quite odd, though. 192.168.0.101:1058 sent a syn to 63.236.111.222:80
> and awaits a syn/ack response.

> I would look for a script
>to be utilizing this component at boot time, according to your observation.

I did an experiment of turning off my ISP's connection and the problem only
seems to occur at bootup. In this case (which maybe I didn't get right on
time) I saw
UDP 0.0.0.0:1032 *:* 920
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
c:\windows\system32\DNSAPI.dll
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
[svchost.exe]

Whereas it always seems to be, the process 920 resolved to "svchost.exe",
which I'm pretty unsure of what it does, especially after googling for it, as
there are a handful of svchost.exe processes always running.

Where would I find boot up scripts that might be calling this?
All I know to look for is where the NirSoft startuplist program indicated
there was something in
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe

and in
Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\TMP\GLB1A2B.EXE

The contents of the Windows XP C:\Windows\wininit.ine file seem to be:

[Rename]
NUL=
NUL=
NUL=
... (about twenty of these NUL lines are all the same)

At this point I don't know what to do to find out WHY my WinXP pc is
initiating these SYN_SENT requests from my 192.168.0.101 to the "Quest
Communications" 63.236.111.222 server on port 80 in the early minutes after a
reboot if the internet connection is alive on the wireless two-pc home
network. Do you?


#24: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-25 07:18:32 by Sebastian Gottschalk

Pam wrote:
> On 24/02/2006 Volker Birk <bumens@dingens.org> wrote:
>>> WINDOWSXP_SP2> netstat -a -n -b
>>> Proto Local Address Foreign Address State PID
>>> TCP 192.168.0.101:1058 63.236.111.222:80 SYN_SENT 912
>>> C:\WINDOWS\system32\WS2_32.dll
>>> C:\WINDOWS\System32\WINHTTP.dll
>>> -- unknown component(s) --
>>> [svchost.exe]
>
>> What process had PID 912?
>
> I rebooted and ran netstat again a few times and at first did not know how to
> see what process was 912 until I found and installed something called NirSoft
> CurrProcess http://www.nirsoft.net/utils/cprocess.html which told me it was
> the "svchost.exe" process and that this process was owned by the "NT
> AUTHORITY\SYSTEM".
>
> I tried finding more information about that process by downloading something
> called Sysinternals Process Explorer by Mark Russinovich
> http://www.sysinternals.com but I could not comprehend the information in the
> bottom bar of the window (Thread, Semaphore, Port, Mutant, KeyedEvent, Key,
> WindowStation, etc).
>
> It seems that one of my many svchost "Generic Host Process for Win32 Services"
> processes is the culprit which is initiating "SYN_SENT" signals on random
> ports to Quest Communications (63.236.111.222) at port 80.

Wow, repeating my analysis from <news:467qceF98qirU1@news.dfncis.de>.

> But why?

Any BITS download leftover? Your DNS server? Random DNS lookups of
non-accepted connections due to some misconfigured mechanism? Any
special software running, looking for an automatic update or alike?

> might be related to the strange C:\TEMP\GLB1A2B.EXE
> file I saw but which went away after a reboot?

That what pending rename operations are good for. Most likely it's just
part of an uninstaller (which is not clever enough to delete itself
without letting Windows schedule it).


#25: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-25 07:22:47 by Sebastian Gottschalk

Pam wrote:
> I did an experiment of turning off my ISP's connection and the problem only
> seems to occur at bootup. In this case (which maybe I didn't get right on
> time) I saw
> UDP 0.0.0.0:1032 *:* 920
> C:\WINDOWS\system32\mswsock.dll
> C:\WINDOWS\system32\WS2_32.dll
> c:\windows\system32\DNSAPI.dll
> C:\WINDOWS\system32\mswsock.dll
> C:\WINDOWS\system32\WS2_32.dll
> [svchost.exe]

That's the DnsCache service of Windows. Nothing to see here, move along.

> Where as it always seems to be, the process 920 resolved to "svchost.exe"
> which I'm pretty unsure of what it does especially after googling for it as
> there are a handful of svchosts.exe processes always running.

And you still didn't find the simple technical description of svchost
and why this is normal behaviour?

> Where would I find boot up scripts that might be calling this?

HijackThis?

> there was something in
> [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
> UserInit = C:\WINDOWS\system32\userinit.exe

That something is part of the normal login process.

> The contents of the Windows XP C:\Windows\wininit.ine file seem to be:
>
> [Rename]
> NUL=
> NUL=
> NUL=
> ... (about twenty of these NUL lines are all the same)

Yeah, quite normal.
Anyway, why do you have write access to that file? :-)


#26: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-25 07:25:13 by pam

On
>This IP is for Qwest communications
>Your SYN_SENT means that a session is being established with their website
>at that IP and is part of the tcp/ip handshake to establish a connection.
>Such can be done to check for updates, etc or possibly spyware so you should
>also scan for Spyware with something like AdAware SE.
> Another thing you could do is to install, even if a software firewall

I do have a software firewall on my windows xp pc behind my wireless router
and I did scan using not only AdAware but SpyBot Search and Destroy and the
Microsoft malicious software removal tool. None found anything suspicious but
there was that strange file GLB1A2B.EXE which I'm still trying to figure out
if it is a bad guy or part of AdAware which I updated before I ran the scan.

I can't find any legitimate use for this "TCP 192.168.0.101:1058
63.236.111.222:80 SYN_SENT process 912" Quest Communications outfit.

Why or how did they get into my startup sequence such that it makes my machine
send the SYN_SENT signal to their port 80?
Can they figure out my ISP IP address from this one-way communication?

Thanks, .....Pam


#27: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-25 07:39:28 by Sebastian Gottschalk

Pam wrote:
> On
>> This IP is for Qwest communications
>> Your SYN_SENT means that a session is being established with their website
>> at that IP and is part of the tcp/ip handshake to establish a connection.
>> Such can be done to check for updates, etc or possibly spyware so you should
>> also scan for Spyware with something like AdAware SE.
>> Another thing you could do is to install, even if a software firewall
>
> I do have a software firewall

That might be the actual cause of the problem.


#28: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-25 07:47:52 by pam

On 24/02/2006 Sebastian Gottschalk <seppi@seppig.de> wrote:
> Is there a world outside the server room?
> Well, must be, where else would pizza come from?

You are hilarious! You are as good as Seinfeld. They should do a show on that
topic.

>> I'm in the process of figuring out just what GLB1A2B.EXE is really.
>Most likely just a temporary file from an uninstall.

Half of what I found in the googling said glb1a2b is somehow related to
ZoneAlarm or AdAware (both of which I have running) but some say it's related
to a virus as shown below.
So, like the gal with two watches, the more I look the more I become unsure of
the real answer.

Thanks, .....Pam

http://groups.google.com/group/nz.comp/msg/f0cb6adecb6e3f1e?q=GLB1A2B.exe&hl=en&lr=&ie=UTF-8&oe=UTF-8&rnum=1
Here,

Details - This is a combo worm and virus - and is transmitted by e-
mail that will include a file attachment that appears to be a text file.

The file is - in fact - text, but is a Program Information File (which
usually carries a .pif file extension). When executed it will dump a
payload file into the \windows\temp directory (or whatever your
default temp directory is!) with the file name GLB1A2B.EXE and
then execute this program.

To save you all the gory details - the short version is that GLB1A2B
will add the files MTX_.EXE and IE_PACK.EXE to the windows
directory, as well as a file titled WININIT.INI. Every time windows is
started the WININIT file will load the other programs, and the
computer will attempt to call home. If the programs fail to reach the
author, they will repeat the attempt every two minutes until
successful.

GLB1A2B also fixes a hidden attribute to many of the files so that
they are 'typically' invisible to the end user.

Once MTX_ or IE_PACK run - as many as 60 other files can be
infected - making the virus virtually impossible to remove manually

Detection - Start Windows Explorer, click on View and then folder
options. Click on the view tab, and then click on the radio button next
to "show all files". Click on apply and then OK. Next click
on Tools,
Find Files and Folders. Conduct a search on Drive C for a file titled
MTX_.EXE and / or IE_PACK.EXE.

If either of these files are located, disconnect the computer from its
internet access and obtain a copy of Mcafee's Anti-Virus program,
including the update version 4094.

Mcafee was the first company (and the only one I know of at this
time) that has virus definitions for this one - the bug was discovered
on 8/30/00. McAfee's antivirus program will rename and / or delete
the infected files - but you may need to manually reinstall certain
Windows programs such as REGEDIT, NOTEPAD, CALC, etc.

Transmission - via e-mail manually, or via Microsoft e-mail programs
in the same manner as the love-bug. There are several (as many as
a hundred or so) different e-mail subject lines, most of which
reference MP3 files, Napster, or pornographic image files.

Closing information - we haven't figured out what information is sent
back to the point of origin, or the exact point of origin, other than
to
say that it's in Germany somewhere! Additional information is
available from

www.mcafee.com

as well as the latest virus definitions. One extremely interesting
feature of the bug is that if you are infected, and you attempt to
access mcafee.com or datafellows.com in an effort to obtain virus
information or definitions etc. the bug will cause Internet Explorer
(versions 4.X and 5.X at least) to crash. We haven't tested it with
Netscape.


#29: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-25 08:19:13 by pam

On 24/02/2006 Sebastian Gottschalk <seppi@seppig.de> wrote:
>> UDP 0.0.0.0:1032 *:* 920
>That's the DnsCache service of Windows.
>HijackThis?

I keep running the netstat and keep seeing MORE AND MORE of these SYN_SENT
signals, for example.

TCP 192.168.0.102:1435 207.46.20.93:80 SYN_SENT 920
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\System32\WINHTTP.dll
[svchost.exe]

To make matters even more exasperating, THIS ip address resolves to Microsoft
themselves!
http://www.whois.sc/207.46.20.93
http://www.dnsstuff.com/tools/ipall.ch?domain=207.46.20.93

For some reason, my WinXP PC is sending a variety of TCP handshakes out on
random ports connecting to port 80 of a variety of servers for what reason I
do not know.

I just located & downloaded HijackThis
(http://www.download.com/HijackThis/3000-8022_4-10227353.html) to see if there
is something it can report.

Thanks, .....Pam


#30: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-25 09:20:34 by Sebastian Gottschalk

Pam wrote:

> I keep running the netstat and keep seeing MORE AND MORE of these SYN_SENT
> signals, for example.
>
> TCP 192.168.0.102:1435 207.46.20.93:80 SYN_SENT 920
> C:\WINDOWS\system32\WS2_32.dll
> C:\WINDOWS\System32\WINHTTP.dll
> [svchost.exe]
>
> To make matters even more exasperating, THIS ip address resolves to Microsoft
> themselves!
> http://www.whois.sc/207.46.20.93
> http://www.dnsstuff.com/tools/ipall.ch?domain=207.46.20.93

Unbelievable, WinXP's Automatic Update Service actually works!

> For some reason, my WinXP PC is sending a variety of TCP handshakes out on
> random ports

Wow, random ports. But isn't that just how it's supposed to be?

> connecting to port 80 of a variety of servers for what reason I do not know.

The other servers could be part of Akamai's load balancing system that
is used by Microsoft. Unbelievable, they're using load balancing!


#31: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-25 11:46:27 by Robert Lambe

> I'll move on to debugging the process which seems to be svchost Generic Host
> Process for Win32 Services, whatever that is.

start>control panel>administrative tools>services


#32: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-25 17:51:12 by pam

On 25/02/2006 Sebastian Gottschalk <seppi@seppig.de> wrote:
>> I keep running the netstat -a -b -n and keep seeing more SYN_SENT signals
>> TCP 192.168.0.102:1435 207.46.20.93:80 SYN_SENT 920
>Unbelievable, WinXP's Automatic Update Service actually works!
>The other servers could be part of Akamai's load balancing system that
>is used by Microsoft. Unbelievable, they're using load balancing!

Are you saying EVERYONE on Windows gets these SYN_SENT signals?
I thank you very much for your advice & will follow you willingly.

I just rebooted & ran lots of netstats to test your supposition.
At least 15 servers were contacted by svchost via SYN_SENT in the first ten
minutes.
I'm sure I missed some as I ran netstat -a -b -n manually & copied the IP
addresses.
About ten minutes after rebooting, the seemingly random SYN_SENT attempts
stopped.

Here are the ones I captured manually, in order received.
TCP 192.168.0.102:1056 207.46.157.61:80 SYN_SENT 980
TCP 192.168.0.102:1068 64.152.17.158:80 SYN_SENT 980
TCP 192.168.0.102:1076 4.78.214.61:80 SYN_SENT 980
TCP 192.168.0.102:1059 64.4.21.61:80 SYN_SENT 980
TCP 192.168.0.102:1068 64.152.17.158:80 SYN_SENT 980
TCP 192.168.0.102:1061 64.4.21.125:80 SYN_SENT 980
TCP 192.168.0.102:1076 4.78.214.61:80 SYN_SENT 980
TCP 192.168.0.102:1060 64.4.21.93:80 SYN_SENT 980
TCP 192.168.0.102:1086 69.226.92.48:80 SYN_SENT 980
TCP 192.168.0.102:1097 207.46.250.185:80 SYN_SENT 980
TCP 192.168.0.102:1088 65.59.235.62:80 SYN_SENT 980
TCP 192.168.0.102:1102 207.46.253.125:80 SYN_SENT 980
TCP 192.168.0.102:1104 207.46.157.30:80 SYN_SENT 980
TCP 192.168.0.102:1106 207.46.244.253:80 SYN_SENT 980

Here are the "owners" of those IP addresses, in order.
http://www.whois.sc/207.46.157.61 OrgName: Microsoft Corp
http://www.whois.sc/64.152.17.158 OrgName: unknown, maybe Level 3
Communications, Inc.
http://www.whois.sc/4.78.214.61 OrgName: Level 3 Communications, Inc.
http://www.whois.sc/64.4.21.61 OrgName: MS Hotmail
http://www.whois.sc/64.152.17.158 OrgName: unknown, maybe Level 3
Communications, Inc.
http://www.whois.sc/64.4.21.125 OrgName: MS Hotmail
http://www.whois.sc/4.78.214.61 OrgName: Level 3 Communications, Inc.
http://www.whois.sc/64.4.21.93 OrgName: MS Hotmail
http://www.whois.sc/69.226.92.48 OrgName: unknown SBC Internet Services or
Akamai Server Farm
http://www.whois.sc/207.46.250.185 OrgName: Microsoft Corp
http://www.whois.sc/65.59.235.62 OrgName: unknown Level 3 Communications, Inc.
or CWIE, LLC LVLT-CWIE
http://www.whois.sc/207.46.253.125 OrgName: Microsoft Corp
http://www.whois.sc/207.46.157.30 OrgName: Microsoft Corp
http://www.whois.sc/207.46.244.253 OrgName: Microsoft Corp


If everyone gets SYN_SENT, why is there not much of a record in the google
search?
Most with SYN_SENT are asking what it means and none I found said it was
Microsoft.
Yet, I do see most of the SYN_SENT signals do resolve to Microsoft.
A clever ruse for a virus or malware perhaps?

To debug this, should I turn off Microsoft automatic update to see if that
stops these SYN_SENT signals?

Thanks, .....Pam


#33: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-25 18:39:23 by Volker Birk

In comp.security.firewalls Pam <per1818@nospam.planttel.net> wrote:
> On 25/02/2006 Sebastian Gottschalk <seppi@seppig.de> wrote:
> >> I keep running the netstat -a -b -n and keep seeing more SYN_SENT signals
> >> TCP 192.168.0.102:1435 207.46.20.93:80 SYN_SENT 920
> >Unbelievable, WinXP's Automatic Update Service actually works!
> >The other servers could be part of Akamai's load balancing system that
> >is used by Microsoft. Unbelievable, they're using load balancing!
> Are you saying EVERYONE on Windows gets these SYN_SENT signals?

Yes.

> If everyone gets SYN_SENT, why is there not much of a record in the google
> search?

This question implies its answer.

> A clever ruse for a virus or malware perhaps?

No.

Just read RFC 793 on www.rfc-editor.org.

Yours,
VB.
--
If you regard "I see mathematics as the only field where there are clear
proofs." and "I feel uncomfortable in a suit." as statements with
equivalent opinion content, you are right with your analogy.
(Michail Bachmann to Thomas Wallutis in d.a.s.r)


#34: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-25 18:52:04 by pam

On 25/02/2006 "Pam" <per1818@nospam.planttel.net> wrote:
>On 25/02/2006 Sebastian Gottschalk <seppi@seppig.de> wrote:
>>> I keep running the netstat -a -b -n and keep seeing more SYN_SENT signals
>>Unbelievable, WinXP's Automatic Update Service actually works!
>>The other servers could be part of Akamai's load balancing system that
>>is used by Microsoft. Unbelievable, they're using load balancing!
>Are you saying EVERYONE on Windows gets these SYN_SENT signals?

I was wondering why, if everyone on Windows gets these SYN_SENT syn-ack
attacks all the time, they don't complain more about it.

I can't be the only one with a syn-ack syn_sent attack since I see many on the
internet asking about this but almost none getting the answers.

I do very much appreciate your help. One debugging hint that may help is in
the event log where I just now found.
Type = Warning
Source = Tcpip
Category = None
Event = 4226
User = N/A
Computer = PAM
Description = TCP/IP has reached the security limit imposed on the number of
concurrent TCP connect attempts.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp

Of course, Microsoft being Microsoft, there is nothing at that web page (why
do they bother to refer us to non-existent web pages anyway)?

Can you help me understand this. From my googling, I think maybe a limit is
set on the number of contiguous TCP connect attempts to the Microsoft servers???
http://www.lvllord.de/?url=tools#4226patch

There seems to be a registry key to prevent these microsoft syn_sent attacks
http://board.iexbeta.com/lofiversion/index.php/t44426.html
which says in part.

Microsoft published how to harden NT's tcpip stack against these attacks.
The registry hacks documented here are taken from Microsoft sources.
Synattack protection involves reducing the amount of retransmissions for
the SYN-ACKS, which will reduce the time for which resources have to remain
allocated. The allocation of route cache entry resources is delayed until a
connection is made. If synattackprotect = 2, then the connection indication
to AFD is delayed until the three-way handshake is completed. Also note that
the actions taken by the protection mechanism only occur if TcpMaxHalfOpen
and TcpMaxHalfOpenRetried settings are exceeded.
Apply the following registry hack:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: SynAttackProtect
Type: REG_DWORD
Value: 0
no syn attack protection
Value: 1
reduced retransmission retries and delayed RCE ( route cache entry ) creation
if the TcpMaxHalfOpen and TcpMaxHalfOpenRetried settings are satisfied.
Value: 2
adds delayed indication to Winsock to setting of 1
When the system finds itself under attack the following options on any socket
can no longer be enabled : Scalable windows (RFC 1323) and per adapter
configured TCP parameters ( Initial RTT, window size ). This is because when
protection is functioning the route cache entry is not queried before the
SYN-ACK is sent and the Winsock options are not available at this stage of
the connection.

TcpMaxHalfOpen
parameter controls the number of connections in the SYN-RCVD state allowed
before SYN-ATTACK protection begins to operate. If SynAttackProtect is
set to 1, ensure that this value is lower than the AFD listen backlog on
the port you want to protect.
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: TcpMaxHalfOpen
Type: REG_DWORD
Value: 100
Professional, Server
Value: 500
Advanced Server

This is what I get from a Microsoft guy when I asked him why XP SP2 slows down
programs like eMule which open many connections to different destinations:

"Thanks very much for responding. This new feature is one of the stack's
"springboards", security features designed to proactively reduce the
future threat from attacks like blaster and Sasser that typically spread
by opening connections to random addresses. In fact, if this feature had
already been deployed, Sasser would have taken much longer to spread.

It's not likely to help stop the spread of spam unless spammers are
trying to reach open email relays in the same way, by opening
connections on smtp ports of random IP addresses.
This is new with XP SP2 and we're trying to get it right so that it does
not interfere with normal system operation or performance of normal,
legitimate applications, but does slow the spread of viral code. New
connection attempts over the limit for half-open connections get queued
and worked off at a certain (limited rate)."


This is the key to add to modify the maximum number of simultaneous connections
TcpNumConnections

Key: Tcpip\Parameters
Value Type: REG_DWORD - Number
Valid Range: 0 - 0xfffffe
Default: 0xfffffe
Description: This parameter limits the maximum number of connections that TCP
can have open simultaneously.

128 decimal or 80 hexadecimal ---------------->>>0xfffffe

I have put the following into the reg to see what effect it would have, and it
seems to have stopped the error for the moment..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"TcpNumConnections"=dword:00000020


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"TcpNumConnections"=dword:00000080

original

then change "TcpNumConnections"=dword:0xfffffe


#35: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-25 20:48:09 by Steven L Umbach

I suggest that you use either msconfig and selective startup or the more
advanced Autoruns from SysInternals to see what you have as far as startup
applications/services/processes and these programs give you the ability to
disable such to troubleshoot in a trial and error method. Once you track
down the offending process you can disable or remove it if you want. Offhand
I have no idea why it is on your computer as everyone has different
applications and hardware installed.

http://support.microsoft.com/kb/310560/ --- Msconfig use
http://www.sysinternals.com/Utilities/Autoruns.html --- Autoruns

"Can they figure out my ISP IP address from this one-way communication?" Yes
they can because it is not a one way communication. IMHO the fact that
someone knows your public IP address is not any sort of security threat and
is a necessary part of internet communications.

If your malware and spyware detection and removal programs are current with
their definition files and you also scan in Safe Mode and nothing is found
then very likely you do not have anything of major concern though Microsoft
malicious software removal tool is not meant to do a thorough scan for
malware. You need to use a full virus detection and removal program to do
that and if you do not have one you can get a free one from AVG here
http://free.grisoft.com/doc/1 and do online scans at places such as
http://security.symantec.com/sscv6/home.asp?langid=ie&venid=sym&plfid=23&pkj=IEGSUQIZQVMUYTACDCO



"Pam" <per1818@nospam.planttel.net> wrote in message
news:dLSLf.16347$2O6.8890@newssvr12.news.prodigy.com...
> On
>>This IP is for Qwest communications
>>Your SYN_SENT means that a session is being established with their website
>>at that IP and is part of the tcp/ip handshake to establish a connection.
>>Such can be done to check for updates, etc or possibly spyware so you
>>should
>>also scan for Spyware with something like AdAware SE.
>> Another thing you could do is to install, even if a software firewall
>
> I do have a software firewall on my windows xp pc behind my wireless
> router
> and I did scan using not only AdAware but SpyBot Search and Destroy and
> the
> Microsoft malicious software removal tool. None found anything suspicious
> but
> there was that strange file GLB1A2B.EXE which I'm still trying to figure
> out
> if it is a bad guy or part of AdAware which I updated before I ran the
> scan.
>
> I can't find any legitimate use for this "TCP 192.168.0.101:1058
> 63.236.111.222:80 SYN_SENT process 912" Quest Communications outfit.
>
> Why or how did they get into my startup sequence such that it makes my
> machine
> send the SYN_SENT signal to their port 80?
> Can they figure out my ISP IP address from this one-way communication?
>
> Thanks, .....Pam
>


#36: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-25 21:28:10 by Duane Arnold

Pam wrote:
> On 24/02/2006 donnie <donnie@queyosepa.org> wrote:
>
>>>WINDOWSXP_SP2> netstat -a -n -b
>>> Proto Local Address Foreign Address State PID
>>> TCP 192.168.0.101:1058 63.236.111.222:80 SYN_SENT 912
>
>
>>arin.net showed Quest as the owner of that block. Search your HD and
>>the registry for quest. Run msconfig and look at the startup. You
>>might find something there.
>
>
> I wasn't sure how to tell what is running at startup so I googled for and
> found a tiny program called "StartupList.exe" from Soeperman Enterprises, Ltd.
> which listed all the programs running at startup.
> None of these programs has "quest" in them though.
> Do you see anything strange here?
> Can I kill some of these initialization files?
> Thanks, .....Pam
>

I suggest that you get yourself the Windows XP Resource Kit Book buy it
or go to the library and see if you can check out one. It's a little bit
technical but you seem you might be able to deal with it. I didn't read
all of this thread.


You can use the tools in the link

Long

http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html

Short

http://tinyurl.com/klw1

You may also want to look at Root Toolkit detectors and the Process
Explorer People in the link above have one.

Duane :)


#37: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-25 21:43:32 by Robert Lambe

> I was wondering why, if everyone on Windows gets these SYN_SENT syn-ack
> attacks all the time, they don't complain more about it.

Don't jump to conclusions. Not a single shred of evidence has been
presented that indicates an attack of any kind.

> I can't be the only one with a syn-ack syn_sent attack since I see many on the
> internet asking about this but almost none getting the answers.

Look up TCP handshake and TCP states. Your computer does not send a
syn_sent, your computer sends a syn.

> Event = 4226
> Description = TCP/IP has reached the security limit imposed on the number of
> concurrent TCP connect attempts.

Limited number of simultaneous incomplete outbound TCP connection attempts

Detailed description

The TCP/IP stack now limits the number of simultaneous incomplete
outbound TCP connection attempts. After the limit has been reached,
subsequent connection attempts are put in a queue and will be resolved
at a fixed rate. Under normal operation, when applications are
connecting to available hosts at valid IP addresses, no connection
rate-limiting will occur. When it does occur, a new event, with ID 4226,
appears in the system's event log.

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx#EIAA

> There seems to be a registry key to prevent these microsoft syn_sent attacks

Once again: Syn flooding is an attack. Syn_sent is a TCP state.

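A small triage helper for `netstat -a -n -b` output, added here as an example and not code from the thread or any poster: it parses the connection lines plus the module and image lines that `-b` prints beneath them, groups TCP states per owning process, and counts SYN_SENT sockets (a SYN sent, SYN/ACK still awaited) against the XP SP2 half-open cap that event 4226 reports. The sample output is constructed from the lines quoted in the thread, not a real capture.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# RFC 793 reminder: a socket shown as SYN_SENT has sent a SYN and is waiting
# for the SYN/ACK, i.e. the local host is the one opening the connection.

@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: Optional[str]           # None for UDP, which has no state column
    pid: int
    modules: List[str] = field(default_factory=list)   # DLLs printed by -b
    image: Optional[str] = None                        # e.g. "svchost.exe"

# "TCP  192.168.0.101:1058  63.236.111.222:80  SYN_SENT  912" and the
# state-less UDP form "UDP  0.0.0.0:1032  *:*  920".
_CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
_IMAGE_RE = re.compile(r"^\s*\[(.+)\]\s*$")

def parse_netstat(text: str) -> List[Conn]:
    """Turn `netstat -a -n -b` output into Conn records; with -b the module
    lines and the bracketed image name belong to the connection above them."""
    conns: List[Conn] = []
    for line in text.splitlines():
        m = _CONN_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Conn(proto, local, remote, state, int(pid)))
            continue
        if not conns:                      # banner and column header
            continue
        m = _IMAGE_RE.match(line)
        if m:
            conns[-1].image = m.group(1)
        elif line.strip().lower().endswith(".dll"):
            conns[-1].modules.append(line.strip())
        # "-- unknown component(s) --" and blank lines carry no data
    return conns

def states_by_process(conns: List[Conn]) -> Dict[Tuple[int, str], Counter]:
    """Count TCP states per (pid, image) so a burst from one svchost stands out."""
    out: Dict[Tuple[int, str], Counter] = defaultdict(Counter)
    for c in conns:
        if c.proto == "TCP":
            out[(c.pid, c.image or "?")][c.state] += 1
    return dict(out)

def half_open_outbound(conns: List[Conn], limit: int = 10) -> Tuple[int, bool]:
    """SYN_SENT count and whether it has reached the per-host cap. The default
    of 10 is the XP SP2 ceiling on simultaneous incomplete outbound attempts;
    hitting it is what Tcpip event 4226 reports."""
    n = sum(1 for c in conns if c.proto == "TCP" and c.state == "SYN_SENT")
    return n, n >= limit

def remote_ports(conns: List[Conn], state: str = "SYN_SENT") -> Dict[int, int]:
    """Destination ports of sockets in `state`; all port 80 fits an HTTP
    client such as WinHTTP rather than something sweeping random ports."""
    ports: Counter = Counter()
    for c in conns:
        if c.proto == "TCP" and c.state == state:
            ports[int(c.remote.rsplit(":", 1)[1])] += 1
    return dict(ports)

# Constructed sample modelled on lines quoted in the thread; not a real capture.
SAMPLE_NETSTAT = r"""Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.0.102:1056     207.46.157.61:80       SYN_SENT        980
  C:\WINDOWS\system32\WS2_32.dll
  C:\WINDOWS\System32\WINHTTP.dll
  [svchost.exe]
  TCP    192.168.0.102:1068     64.152.17.158:80       SYN_SENT        980
  -- unknown component(s) --
  [svchost.exe]
  TCP    192.168.0.102:1076     4.78.214.61:80         SYN_SENT        980
  [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  [System]
  UDP    0.0.0.0:1032           *:*                                    920
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\DNSAPI.dll
  [svchost.exe]
"""

if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for (pid, image), states in states_by_process(conns).items():
        print(f"PID {pid} [{image}]: {dict(states)}")
    print("SYN_SENT count / at cap:", half_open_outbound(conns))
    print("remote ports of SYN_SENT sockets:", remote_ports(conns))
```

Run it against a saved `netstat -a -n -b > netstat.txt` by passing that file's contents to `parse_netstat`; a process whose SYN_SENT count climbs towards the cap while every destination is port 80 matches the update-client pattern discussed above, whereas many distinct remote ports from one image would merit a closer look.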

#38: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-26 01:48:59 by shultzjrX

"Pam" <per1818@nospam.planttel.net> wrote in message
news:dLSLf.16347$2O6.8890@newssvr12.news.prodigy.com...
> On
> >This IP is for Qwest communications
> >Your SYN_SENT means that a session is being established with their website
> >at that IP and is part of the tcp/ip handshake to establish a connection.
> >Such can be done to check for updates, etc or possibly spyware so you should
> >also scan for Spyware with something like AdAware SE.
> > Another thing you could do is to install, even if a software firewall
>
> I do have a software firewall on my windows xp pc behind my wireless router
> and I did scan using not only AdAware but SpyBot Search and Destroy and the
> Microsoft malicious software removal tool. None found anything suspicious but
> there was that strange file GLB1A2B.EXE which I'm still trying to figure out
> if it is a bad guy or part of AdAware which I updated before I ran the scan.
>
> I can't find any legitimate use for this "TCP 192.168.0.101:1058
> 63.236.111.222:80 SYN_SENT process 912" Qwest Communications outfit.
>
> Why or how did they get into my startup sequence such that it makes my machine
> send the SYN_SENT signal to their port 80?
> Can they figure out my ISP IP address from this one-way communication?
>
> Thanks, .....Pam

GLB1A2B.EXE is invasion ware. You're in for some googling on how
to get rid of it, it is pretty invasive.

charles.....


#39: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-26 09:02:11 by Volker Birk

Pam <per1818@nospam.planttel.net> wrote:
> Even though I ran and reran a virus scan, malware scan, Ad-Aware scan, Spybot
> Search and Destroy scan, etc., do you think this unsolicited request to
> 63.236.111.222 at port 80 might be related to the strange C:\TEMP\GLB1A2B.EXE
> file I saw but which went away after a reboot?

Hm... this file would make me a little nervous:

http://groups.google.com/group/nz.comp/msg/f0cb6adecb6e3f1e?q=GLB1A2B.exe&hl=en&lr=&ie=UTF-8&oe=UTF-8&rnum=1

http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

Yours,
VB.
--
If you regard "I see mathematics as the only field where there are clear
proofs." and "I feel uncomfortable in a suit." as statements with equivalent
content of opinion, your analogy is right. (Michail Bachmann to Thomas
Wallutis in d.a.s.r)


#40: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-26 16:20:47 by Sebastian Gottschalk

Volker Birk wrote:
> Pam <per1818@nospam.planttel.net> wrote:
>> Even though I ran and reran a virus scan, malware scan, Ad-Aware scan, Spybot
>> Search and Destroy scan, etc., do you think this unsolicited request to
>> 63.236.111.222 at port 80 might be related to the strange C:\TEMP\GLB1A2B.EXE
>> file I saw but which went away after a reboot?
>
> Hm... this file would make me a little nervous:
>
> http://groups.google.com/group/nz.comp/msg/f0cb6adecb6e3f1e?q=GLB1A2B.exe&hl=en&lr=&ie=UTF-8&oe=UTF-8&rnum=1

Unbelievable, the uninstaller of a certain software always uses the same
filenames and the software is used by at least two people!


#41: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-02-27 19:08:13 by Eirik Seim

On Sat, 25 Feb 2006 07:14:52 +0100, Sebastian Gottschalk wrote:
> Pam wrote:
> > On 24/02/2006 Eirik Seim <eirik@mi.uib.no> wrote:
> >> I believe that is one of the still unanswered questions in
> >> science, how to accurately specify requirements for QoS using
> >> distributed coffee solutions in large networks.
> >
> > I'm not sure if you're poking fun at me
>
> Not at you.

Not at anyone, actually :)

--
New and exciting signature!


#42: Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

Posted on 2006-03-02 06:53:47 by Alun

In article <8P0Mf.16412$2O6.4206@newssvr12.news.prodigy.com>, "Pam"
<per1818@nospam.planttel.net> wrote:
>On 25/02/2006 "Pam" <per1818@nospam.planttel.net> wrote:
>>On 25/02/2006 Sebastian Gottschalk <seppi@seppig.de> wrote:
>>>> I keep running the netstat -a -b -n and keep seeing more SYN_SENT signals
>>>Unbelievable, WinXP's Automatic Update Service actually works!
>>>The other servers could be part of Akamai's load balancing system that
>>>is used by Microsoft. Unbelievable, they're using load balancing!
>>Are you saying EVERYONE on Windows gets these SYN_SENT signals?
>
>I was wondering why, if everyone on Windows gets these SYN_SENT syn-ack
>attacks all the time, that they don't complain more about it.

Wow... one sentence, but such a lot of mistaken assumptions.

SYN_SENT is a TCP state. SYN_SENT is an indication that you sent a
SYN-flagged TCP packet to a remote computer, and that you are waiting for a
returned ACK.

SYN-ACK is a pair of flags, SYN and ACK, that may be set on a socket.
Usually, this is seen in the sequence "SYN, SYN-ACK, ACK", which describes a
TCP handshake - the client sends a SYN-flagged packet to the server. The
server responds with a SYN-ACK-flagged packet (one with both SYN and ACK flags
set), and the client responds with an ACK. ACK means "Acknowledge", and SYN
means "Synchronise".

A SYN attack is where a machine - a server - is sent SYN-flagged packets, over
and over, to which it responds with a SYN-ACK, one for each packet, and it
holds a socket open for each of these. It's a simple denial-of-service
attack.

>I can't be the only one with a syn-ack syn_sent attack since I see many on the
>internet asking about this but almost none getting the answers.
>
>I do very much appreciate your help. One debugging hint that may help is in
>the event log where I just now found.
>Type = Warning
>Source = Tcpip
>Category = None
>Event = 4226
>User = N/A
>Computer = PAM
>Description = TCP/IP has reached the security limit imposed on the number of
>concurrent TCP connect attempts.
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp

This means, quite simply, that your machine is sending out a lot of SYNs to
other machines - it's trying to connect to servers, and the server isn't
responding.

This _could_ be a sign that you are infected with software designed to spam
people. Or it could be a sign that you are running something that makes a lot
of TCP connections - for instance, a peer-to-peer "file-sharing" system, or
something like that.

If you'd like, you can run "netstat -abo" to see what ports are opened by
which applications, so that you can find out which open the SYN_SENT sockets.

>Can you help me understand this. From my googling, I think maybe a limit is
>set on the number of contiguous TCP connect attempts to the Microsoft
> servers???

XP SP2 set a limit of 10 half-open TCP connections (a half-open connection is
one where the SYN has been sent, but no ACK has yet been received in
response).

>http://www.lvllord.de/?url=tools#4226patch

Yeah, I wouldn't suggest you apply this kind of a patch.

>There seems to be a registry key to prevent these microsoft syn_sent attacks
>http://board.iexbeta.com/lofiversion/index.php/t44426.html
>which says in part.

SYN_SENT is not an indication of an attack coming in. If it is anything, it's
an indication that you are attacking other machines! You (or anyone that
doesn't understand the difference between SYN_SENT and SYN-attacks) should not
have software running on your machine that creates that many half-open socket
connections.

>Microsoft published how to harden NT's tcpip stack against these attacks.
>The registry hacks documented here are taken from Microsoft sources.
>Synattack protection involves reducing the amount of retransmissions for
>the SYN-ACKS, which will reduce the time for which resources have to remain
>allocated. The allocation of route cache entry resources is delayed until a
>connection is made. If synattackprotect = 2, then the connection indication
>to AFD is delayed until the three-way handshake is completed. Also note that
>the actions taken by the protection mechanism only occur if TcpMaxHalfOpen
>and TcpMaxHalfOpenRetried settings are exceeded.

This has nothing whatsoever to do with the 4226 errors you are seeing.
Nothing.

>Apply the following registry hack:

This isn't a hack, it's a documented registry setting designed to change the
protection you have against _incoming_ SYN attacks, and makes sense _only_ if
you are running a server. It makes _no_ sense in response to a glut of
SYN_SENT sockets.

>This is what I get from a Microsoft-Guy when i asked him why XPSP2 slows down
>programs like emule which open many connections to different destinations:

Here's the key.

eMule is opening connections to machines that are unreachable. eMule is a
sucky user of the network. eMule's aberrant TCP behaviour is not compatible
with a security measure introduced into Windows XP SP2. Use a better tool
when "sharing" Britney Spears songs and porn movies. Better still, stop
pirating them in the first place. Blockbusters, Netflix, etc, are able to
pass some of your money on to the persons who produced the movies, so they can
afford to produce the next movies that you haven't seen yet. Don't be
stealing the content.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | alun@wftpd.com.
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.

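The check Alun describes above (netstat -abo, then see which process owns the SYN_SENT sockets), worked through as an added example that is not part of the thread: it parses Windows netstat output, counts half-open sockets per PID, and reports whether the XP SP2 limit of 10 concurrent connect attempts (event 4226) has been reached. The netstat sample is constructed; PIDs 948, 1544 and 2200 are invented, and only PID 912 echoes the original post.

```python
"""Added example, not code from the thread: parse Windows `netstat -ano` style
output and count half-open (SYN_SENT) sockets per owning PID, the check Alun
suggests for finding what is hitting XP SP2's limit of 10 concurrent connect
attempts (Tcpip event 4226).  All sample data below is constructed."""
import re
from collections import Counter

XP_SP2_HALF_OPEN_LIMIT = 10  # figure quoted in the thread for XP SP2

# Constructed sample in the column layout of `netstat -a -n -o` on Windows XP.
# PID 912 mimics the svchost entry from the original post; PID 2200 stands in
# for a peer-to-peer client dialling many unreachable peers.
SAMPLE_NETSTAT = "\n".join([
    "Active Connections",
    "",
    "  Proto  Local Address          Foreign Address        State           PID",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948",
    "  TCP    192.168.0.101:1058     63.236.111.222:80      SYN_SENT        912",
    "  TCP    192.168.0.101:1059     192.168.0.1:80         ESTABLISHED     1544",
    "  UDP    0.0.0.0:445            *:*                                    4",
] + [f"  TCP    192.168.0.101:{1100 + i}  10.0.{i}.5:4662  SYN_SENT  2200"
     for i in range(9)])

# One TCP row: local, foreign, state, pid.  UDP rows carry no state and are
# skipped because a UDP socket cannot be half-open.
TCP_ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s*$")

def parse_tcp_rows(text):
    """Return (local, foreign, state, pid) tuples for every TCP row."""
    rows = []
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if m:
            local, foreign, state, pid = m.groups()
            rows.append((local, foreign, state, int(pid)))
    return rows

def half_open_by_pid(text):
    """Count SYN_SENT sockets per PID: the per-process half-open load."""
    return Counter(pid for _, _, state, pid in parse_tcp_rows(text)
                   if state == "SYN_SENT")

def connect_attempt_report(text, limit=XP_SP2_HALF_OPEN_LIMIT):
    """Summarise half-open sockets and whether the SP2 limit is reached."""
    counts = half_open_by_pid(text)
    total = sum(counts.values())
    worst = max(counts, key=counts.get) if counts else None
    return {"total": total, "per_pid": dict(counts),
            "at_limit": total >= limit, "worst_pid": worst}
```

Feed it the real output of `netstat -ano` (the extra module lines printed by `-b` are simply skipped by the row pattern) and the `worst_pid` entry points at the process to investigate with Task Manager, as the thread recommends.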