Re: unexpected outgoing tcp connection problem to various locations

From: Joep (joep_at_diydatarecovery.nl)
Date: 07/12/03


Date: Sat, 12 Jul 2003 23:35:37 +0200

Get TCPview from www.sysinternals.com and try to figure out what's making
the connection. Make sure you have closed all browsers, email clients, etc.

I had a similar thing: the process trying to connect was 'Explorer.exe' (it
tried to 'call' every 10 minutes). Tried several antivirus scanners, trojan
scanners and adware scanners to see if I 'got infected' but they all came up
clean; I of course denied explorer.exe all access with a program I wrote
myself (I am still working to make this program a full-blown firewall).

I emailed the admin and he actually replied (!) and investigated the matter
and closed down the site in question. It was believed that a DoS attack was
pending. Of course Explorer kept on trying; the problem went away after I
uninstalled all suspicious software from my PC. Never was able to actually
pinpoint the real cause.

--
Joep
"Terry" <terry@hotmail.com> wrote in message
news:bepd7h$5hf2@imsp212.netvigator.com...
> what the hell is going on? I did not connect to it explicitly.
>
> "Joep" <joep@diydatarecovery.nl> wrote in message
> news:b6f0f$3f102d03$3eddca68$13979@nf1.news-service.com...
> > % [whois.apnic.net node-1]
> > % How to use this server http://www.apnic.net/db/
> > % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
> > inetnum: 203.215.240.0 - 203.215.255.255
> > netname: POWERBASE-HK
> > descr: 6/F, Somerset House
> > descr: TaiKoo Place, Quarry Bay,
> > descr: Hong Kong
> > country: HK
> > admin-c: PD28-AP
> > tech-c: PD28-AP
> > mnt-by: APNIC-HM
> > mnt-lower: MAINT-HK-HKTDCS
> > changed: hostmaster@apnic.net 20010703
> > changed: hostmaster@apnic.net 20020219
> > status: ALLOCATED PORTABLE
> > source: APNIC
> > role: Powerbase datacenter NOC
> > address: 6/F, Somerset House
> > address: TaiKoo Place, Quarry Bay,
> > address: Hong Kong
> > country: HK
> > phone: +852-2883-4961
> > fax-no: +852-2214-0129
> > e-mail: support@pbase.net
> > admin-c: PD50-AP
> > tech-c: PD50-AP
> > nic-hdl: PD28-AP
> > mnt-by: MAINT-HK-HKTDCS
> > changed: chin-wing.cw1.tong@pccw.com 20010711
> > source: APNIC
> >
> >
> > <<< Trying to connect to: 203.215.253.134:80 >>>
> > <<< ready to send/recv >>>
> > <<< GET http://203.215.253.134/ HTTP/1.0
> > Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg
> > Accept-Language: en-us
> > Content-Encoding: gzip, deflate
> > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows XP; Phalanx 1.0.0)
> > Host: 203.215.253.134
> > Connection: Close
> > >>>
> > HTTP/1.0 403 Forbidden
> > Date: Sat, 12 Jul 2003 16:07:49 GMT
> > Content-Length: 257
> > Content-Type: text/html
> > Server: NetCache (NetApp/5.3R2D5)
> > Connection: keep-alive
> > <HTML>
> > <HEAD><TITLE>403 Forbidden</TITLE></HEAD>
> > <BODY>
> > <H1>Forbidden</H1>
> > <H4>
> > You were denied access because:<P>
> > Access denied by access control list.
> > </H4>
> > <HR>
> > </BODY>
> > </HTML>
> >
> > --
> > Joep
> >
> >
> > "Terry" <terry@hotmail.com> wrote in message
> > news:bepa42$5h41@imsp212.netvigator.com...
> > > Firewall blocked an outgoing TCP packet.  The remote address associated with
> > > the traffic was 203.215.253.134.  The remote port was 80 [HTTP].  The local
> > > port on your PC was 1473
> > >
> > >
> > > "Steve Horsley" <steve.horsley1@virgin.NO_SPAM.net> wrote in message
> > > news:pan.2003.07.12.15.35.46.416702@virgin.NO_SPAM.net...
> > > > On Sat, 12 Jul 2003 23:24:42 +0800, Terry wrote:
> > > >
> > > > > the firewall log shows above mentioned tcp connection which was blocked by
> > > > > the firewall, I wonder why and how such connections started, any ideas?
> > > >
> > > > It might be easier to guess if you show us the log entry.
> > > >
> > > > Steve
> > > >
> > >
> > >
> >
> >
>
>

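The thread's advice is to find which process makes the repeated connection; a complementary defender's check is to look at the firewall log itself for the "calls every N minutes" rhythm Joep describes. The script below is an added example, not code from anyone in this thread: it parses blocked-outbound entries in the wording Terry quoted and flags destinations contacted at nearly constant intervals. The timestamp prefix, the 192.0.2.x addresses and all entries except the address/port pair from the thread are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample entries in the wording quoted in this thread. The leading
# timestamp is an assumption (the quoted log line carries none); 203.215.253.134
# port 80 and local port 1473 come from the thread, everything else is made up.
SAMPLE_LOG = """\
2003-07-12 16:00:00 Firewall blocked an outgoing TCP packet.  The remote address associated with the traffic was 203.215.253.134.  The remote port was 80 [HTTP].  The local port on your PC was 1473
2003-07-12 16:01:10 Firewall blocked an outgoing TCP packet.  The remote address associated with the traffic was 192.0.2.10.  The remote port was 443 [HTTPS].  The local port on your PC was 1475
2003-07-12 16:03:05 Firewall blocked an outgoing TCP packet.  The remote address associated with the traffic was 192.0.2.10.  The remote port was 443 [HTTPS].  The local port on your PC was 1480
2003-07-12 16:10:00 Firewall blocked an outgoing TCP packet.  The remote address associated with the traffic was 203.215.253.134.  The remote port was 80 [HTTP].  The local port on your PC was 1484
2003-07-12 16:20:00 Firewall blocked an outgoing TCP packet.  The remote address associated with the traffic was 203.215.253.134.  The remote port was 80 [HTTP].  The local port on your PC was 1491
2003-07-12 16:30:00 Firewall blocked an outgoing TCP packet.  The remote address associated with the traffic was 192.0.2.10.  The remote port was 443 [HTTPS].  The local port on your PC was 1499
2003-07-12 16:31:00 Firewall allowed an outgoing UDP packet to 192.0.2.53 port 53 [DNS]
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Firewall blocked an outgoing TCP packet\.\s+"
    r"The remote address associated with the traffic was (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\.\s+"
    r"The remote port was (?P<port>\d+) \[[^\]]+\]\.\s+The local port on your PC was (?P<lport>\d+)"
)

def parse(log_text):
    """Return (timestamp, remote_ip, remote_port, local_port) per blocked outbound TCP entry."""
    events = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:  # entries in any other wording (allowed traffic, UDP, ...) are skipped
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           m["ip"], int(m["port"]), int(m["lport"])))
    return events

def beacon_candidates(events, min_hits=3, jitter=timedelta(seconds=30)):
    """Map (remote_ip, remote_port) -> (hits, mean gap in seconds) for destinations hit
    at least min_hits times with nearly constant spacing: the periodic 'call home'
    pattern. One-off or irregular destinations (ordinary browsing) are left out."""
    by_dest = defaultdict(list)
    for ts, ip, port, _local in events:
        by_dest[(ip, port)].append(ts)
    found = {}
    for dest, stamps in by_dest.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= jitter:
            found[dest] = (len(stamps), round(sum(g.total_seconds() for g in gaps) / len(gaps)))
    return found
```

On the constructed sample it reports only 203.215.253.134:80 (3 attempts, about every 600 s); that destination is the one to look up in TCPview to find the owning process.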