• All Community
    • All Community
    • Forums
    • Ideas
    • Blogs
Advanced

Not what you are looking for? Ask the experts!

Kudos0

Confusing connection

It seems tha whenever I log off to reboot, the last connection noted in my NAV2008 connection log is some weird one.

example- I just rebooted I had not used my browser for at least 2-3 minutes before I rebooted. Yet the connection log showed an out bound connection to

217.212.246.153

which webyield shows as

Hostname: 217-212-246-153.customer.teliacarrier.com

and is located in Sweden

 

I have experimented with this 3 times in the last hour.

The previous time the address was in Colorado US and before that in France

The Colorado and France ones showed no reverse DNS

 

Does this smack of an infection? Prior to rebooting I did a quick scan and removed tracking cookies as well as deleting cookies from IE7 so there should have been no cookieseach time bytes sent is 115

Replies

Kudos0

Re: Confusing connection

It seems tha whenever I log off to reboot, the last connection noted in my NAV2008 connection log is some weird one.

example- I just rebooted I had not used my browser for at least 2-3 minutes before I rebooted. Yet the connection log showed an out bound connection to

217.212.246.153

which webyield shows as

Hostname: 217-212-246-153.customer.teliacarrier.com

and is located in Sweden

 

I have experimented with this 3 times in the last hour.

The previous time the address was in Colorado US and before that in France

The Colorado and France ones showed no reverse DNS

 

Does this smack of an infection? Prior to rebooting I did a quick scan and removed tracking cookies as well as deleting cookies from IE7 so there should have been no cookieseach time bytes sent is 115

Kudos0

Re: Confusing connection

I just rebooted again and prior to shutting down the outbound connection log shows several connection out bound just before I shut down

64.211.21.89  

Whois Is shows it as  Global Crossing

72.5.124.55

Webyield shows no reverse DNS but is in the US 

WHOIS shows it as SUN MICROSYSTEMS

63.217.8.154

Webyield shows it as static.pccwglobal.net

WHOIS shows it as Beyond the Network America Inc in Virginia USA

so do these sound like just tracking types of cookies or something more severe?

Kudos0

Re: Confusing connection

and could these odd ones like for france and sweden locations just be something legit that bounces from one point to the next as part of a relay?

I just wonder why this happens right when I close down to reboot?

Kudos0

Re: Confusing connection

Ok I just did it again and the connection activity log showed

72.5.124.55 which is java.sun.com

and

80.12.98.48 which shows no revers DNS but is located in France

both these occured at the same time I was logging off to reboot

Since it appears that java.sun.com is happening both times, would it be safe to assume the other addresses have to do with java.sun.com?

I'm assuming java.sun.com has to do with the well known java site and programs. Could they be employing these other IP addresses as part of their services? I knwo that sometimes some companies like symantec use different sets of servers. Does this look like it might be that or does it smack of maleware?

Still not sure why it would happen just before shutdown

bytes sent to the french IP are 115  bytes received as 6847 ( I don't know what that means) and a connection time of 0:20:32:184

which I assume is 20 seconds

bytes sent to the java.sun.com IP are 109  bytes received as 194 ( I don't know what that means) and a connection time of 0:20:32:434

which I assume is 20 seconds plus and longer than the connection to the french IP

again I wonder if these are just relays? Anyone who can shed some light on this please help me. Of course I'm concerned there is some maleware sending crap out

Remote service port on all these are http(80)

Kudos0

Re: Confusing connection

Hi NY1986

I don't have a definitive answer for you,But I know when I had NIS2008 and I was in the logs looking and yes worrying as well,I took note of the connections over a period of time and finally came to the conclusion I will never understand it all,I realized as what you have said your self I believe sometimes companies use different servers or outsource what ever they do.And if there is a uniform pattern to what's happening then I would not worry to much.I suppose you have to take note of what you are actually doing on the machine and then take note of whats happening in the logs.Does this help?

If it was connecting to say China,Russia maybe then I would worry.(Uneducated guess here!)

Cheers Mo Windows 7 64 bit, NIS2013
Kudos0

Re: Confusing connection

Hi NY1986,

Interesting post :)

The IP that you provided (217.212.246.153) is one of a number used by Akamai Technologies.  I came across the same thing (various IP's though) and checked what was going on in real time by using Essential Net Tools.

Microsoft uses Akamai for various reasons - none 'bad' based on my research.

If you are interested, then perhaps you might want to look at some recent articles ...

Microsoft and Akamai Form Strategic Relationship To Enhance Internet Content Delivery and

March 17, 2009 - Akamai First to Offer Microsoft IIS7 Smooth Streaming to Customers

As for the other IP's ... 

If you have the Java Runtime Environment (JVE) installed then, by default, it does a periodic check to see if there are any updates.  This would *probably* explain the SUN IP address.

As for the other IP's ... it's difficult to tell without knowing which program (DLL etc) is involved.  I don't know how to do this from within a vanilla XP / VISTA installation - perhaps someone else here does?  I use a third party tool (mentioned above) that, among many excellent features, identifies each  process and the inbound / outbound IP address - and hostname.

Lots of stuff 'phones home' ... either to check for an update or to pass along usage info.  For example, I use the 'Free Download Manager'.  I noticed that it accessed 66.29.87.160 (Net Access Corporation) and could not explain why ... and then realised that in the program options I allowed it to periodically check for updates.  The same apllies to loads of other programs, especially anything from Apple / Real Player / Windows Media Player / Windows (XP & Vista etc) ... heaps.

I might be entirely wrong here ... but if you have NAV2008, then I thought you should be able to install NAV2009 so long as your subsription is valid.  I had about 150 days left on my NIS2008 subscription when NIS2009 came out and was able to install it without any problem.  

Could a moderator clarrify this please?

Anyway, my point is that the later release is better and you should upgrade especially if it won't cost you anything.

Finally, NAV is very good at picking up nasties so long as you don't turn it off.  However, I moved over to NIS2009 because it is a brilliant security  system which includes NAV.  I've checked my logs and nothing nasty gets past it (inbound / outbound) ... attempts ae logged. 

If you are familiar with hacking, then you might know that they exploit the most vulnerable part of your IT system whenever possible: you.  Such sites discuss ways and means to trick hapless users into clicking something (a pop-up window for example) which then activates a script or installs a nasty onto your system.  If you have not secured your NAV installation with a password then this makes it easier for bad folk to alter your settings without your knowledge. 

These days the web is becoming increasing dangerous because hackers / criminals adapt.  All you need do is pass by a bad site and you can be infected with all sorts of nasties - bots, drive-by downloads, joke diallers etc.  You don't even need to click anything and if your connection is fast, might not notice a rapid redirection ... it's scary.

NIS2009 has 'Site Safety' that checks thousands (millions?) of web pages for malware and offers a good / bad warning and report.  Plus, if you attempt to land on a danagerous site NIS2009 will block it and tell you why.  This feature has saved my butt  hundreds of times - and most were (to me at least) seemingly legitimate.  Your exposure to risk increases as you venture into sites which contain pirate software or movies ... torrents.  Without judging, anyone who surfs for porn does so at increasingly great risk ... HEAPS of the sites contain various forms of malware.  

Hope this helps ...

Kindest regards,

Mike

MikeXP PRO SP 3XP PRO SP 2Vista SP 1
Kudos0

Re: Confusing connection


NY1986 wrote:

bytes sent to the french IP are 115  bytes received as 6847 ( I don't know what that means) and a connection time of 0:20:32:184

which I assume is 20 seconds

bytes sent to the java.sun.com IP are 109  bytes received as 194 ( I don't know what that means) and a connection time of 0:20:32:434

which I assume is 20 seconds plus and longer than the connection to the french IP


The 6847 and 194 may be Port Numbers; a Screen Shot would be helpful to Confirm this.

Message Edited by Floating_Red on 03-21-2009 01:40 PM
Thursday, November 21, 2013: The THREATCON was changed to Level 1: Normal | Tue., Nov. 05, 2013: Zero-Day Vulnerability: Microsoft Security Advisory 2896666 | Saturday, November 09, 2013: Cyber-Criminals Serve Up A Veritable Smorgasbord Of Threats For South Koreans | Wednesday, October 09, 2013: New Internet Explorer Zero-Day Targeted In Attacks Against Korea And Japan [C.V.E.-2013-3897]
Kudos0

Re: Confusing connection


mcullet wrote:

...but if you have NAV2008, then I thought you should be able to install NAV2009 so long as your subsription is valid. 


That is correct.  And NY1986 does plan on Upgrading to N.I.S. 2009.

Thursday, November 21, 2013: The THREATCON was changed to Level 1: Normal | Tue., Nov. 05, 2013: Zero-Day Vulnerability: Microsoft Security Advisory 2896666 | Saturday, November 09, 2013: Cyber-Criminals Serve Up A Veritable Smorgasbord Of Threats For South Koreans | Wednesday, October 09, 2013: New Internet Explorer Zero-Day Targeted In Attacks Against Korea And Japan [C.V.E.-2013-3897]
Kudos0

Re: Confusing connection

Thansks Mo.

Maybe this has been occuring all along and I never noticed. Last night I did a further experiment.

 I stayed off from using any type of web browser for a good 5 minues before I turned of my computer

I deleted all cookies and did a scan to remove tracking cookies

I noted the last entry in the connection log (9:38pm)and then turned the computer off at 9:43pm

This morning I turned the computer back on

Looked at the connection log last connections (two) for last night was noted at 9:43pm

It was again a connection to

72.5.124.55

webyield shows

 no reverse DNS for this IP

whois shows

SUN MICROSYSTEMS INAP-SFO-SUN-4000                       72.5.124.0 - 72.5.125.255

and

62.41.80.58

webyield shows  the IP to be    unknown.eurorings.net

Whois shows this IP to belong to  RIPE Network Coordination Centre out of Holland

also a googlesearch shows eurorings.net to be a dutch based networking company

so again I have a java.sun.com out bound connection at the same time with another IP address

Leads me to believe tha maybe sun microsystems uses these other IP addresses as part of their network servers?

Still doesn't explain why the outbound connection that is not done by me

Kudos0

Re: Confusing connection

Thanks mcullet-

I had posted before seeing your response. I tiried to check this again this morning and posted the results.

From the info I have gathered each time these last outbound before reboot occurs, one has to do with sunmicrosystems and the other is always a different IP, sometimes located in Sweden, sometimes France, sometimes the US

since sun microsystems is always one of the 2, would there be some logic that the second non-sunmicrosystems connection is indeed associated with Microsystems as a server?

Is it maube that the Java Runtime is set up so that before turning off the computer, it is designed to check for updates and these other IP addresses are servers that sun uses?

It just seems odd to me that the check would be as the computer is turning off. I could understand it more if it was when the computer was turning on.

Does any of this appear to reflect maleware or my computet being taken over?

I check the connection logs sometimes while I'm browsing and I never see these connection combos

Kudos0

Re: Confusing connection


Floating_Red wrote:

NY1986 wrote:

bytes sent to the french IP are 115  bytes received as 6847 ( I don't know what that means) and a connection time of 0:20:32:184

which I assume is 20 seconds

bytes sent to the java.sun.com IP are 109  bytes received as 194 ( I don't know what that means) and a connection time of 0:20:32:434

which I assume is 20 seconds plus and longer than the connection to the french IP


The 6847 and 194 may be Port Numbers; a Screen Shot would be helpful to Confirm this.

Message Edited by Floating_Red on 03-21-2009 01:40 PM

Red I don't think these are ports It is the number of bytes send and received. Here is a recent example of the bytes sent/received (not specific to the issue of this thread)

 Connection: weather.service.msn.com: http(80).
from My-PC: 49901.
463 bytes sent.
1112 bytes received.
1:00.184 elapsed time.

as a side note does this mean my computer sent out a connection request of 463 bytes and received a response of 1112 bytes?

Oh and I don'yt want NAV2009 as it has no firewall function

Message Edited by NY1986 on 03-21-2009 07:03 AM
Kudos0

Re: Confusing connection

mcullet- the IP 217.212.246.153  is connected with teliacarrier.com. Is that part of Akamai?  I think symantec uses Akamai servers too. so maybe sun microsystems does?
Kudos1 Stats

Re: Confusing connection

Hi NY1986,

The IP block (results below) are within the Akamai family however I can't be certain all IP's in the range are Akamai.

I use a couple of nifty utilities to manage programs that start up via the registry.  Mike Lin wrote them and they are imaginatively called: (a) Startup Control Panel applet and (b) Startup Manager (www.mlin.net).  I've tried both with Vista and they work fine ... might take a bit of effort though.

Startup manager monitors all attempts to change the registry that would result in a program / process being included on system start up. Like all such tools you should exercise caution in your decisions about what you allow and don't allow to run on start upduring an install process.  It's perfectly acceptable to allow cleanup() routines to run ... these generally involve housekeeping processes after an install or update of your operating system.  On the other hand, if you saw an alert appear while you were browsing and weren't deliberately installing anything ... well, that's a worry :)  I've seen it and the program trapped the attempt.

The control panel applet actually shows parts of the registry (although it doesn't appear anywhere as complicated) with start up entries.  It has several panels: startup (user), startup (common), HKLM / Run (user), HKLM / Run (all users) and Run Once.  The registry is complicted - no way around it.  I would not advise people with limited tech skills to run wild and delete hives or alter keys unless they were closely following a known, competent authority.  MSCONFIG is 'sorta' similar but includes a slew of other features ... generally something you might use when troubleshooting a problematic startup.

If you installed both of these utilities then see what exists in the control panel applet panels.  You may be quite surprised.  So long as you know what you are doing then it's probably OK to turn off things like the JRE scheduled check, Quicktime, or whatever you DON'T need.  (Lots of programs want to appear in the task bar but aren't vital to a health system.)  Some programs fall over if you stop their start up entry ... for example, Adobe reader.  The reader also has a regular check for updates.

To add to the confusion, lots of programs install as services and you might not see them in the task manager or tell (by simple means) if they are phoning home.  You access services via the  "Admin tools" on the programs list or by right-clicking the 'my computer' icon and selecting 'manage'.  This pulls up the computer management console (Microsoft Management Console 3.0) and among some excellent choices, select 'services and applications', then 'services' ... and voila ... you reveal all services in your PC.  From here you can see which ones are runining now, how they start (automatically / manual) and a description (mostly) of what they do.  Some are interdependant.

I use Firefox which also periodically checks for updates.  Like many, I have lots of neat addons ... and many of these check for updates.  A few share info about your usage ... history etc ... possibly to direct targetted advertising your way??  

If you have a good firewall like that included in NIS2009 then you are pretty much wrapped in a safety bubble.  If you have malware that is trying to get info out (unproven as yet) then your firewall *should* tell you about it.  NIS2009 has an excellent library containing info on a slew of programs / DLL's so it can remove most of the guesswork out of this.  Sometimes it asks me for instructions if it comes acrtoss something that isn't known to it ... rare, generally pesky stuff that isn't a virus.

The default operating system firewall is better than nothing.  I have a hardware firewall and can view the logs whenever I want ... I'm most interested in outbound traffic to areas that I don't know. 

You've found a web resource that lets you check IP's ... which is great.  Perhaps these might help too?

 whatismyip.com and whatismyipaddress.com

Each has useful features ... the latter is scary at nailing your physical location :)

Sorry if none of what I have said has been of much help.  If you have a good (comprehensive) security solution like NIS2009 then mostof your concerns would be moot because the software is very, very good at protecting you while you use the web (including wireless - a whole other area of risk exposure).  If not ... then NAV can only do so much.  It's primary function is antivirus and the things we have been discussing aren't related to that.  A program need not be a virus to be 'bad' - it's a matter of perspective / choice.  I don't like any program feeding my internet usage info to anyone but others might.

Cheers,

Mike

217.212.246.153 ...

=============

<ip address/hostname>
217.212.246.153
217-212-246-153.customer.teliacarrier.com
Host reachable, 351 ms. average, 3 of 4 pings lost

<net block>
217.212.246.0 - 217.212.246.255

<owner>
Akamai International B.V.
Sweden

<administrative contact>
Network Architecture Role Account
Akamai Technologies
8 Cambridge Center
Cambridge, MA 02142
phone: +1-617-938-3130

<technical contact>
Network Architecture Role Account
Akamai Technologies
8 Cambridge Center
Cambridge, MA 02142
phone: +1-617-938-3130

<additional data>
SE-AKAMAI
Source: whois.ripe.net

==================================================


<net block>
217.0.0.0 - 217.255.255.255

<owner>
RIPE NCC
European Regional Registry
EU

<administrative contact>
RIPE NCC Registration Services Department
RIPE Network Coordination Centre
P.O. Box 10096
1001 EB Amsterdam
the Netherlands
phone: +31 20 535 4444
fax: +31 20 535 4445

<technical contact>
RIPE NCC Operations
Singel 258
1016 AB Amsterdam
The Netherlands
phone: +31 20 535 4444
fax: +31 20 535 4445

<additional data>
EU-ZZ-217
Source: whois.ripe.net

=====================


<net block>
217.208.0.0 - 217.215.255.255

<owner>
TeliaSonera AB
Sweden

<administrative contact>
TeliaNet Registry
TeliaSonera AB Networks
Marbackagatan 11
SE-123 86 Farsta
Sweden
********************************
Abuse and intrusion reports should
be sent to: abuse@telia.com
********************************
fax: +46 8 6047006

<technical contact>
TeliaNet Registry
TeliaSonera AB Networks
Marbackagatan 11
SE-123 86 Farsta
Sweden
********************************
Abuse and intrusion reports should
be sent to: abuse@telia.com
********************************
fax: +46 8 6047006

<additional data>
SE-TELIANET-20010402
Source: whois.ripe.net

========================

<ip address/hostname>
217.212.246.153
217-212-246-153.customer.teliacarrier.com
Host reachable, 351 ms. average, 3 of 4 pings lost

<net block>
217.212.246.0 - 217.212.246.255

<owner>
Akamai International B.V.
Sweden

<administrative contact>
Network Architecture Role Account
Akamai Technologies
8 Cambridge Center
Cambridge, MA 02142
phone: +1-617-938-3130

<technical contact>
Network Architecture Role Account
Akamai Technologies
8 Cambridge Center
Cambridge, MA 02142
phone: +1-617-938-3130

<additional data>
SE-AKAMAI
Source: whois.ripe.net

==================================================

<ip address/hostname>
217.212.246.153
217-212-246-153.customer.teliacarrier.com
Host reachable, 351 ms. average, 3 of 4 pings lost

<net block>
217.212.246.0 - 217.212.246.255

<owner>
Akamai International B.V.
Sweden

<administrative contact>
Network Architecture Role Account
Akamai Technologies
8 Cambridge Center
Cambridge, MA 02142
phone: +1-617-938-3130

<technical contact>
Network Architecture Role Account
Akamai Technologies
8 Cambridge Center
Cambridge, MA 02142
phone: +1-617-938-3130

<additional data>
SE-AKAMAI
Source: whois.ripe.net

==================================================

 

MikeXP PRO SP 3XP PRO SP 2Vista SP 1
Kudos0

Re: Confusing connection

Thanks mcullett. I think that as usual for me, I make much out of nothing. I went an installed malwarebytes and ran a full scan. It came up clean, so whatever this is that happens before I shutdown, it may have been there and I never noticed it.

So my Norton AV2008 scans show clean, Malewarebytes shows clean. and windows defender shows clean. so I guess all is well

I do have a router that I had uninstalled when I was unable to get my internet connection after a reboot. But we will try to install it again, it has an SP1 firewall, so with that and the mini NAV2008 firewall, I should be protected

When I use a router, will I still be able to see the activity log for NAV2008 where it shows what is blocked and what is allowed? Or would the router block things before the NAV2008 firewall?

I also did the Norton online security scan and it showed all was secure, only exception is that pinging is not stealthed

Kudos0

Re: Confusing connection

Hi NY1986,

Cool :)

Ummm ... you mentioned that you have SP 1 installed.  So your operating system is Vista and not XP?  If it's the former then that's fine but if it's the latter ... oh dear.

Let me know if you are using XP PRO SP 1 and I'll explain what to do and why it's so important.

Harware fiewalls might present different interfaces but, with some exceptions, most have fairly similar features.  If you had a problem connecting to the internet which was resolved by taking the hardware firewall out of the system then it suggests that the firewall has either malfunctioned (unlikely) or previously installed settings no longer apply.

Most routers have some way of resetting everything to the factory default.  If you don't have the manual then the instructions might be found on the manufacturers site.  Mine has a tiny recessed button that needs to be depressed (with a paper clip) for about 10 seconds and presto ... default user, password etc.  Suggest that you don't attempt this procedure until you get a hold of the manual which *should* contain the default user and password otherwise you might make things worse.

Run IPCONFIG /all from a DOS window and you should see everything that you need to get your router working properly.  For example, it will tell you the MAC address of the adapter used to connect to the internet, it's local IP (usually something like 192.168.0.???/ subnet: 255.255.255.0) and other helpful stuff like your default gateway (generally this would be you router's IP) and DNS server (from your ISP).

If you know your routers IP address then see if you can ping it or access it via Firefox or IE.  If either is possible then you should be able to make certain all router settings are OK.  Without knowing more about how you connect to your router ... it's difficult to advise you further.  For instance, you *may* have set it up so that it works with specific devices (identified by MAC address) ... 

One of your tasks *should* be to change the default user and password on the router.  Lots of people forget to do this and it allows anyone who knows the default values to do whatever they like ... including stealing your bandwidth and accessing your system and locking you out from making changes.  Many hacker sites have such lists.

Here is an example of a router log:

[Sat, 2009-03-21 19:39:01] - TCP Packet - Source:192.168.x.x,1521 ,LAN - Destination:96.17.159.41,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
[Sat, 2009-03-21 19:39:03] - TCP Packet - Source:192.168.x.x,1522 ,LAN - Destination:96.17.159.41,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
[Sat, 2009-03-21 19:39:04] - TCP Packet - Source:192.168.x.x,1523 ,LAN - Destination:96.17.159.41,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
[Sat, 2009-03-21 19:39:04] - TCP Packet - Source:192.168.x.x,1524 ,LAN - Destination:96.17.159.41,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
[Sat, 2009-03-21 19:39:04] - TCP Packet - Source:192.168.x.x,1525 ,LAN - Destination:96.17.159.41,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]

BTW - the destination IP's are all Akamai related.

As to the info contained in the logs, it depends up your router's settings.  If you log every single thing then the log gets filled up with fairly useless info.  Most times you want to look for port scans, DOS attacks, attempted access to blocked sites, and admin log-ins.

I use NIS2009 and the logs seem OK but then DOS attacks *should* be picked up by the router and not NIS2009.  It shows blocked attempts by programs to access the internet ... all helpful.

I've never been entirely convinced that I am perfectly hidden behind my security because my IP is immediately picked up by  whatismyipaddress.com.  What's worse, they accurately show my location to within a km or two.  Not exactly what I had in mind when I got all of this stuff.  It makes sense when you think about though ... there are heaps of ports open for legitimate reasons.  Unless you use some sort of anonmyiser (switching from proxy to proxy) then your IP is available to any website admin.  Some site specifically exclude you if they detect any attempt to disguise your IP ... 

Good luck.

Mike

Australia

MikeXP PRO SP 3XP PRO SP 2Vista SP 1
Kudos0

Re: Confusing connection

I'm usin Vista home premium with Vista service pack 1

That good or bad?

This thread is closed from further comment. Please visit the forum to start a new thread.