
Unknown IP connected to my PC

niggles

Senior member
OK, this is really beginning to drive me a little nutty so I'm hoping someone with some experience on this may have some insight. I have my Dell laptop and from time to time it just starts acting screwy. It's a pretty new machine (Inspiron 6000) and so I was trying to track down what the issue was and I ran a netstat to see what was going on. I have formatted with the Dell recovery partition and I'm beginning to wonder if there is something within the installation of the CDs that's acting screwy. Anyway, when I run a netstat from the command line I find that I am attached to the following IP: 203.73.25.206:http and my source is (computername):1034

Now I have no browser open when I do this and as far as I know I have shut down all the Dell crap that's running in the background. When I look the IP up it shows up as an IP in Taiwan. It's the same IP every time. Anyone have any thoughts on this, on how I can shut this down, on what it is, anything?
 
W32.Mydoom.M@mm is a mass-mailing worm that drops and executes a backdoor, detected as Backdoor.Zincite.A, that listens on TCP port 1034. (http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.m@mm.html)

Unpwn yourself.

- M4H
 
Originally posted by: MercenaryForHire
W32.Mydoom.M@mm is a mass-mailing worm that drops and executes a backdoor, detected as Backdoor.Zincite.A, that listens on TCP port 1034. (http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.m@mm.html)

Unpwn yourself.

- M4H

 
The same thing just happened to me a few hours ago, but I have added the IP to the banned list, did a WHOIS, and emailed the ISP of the host computer.
 
I can't even figure out how they'd deposit this thing on my machine. They are all freshly formatted and I don't open unknown e-mails.

ok, so a couple things

1. my copy of Norton 2006 finds no virus, so if it is an existing virus Norton can't detect it.
2. I have a Linksys BEFSR41, any idea how I can go about banning the IP, or even closing the port for that matter?
3. So far I have found abuse complaints even to my own ISP useless. Unless I'm a corporation they don't seem even slightly interested. Seeing as the host IP is located in Taiwan I really don't think they're going to give a hoot about little old me. I'll mail my ISP just for the hell of it, but anyone know how I can shut this down on my end?
 
Originally posted by: w00t
Originally posted by: MercenaryForHire
W32.Mydoom.M@mm is a mass-mailing worm that drops and executes a backdoor, detected as Backdoor.Zincite.A, that listens on TCP port 1034. (http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.m@mm.html)

Unpwn yourself.

- M4H

 
Originally posted by: AdamSnow
Originally posted by: w00t
Originally posted by: MercenaryForHire
W32.Mydoom.M@mm is a mass-mailing worm that drops and executes a backdoor, detected as Backdoor.Zincite.A, that listens on TCP port 1034. (http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.m@mm.html)

Unpwn yourself.

- M4H

right, how?!? I have formatted my machines, Norton can't find it.

 
So you reformatted and the first thing you did was check to see if that port was still opened?

If so, you have a bios virus, and you need to reflash your bios and then WITHOUT rebooting the computerbox reinstall windows.

A bios virus seems unlikely tho.

Good Luck
 
Originally posted by: niggles

right, how?!? I have formatted my machines, Norton can't find it.

um, the places to look in the registry and the removal tool are noted in the link given

since you formatted, I think it's DELL monitoring from hidden partitions
if you buy another hdd and put it in (removing old), I think that will stop it

 
Originally posted by: Bozo Galora
Originally posted by: niggles

right, how?!? I have formatted my machines, Norton can't find it.

um, the places to look in the registry and the removal tool are noted in the link given

since you formatted, I think it's DELL monitoring from hidden partitions
if you buy another hdd and put it in (removing old), I think that will stop it

OK, so the registry removal tool is actually tools, 21 of them in fact depending on the variant. So I guess I'll just need to go through them all. What I find interesting is Symantec's declaration that they are not going to include it in their standard virus scanner, only the corporate version will cover it. What did I bother buying a virus scanner for if the one time I get a worm I can't even detect it with the software I bought. Get this:

"Due to the propagation method of this mass-mailing worm, which does not include automatic network propagation techniques or any exploitation of network-based vulnerabilities, we will NOT be releasing an update at this time. We are, however, constantly monitoring the threat landscape to protect against the latest attacks."

Hopefully the tool will fix the issue. Just wondering, does anyone know how to block the port on a linksys router? I can't find anything in the settings of my router.

Thanks for everyone's help on this so far. I've said it before and I'll say it again, you guys are great.

 
ok, just ran the fix tool and it didn't find that worm. It's actually only the one tool for all 21 of the variants. So I'm back to square 1. how do I shut off port 1034 on a Linksys router?
 
great, now it's connecting to port 1036 and not 1034 any more. I've done a search on 1036 and can't find anything.

edit: oh and the ip has changed slightly, now it's changed by 2 addresses but is obviously from the same block of IPs 203.73.25.205 and not 203.73.25.206
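A triage check for the netstat observations in this post and the opening one, added here as an example and not code from anyone in the thread: it parses constructed Windows `netstat -ano` output (placeholder addresses and PIDs) and separates a socket that is LISTENING on 1034, which is what the Symantec description refers to, from an ESTABLISHED outbound connection that merely uses 1034 or 1036 as its source port, which it flags by the remote 203.73.25.0/24 range instead. It assumes Windows XP's default dynamic source-port range of 1025-5000.

```python
import ipaddress
import re

# Constructed sample of Windows "netstat -ano" output, modelled on what the
# thread reports (local port 1034, later 1036, remote 203.73.25.205/.206 on
# port 80). Addresses and PIDs are placeholders, not data from the thread.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.100:1034     203.73.25.206:80       ESTABLISHED     1580
  TCP    192.168.1.100:1036     203.73.25.205:80       ESTABLISHED     1580
  TCP    0.0.0.0:1034           0.0.0.0:0              LISTENING       2244
"""

SUSPECT_NET = ipaddress.ip_network("203.73.25.0/24")  # range seen in the thread
BACKDOOR_PORT = 1034  # port Symantec says Backdoor.Zincite.A listens on
XP_EPHEMERAL = range(1025, 5001)  # Windows XP default dynamic source-port range
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Turn numeric netstat -ano TCP lines into dicts; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append({"lport": int(m[2]), "raddr": m[3], "rport": int(m[4]),
                         "state": m[5], "pid": int(m[6])})
    return rows


def triage(rows):
    """Classify sockets the way a responder would read them: a LISTENING socket
    on 1034 matches the Zincite description and names a PID to inspect, while
    an ESTABLISHED connection with *local* port 1034 is an ordinary outbound
    connection from an ephemeral port, flagged only if the remote is suspect."""
    findings = []
    for r in rows:
        if r["state"] == "LISTENING" and r["lport"] == BACKDOOR_PORT:
            findings.append(("listener_on_backdoor_port", r["pid"]))
        elif r["state"] == "ESTABLISHED":
            try:
                suspect = ipaddress.ip_address(r["raddr"]) in SUSPECT_NET
            except ValueError:  # hostname or bracketed IPv6, not a bare IPv4
                suspect = False
            if suspect:
                src = "ephemeral" if r["lport"] in XP_EPHEMERAL else "fixed"
                findings.append((f"outbound_to_suspect_range_{src}_src_port", r["pid"]))
    return findings
```

The PID column from `netstat -ano` is what lets you match a flagged socket to a process in Task Manager, which is the step the thread never gets to.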
 
There should be some setting in your firewall rules to deny all traffic from a certain range. Just deny all from 203.73.25.x or forward it to an IP that doesn't exist on your network.

- M4H
 
could be some software doing an auto update

203.73.25.205

% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 203.73.0.0 - 203.73.255.255
netname: SEEDNET
descr: Digital United Inc.
descr: 9F, No. 125, Song Jiang Road
descr: Taipei, Taiwan
country: TW
admin-c: CY74-AP
tech-c: CY74-AP
mnt-by: MAINT-TW-TWNIC
changed: **********@twnic.net 20000113
changed: **********@apnic.net 20021219
status: ALLOCATED PORTABLE
source: APNIC

person: Chyi-Chuan Yang
nic-hdl: CY74-AP
e-mail: ******@du.net.tw
address: 9F, 125, song jiang road
address: Taipei, 104, R.O.C
phone: +886-2-2737-7298
fax-no: +886-2-2739-7512
country: TW
changed: **********@twnic.net.tw 20050531
mnt-by: MAINT-TW-TWNIC
source: APNIC
 
APNIC is like ARIN or CIRA. They simply register domain names. The IP addresses are linked to them, but we have no idea who provides the service. The fact that the IP is listed as portable says to me that APNIC is simply hosting the IP and it is not registered to them. Thanks for the idea though...
 
I just want to get one thing clear:

Norton 2006 does not do "everything."

Get better programs and learn how to configure your settings to:

"block all *incoming traffic* except for those to which I confirm."
incoming, as in, someone trying to connect to your computer.

I know Norton is very respectable, but I would never pay for their prices, it's ridiculous.
 
niggles, what is the Service Pack level of your WindowsXP after a fresh restoration? If it's Service Pack 2, then the Windows Firewall would be on (which is good for a freshly-installed machine, keeps worms out). If it's not, then I'd suggest having SP2 saved on a CD (download here) and installing it first thing after a fresh restoration, because pre-SP2 WinXP is easy prey for worm attack, computer-to-computer, without you doing anything to cause it.

Also, if you have a wireless router, enable WPA encryption if it has it, or at least WEP otherwise, to keep your neighbors from doing a no-brainer connection to it (and bringing their worms inside your router's firewall in the process).
 
Originally posted by: fire400
I just want to get one thing clear:

Norton 2006 does not do "everything."

Get better programs and learn how to configure your settings to:

"block all *incoming traffic* except for those to which I confirm."
incoming, as in, someone trying to connect to your computer.

I know Norton is very respectable, but I would never pay for their prices, it's ridiculous.

I didn't think Norton did everything, but it clearly advertises itself as having the ability to protect and get rid of worms. Then to make a judgement call that a worm isn't serious enough to include in its updates despite worldwide coverage of said worm is simply bizarre to me. Still, not my company, so if they want to act in a bizarre manner it's up to them. They're still heads above McAfee so what can I do.

On the subject of getting better programs, which programs are you talking about? Everything I have is top notch so what is it that you are referring to? Learn how to configure my settings? Yes, I'd love to, that's what I'm asking for some pointers on here. Is there a way to simply turn a port on or off because I can not find documentation on the subject.

By blocking all traffic I assume you are suggesting a firewall over and above my router. I have had to fall back to that point, but I should be able to simply do that through my router, which is why I am asking the question how do I turn up or down specific ports on a Linksys router as I can not find documentation on it. Do you know? Would you be able to share?

 