This is about THIS home PC of mine, hooked to the internet through ADSL broadband and working as a gateway for my laptop, which is connected to this system through a twisted-pair Cat5 cable. I run the 602Pro Lansuite 2003 proxy on this system.
This system's IP: 10.43.1.78
Laptop's IP: 10.43.1.77
Now I've noticed a phenomenon here since last fortnight, and this is a matter of real concern for me. When the proxy is running, I find some SOCKS5 connections getting established through the proxy, as shown by the proxy's logs in real time.
Here's the log file:
1]===================================
1:03:32 PM PROXY: 1720 10.43.1.77 Connection has arrived.
1:03:32 PM PROXY: 1720 Request: http://support.objectplanet.com/licenser/register.jsp?fid=5
1:03:32 PM PROXY: 1720 Proxy.
1:03:34 PM PROXY: 1720 662B/0s
1:03:34 PM PROXY: 1556 10.43.1.77 Connection has arrived.
1:03:34 PM PROXY: 1556 Request: support.objectplanet.com:443
1:03:34 PM PROXY: 1720 Connection closed.
1:03:34 PM PROXY: 1556 Proxy.
1:03:36 PM PROXY: 1556 2547B/1s
1:03:36 PM PROXY: 1556 Connection closed.
1:03:36 PM PROXY: 2072 10.43.1.77 Connection has arrived.
1:03:36 PM PROXY: 2072 Request: support.objectplanet.com:443
1:03:36 PM PROXY: 2072 Proxy.
1:03:37 PM PROXY: 2072 2548B/1s
1:03:38 PM PROXY: 2072 Connection closed.
1:05:55 PM SOCKS: 2128 Connect Administrator@172.200.232.163-> 63.240.202.138:6112
1:05:59 PM SOCKS: 2128 175B/3s
1:05:59 PM SOCKS: 2128 Terminated
1:08:52 PM SOCKS: 1488 Connect SOCKS5 59.149.171.190
1:08:54 PM SOCKS: 1488 Terminated SOCKS5 59.149.171.190
1:10:11 PM SOCKS: 2064 Connect Administrator@ 69.234.235.173-> 63.241.83.8:6112
1:10:12 PM SOCKS: 2064 174B/2s
1:10:12 PM SOCKS: 2064 Terminated
1:10:35 PM SOCKS: 1604 Connect Administrator@ 71.120.10.22-> 63.240.202.126:6112
1:10:37 PM SOCKS: 1604 174B/2s
1:10:37 PM SOCKS: 1604 Terminated
1:13:52 PM SOCKS: SOCKS server stopped.
1:14:07 PM Configuration saved.
1:23:29 PM SOCKS: StartSockd
1:23:29 PM SOCKS: SOCKS server started.
1:23:33 PM Configuration saved.
1:23:41 PM SOCKS: 2236 Connect SOCKS5 71.120.10.22
1:23:42 PM SOCKS: 1940 Connect SOCKS5 71.120.10.22
1:23:42 PM SOCKS: 2068 Connect SOCKS5 71.120.10.22
1:23:44 PM SOCKS: 1940 Connect anonymous@ 71.120.10.22-> 63.240.202.120:6112
1:23:44 PM SOCKS: 2236 Connect anonymous@ 71.120.10.22-> 63.240.202.120:6112
1:23:44 PM SOCKS: 2068 Connect anonymous@ 71.120.10.22-> 63.240.202.120:6112
1:24:22 PM SOCKS: 2068 995B/39s
1:24:22 PM SOCKS: 2068 Terminated
1:24:22 PM SOCKS: 1940 970B/39s
1:24:22 PM SOCKS: 1940 Terminated
1:24:23 PM SOCKS: 2236 980B/39s
1:24:23 PM SOCKS: 2236 Terminated
1:24:55 PM SOCKS: 2436 Connect anonymous@ 71.120.10.22-> 63.240.202.120:6112
1:24:55 PM SOCKS: 2420 Connect anonymous@ 71.120.10.22-> 63.240.202.120:6112
1:24:56 PM SOCKS: 1624 Connect anonymous@ 71.120.10.22-> 63.240.202.120:6112
1:25:01 PM SOCKS: SOCKS server stopped.
1:25:01 PM SOCKS: 2436 372B/7s
1:25:01 PM SOCKS: 2420 372B/7s
1:25:01 PM SOCKS: 1624 297B/6s
1:25:01 PM SOCKS: 2436 Terminated
1:25:01 PM SOCKS: 2420 Terminated
1:25:01 PM SOCKS: 1624 Terminated
1:25:05 PM Configuration saved.
===================================
Another log:
2]===================================
12:55:20 PM PROXY: 2056 Connection closed.
12:55:20 PM PROXY: 2136 Connection closed.
12:58:23 PM SOCKS: 1772 Connect SOCKS5 216.176.178.74
12:58:24 PM SOCKS: 1772 Terminated SOCKS5 216.176.178.74
12:59:00 PM PROXY: 2060 10.43.1.77 Connection has arrived.
12:59:00 PM PROXY: 2060 Request: http://www.google.com/search?q=network+activity+monitor&sourceid=opera&num=0&ie=utf-8&oe=utf-8
12:59:00 PM PROXY: 2060 Proxy.
12:59:02 PM PROXY: 2060 592B/0s
12:59:02 PM PROXY: 2052 10.43.1.77 Connection has arrived.
12:59:02 PM PROXY: 2052 Request: http://www.google.com/search?client=opera&rls=en&q=network+activity+monitor&sourceid=opera&ie=utf-8&oe=utf-8
12:59:02 PM PROXY: 2052 Proxy.
12:59:02 PM PROXY: 2060 Connection closed.
12:59:03 PM PROXY: 2052 6528B/0s
===================================
Another connection:
3]===================================
12:51:44 PM SOCKS: 1484 Connect SOCKS5 59.149.171.190
12:51:45 PM SOCKS: 1484 Terminated SOCKS5 59.149.171.190
12:53:34 PM PROXY: 1468 10.43.1.77 Connection has arrived.
===================================
THEN, I SEE ANOTHER LOG THAT I'M TRULY CONCERNED ABOUT:
4]=====================================
12:43:51 PM PROXY: 1412 61.225.144.91 Connection has arrived.
12:44:11 PM PROXY: 1412 Connection reset by peer (ProcessRead)
12:44:11 PM PROXY: 1412 Blank URL
12:44:11 PM PROXY: 1412 Connection closed.
12:44:12 PM PROXY: 1344 61.225.144.91 Connection has arrived.
12:44:12 PM PROXY: 1344 Request: 61.135.132.100:25
12:44:13 PM PROXY: 1344 Proxy.
12:44:13 PM PROXY: 1344 Access Denied by IP Filter
12:44:14 PM PROXY: 1344 Connection closed.
=====================================
Regarding THIS log above, I don't know whether it's a matter of a true hack attempt or some installed app doing a routine connection with its owner's host server... Please help! Please let me know if all this reflects a real hacked scenario.
For now, I've scanned my whole system with the a-squared online scanner from emsisoft.com and it detected a few pieces of malware and spyware. I removed them all yesterday. Today I've downloaded and installed SpywareGuard and Prevx, and both these tools are running at the moment. But even then, if I run the Lansuite and as soon as I invoke its SOCKS proxy, in a few moments those SOCKS5 connection logs start coming up!
Some more logs reflecting the IP addresses it's connecting to:
10:27:32 AM SOCKS: 1416 Connect SOCKS5 194.225.126.4
10:27:32 AM SOCKS: 1416 Terminated SOCKS5 194.225.126.4
10:31:07 AM SOCKS: 1740 Connect SOCKS5 218.235.12.113
10:31:08 AM SOCKS: 1740 Terminated SOCKS5 218.235.12.113
10:31:12 AM PROXY: 2124 543B/6s
10:31:12 AM PROXY: 2124 Connection closed.
10:32:49 AM SOCKS: 1980 Connect SOCKS5 194.225.126.4
10:32:49 AM SOCKS: 1980 Terminated SOCKS5 194.225.126.4
10:38:06 AM SOCKS: 2396 Connect SOCKS5 194.225.126.4
10:38:06 AM SOCKS: 2396 Terminated SOCKS5 194.225.126.4
10:43:22 AM SOCKS: 1836 Connect SOCKS5 194.225.126.4
10:43:22 AM SOCKS: 1836 Terminated SOCKS5 194.225.126.4
10:46:33 AM SOCKS: 2216 Connect SOCKS5 24.233.52.102
10:46:35 AM SOCKS: 2216 Terminated SOCKS5 24.233.52.102
10:48:12 AM SOCKS: 2252 Connect SOCKS5 216.176.178.74
10:48:13 AM SOCKS: 2252 Terminated SOCKS5 216.176.178.74
10:48:39 AM SOCKS: 1524 Connect SOCKS5 194.225.126.4
10:48:39 AM SOCKS: 1524 Terminated SOCKS5 194.225.126.4
10:50:44 AM SOCKS: 1492 Connect SOCKS5 61.93.34.6
10:50:44 AM SOCKS: 1492 Terminated SOCKS5 61.93.34.6
10:53:55 AM SOCKS: 2252 Connect SOCKS5 194.225.126.4
10:53:55 AM SOCKS: 2252 Terminated SOCKS5 194.225.126.4
10:58:01 AM SOCKS: 2200 Connect SOCKS5 74.134.242.229
10:58:02 AM SOCKS: 2200 Terminated SOCKS5 74.134.242.229
10:58:53 AM SOCKS: 2092 Connect SOCKS5 194.225.126.4
10:58:53 AM SOCKS: 2092 Terminated SOCKS5 194.225.126.4
11:00:26 AM SOCKS: 1904 Connect SOCKS5 218.235.12.113
11:00:26 AM SOCKS: refused @ 218.235.12.113-> 66.218.70.44:5001
11:00:27 AM SOCKS: 1904 Terminated SOCKS5 218.235.12.113
11:04:29 AM SOCKS: 1660 Connect SOCKS5 194.225.126.4
11:04:29 AM SOCKS: 1660 Terminated SOCKS5 194.225.126.4
11:05:34 AM SOCKS: 2124 Connect SOCKS5 206.53.51.11
11:05:35 AM SOCKS: 2124 Terminated SOCKS5 206.53.51.11
11:05:35 AM SOCKS: 1660 Connect SOCKS5 206.53.51.11
11:05:36 AM SOCKS: 1660 Terminated SOCKS5 206.53.51.11
11:05:37 AM SOCKS: 2300 Connect SOCKS5 206.53.51.11
11:05:37 AM SOCKS: 2300 Terminated SOCKS5 206.53.51.11
11:09:45 AM SOCKS: 2192 Connect SOCKS5 194.225.126.4
11:09:45 AM SOCKS: 2192 Terminated SOCKS5 194.225.126.4
11:11:49 AM SOCKS: 1828 Connect SOCKS5 24.233.52.102
11:11:50 AM SOCKS: 1828 Terminated SOCKS5 24.233.52.102
11:13:17 AM SOCKS: SOCKS server stopped.
11:13:22 AM Configuration saved.
=========================================
My system is already loaded with Norton Antivirus and already powered with ZoneAlarm, and WinXP's firewall too is activated.
Please help me and let me know if this is some virus or some trojan or some spyware, or if it's a hack attempt and my system is compromised!
Please help!
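The SOCKS lines in the logs above carry the connecting client's address, and several of them (71.120.10.22, 172.200.232.163, 59.149.171.190, 218.235.12.113) are not on the 10.43.1.x LAN: the SOCKS service is accepting clients from the Internet and relaying connections for them. As an added example, not part of this thread or of 602Pro Lansuite, here is a small parser for that log format that lists the non-LAN clients and counts where they were relayed to; the /24 LAN mask is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the 602Pro Lansuite log format quoted in the thread:
# a few of the poster's own lines plus one LAN line, so the script runs offline.
SAMPLE_LOG = """\
1:03:32 PM PROXY: 1720 10.43.1.77 Connection has arrived.
1:05:55 PM SOCKS: 2128 Connect Administrator@172.200.232.163-> 63.240.202.138:6112
1:08:52 PM SOCKS: 1488 Connect SOCKS5 59.149.171.190
1:23:44 PM SOCKS: 1940 Connect anonymous@ 71.120.10.22-> 63.240.202.120:6112
1:24:55 PM SOCKS: 2436 Connect anonymous@ 71.120.10.22-> 63.240.202.120:6112
12:43:51 PM PROXY: 1412 61.225.144.91 Connection has arrived.
12:44:12 PM PROXY: 1344 Request: 61.135.132.100:25
"""

# The poster's gateway (10.43.1.78) and laptop (10.43.1.77); the /24 mask is assumed.
LAN = ipaddress.ip_network("10.43.1.0/24")

# Two SOCKS shapes appear in the logs: "Connect SOCKS5 <client>" (handshake only)
# and "Connect <user>@ <client>-> <target>:<port>" (a relayed connection).
SOCKS_RE = re.compile(
    r"^\S+ [AP]M SOCKS: \d+ Connect "
    r"(?:SOCKS5 (?P<src5>[\d.]+)|(?P<user>\w+)@\s*(?P<src>[\d.]+)->\s*(?P<dst>[\d.]+):(?P<port>\d+))"
)
# HTTP proxy shape: "PROXY: <id> <client> Connection has arrived."
PROXY_RE = re.compile(r"^\S+ [AP]M PROXY: \d+ (?P<src>[\d.]+) Connection has arrived\.")

def parse_events(text):
    """Return one dict per client connection; lines of other shapes are skipped."""
    events = []
    for line in text.splitlines():
        m = SOCKS_RE.match(line)
        if m:
            events.append({"svc": "SOCKS", "src": m.group("src5") or m.group("src"),
                           "user": m.group("user"), "dst": m.group("dst"), "port": m.group("port")})
            continue
        m = PROXY_RE.match(line)
        if m:
            events.append({"svc": "PROXY", "src": m.group("src"), "user": None, "dst": None, "port": None})
    return events

def external_clients(events, lan=LAN):
    """Client IPs that are not on the LAN. Any hit means the proxy is reachable from
    the Internet and third parties are using it, whatever else may be on the laptop."""
    return sorted({e["src"] for e in events if ipaddress.ip_address(e["src"]) not in lan})

def relay_targets(events):
    """Count where clients were relayed to ("target:port"), to make the pattern visible."""
    return Counter(f'{e["dst"]}:{e["port"]}' for e in events if e["dst"])
```

Run it against a saved Lansuite log instead of SAMPLE_LOG to get the full list of outside clients; an empty list after restricting the SOCKS service to the LAN is the result to aim for.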

Hi
Have a look here:
http://www.sysinternals.com/Utilities/TcpView.html
The TcpView app lets you see exactly what is connecting, with details, IP addresses etc.
It may help. ZoneAlarm is pretty good at stopping inbound connections; check what programs are allowed out/in under the Alerts log tab. Maybe it's simply a program update check running.

There are trojans out there that even stealth firewalls cannot detect. I myself know of one and I'd just not wish to popularize it over here, as it's truly a huge security hazard. If THAT gets popularity, it will be havoc everywhere... THAT trojan cannot be traced by any firewall...
This is James Anderson back again... ZoneAlarm is already there. Even then, if I invoke the SOCKS5 proxy on my gateway, and even if I assign an IP filter barring the gateway itself from accessing the internet through that proxy so that only other systems can access the internet through it, even then I'm right now getting those logs...
Please help... Should I format my whole system?
If I take backups by burning everything to media and then restore it, I don't know whether the trojan thing will still come back and once again try to connect to unknown addresses... Please help...
