Rootkit? Odd attempts to access remote IP (alerted by & blocked by firewall)
Posted 01 April 2011 - 09:55 AM
File/print sharing is enabled (and needed on lan)
Shared printer connected to computer that is generating the alerts
ZA Free firewall 9.2.057.0000
NAT Router is interface to Internet
"The firewall has blocked Internet access to dns_registration [22.214.171.124] (TCP Port 445) from your computer [TCP Flags: S]"
Show the same outbound destination as did the alert. Source comes from a variety of ports. Outbound destination in the "Destination DNS" column is "dns_registration:MYNETWORKNAME" (net name obscured for this message).
Not in my LAN. Best I can find, it's a Rackspace server, but I'm not 100% certain of that. Little info found about that IP.
Events Causing Alert
1. On boot of one specific other computer on the LAN. I believe it's the one in the LAN that has control of the DHCP addresses for the LAN (but I'm at the limit of my network knowledge on that)
2. On double-click on any PDF document (yesterday, but not today)
3. On File/Print dialog on Outlook email messages (today, not before). Intermittent, not every File/Print dialog.
4. On intermittent File/Print dialog on variety of, but not all applications (Notepad, Wordpad, Notepad++ do, Office products do not). Not seeing it on other applications, but haven't tried all.
5. In all applications if File/Print dialog is initiated with Ctrl-P instead of menu, no apparent access attempt made.
6. No such behavior on any other computer on the LAN.
Malware Prevention / Scan
1. AVG always running & up-to-date
2. Full scan by AVG: no malware found
3. Full scan by MalwareBytes: no malware found
4. Full scan by GMER: no malware found
Despite the clean scans, this seems to stink of malware attempting to phone home. I really, really hope there's a benign reason and I'm not seeing a well-hidden rootkit.
1. Is there a reasonable benign explanation for this?
2. If it is malware, with ZA blocking these attempts, would anyone hazard if I've been reasonably protected to-date?
Hoping someone has some insight. I can obtain, run & submit HJT output if it'll be of benefit.
Posted 01 April 2011 - 11:15 AM
On what may have turned out to be a good whim, on the computer that was firing the firewall alert, I changed the DNS server from the ISP (Charter's) DNS servers to Google's public DNS servers (126.96.36.199 and 188.8.131.52).
Behavior, so far, isn't happening any longer.
ISP's DNS & Not Found
The ISP (Charter) has for some time been using their DNS servers to intercept not-found domain names and do a redirect to their "hey look at us, here's a search page for you because you typed in a bad domain name..." Hate that, but that's another story.
Changing to Google's DNS servers, of course, makes that stop.
Here's where it gets interesting. Now that bad DNS resolutions just stop there without redirect (thanks Google), I went to the offending destination IP address. Guess what? It still redirected. Tried a nonsense URL; no redirection.
<html>
  <head>
    <meta http-equiv="refresh" content="0;url=http://search.charter.net/index.php?origURL=http://184.108.40.206/"/>
  </head>
  <body>
    <script>window.location="http://search.charter.net/index.php?origURL="+escape(window.location)+"&r="+escape(document.referrer);</script>
  </body>
</html>
My Thought -- I'm Interested in Other Thoughts Agree/Disagree
The actions that spurred the odd firewall alert (printing: looking for network printer, computer boot: looking at shared resources, Acrobat reader startup: looking for SW updates at a bad address?) were all hitting the Charter DNS, which was doing its redirect garbage. The firewall was seeing that as a problem.
Am I off base here? If I'm not off base, then I think I'm much less concerned that this is a malware episode.
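A way to test the theory above without waiting for another alert, as an added example that is not from the poster: probe a resolver with names that cannot exist (an honest resolver answers NXDOMAIN; an ISP resolver of the kind described answers every one with the same search-page address), then check whether a firewall alert's destination is that address. The resolvers, the zone, the alert text and the address 192.0.2.10 are constructed for the example; `live_resolver` is the only part that touches the network and is not used by default.

```python
"""Detect NXDOMAIN hijacking by a resolver and correlate it with firewall alerts."""
import re
import secrets
import socket
from typing import Callable, Optional

Resolver = Callable[[str], Optional[str]]  # hostname -> IPv4, or None for NXDOMAIN

# Constructed data: 192.0.2.10 is a documentation address standing in for the
# ISP's search-page server; the zone holds the only names that really exist.
HIJACK_IP = "192.0.2.10"
_CONSTRUCTED_ZONE = {"printserver.lan": "192.168.1.20", "www.example.com": "93.184.216.34"}

def constructed_hijacking_resolver(name: str) -> Optional[str]:
    """Behaves like the ISP resolver in the thread: unknown names get the search-page IP."""
    return _CONSTRUCTED_ZONE.get(name, HIJACK_IP)

def constructed_honest_resolver(name: str) -> Optional[str]:
    """Returns NXDOMAIN (None) for anything not in the zone."""
    return _CONSTRUCTED_ZONE.get(name)

def live_resolver(name: str) -> Optional[str]:
    """Uses the system resolver; swap this in to test your own DNS settings."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def random_label() -> str:
    # .example is a reserved TLD, so these names can never legitimately resolve.
    return "nx-" + secrets.token_hex(6) + ".example"

def detect_nxdomain_hijack(resolve: Resolver, probes: int = 5) -> Optional[str]:
    """Return the hijack IP if every nonexistent probe resolves to one address, else None."""
    answers = {resolve(random_label()) for _ in range(probes)}
    if len(answers) == 1 and None not in answers:
        return answers.pop()
    return None

# Constructed alert in the same shape as the ZoneAlarm message quoted in the thread.
SAMPLE_ALERT = ("The firewall has blocked Internet access to dns_registration "
                "[192.0.2.10] (TCP Port 445) from your computer [TCP Flags: S]")
ALERT_RE = re.compile(r"blocked Internet access to (?P<host>\S+) \[(?P<ip>[\d.]+)\] "
                      r"\((?P<proto>TCP|UDP) Port (?P<port>\d+)\)")

def explain_alert(alert: str, hijack_ip: Optional[str]) -> str:
    """Classify an alert as a resolver redirect (benign) or as unexplained (investigate)."""
    m = ALERT_RE.search(alert)
    if not m:
        return "unparsed"
    if hijack_ip and m["ip"] == hijack_ip:
        return f"resolver-redirect: {m['host']} resolved to the search-page address {hijack_ip}"
    return f"unexplained: {m['host']} -> {m['ip']}:{m['port']}/{m['proto']}"
```

An alert classified as unexplained after switching to a non-hijacking resolver is the case that still deserves a malware investigation.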
Posted 29 April 2011 - 07:53 AM
Do you still need help?
I think I've self-diagnosed, but I'd be interested in your thoughts on my analysis -- in the first two posts in this thread.
Posted 02 May 2011 - 04:53 PM
Unfortunately, networking isn't my forte, but from what you described, it appears that everything you described is a "legitimate" action by your ISP. Can't do much about that I'm afraid (except changing to a different DNS as you have).
Any particular reason you're still running XP SP2? Microsoft no longer supports versions of XP without SP3 installed (unless they are the 64bit version).