ckbosh

Rootkit? Odd attempts to access remote IP (alerted by & blocked by firewall)


I seriously hope I'm not seeing the results of (rootkit?) malware...

Background

WinXP sp2

File/print sharing is enabled (and needed on lan)

Shared printer connected to computer that is generating the alerts

ZA Free firewall 9.2.057.0000

NAT Router is interface to Internet

Popup Alert

"The firewall has blocked Internet access to dns_registration [184.106.31.166] (TCP Port 445) from your computer [TCP Flags: S]"

Log Entries

Show the same outbound destination as did the alert. Source comes from a variety of ports. Outbound destination in the "Destination DNS" column is "dns_registration:MYNETWORKNAME" (net name obscured for this message).

Destination IP

Not in my LAN. Best I can find, it's a Rackspace server, but I'm not 100% certain of that. Little info found about that IP.

Events Causing Alert

1. On boot of one specific other computer on the LAN. I believe it's the one in the LAN that has control of the DHCP addresses for the LAN (but I'm at the limit of my network knowledge on that)

2. On double-click on any PDF document (yesterday, but not today)

3. On File/Print dialog on Outlook email messages (today, not before). Intermittent, not every File/Print dialog.

4. On intermittent File/Print dialog on a variety of, but not all, applications (Notepad, Wordpad, Notepad++ do; Office products do not). Not seeing it on other applications, but haven't tried all.

5. In all applications if File/Print dialog is initiated with Ctrl-P instead of menu, no apparent access attempt made.

6. No such behavior on any other computer on the LAN.

Malware Prevention / Scan

1. AVG always running & up-to-date

2. Full scan by AVG: no malware found

3. Full scan by MalwareBytes: no malware found

4. Full scan by GMER: no malware found

Despite the clean scans, this seems to stink of malware attempting to phone home. I really, really hope there's a benign reason and I'm not seeing a well-hidden rootkit.

Questions

1. Is there a reasonable benign explanation for this?

2. If it is malware, with ZA blocking these attempts, would anyone hazard if I've been reasonably protected to-date?

Hoping someone has some insight. I can obtain, run & submit HJT output if it'll be of benefit.


Update

On what may have turned out to be a good whim, on the computer that was firing the firewall alert, I changed the DNS server from the ISP (Charter's) DNS servers to Google's public DNS servers (8.8.8.8 and 8.8.4.4).

Behavior, so far, isn't happening any longer.

ISP's DNS & Not Found

The ISP (Charter) has for some time been using their DNS servers to intercept not-found domain names and do a redirect to their "hey look at us, here's a search page for you because you typed in a bad domain name..." Hate that, but that's another story.

Changing to Google's DNS servers, of course, makes that stop.

Here's where it gets interesting. Now that bad DNS resolutions just stop there without redirect (thanks Google), I went to the offending destination IP address. Guess what? It still redirected. Tried a nonsense URL; no redirection.

Disabled the browser's following of Meta Refresh, and disabled javascript, and guess what I find when I go to the IP address now (Don't know if this forum allows HTML paste - will see if it gets stripped):

<html>
<head>
<meta http-equiv="refresh" content="0;url=http://search.charter.net/index.php?origURL=http://184.106.31.166/"/>
</head>
<body>
<script>window.location="http://search.charter.net/index.php?origURL="+escape(window.location)+"&r="+escape(document.referrer);</script>
</body>
</html>

Isn't that special. That IP address is an HTML page with a meta refresh element and a javascript redirect to Charter's fancy-pants search page.

My Thought -- I'm Interested in Other Thoughts Agree/Disagree

The actions that spurred the odd firewall alert (printing: looking for a network printer; computer boot: looking at shared resources; Acrobat Reader startup: looking for SW updates at a bad address?) were all hitting the Charter DNS, which was doing its redirect garbage. The firewall was seeing that as a problem.

Am I off base here? If I'm not off base, then I think I'm much less concerned that this is a malware episode.

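A way to confirm the poster's self-diagnosis in code (an added example, not from the thread): probe the configured resolver with random names that cannot exist, and if they all resolve to one address the resolver is redirecting NXDOMAIN; then classify a ZoneAlarm-style alert as either that ISP redirect or a genuinely suspicious SMB connection to the Internet. The two resolver functions are constructed stand-ins for the behaviour described above, so it runs offline; swap in socket.gethostbyname to test a live resolver.

```python
import random
import re
import socket
import string
from ipaddress import ip_address

# Redirect address quoted in the post's firewall alert.
HIJACK_IP = "184.106.31.166"

def hijacking_resolver(name):
    """Constructed stand-in for an ISP resolver that answers every
    non-existent name with its search-page host."""
    return HIJACK_IP

def honest_resolver(name):
    """Constructed stand-in for a resolver that returns NXDOMAIN."""
    raise socket.gaierror("NXDOMAIN")

def random_label(n=12):
    return "".join(random.choice(string.ascii_lowercase) for _ in range(n))

def detect_nxdomain_hijack(resolve, tld="com", probes=3):
    """Resolve several random, non-existent names under `tld`.
    Returns the redirect IP if every probe resolves to the same
    address (the hallmark of NXDOMAIN hijacking), else None."""
    answers = set()
    for _ in range(probes):
        try:
            answers.add(resolve(f"{random_label()}.{tld}"))
        except socket.gaierror:
            return None  # an honest resolver fails to resolve garbage
    return answers.pop() if len(answers) == 1 else None

# Matches the 'to <name> [<ip>] (<proto> Port <n>)' part of the alert text.
ALERT_RE = re.compile(
    r"to (?P<host>\S+) \[(?P<ip>[\d.]+)\] \((?P<proto>TCP|UDP) Port (?P<port>\d+)\)")

def explain_alert(alert, hijack_ip):
    """Classify one firewall alert line given the detected redirect IP."""
    m = ALERT_RE.search(alert)
    if not m:
        return "unparsed"
    ip, port = m["ip"], int(m["port"])
    if hijack_ip and ip == hijack_ip:
        return "isp-nxdomain-redirect"   # benign: name did not exist
    if port in (139, 445) and not ip_address(ip).is_private:
        return "smb-to-internet"         # worth investigating
    return "other"

SAMPLE_ALERT = ("The firewall has blocked Internet access to dns_registration "
                "[184.106.31.166] (TCP Port 445) from your computer [TCP Flags: S]")
```

With the hijacking resolver the alert is explained by the redirect; with an honest resolver the same alert would remain an SMB-to-Internet finding that deserves a closer look.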

Hi and welcome to Malwarebytes.

My apologies for the extended delay. Do you still need help?


Greetings,

Do you still need help?

I think I've self-diagnosed, but I'd be interested in your thoughts on my analysis -- in the first two posts in this thread.

Thanks.


Hi,

Unfortunately, networking isn't my forte, but from what you described, it appears that everything you described is a "legitimate" action by your ISP. Can't do much about that I'm afraid (except changing to a different DNS as you have).

Any particular reason you're still running XP SP2? Microsoft no longer supports versions of XP without SP3 installed (unless they are the 64-bit version).
