why is ftp trying to connect to same random shit
clalias
All American
1580 Posts

Sygate keeps telling me that ftp is trying to connect to 69655.co-ip.com [10.10.10.10] using port 21. Do I want to allow access?

I have never seen this before and can't find anything on google. Maybe I am just trying the wrong keywords.

Any ideas?

----------details------------
File Version : 5.1.2600.2180
File Description : File Transfer Program (ftp.exe)
File Path : C:\WINDOWS\system32\ftp.exe
Process ID : 0xCC8 (Heximal) 3272 (Decimal)

Connection origin : local initiated
Protocol : TCP
Local Address : 192.168.1.102
Local Port : 2263
Remote Name : 69655.no-ip.com
Remote Address : 10.10.10.10
Remote Port : 21 (FTP - File Transfer [Control])

Ethernet packet details:
Ethernet II (Packet Length: 76)
Destination: 00-04-5a-2e-58-cd
Source: 00-12-3f-72-c1-66
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 64
Protocol: 0x6 (TCP - Transmission Control Protocol)
Header checksum: 0x5e0c (Correct)
Source: 192.168.1.102
Destination: 10.10.10.10
Transmission Control Protocol (TCP)
Source port: 2263
Destination port: 21
Sequence number: 1875923314
Acknowledgment number: 0
Header length: 28
Flags:
0... .... = Congestion Window Reduce (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Checksum: 0xcee2 (Correct)
Data (0 Bytes)

Binary dump of the packet:
0000: 00 04 5A 2E 58 CD 00 12 : 3F 72 C1 66 08 00 45 00 | ..Z.X...?r.f..E.
0010: 00 30 58 48 40 00 40 06 : 0C 5E C0 A8 01 66 0A 0A | .0XH@.@..^...f..
0020: 0A 0A 08 D7 00 15 6F D0 : 51 72 00 00 00 00 70 02 | ......o.Qr....p.
0030: FF FF E2 CE 00 00 02 04 : 05 B4 01 01 04 02 2E 70 | ...............p
0040: 6C 67 3F 74 3D 32 26 72 : 3D 34 33 2C | lg?t=2&r=43,


[Edited on September 27, 2005 at 12:38 AM. Reason : details]

9/27/2005 12:36:47 AM
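Added example, not part of the original post: a Python decode of the binary dump above, to check the firewall's field summary against the raw bytes and to see where the TCP segment actually ends. `DUMP` is copied from the post; the function names are this example's own.

```python
import struct

# "Binary dump of the packet" lines, copied from the post above.
DUMP = """\
0000: 00 04 5A 2E 58 CD 00 12 : 3F 72 C1 66 08 00 45 00 | ..Z.X...?r.f..E.
0010: 00 30 58 48 40 00 40 06 : 0C 5E C0 A8 01 66 0A 0A | .0XH@.@..^...f..
0020: 0A 0A 08 D7 00 15 6F D0 : 51 72 00 00 00 00 70 02 | ......o.Qr....p.
0030: FF FF E2 CE 00 00 02 04 : 05 B4 01 01 04 02 2E 70 | ...............p
0040: 6C 67 3F 74 3D 32 26 72 : 3D 34 33 2C | lg?t=2&r=43,
"""

def dump_to_bytes(dump):
    """Keep the hex column only: after the offset, before the '|' ASCII view."""
    out = bytearray()
    for line in dump.strip().splitlines():
        hex_col = line.split(":", 1)[1].split("|", 1)[0].replace(":", "")
        out += bytes.fromhex("".join(hex_col.split()))
    return bytes(out)

def folded_sum(data):
    """RFC 1071 one's-complement sum; validly checksummed data folds to 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def decode(frame):
    ip = frame[14:]                                # skip the Ethernet II header
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]                        # segment bounded by IP total length
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    pseudo = ip[12:20] + struct.pack("!BBH", 0, ip[9], len(tcp))
    return {
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "sport": sport, "dport": dport, "seq": seq,
        "syn_only": off_flags & 0xFF == 0x02,
        "ip_checksum_ok": folded_sum(ip[:ihl]) == 0xFFFF,
        "tcp_checksum_ok": folded_sum(pseudo + tcp) == 0xFFFF,
        "payload": tcp[(off_flags >> 12) * 4:],    # TCP data after header + options
        "trailer": ip[total_len:],                 # captured bytes past the IP datagram
    }

if __name__ == "__main__":
    for key, value in decode(dump_to_bytes(DUMP)).items():
        print(f"{key:16} {value}")
```

The decode agrees with the summary (a bare SYN from port 2263 to port 21 with no data), and the readable bytes at the end of the dump fall after the IP total length, so they are not part of what ftp.exe sent in this segment.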

disco_stu
All American
7436 Posts

I'm gonna go out on a limb here and say that you don't want to let ftp connect to a remote site that you don't know about. no-ip.com is a ddns service, so I'm betting that 69655.no-ip.com forwards to some shithole on a cable modem or college network trying to steal personal info. You need to update your virus scan and run a scan. Also, take a look at the process list in your Task Manager and google any processes you're not familiar with.

9/27/2005 8:32:11 AM

clalias
All American
1580 Posts

"do I want to allow access?" is what sygate was asking me. I have not been allowing access.
I have bitdefender 9 pro plus with the latest definitions. It is not picking anything up.

I am seeing if anyone has heard of this. Also there is an application "setup" running that shouldn't be. Again, can't get anything on google or anti-virus websites because 'setup' is such a common word I suppose.

9/27/2005 11:44:20 AM

disco_stu
All American
7436 Posts

It's almost definitely a trojan. Odd that bitdefender isn't picking it up, maybe it's a newer one. Make sure your virus definitions are up to date, and if that doesn't work, try downloading the antivirus offered by state. http://www.ncsu.edu/antivirus

Maybe it's a brand new one, in which case you could talk with bitdefender or Symantec and isolate it. I'm interested in this so let me know.

9/27/2005 11:58:10 AM

split
All American
834 Posts

Try going to trendmicro's housecall site to scan for viruses from there. Also, you might want to download the fport program so that the next time you get a popup asking you whether you want to accept the traffic, you can run fport and find out what is attempting to make the connection. Another option is to manually set the IP of 69655.no-ip.com to an FTP server you control to see what it is trying to do.

[edit] Though I am not sure if fport will allow you to track back to the process that calls ftp.exe, worth a shot though.

[Edited on September 27, 2005 at 12:06 PM. Reason : -]

9/27/2005 12:04:16 PM

clalias
All American
1580 Posts

response from abuse@no-ip.com :

You're going to want to not allow that traffic and update your virus
scanner. That host name was recently shut down because it was linked
to a virus that has been going around.

Thanks,
Kurt

---------------------

Now I got to contact Bitdefender and ask wtf is their problem?

[Edited on September 27, 2005 at 12:24 PM. Reason : .]

9/27/2005 12:23:32 PM

tjoshea
All American
4906 Posts

OWNED

9/27/2005 3:55:37 PM

moron
All American
34185 Posts

^^ You realize your name looks a lot like the impotency drug Cialis?

9/27/2005 4:20:56 PM

clalias
All American
1580 Posts

^ hah, know. that's so fucked up. I was pissed when I first saw that damn commercial. But I don't want to pay to get another account.

[Edited on September 27, 2005 at 7:51 PM. Reason : .]

9/27/2005 7:50:53 PM
