Thread: MarkMonitor monitors my system

  1. #1
    Junior Member
    Join Date
    Dec 2006
    Posts
    42

    Exclamation MarkMonitor monitors my system

    Hi.

    I have two systems at home, a Linux (Backtrack and CrashBang) and a Windows for work. The situation is as follows.

    -On my Windows machine, my firewall status shows me that any time I open a network-related application a few connections open, from 0.0.0.0 and a port between 3000 and 4200, to port 80 on some external IPs. Three of these IPs are 209.85.135.103, 74.125.39.139, and 64.124.14.70.

    -Reverse DNS and whois show the IPs belong to MarkMonitor, a company whose scope I am unsure about but whose full name is Markmonitor Brand Protection Antifraud Solutions. That sounds scary.

    -I have no idea if the connections start locally, or if they are just trying to hit the ports remotely and get answers from my network applications.

    -Blocking the ports triggers the use of other ports.

    I am not a newbie, but this is slightly too big for me. I need some guidance and would also like to hear any information about them, apart from the website and strange press releases I have seen around, to try to understand what they might be after.

    Just for your info, I don't do attacks from home nor am I involved in any criminal activities. Unless using Bittorrent can already fall into that description.

  2. #2
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Default

    Quote Originally Posted by madmanu View Post
    Hi.
    I have two systems at home, a Linux (Backtrack and CrashBang) and a Windows for work. The situation is as follows.

    . I need some guidance
    So if this is your work computer, why not just let your network or system admin know about the problem? Or maybe they already do.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  3. #3
    Junior Member
    Join Date
    Dec 2006
    Posts
    42

    Default

    Both systems are at home. The Linux machine dual boots Backtrack and CrashBang, and the Windows machine has software I can't use in Linux. I am the network admin, with limited knowledge but far more than most home users. I could notify my ISP, but any time I had a problem in the past it turned out to be me who was guiding them to find the problem, which is logical when you get to know the requirements to work in their call center and the money they pay.

    I'm on my own on this.

  4. #4
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    22

    Default

    You can try with netstat in a DOS shell:
    Code:
    netstat -anb
    Run that after launching your application.

    You can also watch the ports with TCPView from Sysinternals, but I don't remember if it also shows which process uses the port.

    You can also watch the new processes that appear when you start your network-related application. For that, use ProcExp, from Sysinternals again; it shows the new process in green. You can look at the details like which DLLs and which ports it uses.

    If you didn't try yet, scan the computer with "Spybot: Search and Destroy" and/or Ad-Aware.
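One way to do the triage post #4 describes, as an added example that is not from the original thread: a small Python parser for saved `netstat -anb` output that ties each connection to the executable netstat names, then flags those going to the three IPs from the first post or to port 80 from the 3000-4200 local port range. The sample output below is constructed to mirror the symptoms in the thread, not captured from a real machine.

```python
import re

# Constructed sample of `netstat -anb` output, modelled on the symptoms in the
# thread (0.0.0.0 local side, ports 3000-4200, remote port 80); not real data.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:3125           209.85.135.103:80      ESTABLISHED
 [firefox.exe]
  TCP    0.0.0.0:3140           74.125.39.139:80       SYN_SENT
 [firefox.exe]
  TCP    192.168.1.5:3201       64.124.14.70:80        ESTABLISHED
 [thunderbird.exe]
  TCP    192.168.1.5:49152      192.168.1.1:53         TIME_WAIT
"""

# The three destination addresses reported in the first post.
WATCH_IPS = {"209.85.135.103", "74.125.39.139", "64.124.14.70"}

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)")
IMAGE_RE = re.compile(r"^\s*\[(.+)\]\s*$")

def parse_netstat(text):
    """Return dicts {proto, local, remote, state, image}; the bracketed
    [image.exe] line that -b prints is attached to the connection above it."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.append(dict(zip(("proto", "local", "remote", "state"), m.groups()), image="?"))
            continue
        m = IMAGE_RE.match(line)
        if m and conns:
            conns[-1]["image"] = m.group(1)  # last bracket line is the exe
    return conns

def flag_connections(conns, watch_ips=WATCH_IPS, ephemeral=(3000, 4200)):
    """Keep connections to a watched IP, or to port 80 from the odd local
    port range the poster observed, so each can be tied to its process."""
    hits = []
    for c in conns:
        rhost, _, rport = c["remote"].rpartition(":")
        lport = c["local"].rpartition(":")[2]
        if not (rport.isdigit() and lport.isdigit()):
            continue
        odd_web = rport == "80" and ephemeral[0] <= int(lport) <= ephemeral[1]
        if rhost in watch_ips or odd_web:
            hits.append(c)
    return hits
```

On a real machine, run `netstat -anb > netstat.txt` from an administrator prompt (the -b switch needs elevation) and pass the file's contents to parse_netstat.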

  5. #5
    Junior Member tek911's Avatar
    Join Date
    Jan 2010
    Posts
    59

    Default

    Could be spyware/malware, could be programs updating. Either way, not a big problem. The Windows machine for work: if it's work's, have them give you another one and rebuild that one; if it's personal but used for work, nuke it from orbit and rebuild. Either way, back your stuff up if it's a concern and rebuild. If you really want to figure it out, I'd suggest a hub and a sniffer. Boot your Backtrack machine and sniff your Windows connection over the hub (or save yourself the time and hassle of even that and just fire up Wireshark, but if it's anything worthwhile in terms of malicious it's going to mask itself from you seeing it in your Windows session).

  6. #6
    Junior Member
    Join Date
    Dec 2006
    Posts
    42

    Default

    I can see the processes doing the strange connections (launch Firefox and instantly, after the home page is loaded, a few Firefox 0.0.0.0: connections appear with ports ranging from 3000 to 4000; launch Thunderbird and the same; launch any other app allowed to connect and the same), and I can see the destination IPs. I guess, tek911, the hub and Backtrack are the way to go, because if it's malware it might be coming from MarkMonitor, the owner of the destination IPs and an apparently known and respected consultancy company for Brand Protection, and if so I'd really want to know what kind of data is being transferred.
    I'll be back there in 3 days, so I'll give it a try then.
    Any more ideas welcome, help received so far, thanks!

  7. #7
    Member
    Join Date
    Feb 2010
    Location
    Root
    Posts
    121

    Default

    Quote Originally Posted by madmanu View Post
    Hi.

    I have two systems at home, a Linux (Backtrack and CrashBang) and a Windows for work. The situation is as follows.

    -On my Windows machine, my firewall status shows me that any time I open a network-related application a few connections open, from 0.0.0.0 and a port between 3000 and 4200, to port 80 on some external IPs. Three of these IPs are 209.85.135.103, 74.125.39.139, and 64.124.14.70.

    -Reverse DNS and whois show the IPs belong to MarkMonitor, a company whose scope I am unsure about but whose full name is Markmonitor Brand Protection Antifraud Solutions. That sounds scary.

    -I have no idea if the connections start locally, or if they are just trying to hit the ports remotely and get answers from my network applications.

    -Blocking the ports triggers the use of other ports.

    I am not a newbie, but this is slightly too big for me. I need some guidance and would also like to hear any information about them, apart from the website and strange press releases I have seen around, to try to understand what they might be after.

    Just for your info, I don't do attacks from home nor am I involved in any criminal activities. Unless using Bittorrent can already fall into that description.
    Hey man,
    not sure if you found your answer yet. However, I did some digging on your IPs and found this:

    As you said, they seem to belong to this Markmonitor. All seem to be using Google name servers. After some digging on this Markmonitor software, it seems to be a pretty good enterprise level malware protection. Among the list of names using this are Blizzard, and Facebook.

    It doesn't look to be malicious, but why would it be installed on your pc?

  8. #8
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by ghost40 View Post

    It doesn't look to be malicious, but why would it be installed on your pc?
    1. The laptop actually belongs to his employer.
    2. The laptop was decommissioned by a company and resold.
    3. The laptop is hot.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  9. #9
    Junior Member Valifake's Avatar
    Join Date
    Jan 2010
    Location
    Don't worry Sir, I'm from the Internets
    Posts
    38

    Default

    I agree with streaker about nuking the whole system.

    However, if you can't/won't go that route, then you could always route through your Linux box and firewall all connections to the destination IP block.

    You could also use Wireshark to try and inspect the data.
    Mathematical reasoning may be regarded rather schematically as the exercise of a combination of two facilities, which we may call intuition and ingenuity.
