I have two systems at home, a Linux (Backtrack and CrashBang) and a Windows for work. The situation is as follows.
-In my Windows machine, my firewall status shows me that any time I open a network-related application a few connections open, from 0.0.0.0 and a port between 3000 and 4200, to port 80 on some external IPs. Three of these IPs are 188.8.131.52, 184.108.40.206, and 220.127.116.11.
-Reverse DNS and whois show the IPs belong to MarkMonitor, a company whose scope I am unsure about but whose full name is Markmonitor Brand Protection Antifraud Solutions. That sounds scary.
-I have no idea if the connections start locally, or if they are just trying to hit the ports remotely and get answers from my network applications.
-Blocking the ports triggers the use of other ports.
I am not a newbie, but this is slightly too big for me. I need some guidance and would also like to hear any information, apart from the website and the strange press releases I have seen around, to try to understand what they might be after.
Just for your info, I don't do attacks from home nor am I involved in any criminal activities. Unless using Bittorrent can already fall into that description.
Both systems are at home. The Linux machine has dual boot Backtrack and CrashBang, and the Windows machine has software I can't use in Linux. I am the network admin, with limited knowledge but far bigger than most home users. I could notify my ISP, but any time I had a problem in the past it turned out to be me who was guiding them to find the problem, which is logical when you get to know the requirements to work in their call center and the money they pay.
I'm on my own on this.
You can try with netstat in a DOS shell:

    netstat -anb

Run that after launching your application.
You can also watch the ports with TCPView from Sysinternals, but I don't remember if it also shows which process uses the port.
You can also watch the new processes that appear when you start your network-related application. For that, use ProcExp, from Sysinternals again; it shows the new process in green. You can look at details like which DLLs and which ports it uses.
If you didn't try yet, scan the computer with "Spybot: search and destroy" and/or Ad-Aware.
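One way to work through the netstat suggestion above, as an added example that is not from anyone in this thread: a Python script that parses saved `netstat -anb` output and lists which executable owns each connection, then checks the peers against the three IPs from the first post. The netstat text below is a constructed sample, not output from the poster's machine; the executable names, local addresses and the 93.184.216.34 peer in it are made up for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `netstat -anb` output; it is NOT captured from the
# poster's machine. Windows prints each connection line and then the owning
# executable in square brackets (a service name may sit in between, and the
# command needs an elevated prompt or it reports "Can not obtain ownership").
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    192.168.1.10:3012      188.8.131.52:80        ESTABLISHED
 [firefox.exe]
  TCP    192.168.1.10:3015      184.108.40.206:80      ESTABLISHED
 [firefox.exe]
  TCP    192.168.1.10:49200     93.184.216.34:443      ESTABLISHED
 [firefox.exe]
  TCP    192.168.1.10:3020      220.127.116.11:80      TIME_WAIT
 [thunderbird.exe]
  UDP    0.0.0.0:5355           *:*
  Can not obtain ownership information
"""

# The three remote IPs reported in the first post of the thread.
WATCHED = ["188.8.131.52", "184.108.40.206", "220.127.116.11"]

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def parse_netstat_anb(text):
    """Parse `netstat -anb` text into a list of connection dicts.

    The owner is taken from the first bracketed line that follows a connection
    line; it stays None when netstat could not report ownership.
    """
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, laddr, lport, raddr, rport, state = m.groups()
            conns.append({"proto": proto, "local": laddr, "lport": int(lport),
                          "remote": raddr, "rport": rport, "state": state,
                          "owner": None})
            continue
        m = OWNER_RE.match(line)
        if m and conns and conns[-1]["owner"] is None:
            conns[-1]["owner"] = m.group(1)
    return conns


def _peer(conn):
    """Return the remote address as an ip_address, or None for listeners/'*'."""
    try:
        addr = ipaddress.ip_address(conn["remote"].strip("[]"))
    except ValueError:
        return None  # "*" or something netstat printed that is not an address
    return None if addr.is_unspecified else addr


def remotes_by_owner(conns):
    """Map each owning executable to the sorted list of peers it talks to."""
    peers = defaultdict(set)
    for c in conns:
        addr = _peer(c)
        if addr is not None:
            peers[c["owner"] or "<unknown>"].add(addr)
    return {owner: [str(a) for a in sorted(addrs, key=lambda a: (a.version, int(a)))]
            for owner, addrs in peers.items()}


def in_watchlist(conns, watch):
    """Return (owner, remote, rport, state) for every connection whose peer
    falls inside one of the watched IPs or CIDR blocks."""
    nets = [ipaddress.ip_network(w, strict=False) for w in watch]
    hits = []
    for c in conns:
        addr = _peer(c)
        if addr is not None and any(addr in n for n in nets):
            hits.append((c["owner"] or "<unknown>", str(addr), c["rport"], c["state"]))
    return hits


if __name__ == "__main__":
    conns = parse_netstat_anb(SAMPLE_NETSTAT)
    for owner, peers in sorted(remotes_by_owner(conns).items()):
        print(f"{owner}: {', '.join(peers)}")
    for hit in in_watchlist(conns, WATCHED):
        print("watched peer:", hit)
```

Save the real output with `netstat -anb > conns.txt` from an elevated prompt right after launching the application, then feed the file contents to `parse_netstat_anb`. Because the watchlist accepts CIDR blocks, the same check can be pointed at the whole address block that whois returns for those IPs rather than only the three addresses seen so far.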
Could be spyware/malware, could be programs updating. Either way, not a big problem. The Windows machine for work: if it's a work machine, have them give you another one and rebuild that one; if it's personal and used for work, nuke it from orbit and rebuild. Either way, back your stuff up if it's a concern and rebuild. If you really wanna figure it out, I'd suggest a hub and a sniffer. Boot your BackTrack machine and sniff your Windows connection over the hub (or save yourself the time and hassle of even that and just fire up Wireshark, but if it's anything worthwhile in terms of malicious it's going to mask itself from you seeing it in your Windows session).
I can see the processes doing the strange connections (launch Firefox and instantly, after the home page is loaded, a few Firefox 0.0.0.0: connections appear with ports ranging from 3000 to 4000; launch Thunderbird and the same; launch any other app allowed to connect and the same), and I can see the destination IPs. I guess, tek911, the hub and BackTrack is the way to go, because if it's malware it might be coming from MarkMonitor, the owner of the destination IPs and an apparently known and respected consultancy company for Brand Protection, and if so I'd really want to know what kind of data is being transferred.
I'll be back there in 3 days, so I'll give it a try then.
Any more ideas welcome, help received so far, thanks!
I agree with tek911, nuke it from orbit, it's the only way to be sure.
A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
Not sure if you found your answer yet. However, I did some digging on your IPs and found this:
As you said, they seem to belong to this Markmonitor. All seem to be using Google name servers. After some digging on this Markmonitor software, it seems to be a pretty good enterprise level malware protection. Among the list of names using this are Blizzard, and Facebook.
It doesn't look to be malicious, but why would it be installed on your pc?
I agree with streaker about nuking the whole system.
However, if you can't/won't go that route then you could always route through your Linux box and firewall all connections to the destination IP block.
You could also use Wireshark to try and inspect the data.
Mathematical reasoning may be regarded rather schematically as the exercise of a combination of two facilities, which we may call intuition and ingenuity.