[cleako]

I use Norton Internet Security and I am trying to figure out where everything is connecting to. Occasionally programs will try to connect to an IP address through port 53 and I cannot seem to try to connect to it myself just to see what it is and Google-ing it returns nothing.

So what I would like to know is if this is an innocent connection or if I should block it everytime? Today it was Microsoft Printer Spooler Server and the other day it was one of the Generic Host Process or a svhost connection.

Thanks,
Cleako

Edited by cleako, 02 September 2005 - 01:34 PM.

[Advertisements]

Please go to the malware forum and follow the instructions at the top....Especially the CLICK HERE .

That will give you several steps that will help you clean up 70 percent of all problems by yourself. If at the end of the process you are still having difficulty--and you may not be-- then post a hijackthis log in THAT forum.

If you are still having problems after getting a clean bill of health from the malware expert, please return to this thread.

[Kat]

Please go to the malware forum and follow the instructions at the top....Especially the CLICK HERE .

That will give you several steps that will help you clean up 70 percent of all problems by yourself. If at the end of the process you are still having difficulty--and you may not be-- then post a hijackthis log in THAT forum.

If you are still having problems after getting a clean bill of health from the malware expert, please return to this thread.

[cleako]

I actually had a clean bill on this thread - http://www.geekstogo..._up-t51439.html. I have Webroot Spysweeper installed and have run all of the various scanners. This is something that has always gone on and I usually just leave automatic control on in Internet Security. Well I decided to turn it off and it has some things connecting out that I dont understand the purpose of. I work in the IT industry so please feel free to lay it on me here.

Thanks,
Cleako

[cleako]

Like I said, this is something that has been going on for quite a while - before and after the clean bill of health. It is random programs that I dont know what they are connecting to. If it is something benign then I will just let them connect - it might just be some kind of Microsoft call or something. Just let me know if you have any idea.

Cleako

[cleako]

I still havent heard anything. Do I need to just allow these connections?

Cleako

[Tyger]

Look at the Norton logs and your event logs too. You may need to enable more logging, I beleive you can enable looging for your network adapter also. When you find an IP don't forget to put the http:// in front when you try to access it.

[Baggyboy]

Have you tried to lookup the IP numbers with a WHOIS request? http://www.samspade.org/ is a great resource for researching this type of thing and may give you some indication as to the legitimacy of those connections.

Also lookup those port numbers here for some idea as to the services running on them. Port 53, as per your example, is related to DNS tasks and therefore the IP numbers concerned are probably requests for DNS resolution. Usually nothing to worry about. As you have reported a clean bill of health elsewhere then you can rest easy!

[cleako]

Wow that is exactly what I needed to know. It turns out it is just connecting out to the ISP so DNS resolution is probably what is going on.

Thanks!
Cleako

[Baggyboy]

Hey, glad to be of service!

One point though. You mentioned that it's just connecting to your ISP. When you look up the domain name on sam spade, does it resolve to a userID address type of thing or to a proper DNS server. ie. ns1-edi.blueyonder.net is my DNS server and xxx-xxx-xxx-xxx.cable.ubr02.xxxx.blueyonder.co.uk is my own ip address resolved (with sensitive details replaced with trusty x's!). Hopefully you will see what i'm trying to get at here.

If it is indeed a DNS server that is recieving the connection then you should be able to tell (simple address, which maybe even have a description if you dig deep). If it is not then it may be a sign of something more untoward, like DNS poisoning for example. Highly doubtful though, just an outside chance. Easily checked so I thought I would throw it in for the sake of completeness.

Edited by Baggyboy, 03 September 2005 - 01:29 PM.