Can you help me understand what this SYN_SENT means from a security standpoint on a home PC?
WINDOWSXP_SP2> netstat -a -n -b
Active Connections Proto Local Address Foreign Address State PID TCP 192.168.0.101:1058 63.236.111.222:80 SYN_SENT 912 C:\\WINDOWS\\system32\\WS2_32.dll C:\\WINDOWS\\System32\\WINHTTP.dll -- unknown component(s) -- [svchost.exe]
Here is what I tried ineffectively to debug so far. Can you help me debug more?
Upon bootup, with no web browsers running, I ran netstat -a -n -b and saw this SYN_SENT issue hanging at the SYN_SENT line. After a minute or two the netstat completed as shown above. .... I first looked up 63.236.111.222 on
formatting link
but it didn't know who that was. .... I then looked it up on
formatting link
which gave me THREE owners for the same IP address, none of which I recognize and certainly none I purposefully communicated with. .... I looked up tcp/ip port 1058 and found it was registered to "nim" but there is not much information about this port anywhere I could find. .... Wikipedia has almost nothing on this special nim port 1058
formatting link
.... The Microsoft Windows XP netstat doesn't even -list- a command called SYN_SENT (it lists SYN_SEND)
formatting link
.... However, other netstat manpages say " The socket is actively attempting to establish a connection. " but what does THAT tell me?
formatting link
.... A search for winhttp.dll & WS2_32.DLL is wierd. I couldn't find a DESCRIPTION for these dlls. That's wierd.
formatting link
Where do we find descriptions of dlls?
Some housekeeping notes .... I am running the latest Windows XP Service Pack 2
formatting link
.... I ran the Microsoft Malicious Software Removal Tool but it didn't find anything suspicious
formatting link
.... My avast antivirus doesn't list anything suspicious like Blaster or anything like that. .... I don't even -see- the connection in my sygate personal firewall traffic logs .... I'm wireless on a two PC home network
I'm flailing around ineffectively trying to figure this out so now I'm asking you for help.
Can you give me the straight scoop on how to stop this problem?
The whois search indicates that this IP is for Qwest communications so I doubt that it is malicious traffic. Maybe your ISP, other internet service, or an application you have on your computer has something to do with Qwest. Your SYN_SENT means that a session is being established with their website at that IP and is part of the tcp/ip handshake to establish a connection. Such can be done to check for updates, etc or possibly spyware so you should also scan for Spyware with something like AdAware SE. Antivirus programs do not check for spyware. Another thing you could do is to install, even if just temporarily, a software firewall like Zone Alarm that would alert you when an application is trying to access the internet and show you which application. --- Steve
The web server at the above IP is using host header security. I would attempt a packet capture to learn host header values to access the site. It is quite odd, though.
No worries, it's just an ephemeral port.
I am quite sure that the two are synonymous.
192.168.0.101:1058 sent a syn to 63.236.111.222:80 and awaits a syn/ack response.
ws2_32 is likely winsock2. WinHTTP is this groovy little windows component. I've written web spiders using it. I would look for a script to be utilizing this component at boot time, according to your observation.
Actually it's a race condition. To get awake, you need some coffee, but you're too tired to get using the coffee machine.
But this is no problem since Emacs fully implements RFC 2324 (Hyper Text Coffee Pot Control Protocol). And AFAIK recently someone has build a coffee machine that supports it, too. Now that's serious concurrence for my NetBSD toaster.
I believe that is one of the still unanswered questions in science, how to acurately specify requirements for QoS using distributed coffee solutions in large networks.
I've done some research in the area, but the results are unconclusive:
The cost of high-performance equipment tend to be significant, and with the current technology there will still be a threat of congestion at peak hours.
A plain coffee pot will have to be sized after the expected throughput, its size variations greatly affecting performance in terms of temperature and other QoS factors. There is also a problem when people empty the pot and fails to initiate the process to refill it. This is more of a social problem, and should be studied independently.
The coffee machines that deliver just one and one cup eliminates most of the QoS problems, but are more prone to congestion. Further research is needed in this area.
Your system initiated a connection. See any decent textbook on TCP such as 'TCP/IP Network Administration' 3rd Edition (O'Reilly & Assoc, ISBN
0-596-00297-1, April 2004, 746 pgs, US$45) by Craig Hunt, or W. Richard Stevens classic books 'TCP/IP Illustrated Volume 1' (Addison-Wesley, ISBN
0-201-93346-9). Briefly, your computer sends a TCP packet with the SYN flag set and a randomly generated sequence number. The peer should respond with a packet with the SYN and ACK flags set, agreeing to your random number, and proposing one of it's own. Your system would then respond with a third packet with the ACK flag, agreeing to the peers random number. This is the "three-way-handshake" that starts a TCP connection. The random numbers are used to keep track of bits sent. Now, the peer may not wish to talk to you, and instead of responding with a SYN ACK packet, may respond with a ACK RST packet, which basically says "go away kid, you're bothering me" and that is the end of that.
Sorry, I don't do windoze.
Process 912 on your system (192.168.0.101) sent a packet from port 1058 which is an ephemeral port allocated to users sent a SYN packet to
63.236.111.222 hoping to connect to the web server running on port 80 of that system. Apparently, it did not respond (which could be a firewall issue as that host seems to be alive).
You may not have a browser running, but something wants to talk to a web server. As mentioned, I don't do windoze.
Yes, the idiots running the datacenter did not configure a DNS PTR record.
# ARIN WHOIS database, last updated 2006-02-23 19:10 # Enter ? for additional hints on searching ARIN's WHOIS database. [compton ~]$
QWorst is one of the 'Baby Bells' - a regional telephone company with delusions of grandeur. The 'Cybercenters' is a data center (think of a large building with a major sized data cable, and rooms or cages leased out to providers). Savvis is a "well known" provider who seems to have no concern who they rent space, addresses, and bandwidth to. So, QWorst owns the address, this block seems to be located in a data center they own in the Washington DC metro area, and Savvis has leased a small block of addresses there. Savvis _probably_ has sub-leased bandwidth to one of their customers.
Meaningless. Your system wants to communicate, and grabs a semi-random number over 1024 (ports below 1025 "should" be reserved for server applications) and uses that to source the connection. On a general basis, port numbers are only registered/reserved on the _destination_ end of a conversation. By this - you want to connect to "some" service. There are
65536 ports on the server, and which should you connect to in order to get the service you are looking for. The answer is the registered/reserved or 'well known' port for that service.
SYN_SENT is a state - a condition. It's not a command.
None the less, _something_ on your system decided it wanted to connect to a web server.
No, I got rid of windoze before microsoft belatedly invented networking some
################################################ arin.net showed Quest as the owner of that block. Search your HD and the registry for quest. Run msconfig and look at the startup. You might find something there.
I wasn't sure how to tell what is running at startup so I googled for and found a tiny program called "StartupList.exe" from Soeperman Enterprises, Ltd. which listed all the programs running at startup. None of these programs has "quest" in them though. Do you see anything strange here? Can I kill some of these initialization files? Thanks, .....Pam
StartupList report, 02/23/2006, 9:02:23 PM StartupList version: 1.52 Started from : C:\\Program Files\\os\\start/p\\startuplist\\StartupList.EXE Detected: Windows XP SP2 (WinNT 5.01.2600) Detected: Internet Explorer v7.00 (7.00.5296.0000)
One source of confusion you eliminated was the port used to make the outgoing SYN request. The evilware seems to change ports, as you predicted - eg it recently used port 1032. Thanks to your explanation, we can eliminate the port itself as a clue to the solution of the dilemma. I'll move on to debugging the process which seems to be svchost Generic Host Process for Win32 Services, whatever that is.
I searched the Windows XP file system for "Quest" and for "Quest Communications" but came up blank. Even when I searched inside the files, I mostly came up with hundreds of "requests" and "questions" but not Quest Communications.
The registry search came up with similar results even after googling for and downloading an enhanced registry search tool called "NirSoft regscanner" from
formatting link
Most of the information I found I couldn't tell if it was significant or not but none had the words "Quest Communications" unfortunately.
I rebooted and ran netstat again a few times and at first did not know how to see what process was 912 until I found and installed something called NirSoft CurrProcess
formatting link
which told me it was the "svchost.exe" process and that this process was owned by the "NT AUTHORITY\\SYSTEM".
I tried finding more information about that process by downloading something called Sysinternals Process Explorer by Mark Russinovich
formatting link
but I could not comprehend the information in the bottom bar of the window (Thread, Semaphore, Port, Mutant, KeyedEvent, Key, WindowStation, etc).
It seems that one of my many svchost "Generic Host Process for Win32 Services" processes is the culprit which is initiating "SYN_SENT" signals on random ports to Quest Communications (63.236.111.222) at port 80. But why?
Even though I ran and reran a virus scan, malware scan, Ad-Aware scan, Spybot Search and Destroy scan, etc., do you think this unsolicited request to
63.236.111.222 at port 80 might be related to the strange C:\\TEMP\\GLB1A2B.EXE file I saw but which went away after a reboot?
I did an experiment of turning off my ISP's connection and the problem only seems to occur at bootup. In this case (which maybe I didn't get right on time) I saw UDP 0.0.0.0:1032 *:* 920 C:\\WINDOWS\\system32\\mswsock.dll C:\\WINDOWS\\system32\\WS2_32.dll c:\\windows\\system32\\DNSAPI.dll C:\\WINDOWS\\system32\\mswsock.dll C:\\WINDOWS\\system32\\WS2_32.dll [svchost.exe]
Where as it always seems to be, the process 920 resolved to "svchost.exe" which I'm pretty unsure of what it does especially after googling for it as there are a handful of svchosts.exe processes always running.
Where would I find boot up scripts that might be calling this? All I know to look for is where the NirSoft startuplist program indicated there was something in [HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon] UserInit = C:\\WINDOWS\\system32\\userinit.exe
and in Windows NT 'Wininit.ini': PendingFileRenameOperations: C:\\TMP\\GLB1A2B.EXE
The contents of the Windows XP C:\\Windows\\wininit.ine file seem to be:
[Rename] NUL= NUL= NUL= .. (about twenty of these NUL lines are all the same)
At this point I don't know what to do to find out WHY my WinXP pc is initiating these SYN_SENT requests from my 192.168.0.101 to the "Quest Communications" 63.236.111.222 server on port 80 in the early minutes after a reboot if the internet connection is alive on the wireless two-pc home network. Do you?
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.