Question

How do I find the app that is trying to send info through my firewall?

By alan williams ·
My firewall is trying to send to what looks like a dodgy IP address. AdAware, Spybot, antivirus and anti-rootkit are not showing anything.
I would like to be able to find out what is sending the info.

8 total posts (Page 1 of 1)  
All Answers

First, find who the IP address belongs to

by robo_dev In reply to How do I find the app tha ...

Go to www.arin.net and enter the IP in the search box.

Next, go to the IP address via the web browser and see what's there. If it's a server in south Hackistan, then your suspicions are valid.

Using netstat -an (from the command prompt in Windows), you can see if there is an active session to that IP.

A free sniffer such as Ethereal or Wireshark will allow you to do protocol analysis and see what type of communication is happening with that address.

Thanks

by alan williams In reply to First, find who the IP ad ...

I use netstat and Sam Spade on a regular basis. That's why I think the addresses are suspect.

Try the Zonealarm Firewall

by mjd420nova In reply to How do I find the app tha ...

I use Zonealarm from Zonelabs to track every incoming and outgoing program. The only way this won't work is if the offending program is using IE, but it will still identify which program is attempting to send out info.

Thanks

by alan williams In reply to Try the Zonealarm Firewal ...

But I am not impressed by the free Zone Labs version.

TCPView from Sysinternals

by Aakash Shah In reply to How do I find the app tha ...

Download TCPView from Sysinternals (now Microsoft):
http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

This will allow you to see what connections are being made, who the connection is being made to and what program is making these requests.

Good luck!

Thanks

by alan williams In reply to TCPView from Sysinternals

TCPView is certainly a useful tool and gets me nearer what I want to find out. Trouble is that some of the list are System processes and I would like to track into them to find what is causing them to run.

Process Explorer

by Aakash Shah In reply to Thanks

By system processes, do you mean svchost? If so, you can use Process Explorer to peek inside svchost to see what is running inside it. Here is an article by Mark Russinovich from Sysinternals/MS that explains how to search for malware on computers:
http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359

This site has a video that talks about advanced malware cleanup. You may find the tips it uses to be quite helpful.
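The two ideas in this thread, checking for an active session to the suspect IP with netstat and then working out which program (or which service inside an svchost.exe) owns it, can be combined without a GUI tool. The script below is an added example, not code from any poster; it parses the output of two standard Windows commands, `netstat -ano` (the `-o` flag adds the owning PID column that `netstat -an` lacks) and `tasklist /svc` (which lists the services hosted by each process), and attributes every connection to a given remote IP to an image name and its hosted services. The command output embedded here is constructed sample text, and `unknown_updater.exe` and all addresses are made-up placeholders. To use it on a real machine, run the two commands and feed their output to `connections_to()`.

```python
import re

# Constructed sample of `netstat -ano` output; every address and PID is made up.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.10:49712     203.0.113.45:443       ESTABLISHED     4480
  TCP    192.168.1.10:49715     198.51.100.7:80        ESTABLISHED     1276
  UDP    0.0.0.0:5355           *:*                                    1276
"""

# Constructed sample of `tasklist /svc` output (image names and PIDs are illustrative).
TASKLIST_SVC_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    912 RpcEptMapper, RpcSs
svchost.exe                   1276 Dnscache
unknown_updater.exe           4480 N/A
"""

# proto, local, remote, optional state (UDP rows have none), pid
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
# image name, pid, comma-separated services or N/A
TASKLIST_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(.*?)\s*$")


def parse_netstat(text):
    """Return one dict per connection row: proto, local, remote, state, pid."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # header, blank and "Active Connections" lines
        proto, local, remote, state, pid = m.groups()
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist_svc(text):
    """Return {pid: (image_name, [hosted services])}; N/A means a plain program."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_LINE.match(line)
        if not m:
            continue  # header and separator lines carry no numeric PID
        image, pid, services = m.groups()
        svcs = [] if services == "N/A" else [s.strip() for s in services.split(",")]
        procs[int(pid)] = (image, svcs)
    return procs


def remote_ip(addr):
    """Strip the port from an address like 203.0.113.45:443 (IPv4 form used in the sample)."""
    return addr.rsplit(":", 1)[0]


def connections_to(ip, netstat_text, tasklist_text):
    """Every connection whose foreign address is `ip`, attributed to image and services."""
    procs = parse_tasklist_svc(tasklist_text)
    hits = []
    for row in parse_netstat(netstat_text):
        if remote_ip(row["remote"]) != ip:
            continue
        image, services = procs.get(row["pid"], ("<unknown>", []))
        hits.append({"pid": row["pid"], "image": image, "services": services,
                     "local": row["local"], "remote": row["remote"],
                     "state": row["state"]})
    return hits


if __name__ == "__main__":
    for h in connections_to("203.0.113.45", NETSTAT_SAMPLE, TASKLIST_SVC_SAMPLE):
        svc = ", ".join(h["services"]) or "(no services: a plain program)"
        print(f"{h['remote']:<20} PID {h['pid']:<6} {h['image']:<22} {svc}")
```

When the owning image turns out to be svchost.exe, the services column is the part to read: it narrows "a System process" down to the one or two Windows services sharing that host process, which is the same information Process Explorer shows in its service tab.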
