How do I find the app that is trying to send info through my firewall?

alan williams
My firewall is trying to send to what looks like a dodgy IP address. AdAware, Spybot, antivirus and anti-rootkit are not showing anything.
I would like to be able to find out what is sending the info.
    robo_dev

    Go to www.arin.net and enter the IP in the search box.

    Next, go to the IP address via the web browser and see what's there. If it's a server in south Hackistan, then your suspicions are valid.

    Using netstat -an (from a command prompt in Windows), you can see if there is an active session to that IP.

    A free sniffer such as Ethereal or Wireshark will allow you to do protocol analysis and see what type of communication is happening with that address.

    alan williams

    I use netstat and Sam Spade on a regular basis. That's why I think the addresses are suspect.

    mjd420nova

    I use ZoneAlarm from Zone Labs to track every incoming and outgoing program. The only way this won't work is if the offending program is using IE, but it will still identify which program is attempting to send out info.

    alan williams

    But I am not impressed by the free Zone Labs version.

    Aakash Shah

    Download TCPView from Sysinternals (now Microsoft):
    http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

    This will allow you to see what connections are being made, who the connection is being made to and what program is making these requests.

    Good luck!

    alan williams

    TCPView is certainly a useful tool and gets me nearer to what I want to find out. Trouble is that some entries in the list are System processes, and I would like to track into them to find what is causing them to run.

    Aakash Shah

    By system processes, do you mean svchost? If so, you can use Process Explorer to peek inside svchost to see what is running inside it. Here is an article by Mark Russinovich from Sysinternals/MS that explains how to search for malware on computers:
    http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359

    This site has a video that talks about advanced malware cleanup. You may find the tips it uses to be quite helpful.
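As an added example, not code posted by anyone in this thread: the two steps the replies above describe, mapping a connection to its owning process (what TCPView shows) and then drilling into an svchost.exe owner to see which services it hosts (what Process Explorer shows), done from PowerShell. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated session so that process paths resolve; the script name and the $RemoteAddress parameter are placeholders of my choosing. On older systems the equivalent is `netstat -ano`, whose last column is the owning PID, followed by `tasklist /svc` to list the services inside each svchost.exe.

```powershell
<#
  Added example, not code from this thread. Assumes Windows 8 / Server 2012 or later
  (Get-NetTCPConnection) and an elevated PowerShell session so process paths resolve.
  $RemoteAddress is a placeholder for the address the firewall flagged.
#>
param(
    [Parameter(Mandatory)]
    [string]$RemoteAddress
)

# 1. Which local process owns a TCP connection to the suspect address?
#    This is the same PID-to-connection mapping TCPView displays, minus the GUI.
$conns = Get-NetTCPConnection -RemoteAddress $RemoteAddress -ErrorAction SilentlyContinue
if (-not $conns) {
    Write-Warning "No current TCP connection to $RemoteAddress. Re-run while the firewall alert is firing, or poll with: netstat -ano 5"
    return
}

foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Local   = "$($c.LocalAddress):$($c.LocalPort)"
        Remote  = "$($c.RemoteAddress):$($c.RemotePort)"
        State   = $c.State
        PID     = $c.OwningProcess
        Process = $proc.ProcessName
        Path    = $proc.Path          # empty for protected/system processes unless elevated
    }

    # 2. An svchost.exe owner is not an answer by itself: one svchost hosts many services.
    #    Show the service group (-k ...) on its command line and every service registered to that PID.
    if ($proc.ProcessName -eq 'svchost') {
        (Get-CimInstance Win32_Process -Filter "ProcessId = $($c.OwningProcess)").CommandLine
        Get-CimInstance Win32_Service -Filter "ProcessId = $($c.OwningProcess)" |
            Select-Object Name, DisplayName, StartMode, PathName
    }
}
```

Save it as, say, Find-Sender.ps1 and run `.\Find-Sender.ps1 -RemoteAddress 203.0.113.7` (a documentation address standing in for the one in your firewall log). Two things to read from the output: a PID of 4 means the kernel itself (the System process, e.g. HTTP.sys or SMB) owns the socket and no user-mode path will be shown; and for an svchost owner, a service whose PathName points outside the Windows directory, or a service DLL that Process Explorer's signature verification does not attribute to Microsoft, is the entry to investigate next.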
