SweetTreat (Trooper) - Joined: Apr 11, 2004, Posts: 20, Location: USA
Posted: Sat Apr 24, 2004 2:14 pm - Post subject: Web Traffic to/from my PC - Tried IPTicker and SmartWhoIS
Who is "phoning home" from my PC?
I bought IPTicker since it was only $10. (It's also free to try.) It finds all kinds of traffic into my PC and some traffic out. Netstat gave me similar info, but how the heck do you know what all those numerical addresses are?
Whois gave little info.
I installed a trial version of Smart Whois, which supposedly searches a broad database. They gave me some results, but many numerical IP addresses are only listed in a broad range of IP numbers that major corps have reserved, such as Akamai Technologies, Level3.net, and many come up as unknown.
I will list a few of the "out" reports:
66.77.165.161 get out to Akamai Technologies.
66.77.165.201 get in from same
66.77.165.160 get in from same; all use port 80.
An email address was listed and I sent one asking why I'm getting their traffic. No response.
A phone number was listed for their IT guy. I left a voicemail. No response.
172.16.0.255 gets out most frequently ... numerous times per day. It's listed as an ambiguous Internet assigned address in a huge block of numbers.
Many of the incoming traffic reports also have ambiguous IP addresses. Most are listed as TCP and use port 80 or 110. Some are listed as UDP. One was listed in another protocol, but I did not write that down.
With all the processes running on a modern XP computer and "phoning home", it may be impossible to ID a suspicious internet connection that may be related to key logging.
k027 (Special Response Team Guest Forums Host) - Joined: Aug 25, 2003, Posts: 8509
SweetTreat (Trooper) - Joined: Apr 11, 2004, Posts: 20, Location: USA
Posted: Sun Apr 25, 2004 5:19 pm
Yes, I'm sorry. I confess that it's a repeat. The prior thread ran out of gas and there were no responses. I did not want to bore folks with wading through the prior dialog, which is mostly unrelated to this topic.
I thought it might be appropriate to start a new thread about a spyware tool, namely IPTicker. If this is the wrong forum, please advise me.
I
SweetTreat (Trooper) - Joined: Apr 11, 2004, Posts: 20, Location: USA
Posted: Fri Apr 30, 2004 9:26 pm
Bump.
Can anyone advise how to tell what those mysterious IP numbers (listed above) mean, even after using a tool like SmartWhoIS?
In an earlier post, I was advised to try IPTicker, which I did, but now what?
parputt (Forums Admin, Premium Member) - Joined: Mar 08, 2002, Posts: 1406
Posted: Sat May 01, 2004 2:08 am
66.77.165.161 = [ ]
OrgName: Qwest Cybercenters
OrgID: QCYB
Address: 950 17th Street
Address: Suite 1900
City: Denver
StateProv: CO
PostalCode: 80202
Country: US
NetRange: 66.77.0.0 - 66.77.255.255
CIDR: 66.77.0.0/16
NetName: QWEST-CYBERCENTER-2
NetHandle: NET-66-77-0-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: DCA-ANS-01.INET.QWEST.NET
NameServer: SVL-ANS-01.INET.QWEST.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-02-13
Updated: 2003-09-04
TechHandle: DW820-ARIN
TechName: Wysocki David
TechPhone: 1-201-770-4133
TechEmail: ip-admin@qis.qwest.net
OrgAbuseHandle: QIA2-ARIN
OrgAbuseName: Qwest IP Abuse
OrgAbusePhone: 1-877-886-6515
OrgAbuseEmail: abuse@qwest.net
OrgTechHandle: QIA-ARIN
OrgTechName: Qwest IP Admin
OrgTechPhone: 1-877-886-6515
OrgTechEmail: ipadmin@qwest.com
CustName: Akamai Technologies Inc.
Address: 8 Cambridge Center
City: Cambridge
StateProv: MA
PostalCode: 02142
Country: US
RegDate: 2003-04-16
Updated: 2003-04-16
NetRange: 66.77.165.128 - 66.77.165.255
CIDR: 66.77.165.128/25
NetName: QWEST-CEC-AKAMAITINC
NetHandle: NET-66-77-165-128-1
Parent: NET-66-77-0-0-1
NetType: Reassigned
Comment:
RegDate: 2003-04-16
Updated: 2003-04-16
TechHandle: DW820-ARIN
TechName: Wysocki David
TechPhone: 1-201-770-4133
TechEmail: ip-admin@qis.qwest.net
OrgAbuseHandle: QIA2-ARIN
OrgAbuseName: Qwest IP Abuse
OrgAbusePhone: 1-877-886-6515
OrgAbuseEmail: abuse@qwest.net
OrgTechHandle: QIA-ARIN
OrgTechName: Qwest IP Admin
OrgTechPhone: 1-877-886-6515
OrgTechEmail: ipadmin@qwest.com
http://www.qwest.com/about/qwest/QwestCyberCenters/
_________________
"Never argue with an idiot. They will only bring you down to their level and beat you with experience".
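The whois answer above contains two records that both cover 66.77.165.161: Qwest's direct allocation of 66.77.0.0/16 and a /25 inside it reassigned to Akamai. The tighter CIDR is the one that says who actually uses the address. The script below is an added example for this thread, not part of ARIN's tools, SmartWhois or any poster's code; SAMPLE_WHOIS is a constructed excerpt of the answer quoted above, and real output has more fields and may list several comma-separated CIDRs, which the parser handles.

```python
"""Pick the most specific allocation out of an ARIN whois answer.

Added example for this thread; not part of ARIN's tools, SmartWhois or
any poster's code.  An ARIN query returns every record that contains the
address, from the provider's direct allocation down to the block
reassigned to a customer.  The record with the longest prefix names the
actual user of the address: the /25 names Akamai, the /16 names Qwest.
SAMPLE_WHOIS is a constructed excerpt of the answer quoted in the thread.
"""
import ipaddress
import re

SAMPLE_WHOIS = """\
OrgName: Qwest Cybercenters
NetRange: 66.77.0.0 - 66.77.255.255
CIDR: 66.77.0.0/16
NetName: QWEST-CYBERCENTER-2
NetType: Direct Allocation
OrgAbuseEmail: abuse@qwest.net
CustName: Akamai Technologies Inc.
NetRange: 66.77.165.128 - 66.77.165.255
CIDR: 66.77.165.128/25
NetName: QWEST-CEC-AKAMAITINC
NetType: Reassigned
OrgAbuseEmail: abuse@qwest.net
"""

KEY_VALUE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_records(text):
    """Split 'Key: value' whois output into one dict per record; a record
    starts at each OrgName or CustName line, as in ARIN output."""
    records, current = [], {}
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key in ("OrgName", "CustName") and current:
            records.append(current)
            current = {}
        current.setdefault(key, value.strip())  # keep the first value per key
    if current:
        records.append(current)
    return records


def most_specific(text, ip):
    """Return the longest-prefix record containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best_net, best_rec = None, None
    for rec in parse_records(text):
        for cidr in rec.get("CIDR", "").split(","):
            cidr = cidr.strip()
            if not cidr:
                continue
            net = ipaddress.ip_network(cidr, strict=False)
            if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_rec = net, rec
    if best_rec is None:
        return None
    return {
        "cidr": str(best_net),
        "holder": best_rec.get("CustName") or best_rec.get("OrgName", ""),
        "type": best_rec.get("NetType", ""),
        "abuse": best_rec.get("OrgAbuseEmail", ""),
    }


if __name__ == "__main__":
    for ip in ("66.77.165.161", "66.77.1.1"):
        print(ip, most_specific(SAMPLE_WHOIS, ip))
```

Run it on the saved output of a real `whois` query and the "holder" field is the party to contact (or the abuse mailbox listed for the block), which is why the contact Qwest lists as TechName for its own allocation did not answer questions about Akamai's traffic.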
SweetTreat (Trooper) - Joined: Apr 11, 2004, Posts: 20, Location: USA
Posted: Sat May 01, 2004 4:07 am
Thanks, parputt.
That was good work on the IP address that has been getting in and also "phoning home". You got even more details than my trial of SmartWhoIS, including the parent company, Qwest Communications, which is an ISP and telecom among other things ... all I got was the apparent "customer", or maybe more likely a subsidiary or partner:
CustName: Akamai Technologies Inc.
Address: 8 Cambridge Center
City: Cambridge
StateProv: MA.
I did get the same listed name, David Wysocki, and he didn't return phone or email, probably because mine was a nuisance call, given whatever business they do.
That's a lot of data ... much of it mysterious, and I'm still wondering what it all means and if there is any way to tell why they are getting in AND out of this PC, even though I use ZAPRO?
8goldfish (Trooper) - Joined: Apr 13, 2004, Posts: 23, Location: Australia
SweetTreat (Trooper) - Joined: Apr 11, 2004, Posts: 20, Location: USA
Posted: Wed May 05, 2004 2:59 am
To: 8goldfish
Great tips and especially great advice on getting a life. As an engineer and a computer lover only recently getting advanced skills, I have great curiosity and I am learning in this security project, but I want to put it to bed in a couple of days so I can go out and plant tomatoes and go fishing. I had partial ID theft a couple of years ago, enough of a shock to get me serious about protection. When an anti-spy program gave me a report of Esurveillor on my computer, I got interested. That was apparently a false positive, but because I spent 50 hours researching parts for my Maximum PC "dream computer", I want assurance that it at least started clean. I also want assurance that the builder, a young guy who is awesome in his talents, but also a tinkerer, has enough integrity to avoid a prank.
I ran IPTicker again last night and as soon as I tried to open it, ZA asked me to allow permission for IPTicker to access the net and it was 172.16.0.163. FWIW, in the top header pane of IPTicker the box contains 172.16.0.2. This software is from Australia and it is pre-Beta. Absolutely no help file or instructions, so I cannot tell what that header pane address means. That address is apparently associated with the program. I'm wary of programs like this but it was recommended at Computer Cops in a prior post of mine and I haven't seen any flags in the message boards.
On the 172.16.0.255 which got "out" 54 times all night, I've heard speculation that
".255 is a broadcast address, which means it is broadcasting on that network. It is broadcasting the \mailslot\browse, which is just NetBIOS doing its thing as far as I know."
I sure hope that's correct!
IPTicker log after 1 hour at 10:45pm:
Direction  IP addr          Host                  Total  Protoc  Port
In         208.185.174.52   Update.zonelabs.com   546    TCP     80
In         172.16.0.163                           503    UDP     53
Out        172.16.0.255                           1398   UDP     138
This 255 Out repeated 54 times all night last night.
Dump: (first hour of log)
Packet 172.16.0.2 --> 172.16.0.255, port 138
.......................!.......... FAEFEOFEEJFFENDECACACACACACACAAA. ABACFPFPENFDECFCEPFHFDEFFPFPACAB..SMB%..............................)...................).V.........:.\MAILSLOT\BROWSE....'..JOHNSON.................PENTIUM4.
Packet 172.16.0.163 --> 172.16.0.2, port 53
..15.........5.....w.............255.0.16.172.in-addr.arpa.............:..K.xbru.br.ns.els-gms.att.net..rm-hostmaster.ems.att.com...............:...:.
Packet 172.16.0.163 --> 172.16.0.2, port 53
..12.........5....X..............163.0.16.172.in-addr.arpa.............(..K.xbru.br.ns.els-gms.att.net..rm-hostmaster.ems.att.com...............:...:.
Packet 172.16.0.163 --> 172.16.0.2, port 53
..1~.........5...=.V.............update.zonelabs.com.............~......4
Packet 208.185.174.52 --> 172.16.0.2, port 80
.P.I...$.!d.p."8.......d....
Packet 208.185.174.52 --> 172.16.0.2, port 80
.P.I...%.!e.P...x...
Packet 208.185.174.52 --> 172.16.0.2, port 80
.P.I...%.!fKP..`....HTTP/1.1 200 OK..Date: Tue, 04 May 2004 02:14:12 GMT..Server: Apache/1.3.29 (Unix) mod_ssl/2.8.16 OpenSSL/0.9.7c..Content-Length: 157..Connection: close..Content-Type: text/html....UpdateAvailable=no.UpdateURL=http://update.zonelabs.com/downloadrequest?updtConfId=44&updtReqId=732614134.UpdateNotice=Your Internet Security is up to date..
Packet 208.185.174.52 --> 172.16.0.2, port 80
.P.I...w.!fKP..`u>..
Packet 208.185.174.52 --> 172.16.0.2, port 80
.P.I...x.!fLP..`u=..
Packet 172.16.0.163 --> 172.16.0.2, port 53
..1b.........5...V...............52.174.185.208.in-addr.arpa..................update.zonelabs.com.
Packet 172.16.0.2 --> 172.16.0.255, port 138
...................a...%.......... FAEFEOFEEJFFENDECACACACACACACACA. FCEPFDEFEOEEEBEIEMCACACACACACABO..SMB%..............................!...................!.V.........2.\MAILSLOT\BROWSE.......PENTIUM4................U..
Packet 172.16.0.2 --> 172.16.0.255, port 138
..................Iz...'.......... FAEFEOFEEJFFENDECACACACACACACAAA. ABACFPFPENFDECFCEPFHFDEFFPFPACAB..SMB%..............................)...................).V.........:.\MAILSLOT\BROWSE.......JOHNSON.................PENTIUM4.
Packet 172.16.0.2 --> 172.16.0.255, port 138
...................h...(.......... FAEFEOFEEJFFENDECACACACACACACACA. FCEPFDEFEOEEEBEIEMCACACACACACABO..SMB%..............................!...................!.V.........2.\MAILSLOT\BROWSE.......PENTIUM4.. ...C.........U..
Packet 172.16.0.2 --> 172.16.0.255, port 138
..................%w...*.......... FAEFEOFEEJFFENDECACACACACACACAAA. ABACFPFPENFDECFCEPFHFDEFFPFPACAB..SMB%..............................)...................).V.........:.\MAILSLOT\BROWSE.......JOHNSON.................PENTIUM4.
Packet 172.16.0.2 --> 172.16.0.255, port 138
...................i...+.......... FAEFEOFEEJFFENDECACACACACACACACA. FCEPFDEFEOEEEBEIEMCACACACACACABO..SMB%..............................!...................!.V.........2.\MAILSLOT\BROWSE.......PENTIUM4..$.............U..
8goldfish (Trooper) - Joined: Apr 13, 2004, Posts: 23, Location: Australia
Posted: Sat May 08, 2004 4:46 am
I am curious. If you type ipconfig /all, is your IP address 172.16.0.2?
Of your addresses, I am guessing:
172.16.0.2 - your own IP address
172.16.0.163 - your DNS server?
I think your biggest problem is that you are using NetBIOS. Can you turn that off (for your own sake - to prevent attacks and information leakage such as account names and passwords), including ports 137 and 139? I think securing your own ports will give you the peace of mind that you are looking for. If you want to read more, see Chap. 17 of M/S Windows Security Inside Out by Ed Bott and Carl Siechert.
I am a frequent user of IpTicker myself. I have installed and run IPTicker on every PC that I am working on, including the PCs of my clients, to make sure that I am not being spied on. What you have said, that the IP address 172.16.0.163 is associated with the program, is not true. I don't see that happening on my side. If what I think is correct, IPTicker is probably trying to get more information from the mentioned IP address.
I think first things first: change your protocol to use TCP/IP instead of NetBIOS. Then close the other ports that you think you should not use. Good luck.
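The IPTicker summary and packet dump in SweetTreat's May 05 post, and 8goldfish's guesses about the 172.16.0.x addresses above, can both be checked offline. The script below is an added example for this thread and is not code from IPTicker, SmartWhois or any poster. It sorts each logged address into "LAN host", "LAN broadcast" or "public", labels the well-known ports, and decodes the NetBIOS first-level-encoded names (the FAEFEO... strings) that sit at the front of every UDP/138 \MAILSLOT\BROWSE packet in the dump. One assumption the page does not state: the LAN is taken to be 172.16.0.0/24, which makes 172.16.0.255 its directed broadcast address; confirm the mask with ipconfig /all. The three sample log lines are the ones quoted in the thread.

```python
"""Triage an IPTicker-style connection log without leaving the machine.

Added example for this thread; not code from IPTicker, SmartWhois or any
poster.  Classifies addresses, labels ports and decodes the RFC 1001
first-level-encoded NetBIOS names seen in the \\MAILSLOT\\BROWSE dump.
Assumption not stated on the page: the LAN is 172.16.0.0/24.
"""
import ipaddress
import re

LOCAL_NET = ipaddress.ip_network("172.16.0.0/24")  # assumed; confirm with ipconfig /all

PORT_LABELS = {
    53: "DNS", 80: "HTTP", 110: "POP3",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service (browser announcements)",
    139: "NetBIOS session service (SMB)",
}

NETBIOS_SUFFIX = {  # well-known meanings of the 16th byte of a NetBIOS name
    0x00: "workstation", 0x01: "master browser", 0x03: "messenger",
    0x1D: "master browser", 0x1E: "browser elections", 0x20: "file server",
}

SAMPLE_LOG = [  # constructed from the poster's one-hour IPTicker summary
    "In 208.185.174.52 Update.zonelabs.com 546 TCP 80",
    "In 172.16.0.163 503 UDP 53",
    "Out 172.16.0.255 1398 UDP 138",
]

LOG_RE = re.compile(r"^(In|Out)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s+(TCP|UDP)\s+(\d+)$")


def classify_address(ip):
    """Say where an address lives relative to the assumed LAN."""
    addr = ipaddress.ip_address(ip)
    if addr == LOCAL_NET.broadcast_address:
        return "LAN broadcast"
    if addr in LOCAL_NET:
        return "LAN host"
    if addr.is_private:
        return "private (RFC 1918), not this LAN"
    if addr.is_loopback or addr.is_link_local or addr.is_multicast:
        return "special"
    return "public"


def decode_netbios_name(encoded):
    """RFC 1001 first-level decoding: each byte is two letters A..P, each
    letter one nibble (letter - 'A').  Returns (name, suffix byte)."""
    if not re.fullmatch(r"[A-P]{32}", encoded):
        raise ValueError("expected 32 letters A-P")
    raw = bytes((ord(hi) - 65) * 16 + (ord(lo) - 65)
                for hi, lo in zip(encoded[0::2], encoded[1::2]))
    return raw[:15].decode("latin-1").rstrip(" "), raw[15]


def explain(row):
    """One-line verdict for a parsed log row."""
    if row["where"] == "LAN broadcast" and row["port"] == 138:
        return "NetBIOS browser announcement to the LAN; routers do not forward it"
    if row["where"] == "LAN host" and row["port"] == 53:
        return "traffic with the local DNS resolver"
    if row["where"] == "public":
        return "Internet host: check whois, reverse DNS and the owning process"
    return "local traffic"


def triage(log_lines):
    """Parse 'Direction IP [Host] Total Proto Port' lines into dicts."""
    rows = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        direction, ip, host, total, proto, port = m.groups()
        row = {"dir": direction, "ip": ip, "host": host or "", "total": int(total),
               "proto": proto, "port": int(port), "where": classify_address(ip)}
        row["service"] = PORT_LABELS.get(row["port"], "unknown")
        row["note"] = explain(row)
        rows.append(row)
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['dir']:3} {r['ip']:16} {r['where']:14} {r['proto']}/{r['port']} "
              f"{r['service']}: {r['note']}")
    # the two encoded names from the first \MAILSLOT\BROWSE packet in the dump
    for enc in ("FAEFEOFEEJFFENDECACACACACACACAAA", "ABACFPFPENFDECFCEPFHFDEFFPFPACAB"):
        name, suffix = decode_netbios_name(enc)
        print(repr(name), f"<{suffix:02X}>", NETBIOS_SUFFIX.get(suffix, "?"))
```

The first encoded name in the dump decodes to PENTIUM4 with suffix 00 (the workstation service of the poster's own machine, which also appears in clear later in the packet) and the second to the browser group name \x01\x02__MSBROWSE__\x02 with suffix 01; the third string, in the alternate packets, is the workgroup name with suffix 1E, the browser-election name. That is a host announcement sent to its own subnet, which is what the speculation quoted in the post says, and not traffic to the Internet.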
SweetTreat (Trooper) - Joined: Apr 11, 2004, Posts: 20, Location: USA
Posted: Sat May 08, 2004 10:55 pm
Well, I think 163 is my own LAN address. 172.16.0.2 might be my router/server. I'm using a Netgear router as a hardware firewall. My installer preferred those numbers as being less common. I like that.
8goldfish (Trooper) - Joined: Apr 13, 2004, Posts: 23, Location: Australia
Posted: Sun May 09, 2004 12:38 am
Whew! That explains the mysterious 172.xxx addresses now. They belong to you (and your service provider). Ha! ha! ha! ha! All these searches trying to find out who is calling home. I erred in the sense that I should have asked the first question: what are your ipconfig details? Next time, I will ask this question first.
BTW, did you manage to run Filemon? Given this revelation, do you still feel it is necessary? Yeah, don't forget to close the ports I have advised you about.
Cheers
SweetTreat (Trooper) - Joined: Apr 11, 2004, Posts: 20, Location: USA
Posted: Sun May 09, 2004 3:35 am
Well, we both learned from this, mostly me. It was an enlightening venture for me. I am happy to be confident that I am secure. I will do the filemon tomorrow just to be sure.
Thanks for your help.