Computer Keeps Phoning Home(?)

Discussion in 'Software' started by Flopwich, Feb 5, 2012.

  1. Flopwich

    Flopwich Private E-2

    My computer keeps trying to access servers owned by Level 3 Communications, most of them outside Wichita, but one outside Nashville. Once or twice one of their servers tries to phone *in* to my computer as well.

    I've gone through the whole process of installing various scanning software as prescribed in the Malware forum, and my computer comes up clean, yet it still keeps trying to do it.

    I called Level 3 Communications and they told me to file a report at their abuse email link. I did. They never replied.

    The following list of IP addresses all belong to Level 3 Communications and my computer has tried to get at all of them. It keeps changing which one it's trying to reach.

    204.160.118.126, 8.26.219.126, 8.27.224.126, 205.128.65.126 (this one once tried to phone into my computer, as well), 204.160.102.126.

    It also daily tries to access a site that apparently is associated with multi-casting, 239.255.255.250, which is owned by Microsoft. Why would my computer be multi-casting? It's nothing I mean to be doing.

    Finally, I have different sites that occasionally try to phone into my computer from time to time. Besides the one from Level 3 Communications, for example, there's 199.16.83.72, belonging to Verisign Global Registry Services, Sterling, Virginia.

    This has been going on for some weeks now. I can't find anything to explain what it's doing, and I can't stop it, other than blocking each attempt with my firewall.

    Any ideas would be appreciated. Has my machine been recruited by a very clever botnet, or what?
     
  2. plodr

    plodr MajorGeek Super Extraordinaire Moderator Staff Member

    204.160.118.126
    not a problem http://www.magic-net.info/blacklist...18.126 Blacklist lookup November 23 2011.html

    8.26.219.126
    not a problem http://www.magic-net.info/blacklist_lookup/2011/8.26.219.126 Blacklist lookup January 25 2012.html

    http://www.siteadvisor.com/sites/205.128.65.126 for the one trying to call in

    If you think you have malware/trojans/keyloggers or other bad things, head to the malware section
    http://forums.majorgeeks.com/forumdisplay.php?f=35

    Start here: http://forums.majorgeeks.com/showthread.php?t=35407
    download the MG tools, run the scans and post a new thread in the malware section with your logs attached, not in the post proper.
    One of the malware fighters will be along to read your logs and either declare you clean or tell you the next steps to getting the computer cleaned up.
     
  3. usasma

    usasma Private E-2

    Monitoring your internet traffic is interesting to say the least. I too have the Level 3 problem - and I'm sure it comes from some of the "bad" sites I surf when checking out problems (spelled "pr0n") Mine has an IP starting with 8.25.xxx.xxx

    I use WallWatcher (free, but no longer supported by the author) to track all the traffic in and out of my network. Here's a list of the sites that I've blocked:

    2.137.189.61 ES_BLOCKED 20111226 - rima-tde.net - TELEFONICA DE ESPANA
    8.27.2.253 xUS_BLOCKED 20120105 - Level 3 Communications
    10.1.3.253 UNK_BLOCKED private address space
    23.57.68.65 US_BLOCKED 20120102 - akamaitechnologies.com - Akamai Technologies European AS
    24.186.243.237 US_BLOCKED 20111226 - optonline.net
    41.251.104.195 MA_BLOCKED 20120102 - IAM-AS
    42.98.85.52 HK_BLOCKED 20111226 - netvigator.com
    50.115.32.249 US_BLOCKED 20120104 - webnx.com - WebNX
    58.56.159.226 xCN_BLOCKED 20120102 - CHINANET-BACKBONE No.31,Jin-rong Street
    58.218.199.227 xCN_BLOCKED 20111226 - CHINANET
    59.34.0.12 xCN_BLOCKED 20111226 - CHINANET-BACKBONE No.31,Jin-rong Street
    60.173.26.45 xCN_BLOCKED 20120101 - CHINANET-BACKBONE No.31,Jin-rong Street
    61.160.201.26 xCN_BLOCKED 20120103 - CHINANET jiangsu province backbone
    63.140.39.204 US_BLOCKED 20120103 - OMNITURE ====
    64.60.205.138 US_BLOCKED 20111226 - telepacific.net - Telepacific Communications
    64.236.144.136 US_BLOCKED 20111226 - AOL
    67.175.14.39 US_BLOCKED 20111226 - Comcast
    69.26.170.43 US_BLOCKED 20120102 - co1.megahunt.com - XEEX-COMMUNICATIONS
    69.161.5.121 US_BLOCKED 20111226 - acsalaska.net - Alaska Communications Systems Group
    78.36.226.219 RU_BLOCKED 20111226 - pskov.dslavangard.ru - Rostelecom
    81.56.47.117 FR_BLOCKED 20111226 - proxad.net - PROXAD Free SAS
    85.44.32.82 IT_BLOCKED 20120102 - business.telecomitalia.it - Telecom Italia S.p.a.
    86.169.226.47 GB_BLOCKED 20120103 - btcentralplus.com - BTnet UK Regional network
    88.249.4.65 TR_BLOCKED 20111226 - ttnet.net.tr
    91.211.52.53 CZ_BLOCKED 20111226 - mk-net.ru - ISP MK-NET
    95.9.158.70 TR_BLOCKED 20120103 - ttnet.net.tr - Turk Telekomunikasyon Anonim Sirketi
    95.90.165.124 DE_BLOCKED 20111226 - superkabel.de
    95.110.203.234 IT_BLOCKED 20111226 - globalitalia.it -Aruba S.p.A. - Network
    96.48.163.145 CA_BLOCKED 20111226 - shawcable.net
    99.192.154.104 xUS_BLOCKED 20120102 - MOJOHOST out of Michigan
    112.230.192.166 CN_BLOCKED 20120104 -
    114.160.226.83 xJP_BLOCKED 20120107 - marunouchi.tokyo.ocn.ne.jp - OCN NTT Communications
    114.243.142.112 CN_BLOCKED 20111226 - cncgroup
    115.238.55.150 CN_BLOCKED 20111226 - CHINANET-BACKBONE No.31,Jin-rong Street
    116.236.211.21 CN_BLOCKED 20120102 - CHINANET-SH-AP China Telecom (Group)
    118.33.241.144 KR_BLOCKED 20111226 - Korea Telecom
    121.14.213.36 CN_BLOCKED 20111226 - CHINANET-BACKBONE No.31,Jin-rong Street
    122.224.72.132 CN_BLOCKED 20120102 - CHINANET-BACKBONE No.31,Jin-rong Street
    123.100.5.87 CN_BLOCKED 20120102 - CNNIC-SINO-I Beijing CE Huatong Information Technology Co
    124.193.108.75 xCN_BLOCKED 20111226 - CNCGROUP China169 Backbone
    124.239.195.131 xCN_BLOCKED 20111226 - CHINANET-BACKBONE No.31,Jin-rong Street
    124.248.35.78 xCN_BLOCKED 20111226 - CHINATELECOM asn for Hebei Provincial Net of CT
    125.46.31.236 CN_BLOCKED 20120102 - hn.kd.ny.adsl - CNCGROUP China169 Backbone
    128.11.162.246 US_BLOCKED 20111226 - Computer Sciences Corp (is an ISP)
    150.162.25.164 BR_BLOCKED 20120103 - polo.ufsc.br - POP-SC - Po
    159.53.52.105 US_BLOCKED 20111226 - Banc One Service
    173.239.38.234 US_BLOCKED 20120104 - Webair Internet Development Company
    175.45.25.83 HK_BLOCKED 20111226 - saaki.net - NEWTT-IP-AP Wharf T&T Ltd
    180.169.33.66 CN_BLOCKED 20111226 - China Telecom (Group)
    182.23.209.233 JP_BLOCKED 20111226 - Ip Core
    184.26.150.238 xUS_BLOCKED 20120105 - akamaitechnologies.com - nLayer Communications
    188.227.161.232 GB_BLOCKED 20111226 - delta.simplexnetwork.com - Redstation Limited
    199.87.232.189 US_BLOCKED 20120102 - eSited Solutions
    199.193.250.122 xUS_BLOCKED 20120105 - leakz.info - Enzu Inc
    199.193.250.200 xUS_BLOCKED 20111226 - scalabledns.com - Enzu Cloud Hosting
    201.94.201.142 BR_BLOCKED 20111226 - ibys.com.br - Internet By Sercomtel
    202.114.255.31 CN_BLOCKED 20111226 - China Education and Research Network Center
    203.147.62.90 TH_BLOCKED 20111226 - 20120101 - Jasmine Internet Co, Ltd
    203.156.207.85 CN_BLOCKED 20111226 - CHINANET-SH-AP China Telecom (Group)
    203.162.35.91 VN_BLOCKED 20111226 - Vietnam Posts and Telecommunications (VNPT)
    210.14.133.147 CN_BLOCKED 20111226 -
    210.51.56.178 CN_BLOCKED 20120104 - China Unicom Shanghai network
    210.73.44.249 CN_BLOCKED 20120102 - CSTNET-AS-AP Computer Network Information Center
    213.175.215.185 GB_BLOCKED 20111226 - excel.im - Simply Transit Ltd
    218.16.143.237 xCN_BLOCKED 20120102 - CHINANET-BACKBONE No.31,Jin-rong Street
    218.75.49.242 xCN_BLOCKED 20111226 - CHINANET-BACKBONE No.31,Jin-rong Street
    219.139.150.80 xCN_BLOCKED 20111226 - CHINANET-BACKBONE No.31,Jin-rong Street
    219.242.28.71 xCN_BLOCKED 20111226 - China Education and Research Network Center
    221.12.160.198 xCN_BLOCKED 20111226 - CHINA169-BACKBONE CNCGROUP
    221.179.7.1 xCN_BLOCKED 20111226 - CMNET-GUANGDONG-AP China Mobile communications corp
    221.192.199.49 xCN_BLOCKED 20111226 - cncgroup
    221.194.46.176 xCN_BLOCKED 20111226 - cncgroup
    221.232.143.123 xCN_BLOCKED 20111226 - CHINANET-BACKBONE No.31,Jin-rong Street


    8.0.0.1-8.255.255.255 US_BLOCKED 20120105 - Level 3 Communications
    58.0.0.1-61.255.255.255 CN_BLOCKED 20120104 -
    99.192.154.96-99.192.154.127 US_BLOCKED 20120102 - MOJOHOST out of Michigan
    114.160.0.1-114.191.255.255 JP_BLOCKED 20120107 - marunouchi.tokyo.ocn.ne.jp - OCN NTT Communications
    124.193.108.1-124.248.255.255 CN_BLOCKED 20111226 -
    184.24.0.1-184.31.255.255 US_BLOCKED 20120105 - akamaitechnologies.com - nLayer Communications
    199.193.250.1-199.193.250.255 US_BLOCKED 20120105 - ENZU Inc
    218.0.0.1-221.255.255.255 CN_BLOCKED 20120107 -
     
  4. Flopwich

    Flopwich Private E-2

    Yes. On my machine whatever is trying to reach Level 3 Communications keeps coming up with new addresses. To the list from earlier, add:

    204.160.102.126
    207.123.44.126
    and 206.33.36.126

    I have no idea how to find out what's going on.
     
  5. Flopwich

    Flopwich Private E-2

    Thank you for the links. The last one offered this "We tested this site and didn't find any significant problems."

    What I hope to find out is who is doing this and why. There's a chance that what McAfee, for instance, thinks is no problem may look a little different from over here. The fact that it keeps generating new IP addresses just looks like strange behavior from a "benign" program. How do I determine whether it is in my interest to allow the conversation between computers or it's instead a clever virus or Trojan?

    I went through your malware forum process, as I mentioned earlier. Here's the link to the thread: http://forums.majorgeeks.com/showthread.php?t=251795

    Thanks for your help.
     
  6. usasma

    usasma Private E-2

  7. plodr

    plodr MajorGeek Super Extraordinaire Moderator Staff Member

    So turn off UPnP on your router and that address will no longer do anything.
     
  8. Flopwich

    Flopwich Private E-2

    Thank you. That site offers pretty much the same information I got off IPTRACER http://www.ip-address.org/lookup/ip-locator.php, but neither one of those tells me who is doing this and why. Where can I go to find out the answers to those two questions?

    In the mainframe era system administrators held control over everything a user did. It's starting to look to me like we've returned to that era, where our computers are just terminals on a "mainframe" system controlled across the web, with, apparently, nobody having any idea what programs on our "terminals" are doing. Or do I misunderstand? Am I the only one who wonders whether some of this may be activity that's harmful? How do I find out what they're up to?

    Thanks again for your help.
     
  9. usasma

    usasma Private E-2

    Browse the links at the Internet Storm Center for more information about links behaving badly. I'm not a malware specialist, so I can't help any more than that.
     
  10. plastidust

    plastidust Command Sergeant Major

  11. Flopwich

    Flopwich Private E-2

    Unfortunately, mostly my firewall just tells me that it's something that Microsoft is sponsoring, through its svchost facility, so it masks what's really driving the attempt at access.

    I'm really surprised that there isn't somewhere where folks concern themselves with identifying what all these accesses are doing.

    Thanks again, one and all.
     
  12. plastidust

    plastidust Command Sergeant Major

    If your firewall does not show you the PID(s), CurrPorts will.

    Once you know the PID of the particular instance of svchost that is trying to access the addresses of concern, you can then use something like Process Explorer or What's Running to determine what that instance of svchost is doing.

    Note that What's Running is a beta, but it has worked fine for me with no problems.
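    The procedure plastidust describes (connection to PID, then PID to the services hosted by that svchost instance) can also be done with Windows' built-in cmdlets, which is handy when the firewall only names svchost.exe. The following is an added example written for this thread, not code from any poster or from CurrPorts/Process Explorer. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection and Get-NetUDPEndpoint) and an elevated prompt; the address list is the set of remote hosts Flopwich posted, plus the 239.255.255.250 multicast group from the first post. Because SSDP/UPnP discovery is UDP and the UDP endpoint table has no remote address column, the multicast side is matched on local port 1900 instead, which is the port the SSDP Discovery service (SSDPSRV) normally uses.

```powershell
# Added example: map suspicious outbound connections to the owning process and,
# for svchost, to the Windows services that instance hosts.
# Assumes an elevated PowerShell prompt on Windows 8 / Server 2012 or later.

# Remote addresses taken from the thread (constructed watch list for this example).
$watch = @(
    '204.160.118.126', '8.26.219.126', '8.27.224.126', '205.128.65.126',
    '204.160.102.126', '207.123.44.126', '206.33.36.126',
    '239.255.255.250'   # SSDP/UPnP multicast group
)

# 1. TCP connections whose remote end is on the watch list.
$tcp = Get-NetTCPConnection -ErrorAction SilentlyContinue |
       Where-Object { $watch -contains $_.RemoteAddress }

# 2. UDP sockets bound to 1900: SSDP discovery talks to 239.255.255.250:1900,
#    but UDP endpoints carry no remote address, so match on the local port.
$udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
       Where-Object { $_.LocalPort -eq 1900 }

# Unique owning PIDs across both tables (drop nulls when a table was empty).
$pids = @($tcp | ForEach-Object OwningProcess) +
        @($udp | ForEach-Object OwningProcess) |
        Where-Object { $_ } | Sort-Object -Unique

foreach ($p in $pids) {
    $proc = Get-Process -Id $p -ErrorAction SilentlyContinue

    # 3. Win32_Service exposes the hosting ProcessId, so a PID resolves to the
    #    list of services running inside that (svchost or other) process.
    $services = Get-CimInstance Win32_Service -Filter "ProcessId = $p" |
                Select-Object -ExpandProperty Name

    $remotes = $tcp | Where-Object { $_.OwningProcess -eq $p } |
               ForEach-Object RemoteAddress | Sort-Object -Unique

    [pscustomobject]@{
        PID      = $p
        Process  = $proc.ProcessName
        Path     = $proc.Path            # a non-System32 path for "svchost" is a red flag
        Services = ($services -join ', ')
        Remotes  = ($remotes -join ', ')
        Udp1900  = [bool]($udp | Where-Object { $_.OwningProcess -eq $p })
    }
}
```

Two things to read off the output: the Path column should point at C:\Windows\System32\svchost.exe for a genuine service host, and the Services column is the list to investigate, since several unrelated services can share one svchost instance. Get-NetTCPConnection only shows connections that exist at the moment it runs, so it has to be run while the firewall is reporting the attempt; CurrPorts and Process Explorer give the same PID-to-service mapping interactively. If the only hit for 239.255.255.250 is the SSDP Discovery service, that is the UPnP discovery traffic plodr referred to, and disabling UPnP (or stopping that service) makes it go away.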
     
  13. Flopwich

    Flopwich Private E-2

    Thank you very much! That should keep me amused for a while. :)
     
