Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Rhinorhino on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Secure client issue

Status
Not open for further replies.
rn4it

rn4it

MIS
Joined
Nov 7, 2002
Messages
671
Location
CA
I have a user who has to sites set up 1 on the 209.x.x.x and the other on the 216.x.x.x network. While testing an appliance we noticed alot of small connections being attempted from his laptop to 96.8.72.78. Now when we stop the services for Checkpoint Secure client these connections stop, if we start it these process start up again. His AV is up to date and spybot reports nothing strange.

Any ideas??thanks
 
Sort by date Sort by votes
What do you mean by small connections? Which port/service is the IP connecting on?

Also look at whois.net and do a search by IP. That IP belongs to a hosting company called AlphaRed, and it looks like they have an office in Houston, which this IP address traces to.

If your user is in Houston, he or she may be using them for some service. If you're in Houston, you may be using them for some service. If neither of you are in Houston, I'd check the user's laptop for search bars, spyware/adware, and the like.
 
Upvote 0 Downvote
I believe the size of the connection was 4k, it was many tcp high port all connecting back to the 96.8.72.78. The user is in Canada and we have no offices in Texas. I have the client passing me a copy of the capture he did using netstat. I'll update this once I get the capture.
 
Upvote 0 Downvote
so here's a netstat after enabling secure client, which has nothing in it's config to point to this address. If we disable the CP services all these connections close down. thanks
c:\downloads>netstat -a 5 | grep 96.8.72.78
TCP ltdayes:1044 96.8.72.78:1045 ESTABLISHED
TCP ltdayes:1045 96.8.72.78:1044 ESTABLISHED
TCP ltdayes:1046 96.8.72.78:1047 ESTABLISHED
TCP ltdayes:1047 96.8.72.78:1046 ESTABLISHED
TCP ltdayes:1049 96.8.72.78:1050 ESTABLISHED
TCP ltdayes:1050 96.8.72.78:1049 ESTABLISHED
TCP ltdayes:1051 96.8.72.78:1052 ESTABLISHED
TCP ltdayes:1052 96.8.72.78:1051 ESTABLISHED
TCP ltdayes:1097 96.8.72.78:1098 ESTABLISHED
TCP ltdayes:1098 96.8.72.78:1097 ESTABLISHED
TCP ltdayes:1099 96.8.72.78:1100 ESTABLISHED
TCP ltdayes:1100 96.8.72.78:1099 ESTABLISHED
TCP ltdayes:1163 96.8.72.78:27015 ESTABLISHED
TCP ltdayes:1238 96.8.72.78:1239 ESTABLISHED
TCP ltdayes:1239 96.8.72.78:1238 ESTABLISHED
TCP ltdayes:1240 96.8.72.78:1241 ESTABLISHED
TCP ltdayes:1241 96.8.72.78:1240 ESTABLISHED
TCP ltdayes:27015 96.8.72.78:1163 ESTABLISHED
TCP ltdayes:1044 96.8.72.78:1045 ESTABLISHED
TCP ltdayes:1045 96.8.72.78:1044 ESTABLISHED
TCP ltdayes:1046 96.8.72.78:1047 ESTABLISHED
TCP ltdayes:1047 96.8.72.78:1046 ESTABLISHED
TCP ltdayes:1049 96.8.72.78:1050 ESTABLISHED
TCP ltdayes:1050 96.8.72.78:1049 ESTABLISHED
TCP ltdayes:1051 96.8.72.78:1052 ESTABLISHED
TCP ltdayes:1052 96.8.72.78:1051 ESTABLISHED
TCP ltdayes:1097 96.8.72.78:1098 ESTABLISHED
TCP ltdayes:1098 96.8.72.78:1097 ESTABLISHED
TCP ltdayes:1099 96.8.72.78:1100 ESTABLISHED
TCP ltdayes:1100 96.8.72.78:1099 ESTABLISHED
TCP ltdayes:1163 96.8.72.78:27015 ESTABLISHED
TCP ltdayes:1238 96.8.72.78:1239 ESTABLISHED
TCP ltdayes:1239 96.8.72.78:1238 ESTABLISHED
TCP ltdayes:1240 96.8.72.78:1241 ESTABLISHED
TCP ltdayes:1241 96.8.72.78:1240 ESTABLISHED
TCP ltdayes:27015 96.8.72.78:1163 ESTABLISHED
TCP ltdayes:1044 96.8.72.78:1045 ESTABLISHED
TCP ltdayes:1045 96.8.72.78:1044 ESTABLISHED
TCP ltdayes:1046 96.8.72.78:1047 ESTABLISHED
TCP ltdayes:1047 96.8.72.78:1046 ESTABLISHED
TCP ltdayes:1049 96.8.72.78:1050 ESTABLISHED
TCP ltdayes:1050 96.8.72.78:1049 ESTABLISHED
TCP ltdayes:1051 96.8.72.78:1052 ESTABLISHED
TCP ltdayes:1052 96.8.72.78:1051 ESTABLISHED
TCP ltdayes:1097 96.8.72.78:1098 ESTABLISHED
TCP ltdayes:1098 96.8.72.78:1097 ESTABLISHED
TCP ltdayes:1099 96.8.72.78:1100 ESTABLISHED
TCP ltdayes:1100 96.8.72.78:1099 ESTABLISHED
TCP ltdayes:1163 96.8.72.78:27015 ESTABLISHED
TCP ltdayes:1238 96.8.72.78:1239 ESTABLISHED
TCP ltdayes:1239 96.8.72.78:1238 ESTABLISHED
TCP ltdayes:1240 96.8.72.78:1241 ESTABLISHED
TCP ltdayes:1241 96.8.72.78:1240 ESTABLISHED
TCP ltdayes:27015 96.8.72.78:1163 ESTABLISHED
TCP ltdayes:1044 96.8.72.78:1045 ESTABLISHED
TCP ltdayes:1045 96.8.72.78:1044 ESTABLISHED
TCP ltdayes:1046 96.8.72.78:1047 ESTABLISHED
TCP ltdayes:1047 96.8.72.78:1046 ESTABLISHED
TCP ltdayes:1049 96.8.72.78:1050 ESTABLISHED
TCP ltdayes:1050 96.8.72.78:1049 ESTABLISHED
TCP ltdayes:1051 96.8.72.78:1052 ESTABLISHED
TCP ltdayes:1052 96.8.72.78:1051 ESTABLISHED
TCP ltdayes:1097 96.8.72.78:1098 ESTABLISHED
TCP ltdayes:1098 96.8.72.78:1097 ESTABLISHED
TCP ltdayes:1099 96.8.72.78:1100 ESTABLISHED
TCP ltdayes:1100 96.8.72.78:1099 ESTABLISHED
TCP ltdayes:1163 96.8.72.78:27015 ESTABLISHED
TCP ltdayes:1238 96.8.72.78:1239 ESTABLISHED
TCP ltdayes:1239 96.8.72.78:1238 ESTABLISHED
TCP ltdayes:1240 96.8.72.78:1241 ESTABLISHED
TCP ltdayes:1241 96.8.72.78:1240 ESTABLISHED
TCP ltdayes:27015 96.8.72.78:1163 ESTABLISHED
^C^C
c:\downloads>
 
Upvote 0 Downvote
If this user simply connects to the internet at a cafe or hotel or something, does he or she still see this traffic when doing a netstat? That would indicate it has nothing to do with the VPN and everything to do with a virus or trojan or some other malware. Just for giggles, I'd have the user go to trendmicro.com or some other reputable site that will do a free malware scan.
 
Upvote 0 Downvote
The weird thing is that he has only started the service, not chosen to connect to a site. No VPN's established, he is running the new Symantec 11 I believe which is reporting nothing. He's currently getting ready to wipe his laptop.
thanks
 
Upvote 0 Downvote
Geez, don't wipe the laptop, unless you think it's a rootkit. Run a spyware scan first using another brand besides Symantec. Download Lavasoft's Ad-Aware or something similar. If that turns up nothing, go through the installed programs and look for something that doesn't belong (i.e. toolbars, filesharing software, etc.).
 
Upvote 0 Downvote
Hi,
I'm new to this forum, and just read the thread. No idea what is causing the connection, but I know how to track it. A few years ago, I learned about Sunbelt Personal Firewall (aka Kerio) for Windows. LOVE IT! Spent my $30 and never looked back. It's main feature is software-based firewall protection, that blocks and reports both internal and egress attempts! In the case above, you would get an immediate pop-up dialog that would say exactly which program/process is trying to open the outbound connection. Options are to BLOCK, ALLOW, with the sub-option to remember the choice and not ask again. I was astounded at the number of apps that 'silently' phone home for undocumented reasons. I say silently because the apps don't complain when their phone home attempt is BLOCKed. I find M$ apps to be the worst in this regard. God knows what information they would be sending home (if I let them).
I'm sure there many other products in this category, but I'm only familiar with SPF. Did I mention I love it?
;-)
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Tommy_T
  • Locked
  • Question Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
987
nnaarrnn
nnaarrnn
Russtoleum
  • Locked
  • Question Question
Windows client can't connect to sonicwall l2tp server
Replies
0
Views
306
Russtoleum
Russtoleum
Jimbo2015
  • Locked
  • Question Question
Avaya - Watch guard issue with keep alives
Replies
1
Views
416
hairlessupportmonkey
hairlessupportmonkey
texwiz
  • Locked
  • Question Question
need some help to properly set up, segregate and secure a network with an ASA 5505
Replies
2
Views
424
texwiz
texwiz
pbxnkey
  • Locked
  • Question Question
Cisco ASA VPN using Windows Client-Error 691
Replies
1
Views
353
pbxnkey
pbxnkey

Part and Inventory Search

Sponsor

Back
Top