
Secure client issue

Status
Not open for further replies.

rn4it

MIS
Nov 7, 2002
671
CA
I have a user who has two sites set up, one on the 209.x.x.x and the other on the 216.x.x.x network. While testing an appliance we noticed a lot of small connections being attempted from his laptop to 96.8.72.78. Now when we stop the services for Checkpoint Secure Client these connections stop; if we start it, these processes start up again. His AV is up to date and Spybot reports nothing strange.

Any ideas?? Thanks
 
What do you mean by small connections? Which port/service is the IP connecting on?

Also look at whois.net and do a search by IP. That IP belongs to a hosting company called AlphaRed, and it looks like they have an office in Houston, which this IP address traces to.

If your user is in Houston, he or she may be using them for some service. If you're in Houston, you may be using them for some service. If neither of you are in Houston, I'd check the user's laptop for search bars, spyware/adware, and the like.
 
I believe the size of the connection was 4k; it was many TCP high ports all connecting back to 96.8.72.78. The user is in Canada and we have no offices in Texas. I have the client passing me a copy of the capture he did using netstat. I'll update this once I get the capture.
 
So here's a netstat after enabling Secure Client, which has nothing in its config to point to this address. If we disable the CP services, all these connections close down. Thanks
c:\downloads>netstat -a 5 | grep 96.8.72.78
TCP ltdayes:1044 96.8.72.78:1045 ESTABLISHED
TCP ltdayes:1045 96.8.72.78:1044 ESTABLISHED
TCP ltdayes:1046 96.8.72.78:1047 ESTABLISHED
TCP ltdayes:1047 96.8.72.78:1046 ESTABLISHED
TCP ltdayes:1049 96.8.72.78:1050 ESTABLISHED
TCP ltdayes:1050 96.8.72.78:1049 ESTABLISHED
TCP ltdayes:1051 96.8.72.78:1052 ESTABLISHED
TCP ltdayes:1052 96.8.72.78:1051 ESTABLISHED
TCP ltdayes:1097 96.8.72.78:1098 ESTABLISHED
TCP ltdayes:1098 96.8.72.78:1097 ESTABLISHED
TCP ltdayes:1099 96.8.72.78:1100 ESTABLISHED
TCP ltdayes:1100 96.8.72.78:1099 ESTABLISHED
TCP ltdayes:1163 96.8.72.78:27015 ESTABLISHED
TCP ltdayes:1238 96.8.72.78:1239 ESTABLISHED
TCP ltdayes:1239 96.8.72.78:1238 ESTABLISHED
TCP ltdayes:1240 96.8.72.78:1241 ESTABLISHED
TCP ltdayes:1241 96.8.72.78:1240 ESTABLISHED
TCP ltdayes:27015 96.8.72.78:1163 ESTABLISHED
TCP ltdayes:1044 96.8.72.78:1045 ESTABLISHED
TCP ltdayes:1045 96.8.72.78:1044 ESTABLISHED
TCP ltdayes:1046 96.8.72.78:1047 ESTABLISHED
TCP ltdayes:1047 96.8.72.78:1046 ESTABLISHED
TCP ltdayes:1049 96.8.72.78:1050 ESTABLISHED
TCP ltdayes:1050 96.8.72.78:1049 ESTABLISHED
TCP ltdayes:1051 96.8.72.78:1052 ESTABLISHED
TCP ltdayes:1052 96.8.72.78:1051 ESTABLISHED
TCP ltdayes:1097 96.8.72.78:1098 ESTABLISHED
TCP ltdayes:1098 96.8.72.78:1097 ESTABLISHED
TCP ltdayes:1099 96.8.72.78:1100 ESTABLISHED
TCP ltdayes:1100 96.8.72.78:1099 ESTABLISHED
TCP ltdayes:1163 96.8.72.78:27015 ESTABLISHED
TCP ltdayes:1238 96.8.72.78:1239 ESTABLISHED
TCP ltdayes:1239 96.8.72.78:1238 ESTABLISHED
TCP ltdayes:1240 96.8.72.78:1241 ESTABLISHED
TCP ltdayes:1241 96.8.72.78:1240 ESTABLISHED
TCP ltdayes:27015 96.8.72.78:1163 ESTABLISHED
TCP ltdayes:1044 96.8.72.78:1045 ESTABLISHED
TCP ltdayes:1045 96.8.72.78:1044 ESTABLISHED
TCP ltdayes:1046 96.8.72.78:1047 ESTABLISHED
TCP ltdayes:1047 96.8.72.78:1046 ESTABLISHED
TCP ltdayes:1049 96.8.72.78:1050 ESTABLISHED
TCP ltdayes:1050 96.8.72.78:1049 ESTABLISHED
TCP ltdayes:1051 96.8.72.78:1052 ESTABLISHED
TCP ltdayes:1052 96.8.72.78:1051 ESTABLISHED
TCP ltdayes:1097 96.8.72.78:1098 ESTABLISHED
TCP ltdayes:1098 96.8.72.78:1097 ESTABLISHED
TCP ltdayes:1099 96.8.72.78:1100 ESTABLISHED
TCP ltdayes:1100 96.8.72.78:1099 ESTABLISHED
TCP ltdayes:1163 96.8.72.78:27015 ESTABLISHED
TCP ltdayes:1238 96.8.72.78:1239 ESTABLISHED
TCP ltdayes:1239 96.8.72.78:1238 ESTABLISHED
TCP ltdayes:1240 96.8.72.78:1241 ESTABLISHED
TCP ltdayes:1241 96.8.72.78:1240 ESTABLISHED
TCP ltdayes:27015 96.8.72.78:1163 ESTABLISHED
TCP ltdayes:1044 96.8.72.78:1045 ESTABLISHED
TCP ltdayes:1045 96.8.72.78:1044 ESTABLISHED
TCP ltdayes:1046 96.8.72.78:1047 ESTABLISHED
TCP ltdayes:1047 96.8.72.78:1046 ESTABLISHED
TCP ltdayes:1049 96.8.72.78:1050 ESTABLISHED
TCP ltdayes:1050 96.8.72.78:1049 ESTABLISHED
TCP ltdayes:1051 96.8.72.78:1052 ESTABLISHED
TCP ltdayes:1052 96.8.72.78:1051 ESTABLISHED
TCP ltdayes:1097 96.8.72.78:1098 ESTABLISHED
TCP ltdayes:1098 96.8.72.78:1097 ESTABLISHED
TCP ltdayes:1099 96.8.72.78:1100 ESTABLISHED
TCP ltdayes:1100 96.8.72.78:1099 ESTABLISHED
TCP ltdayes:1163 96.8.72.78:27015 ESTABLISHED
TCP ltdayes:1238 96.8.72.78:1239 ESTABLISHED
TCP ltdayes:1239 96.8.72.78:1238 ESTABLISHED
TCP ltdayes:1240 96.8.72.78:1241 ESTABLISHED
TCP ltdayes:1241 96.8.72.78:1240 ESTABLISHED
TCP ltdayes:27015 96.8.72.78:1163 ESTABLISHED
^C^C
c:\downloads>
 
If this user simply connects to the internet at a cafe or hotel or something, does he or she still see this traffic when doing a netstat? That would indicate it has nothing to do with the VPN and everything to do with a virus or trojan or some other malware. Just for giggles, I'd have the user go to trendmicro.com or some other reputable site that will do a free malware scan.
 
The weird thing is that he has only started the service, not chosen to connect to a site. No VPNs established; he is running the new Symantec 11, I believe, which is reporting nothing. He's currently getting ready to wipe his laptop.
Thanks
 
Geez, don't wipe the laptop, unless you think it's a rootkit. Run a spyware scan first using another brand besides Symantec. Download Lavasoft's Ad-Aware or something similar. If that turns up nothing, go through the installed programs and look for something that doesn't belong (i.e. toolbars, filesharing software, etc.).
 
Hi,
I'm new to this forum, and just read the thread. No idea what is causing the connection, but I know how to track it. A few years ago, I learned about Sunbelt Personal Firewall (aka Kerio) for Windows. LOVE IT! Spent my $30 and never looked back. Its main feature is software-based firewall protection that blocks and reports both internal and egress attempts! In the case above, you would get an immediate pop-up dialog that would say exactly which program/process is trying to open the outbound connection. Options are to BLOCK or ALLOW, with the sub-option to remember the choice and not ask again. I was astounded at the number of apps that 'silently' phone home for undocumented reasons. I say silently because the apps don't complain when their phone home attempt is BLOCKed. I find M$ apps to be the worst in this regard. God knows what information they would be sending home (if I let them).
I'm sure there are many other products in this category, but I'm only familiar with SPF. Did I mention I love it?
;-)
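Two checks a practitioner would run on the netstat capture posted above, and on the "which process owns this connection" question the last reply raises, as an added example that is not part of the thread: the first flags socket pairs that appear in both directions (ltdayes:1044 to 96.8.72.78:1045 and ltdayes:1045 to 96.8.72.78:1044), which a host can only list if it owns both ends of the connection, so the "remote" address is worth checking against `ipconfig /all` for a virtual adapter; the second joins `netstat -ano` rows to `tasklist /fo csv /nh` output to name the owning process. The sample rows, PIDs and process names are constructed placeholders, not the user's real data or Check Point binaries.

```python
from collections import defaultdict

# Constructed sample in `netstat -ano` form (the thread's capture used `netstat -a`,
# which omits the PID column); the fifth row repeats the first, as a 5-second poll
# would. Below it, constructed `tasklist /fo csv /nh` output, first two columns only.
NETSTAT_ANO = """\
  TCP    10.0.0.5:1044    96.8.72.78:1045    ESTABLISHED     1520
  TCP    10.0.0.5:1045    96.8.72.78:1044    ESTABLISHED     1520
  TCP    10.0.0.5:1163    96.8.72.78:27015   ESTABLISHED     1520
  TCP    10.0.0.5:27015   96.8.72.78:1163    ESTABLISHED     1520
  TCP    10.0.0.5:1044    96.8.72.78:1045    ESTABLISHED     1520
  TCP    10.0.0.5:3021    203.0.113.9:443    ESTABLISHED     2244
"""
TASKLIST_CSV = '"hypothetical_vpn.exe","1520"\n"browser.exe","2244"\n'

def parse_netstat(text):
    """One dict per TCP row; accepts `netstat -a` (no PID) and `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] != "TCP":
            continue
        lhost, lport = f[1].rsplit(":", 1)
        rhost, rport = f[2].rsplit(":", 1)
        rows.append({"lhost": lhost, "lport": int(lport), "rhost": rhost, "rport": int(rport),
                     "state": f[3], "pid": int(f[4]) if len(f) > 4 else None})
    return rows

def mirrored_pairs(rows):
    """Connections listed in both directions (local A -> peer B and local B -> peer A).
    A host only shows both ends of one TCP connection if it owns both sockets, so the
    'peer' address is almost certainly bound on this machine (virtual or loopback
    adapter) rather than a remote system. The set also collapses repeated polls."""
    seen = {(r["lport"], r["rhost"], r["rport"]) for r in rows}
    return sorted({(rh, min(lp, rp), max(lp, rp)) for lp, rh, rp in seen if (rp, rh, lp) in seen})

def processes_by_peer(rows, tasklist_csv):
    """Map each peer address to the process names owning connections to it (needs PIDs)."""
    names = {}
    for line in tasklist_csv.splitlines():
        cols = [c.strip('"') for c in line.split(",")]
        if len(cols) >= 2 and cols[1].isdigit():
            names[int(cols[1])] = cols[0]
    peers = defaultdict(set)
    for r in rows:
        if r["pid"] is not None:
            peers[r["rhost"]].add(names.get(r["pid"], f"pid {r['pid']}"))
    return {peer: sorted(procs) for peer, procs in peers.items()}
```

On the real laptop, feed `parse_netstat` the text of `netstat -ano` and `processes_by_peer` the text of `tasklist /fo csv /nh`; a peer that shows up in `mirrored_pairs` should be compared against the addresses `ipconfig /all` lists before treating it as external.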
 