The hunt is on


I've been noticing some strange behaviour on my laptop lately, and when it happened again today, I decided to look into it. I'm working normally, and suddenly a small pop-up tells me my virus scanner is trying to access a certain IP address using POP3, even though I'm not - as far as I'm aware - running any application that would need POP3 access at the time.

I quickly opened a command prompt and a netstat session did indeed confirm an attempt to reach an IP address linked to bethere.co.uk, which makes NO sense at all. I'm not in the UK, I'm not using a UK provider and no one I know is either. It only happens on the laptop, so my first idea was that someone is messing with my wireless link to the desktop machine. However, I've set up my link using WPA2 with a completely random and strong key, so that shouldn't be possible.

I could suspect tor, but there is no real reason to do so, apart from the fact that when this happened earlier, it stopped after I removed the application. However, when I check tor and the bandwidth it uses, there is no activity at all, which sounds right as it is not in use all the time. I only fire up tor and the proxies when I need some additional privacy, and the speed with which data arrives is less important. Is someone trying to use my installed tor client to send out mail? That again should be impossible since I have it configured as a client, not a server, and by default it doesn't allow POP3. My idea is that it ain't caused by tor.

I quickly ran my antivirus, spyware and adware tools to see if anything got past my defenses, but nothing has shown up so far. The firewall is up, the virus scanner is up to date, yet something tries to create a POP3 connection to a UK based host. Go figure.

Update: I have now fine-tuned my netstat capture to not only list the open connections and their state, but also which binary is responsible for creating them, sorted by protocol. This should be enough to find out more about the perpetrator. My e-mail scanner log files it under AutoPOP3, which really doesn't ring a bell. To be sure I've upped my default log information from medium to high, so I hope to get some more info.

If anyone happens to know where this mysterious POP3 connection to bethere.co.uk originates from, I'd be happy to find out. The IP address it tries to connect to is 87.194.29.236.bethere.co.uk and the brand and model of the laptop is a Fujitsu-Siemens Amilo L7300. I must say that I've found similar questions from people online wondering why their AVG Mailscanner suddenly feels like connecting to foreign servers. To be continued, no doubt.

Note: I'm not running eMule, eDonkey, or any other filesharing programs, nor are they installed on my machine(s).

Update: Guess what. The PID of the offending program is 1264 in my case. I check the running processes and what shows up? Tor. Crap. Off to read up and possibly talk to the developers of it.

Solved: thanks to some volunteers in the #tor IRC channel (irc.oftc.net) the mystery was solved. Tor keeps some connections open and 87.194.29.236 is the address of a dir server, which runs on port 110, thus is captured by my mailscanner. Whether I find it "wise" to run a dirserver on a port specified for mail remains to be seen, but the mystery is solved. Off to throw something in the donation bin for tor now...
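What the two updates above boil down to, as an added example that is not part of the original post: correlate the `netstat -ano` connection list (which includes the owning PID) with `tasklist /fo csv /nh` (PID to image name) and pull out every connection whose foreign port is 110, so the process behind an unexpected POP3 attempt is named directly instead of guessed at. The two captures below are constructed samples; the 87.194.29.236 address and PID 1264 are taken from the post, the remaining addresses, PIDs and process names are made up, and `tor.exe` is only the name one would expect to see given how the post resolved.

```python
import csv
import re
import subprocess
from collections import namedtuple

Conn = namedtuple("Conn", "proto local remote state pid")

# Constructed sample of `netstat -ano` output on Windows (not a real capture).
# 87.194.29.236 and PID 1264 come from the post; every other value is made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.10:1052      87.194.29.236:110      ESTABLISHED     1264
  TCP    192.168.1.10:1053      216.127.146.11:110     SYN_SENT        1264
  TCP    192.168.1.10:1060      192.168.1.1:80         ESTABLISHED     2200
  UDP    0.0.0.0:500            *:*                                    700
"""

# Constructed sample of `tasklist /fo csv /nh` output (not a real capture).
SAMPLE_TASKLIST = """\
"svchost.exe","900","Console","0","5,120 K"
"tor.exe","1264","Console","0","14,344 K"
"firefox.exe","2200","Console","0","61,004 K"
"""

# One netstat row: proto, local, foreign, optional state (UDP rows have none), PID.
NETSTAT_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$"
)


def parse_netstat(text):
    """Turn `netstat -ano` output into Conn tuples; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Conn(proto, local, remote, state or "", int(pid)))
    return conns


def remote_port(conn):
    """Port part of the foreign address; None for wildcard ('*:*') endpoints."""
    port = conn.remote.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def find_connections_to_port(netstat_text, port):
    """All connections whose foreign endpoint is `port` (110 = POP3)."""
    return [c for c in parse_netstat(netstat_text) if remote_port(c) == port]


def pid_to_image(tasklist_text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    images = {}
    for row in csv.reader(tasklist_text.splitlines()):
        if len(row) >= 2 and row[1].isdigit():
            images[int(row[1])] = row[0]
    return images


def attribute(netstat_text, tasklist_text, port=110):
    """Join the two captures: which binary owns each connection to `port`."""
    images = pid_to_image(tasklist_text)
    return [
        {"image": images.get(c.pid, "<unknown>"), "pid": c.pid,
         "remote": c.remote, "state": c.state}
        for c in find_connections_to_port(netstat_text, port)
    ]


def capture_live(port=110):
    """Run the same attribution against the live system (Windows only)."""
    netstat = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    tasklist = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                              capture_output=True, text=True).stdout
    return attribute(netstat, tasklist, port)


if __name__ == "__main__":
    for entry in attribute(SAMPLE_NETSTAT, SAMPLE_TASKLIST, 110):
        print("{image} (PID {pid}) -> {remote} {state}".format(**entry))
```

Run against the samples it names `tor.exe` (PID 1264) as the owner of both port-110 connections, which is the answer the post reached by hand; `capture_live()` does the same join on a real Windows box. Filtering on the foreign port rather than on the scanner's "POP3" label is the point: the mail scanner only sees port 110, so any service that happens to listen there, like the directory server in the post, will trip it.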

2 Comments

I have the same problems and have traced the numbers back to the TOR routers. I found this out by googling the number, it will return nothing, but then select Google's "sites that contain the search item" and you will see they are in the TOR status page.... I've written several administrators about this (usually at some college) and they claim they don't know why something is trying to "call home"... Now most recently, just about every time I fire up TOR... up pops the scanner.

I have told ZoneAlarm to ask me every time the AVG e-mail scanner pops up... BTW I don't have to be running any browsers, e-mail programs or even TOR for that matter... for this attempt at calling home.
Here are two of the latest 4 dot numbers.. Sometimes if you drop the 110, you will be able to connect to a web page that wants a password and shows nothing else. Strange

71.130.171.184:110
216.127.146.11:110

Please if you have found out anything new about this please let me know... Thanks

Guess I should read the whole post before commenting... Thanks for the answer

This page contains a single entry by ServMe published on February 27, 2006 2:28 AM.