Unwanted Connection
December 24, 2006 5:53 AM

Something verycurious is going on in the bowels of my PC.

(Warning: Don't bother going to the URL, it's very spammy)

Some time ago netstat revealed an open connection to verycurious.com. Further investigation with netstat -b revealed that my shell, litestep, was the source of the connection (though it's probably a DLL running it). Googling it found this forum post, but my search pages haven't been hijacked. Blocking it with my hosts file failed because it changed to s3a.verycurious.com. I then blocked this in hosts and it's still there after re-booting.

What gives? I've done grep style searches of the hd, searched the registry and come up blank. Why is this connection present? Who is it? Does anyone else have it?
(The obvious eg. spyware scans, hijackthis, antivirus and rootkitrevealer have all been done multiple times along with most of the things in that thread)

Running WinXPSP2, Sygate pers firewall pro, ewido, and avg. With sysinternals process explorer as task manager.
posted by IronLizard to Computers & Internet (12 answers total)
 
Response by poster: Now it's s4a.verycurious.net. Slippery bastard.
posted by IronLizard at 5:57 AM on December 24, 2006


You don't need to specify three fields in a hosts-file entry. You should be able to block just "verycurious.net" (i.e. remap it to 127.0.0.1), so that the first field doesn't matter.
posted by Steven C. Den Beste at 6:21 AM on December 24, 2006


Response by poster: Unfortunately, it didn't work out that way. After blocking verycurious.com, it switched to s3a.verycurious.com. So I added the s3a. Now it's s4a and it keeps mutating, regardless of what's in hosts. The only thing that makes it lose its connection is telling sygate to disallow litestep from connecting to the net and while this is a good temporary fix, I need to kill whatever this is and possibly report it (to where?).

While the connection is blocked, processexplorer keeps showing it attempting to send a syn packet. If I could just figure out which DLL is doing this and kill it....
posted by IronLizard at 6:33 AM on December 24, 2006
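The exchange above turns on one property of the hosts file that the thread never states outright: a hosts entry matches a hostname exactly, so sinking verycurious.com says nothing about s3a.verycurious.com, and a client that rotates its leftmost label walks straight past it. The following is an added example, not code from the thread; the hosts-file contents are constructed to mirror the entries the poster describes, and the second function shows the suffix match a DNS filter or proxy rule would give instead.

```python
"""Hosts-file lookups are exact-match; domain-level blocking is a different operation."""
from typing import Dict, Iterable, Optional

# Constructed hosts file, modelled on the entries described in the thread.
SAMPLE_HOSTS = """\
# constructed example, not the poster's actual file
127.0.0.1   localhost
127.0.0.1   verycurious.com
127.0.0.1   s3a.verycurious.com   # added after the client moved to s3a
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts-file text into {hostname: ip}.

    Format: one IP followed by one or more names per line; '#' starts a comment.
    The first entry for a name wins, which matches how resolvers walk the file.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line; a real resolver ignores it too
        ip, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower().rstrip("."), ip)
    return table


def hosts_lookup(table: Dict[str, str], hostname: str) -> Optional[str]:
    """Exact-match lookup: 'verycurious.com' does NOT cover 's3a.verycurious.com'."""
    return table.get(hostname.lower().rstrip("."))


def first_unblocked(table: Dict[str, str], candidates: Iterable[str]) -> Optional[str]:
    """Simulate the rotating client: the first name the hosts file does not sink."""
    for name in candidates:
        if hosts_lookup(table, name) != "127.0.0.1":
            return name
    return None


def suffix_blocked(blocklist: Iterable[str], hostname: str) -> bool:
    """Suffix (domain-level) match, the behaviour a DNS filter or proxy rule gives.

    Blocking 'verycurious.com' here also catches every subdomain, so rotating
    s3a -> s4a -> ... does not help the client. Note the leading dot: this must
    not treat 'notverycurious.com' as a subdomain of 'verycurious.com'.
    """
    host = hostname.lower().rstrip(".")
    for domain in blocklist:
        d = domain.lower().rstrip(".")
        if host == d or host.endswith("." + d):
            return True
    return False


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    rotation = ["verycurious.com", "s3a.verycurious.com", "s4a.verycurious.net"]
    print("hosts file loses at:", first_unblocked(table, rotation))
    print("suffix rule catches it:", suffix_blocked(["verycurious.com", "verycurious.net"], rotation[-1]))
```

The practical consequence is the one the poster reached by trial and error: a per-hostname hosts entry is the wrong tool against a rotating subdomain, and the block has to move to the domain suffix (a filtering resolver or proxy) or to the addresses themselves (a firewall rule).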


Response by poster: And when you say field, you mean subdomain, right?
posted by IronLizard at 6:34 AM on December 24, 2006


Well, this doesn't address the underlying problem, but it seems that all of those verycurious.com are round-robin mapped to one of four IP address: 38.114.169.185, 38.114.169.189, 38.141.169.193, and 38.114.169.197. Those are likely static and won't change in the near future. I don't use XP that much, but I'm pretty sure with SP2 it allows you to block specified IP addresses. So if you put those 4 in as block incoming and outgoing, that should stop it from making any connections.
posted by skynxnex at 7:22 AM on December 24, 2006


Did you google for 'verycurious'? Seems like there are bunches of suggested fixes.
posted by SirStan at 8:33 AM on December 24, 2006


Blocking IPs would have to be done in the firewall. You can't do it with the Hosts file.
posted by Steven C. Den Beste at 10:36 AM on December 24, 2006


You can't do it with the Hosts file.

You can if they're connecting by name, not by IP. If you do a lookup on spammers.evilsite.com and get 127.0.0.1, you're not going to connect to the machine (unless, of course, you are running spammers.evilsite.com, in which case, 127.0.0.1 works just fine.)

For blocking IP on a machine, you could setup a blackhole route. Since both .185 and .197 route, they're using at least a /25 netblock, half of an old-style Class-C. (/26 and /27 break at .192, anything more narrow isn't wide enough.)

So, in this case, you'd type the following at the command prompt
route -p add 38.114.169.128 mask 255.255.255.128 gateway 0.0.0.0
Translation. To reach the IP addresses in the 38.114.169.128/25 network, or (38.114.169.128 through 38.114.169.245) send the packets to 0.0.0.0, which is an unroutable address. Well, not really. Technically, sending to 0.0.0.0 means send to the network at 0.0.0.0/0, which means send to every host on the Internet. Heh.

We figured out that was a bad idea years ago, so now, no machine nor router will do anything to a packet destined for 0.0.0.0 other than drop it, for sanity's sake. Otherwise, any fuckwit on the planet could melt down his connection to the Internet by typing "ping 0.0.0.0" and watching a few million ICMP echo-reply packets try to come back. Of course, when it does, those million of echo-reply packets will generate other ICMP packets, and so on.

So, we don't play that. 0.0.0.0 goes nowhere.

The -p switch means "persist" -- it's written to the registry, and reappears on reboot. Note this is XP and later only.

Hmm. I just realized that I don't have a Windows box handy to make sure this works on Windows. It does work on almost every Unix based system, and since Windows 'borrowed' the BSD TCP stack (which isn't a problem, really, the BSD license explicitly allows such), the stack should do the right thing with a 0.0.0.0 host.

Note. Do not set your gateway to 0.0.0.0.

The other way to do it on the host is TCP filtering, but the Windows TCP filter interface sucks. In particular, whenever I've looked at it, it doesn't have a Permit All Except -- it's got Permit All or Permit Only. In this case, we really want Deny Only.
posted by eriko at 2:21 PM on December 24, 2006


That route command doesn't execute here, XP SP2. Windows' route.exe doesn't need 'gateway' specified explicitly, so modifying it to:

route -p add 38.114.169.128 mask 255.255.255.128 0.0.0.0

Gives: The route addition failed: Either the interface index is wrong or the gateway does not lie on the same network as the interface. Check the IP Address Table for the machine.

I fiddled a bit with it but I couldn't get a meaningful blackhole route out of route.exe. Setting it to 127.0.0.1 worked, but of course didn't work. Maybe setting the gw to some random IP inside that /25 would work?
posted by Skorgu at 8:20 PM on December 24, 2006
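Whatever mechanism ends up enforcing the block (the route.exe attempt above, or a firewall rule as Skorgu and Steven suggest), the prefix arithmetic in eriko's post is the part worth getting right: the smallest CIDR block that contains every observed address, and the dotted-mask form Windows tools expect. This is an added example, not code from the thread. It assumes the four addresses are all in 38.114.169.0/24 (the page writes one of them as 38.141.169.193, which looks like a transposition); it also reports how many extra addresses the block sweeps in, since a /25 aimed at four hosts takes 124 strangers with it.

```python
"""Smallest CIDR block covering observed addresses, plus the Windows route/mask form."""
import ipaddress
from typing import Iterable

# The four round-robin addresses reported in the thread. The page shows one as
# 38.141.169.193; this example assumes 38.114.169.193 was meant.
OBSERVED = ["38.114.169.185", "38.114.169.189", "38.114.169.193", "38.114.169.197"]


def covering_network(addrs: Iterable[str]) -> ipaddress.IPv4Network:
    """Return the longest prefix that still contains every address in addrs.

    Start at the lowest address's /32 and widen one bit at a time until the
    highest address falls inside. This is the reasoning behind 'both .185 and
    .197 route, so it is at least a /25': /27 and /26 both split at .192.
    """
    ips = sorted(ipaddress.IPv4Address(a) for a in addrs)
    net = ipaddress.IPv4Network(f"{ips[0]}/32")
    while ips[-1] not in net:
        net = net.supernet()
    return net


def collateral(net: ipaddress.IPv4Network, addrs: Iterable[str]) -> int:
    """How many addresses the block covers beyond the ones actually observed."""
    observed_inside = {ipaddress.IPv4Address(a) for a in addrs if ipaddress.IPv4Address(a) in net}
    return net.num_addresses - len(observed_inside)


def windows_route_args(net: ipaddress.IPv4Network) -> str:
    """Render the block as 'NETWORK mask DOTTED_MASK', the form route.exe takes."""
    return f"{net.network_address} mask {net.netmask}"


def is_blocked(net: ipaddress.IPv4Network, addr: str) -> bool:
    """Would a rule on this block catch a connection to addr?"""
    return ipaddress.IPv4Address(addr) in net


if __name__ == "__main__":
    net = covering_network(OBSERVED)
    print("covering block:", net)                         # 38.114.169.128/25
    print("route.exe form:", windows_route_args(net))     # 38.114.169.128 mask 255.255.255.128
    print("uninvolved addresses also blocked:", collateral(net, OBSERVED))
    print("catches .200:", is_blocked(net, "38.114.169.200"), "| catches .10:", is_blocked(net, "38.114.169.10"))
```

Two points for anyone reusing this. First, the covering block is a guess about the far end's allocation, not a fact: four addresses in the top half of a /24 are consistent with a /25, but also with a /24 or larger, so the rule may need widening if the round-robin set grows. Second, the collateral count is the cost of blocking by prefix instead of by individual address; with only four known hosts, four /32 rules are both tighter and just as easy to write.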


Response by poster: Did you google for 'verycurious'? Seems like there are bunches of suggested fixes.
Yes, I tried most and then made up a few of my own. If you'll notice, the forum post I linked to is the top search result. They didn't appear to resolve this issue, either. I can't seem to track down the individual file(s) responsible to delete them. It would be truly evil if litestep itself were doing this, but someone would have noticed that by now.

I guess I'll just let the firewall keep blocking it until I can figure out what this is, but thanks and happy holidays to everyone.
posted by IronLizard at 10:03 PM on December 24, 2006


Best answer: My best guess - the LiteStep theme that you're running is what's causing the connection attempts by checking for an update, or pulling something from the domain (RSS feed, image, etc). An example of the issue can be found here. You can check your theme's .rc files for a Wazup NetLoadModule, and comment out the line (the linked forum post has a little more info.) Or you can search the theme.rc or skinbase.rc for verycurious or the IP addresses to see exactly what function is using it and either comment out that specific function, or the Wazup line(s) related to it.

Alternately, try changing your litestep theme, and see if the connections stop. Apologies if you've already tried this/seen the forum post.
posted by sysinfo at 11:28 PM on December 24, 2006
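The search-and-comment-out procedure in the answer above is easy to do by hand on one theme.rc, but it is also the kind of check worth scripting so it can be run across every .rc file a theme ships. The following is an added example, not code from the thread or from LiteStep: it flags any active line that mentions one of the indicators from this thread (the domain, the address prefix) or that loads a module matching a name hint via NetLoadModule, and rewrites those lines as comments. The sample theme.rc is constructed, and the `*Wazup` line syntax in it is assumed for illustration rather than copied from a real theme; the one thing taken as given about the format is that LiteStep .rc files use `;` to begin a comment.

```python
"""Flag and comment out LiteStep .rc lines that reference a suspicious host or module."""
from typing import Iterable, List, Tuple

COMMENT = ";"  # LiteStep .rc files treat a leading ';' as a comment marker

# Constructed sample theme.rc, not an actual NBI Studios file. The '*Wazup'
# line is an assumed syntax for illustration only.
SAMPLE_RC = """\
; constructed sample theme.rc
ThemeName   Obsidian
NetLoadModule   wazup-1.0.dll
*Wazup   http://s3a.verycurious.com/news.xml
*Popup   "Home"   !execute [explorer]
; NetLoadModule   wazup-0.9.dll   (already disabled by the theme author)
"""

# Indicators from the thread: the domain and the round-robin address prefix.
INDICATORS = ["verycurious", "38.114.169."]


def suspect_lines(rc_text: str, indicators: Iterable[str], module_hint: str = "wazup") -> List[Tuple[int, str]]:
    """Return (line_number, line) for each active line that either contains an
    indicator or is a NetLoadModule directive loading a module whose name
    contains module_hint. Lines already commented out are skipped, so running
    this after comment_out() finds nothing."""
    inds = [i.lower() for i in indicators]
    hint = module_hint.lower()
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(rc_text.splitlines(), 1):
        stripped = line.lstrip()
        if not stripped or stripped.startswith(COMMENT):
            continue
        low = stripped.lower()
        loads_module = low.startswith("netloadmodule") and hint in low
        if loads_module or any(i in low for i in inds):
            hits.append((n, line))
    return hits


def comment_out(rc_text: str, indicators: Iterable[str], module_hint: str = "wazup") -> str:
    """Return rc_text with every suspect line turned into a ';' comment.

    The original line is preserved after the marker so the change is reversible
    and reviewable, which is what you want before deciding the theme is scummy
    enough to delete outright.
    """
    flagged = {n for n, _ in suspect_lines(rc_text, indicators, module_hint)}
    out = []
    for n, line in enumerate(rc_text.splitlines(), 1):
        out.append(f"{COMMENT} {line}" if n in flagged else line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for n, line in suspect_lines(SAMPLE_RC, INDICATORS):
        print(f"line {n}: {line}")
    print(comment_out(SAMPLE_RC, INDICATORS))
```

Run it over each .rc file in the theme directory rather than theme.rc alone; the answer names skinbase.rc as another place the reference may live, and the module hint catches the loader line even when the URL itself sits in a different file.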


Response by poster: That's funny, no I haven't seen that one, and NBI studios is the creator of this particular theme (Obsidian), as well as the others I've tried. You certainly live up to your nick, sysinfo.

Even after their explanation this still seems scummy to me, after checking out the domains involved, so I'm killing it.
posted by IronLizard at 12:20 AM on December 25, 2006

