Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?

  • Thread starter Thread starter Pam
  • Start date Start date
P

Pam

Can you help me understand what this SYN_SENT means from a security standpoint
on a home PC?

WINDOWSXP_SP2> netstat -a -n -b

Active Connections
Proto Local Address Foreign Address State PID
TCP 192.168.0.101:1058 63.236.111.222:80 SYN_SENT 912
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\System32\WINHTTP.dll
-- unknown component(s) --
[svchost.exe]

Here is what I tried ineffectively to debug so far.
Can you help me debug more?

Upon bootup, with no web browsers running, I ran netstat -a -n -b and saw this
SYN_SENT issue hanging at the SYN_SENT line. After a minute or two the netstat
completed as shown above.
..... I first looked up 63.236.111.222 on http://www.dnsstuff.com/ but it
didn't know who that was.
..... I then looked it up on http://ws.arin.net/whois/ which gave me THREE
owners for the same IP address, none of which I recognize and certainly none I
purposefully communicated with.
..... I looked up tcp/ip port 1058 and found it was registered to "nim" but
there is not much information about this port anywhere I could find.
..... Wikipedia has almost nothing on this special nim port 1058
http://en.wikipedia.org/wiki/Talk:TCP_and_UDP_port_numbers#nim_.281058.29_and_ni
mreg_.281059.29
..... The Microsoft Windows XP netstat doesn't even -list- a command called
SYN_SENT (it lists SYN_SEND)
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/n
etstat.mspx
..... However, other netstat manpages say " The socket is actively attempting
to establish a connection. " but what does THAT tell me?
http://dc.qut.edu.au/cgi-bin/man/man2html?netstat
..... A search for winhttp.dll & WS2_32.DLL is wierd. I couldn't find a
DESCRIPTION for these dlls. That's wierd.
http://support.microsoft.com/?id=837243 Where do we find descriptions of dlls?

Some housekeeping notes
..... I am running the latest Windows XP Service Pack 2
http://www.microsoft.com/athome/security/protect/windowsxp/Default.mspx
..... I ran the Microsoft Malicious Software Removal Tool but it didn't find
anything suspicious
http://www.microsoft.com/security/malwareremove/default.mspx
..... My avast antivirus doesn't list anything suspicious like Blaster or
anything like that.
..... I don't even -see- the connection in my sygate personal firewall traffic
logs
..... I'm wireless on a two PC home network

I'm flailing around ineffectively trying to figure this out so now I'm asking
you for help.

Can you give me the straight scoop on how to stop this problem?


Thanks, .....Pam
 
Process 912 on your system (192.168.0.101) sent a packet to
63.236.111.222 hoping to connect to the web server running on port 80
Your system wants to communicate, and grabs a semi-random
number over 1024 as the port.
Click to expand...

Thanks old guy!
You explained a lot!

One source of confusion you eliminated was the port used to make the outgoing
SYN request.
The evilware seems to change ports, as you predicted - eg it recently used
port 1032.
Thanks to your explanation, we can eliminate the port itself as a clue to the
solution of the dilemma.
I'll move on to debugging the process which seems to be svchost Generic Host
Process for Win32 Services, whatever that is.

Thanks, .....Pam
 
On
This IP is for Qwest communications
Your SYN_SENT means that a session is being established with their website
at that IP and is part of the tcp/ip handshake to establish a connection.
Such can be done to check for updates, etc or possibly spyware so you should
also scan for Spyware with something like AdAware SE.
Another thing you could do is to install, even if a software firewall
Click to expand...

I do have a software firewall on my windows xp pc behind my wireless router
and I did scan using not only AdAware but SpyBot Search and Destroy and the
Microsoft malicious software removal tool. None found anything suspicious but
there was that strange file GLB1A2B.EXE which I'm still trying to figure out
if it is a bad guy or part of AdAware which I updated before I ran the scan.

I can't find any legitimate use for this "TCP 192.168.0.101:1058
63.236.111.222:80 SYN_SENT process 912" Quest Communications outfit.

Why or how did they get into my startup sequence such that it makes my machine
send the SYN_SENT signal to their port 80?
Can they figure out my ISP IP address from this one-way communication?

Thanks, .....Pam
 
Unbelievable, WinXP's Automatic Update Service actually works!
The others servers could be part of Akamia's load balancing system that
is used by Microsoft. Unbelievable, they're using load balancing!
Click to expand...

Are you saying EVERYONE on Windows gets these SYN_SENT signals?
I thank you very much for your advice & will follow you willingly.

I just rebooted & ran lots of netstats to test your supposition.
At least 15 servers were contacted by svchost via SYN_SENT in the first ten
minutes.
I'm sure I missed some as I ran netstat -a -b -n manually & copied the IP
addresses.
About ten minutes after rebooting, the seemingly random SYN_SENT attempts
stopped.

Here are the ones I captured manually, in order received.
TCP 192.168.0.102:1056 207.46.157.61:80 SYN_SENT 980
TCP 192.168.0.102:1068 64.152.17.158:80 SYN_SENT 980
TCP 192.168.0.102:1076 4.78.214.61:80 SYN_SENT 980
TCP 192.168.0.102:1059 64.4.21.61:80 SYN_SENT 980
TCP 192.168.0.102:1068 64.152.17.158:80 SYN_SENT 980
TCP 192.168.0.102:1061 64.4.21.125:80 SYN_SENT 980
TCP 192.168.0.102:1076 4.78.214.61:80 SYN_SENT 980
TCP 192.168.0.102:1060 64.4.21.93:80 SYN_SENT 980
TCP 192.168.0.102:1086 69.226.92.48:80 SYN_SENT 980
TCP 192.168.0.102:1097 207.46.250.185:80 SYN_SENT 980
TCP 192.168.0.102:1088 65.59.235.62:80 SYN_SENT 980
TCP 192.168.0.102:1102 207.46.253.125:80 SYN_SENT 980
TCP 192.168.0.102:1104 207.46.157.30:80 SYN_SENT 980
TCP 192.168.0.102:1106 207.46.244.253:80 SYN_SENT 980

Here are the "owners" of those IP addresses, in order.
http://www.whois.sc/207.46.157.61 OrgName: Microsoft Corp
http://www.whois.sc/64.152.17.158 OrgName: unknown, maybe Level 3
Communications, Inc.
http://www.whois.sc/4.78.214.61 OrgName: Level 3 Communications, Inc.
http://www.whois.sc/64.4.21.61 OrgName: MS Hotmail
http://www.whois.sc/64.152.17.158 OrgName: unknown, maybe Level 3
Communications, Inc.
http://www.whois.sc/64.4.21.125 OrgName: MS Hotmail
http://www.whois.sc/4.78.214.61 OrgName: Level 3 Communications, Inc.
http://www.whois.sc/64.4.21.93 OrgName: MS Hotmail
http://www.whois.sc/69.226.92.48 OrgName: unknown SBC Internet Services or
Akamai Server Farm
http://www.whois.sc/207.46.250.185 OrgName: Microsoft Corp
http://www.whois.sc/65.59.235.62 OrgName: unknown Level 3 Communications, Inc.
or CWIE, LLC LVLT-CWIE
http://www.whois.sc/207.46.253.125 OrgName: Microsoft Corp
http://www.whois.sc/207.46.157.30 OrgName: Microsoft Corp
http://www.whois.sc/207.46.244.253 OrgName: Microsoft Corp


If everyone gets SYN_SENT, why is there not much of a record in the google
search?
Most with SYN_SENT are asking what it means and none I found said it was
Microsoft.
Yet, I do see most of the SYN_SENT signals do resolve to Microsoft.
A clever ruse for a virus or malware perhaps?

To debug this, should I turn off Microsoft automatic update to see if that
stops these SYN_SENT signals?

Thanks, .....Pam
 
Are you saying EVERYONE on Windows gets these SYN_SENT signals?
Click to expand...

I was wondering why, if everyone on Windows gets these SYN_SENT syn-ack
attacks all the time, that they dion't complain more about it.

I can't be the only one with a syn-ack syn_sent attack since I see many on the
internet asking about this but almost none getting the answers.

I do very much appreciate your help. One debugging hint that may help is in
the event log where I just now found.
Type = Warning
Source = Tcpip
Category = None
Event = 4226
User = N/A
Computer = PAM
Description = TCP/IP has reached the security limit imposed on the number of
concurrent TCP connect attempts.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp

Of course, Microsoft being Microsoft, there is nothing at that web page (why
do they bother to refer us to non-existent web pages anyway)?

Can you help me understand this. From my googling, I think maybe a limit is
set on the number of contiguous TCP connect attempts to the Microsoft servers???
http://www.lvllord.de/?url=tools#4226patch

There seems to be a registry key to prevent these microsoft syn_sent attacks
http://board.iexbeta.com/lofiversion/index.php/t44426.html
which says in part.

Microsoft published how to harden NT's tcpip stack against these attacks.
The registry hacks documented here are taken from Microsoft sources.
Synattack protection involves reducing the amount of retransmissions for
the SYN-ACKS, which will reduce the time for which resources have to remain
allocated. The allocation of route cache entry resources is delayed until a
connection is made. If synattackprotect = 2, then the connection indication
to AFD is delayed until the three-way handshake is completed. Also note that
the actions taken by the protection mechanism only occur if TcpMaxHalfOpen
and TcpMaxHalfOpenRetried settings are exceeded.
Apply the following registry hack:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: SynAttackProtect
Type: REG_DWORD
Value: 0
no syn attack protection
Value: 1
reduced retransmission retries and delayed RCE ( route cache entry ) creation
if the TcpMaxHalfOpen and TcpMaxHalfOpenRetried settings are satisfied.
Value: 2
adds delayed indication to Winsock to setting of 1
When the system finds itself under attack the following options on any socket
can no longer be enabled : Scalable windows (RFC 1323) and per adapter
configured TCP parameters ( Initial RTT, window size ). This is because when
protection is functioning the route cache entry is not queried before the
SYN-ACK is sent and the Winsock options are not available at this stage of
the connection.

TcpMaxHalfOpen
parameter controls the number of connections in the SYN-RCVD state allowed
before SYN-ATTACK protection begins to operate. If SynAttackProtect is
set to 1, ensure that this value is lower than the AFD listen backlog on
the port you want to protect.
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: TcpMaxHalfOpen
Type: REG_DWORD
Value: 100
Professional, Server
Value: 500
Advanced Server

This is what I get from a Microsoft-Guy when i asked him why XPSP2 slows down
programs like emule which open many connections to different destinations:

"Thanks very much for responding. This new feature is one of the stack's
"springboards", security features designed to proactively reduce the
future threat from attacks like blaster and Sasser that typically spread
by opening connections to random addresses. In fact, if this feature had
already been deployed, Sasser would have taken much longer to spread.

It's not likely to help stop the spread of spam unless spammers are
trying to reach open email relays in the same way, by opening
connections on smtp ports of random IP addresses.
This is new with XP SP2 and we're trying to get it right so that it does
not interfere with normal system operation or performance of normal,
legitimate applications, but does slow the spread of viral code. New
connection attempts over the limit for half-open connections get queued
and worked off at a certain (limited rate)."


This is the key to add to modify the maximum number of simultaneous connections
TcpNumConnections

Key: Tcpip\Parameters
Value Type: REG_DWORD - Number
Valid Range: 0 - 0xfffffe
Default: 0xfffffe
Description: This parameter limits the maximum number of connections that TCP
can have open simultaneously.

128 decimal or 80 hexadecimal ---------------->>>0xfffffe

I have put the following into the reg to see what affect it would have, and it
seems to have stoppped the error for the moment..

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters]
"TcpNumConnections"=dword:00000020


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"TcpNumConnections"=dword:00000080

original

then change "TcpNumConnections"=dword:0xfffffe
 
Back
Top