Peerblock detecting something odd

Posted by skooma 
Peerblock detecting something odd
December 03, 2010 07:24PM
Sometimes when I look at peerblock I see something is trying to talk to "Netrouting Telecom". Normally I'd ignore it but whatever wants to phone home is trying literally every port in the book, rapidly.

I've narrowed it down to utorrent, since as soon as I kill that process it stops. I have to kill the process too, closing it is not enough.

Does this happen to anyone else? Does anyone know what is going on?

I'm going to post about this on the utorrent forum as well.
Re: Peerblock detecting something odd
December 03, 2010 10:41PM
It could be the tracker you're connected to on a particular torrent that's currently leeching or seeding.




This business is binary. You're either a one or a zero.
Re: Peerblock detecting something odd
December 15, 2010 02:19AM
I'm getting the same thing from Kungliga Tekniska Hogskolan. No torrent program running. Attached is a pic of the listing.
Attachments: Capture.JPG (99.4 KB)
Re: Peerblock detecting something odd
December 20, 2010 06:35PM
dedokta Wrote:
-------------------------------------------------------
> I'm getting the same thing from Kungliga Tekniska
> Hogskolan. No torrent program running. attached is
> a pic of the listing.


Same here but uTorrent is running although I also got the same IP attempting access when it is temporarily off. Running PeerBlock 1.1 and I'm a neophyte so no flaming please.
Attached is my own screen shot showing 192.121.121.30 (Kungliga Tekniska Hogskolan).

I am running XP SP3 and patches and have

1) a modem/router with hardware firewall (TG585v7). I have since also set its Parental Control to block access to 192.121.121.30. As I understand it, the scheme of the built in router/firewall is to disallow all incoming connections except those requested on my machine. Needless to say I have expressly not requested any connection save as stated below for testing.
2) Sunbelt Personal Firewall is running with packet filters for uTorrent in/out on UDP and TCP.
3) uTorrent 2.02 running with port forwarding to a static fixed IP/port. (The ISP has allocated a static IP). For purposes of port forwarding I created a static IP on the PC to use for port forwarding. NO local network. There is an exception created allowing UDP and TCP traffic both ways in the software firewall via packet filtering rules I made. Also in the hardware firewall for this app but similarly not otherwise.
4) I can't understand the activity shown in the screen shot because the uTorrent traffic is set up to be directed to my port **977 but in PeerBlock the Source is shown as my IP (partly blanked out) but on various OTHER ports, not the one assigned to uTorrent, and the Destination is shown as 192.121.121.30 on port 80 (http) - so why the heck would data on one or more of my ports which is/are not assigned to uTorrent on my machine apparently be trying to reach a http port on the remote machine? I have not connected to 192.121.121.30 except to test it and it declined to display any page (that was also before I tweaked the router/firewall to block outgoing connections to it).
5) malware scans in three applications (Sunbelt/Vipre, Malwarebytes and Spybot) all negative.
I did a DNS check on 192.121.121.30 and emailed what appeared to be the abuse address for the IP range covering 192.121.121.30. I have received the following somewhat snotty reply from that admin:

"Please learn how to use the RIPE database properly. You cannot just spam someone you find in a changed-line.
...
The important thing is the line "origin: AS13214".

S/he indicates the abuse address is one instead in the domain dcpnetworks.net.

HDD is thrashing.

Can someone review the screen capture attached and please tell me what their analysis of it is? I suppose it shows PB is blocking outward traffic to the listed entity which is good, but my router/firewall is doing that now anyhow; what confounds me is why the heck traffic should apparently be wanting to go there in the first place given all the factors summarised in 1-5 above i.e. I am not requesting these inward connections and my firewalls are supposed to block inward traffic as a default unless it is requested by me. If some remote computer is port scanning me, how the heck can it be getting past the hardware firewall and the software firewall? Or is it using the assigned uTorrent port forwarding port and then trying to send home data on others of my ports? If so doesn't that mean the hardware and software firewalls are not working?

Grateful for any input as armed with it I may also pose this one to the s/w firewall developer.

tia,
Attachments: PortScan192.121.121.30_v2.jpg (79.6 KB)
Re: Peerblock detecting something odd
December 20, 2010 06:43PM
skooma Wrote:
-------------------------------------------------------
> Sometimes when I look at peerblock I see something
> is trying to talk to "Netrouting Telecom".
> Normally I'd ignore it but whatever wants to phone
> home is trying literally every port in the book,
> rapidly.
>
> I've narrowed it down to utorrent, since as soon
> as I kill that process it stops. I have to kill
> the process too, closing it is not enough.
>
> Does this happen to anyone else? Does anyone know
> what is going on?
>
> I'm going to post about this on the utorrent forum
> as well.



@skooma - further to my post just now, did you get any meaningful feedback from the uTorrent forum? Has an external hacker hijacked the incoming uTorrent port and tried sending data back on other ports of your machine? Also do you have any feedback/ideas on how the incoming traffic is getting past your firewall(s)? Has anyone on uTorrent forums addressed that?
Re: Peerblock detecting something odd
December 21, 2010 04:17AM
Replying to one's own posts - the heights of solecism :)

I do however have something mildly interesting which may explain the apparent port scanning type symptoms presented in PB by at least 192.121.121.30 (Kungliga Tekniska Hogskolan) and which reflects one prior post.

First, I looked further into exactly *what* 192.121.121.30 is, having had nothing from a http request and found this bittorrent tracker compendium:

[www.robtex.com]
which says in material part:
"tracker.istole.it is hosted on a server in Sweden even though the hostname implies Italy.
It is not listed in any blacklists.[sic] Search for istole.it.
tracker.istole.it has one IP number (192.121.121.30)."

It's identified as a bittorrent tracker. So I look in my uTorrent seeding torrents' trackers and find among others,

[tracker.istole.it]
and
udp://tracker.istole.it:80/announce

So I removed [tracker.istole.it] from the seeding torrents to see if the continual http requests showing up in PB stopped and indeed they did. I left in place in the seeding torrents udp://tracker.istole.it:80/announce (which at the time of writing is reported in uTorrent as "connection timed out" - presumably as PB is blocking it :) ).

So what does this mean? Why is this torrent tracker on the PB blocked list? Has there been some past abuse from 192.121.121.30 although maybe on another port/service? And second, what does the continual level of http blocked requests signify? Presumably this is [tracker.istole.it] at work, but what does that signify? A misconfigured tracker which is sending continual update requests - or some http port 80 exploit hidden under the guise of a bittorrent tracker? I notice that the udp requests from 192.121.121.30 for a connection on its port 80 don't seem nearly as frequent as were the requests to connect on its port 80 via TCP, so presumably it's a misconfiguration of the machine/service on the http (not udp) address(?)

All very confusing for the neophyte ;)
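
Added example, not part of the original thread: a small classifier for the pattern worked out in the post above, where the local address appears as Source on many different ports while the Destination is always 192.121.121.30 on port 80. Every outbound TCP connection takes a fresh ephemeral source port, so repeated announces to one tracker produce exactly this shape, whereas an inbound scan shows one remote source walking many local destination ports. The record layout, `LOCAL_IP`, and the 198.51.100.9 and 192.0.2.50 entries are constructed assumptions, not PeerBlock's own log format.

```python
from collections import defaultdict

LOCAL_IP = "203.0.113.7"  # placeholder local address (documentation range)

# Constructed records: (src_ip, src_port, dst_ip, dst_port). This layout is an
# assumption for the example, not PeerBlock's own log format.
SAMPLE = (
    # Local client retrying one tracker URL: new source port on every attempt.
    [(LOCAL_IP, 1300 + i, "192.121.121.30", 80) for i in range(8)]
    # Constructed inbound scan: one remote host walking local ports.
    + [("198.51.100.9", 40000, LOCAL_IP, p)
       for p in (21, 22, 23, 25, 80, 135, 139, 445)]
    # A single ordinary outbound connection.
    + [(LOCAL_IP, 1400, "192.0.2.50", 443)]
)


def classify(records, local_ip, min_ports=5):
    """Label each (remote_ip, direction) pair by which side's port varies."""
    local_ports = defaultdict(set)
    remote_ports = defaultdict(set)
    for src_ip, src_port, dst_ip, dst_port in records:
        if src_ip == local_ip:   # we initiated: outbound
            key, lport, rport = (dst_ip, "out"), src_port, dst_port
        else:                    # remote initiated: inbound
            key, lport, rport = (src_ip, "in"), dst_port, src_port
        local_ports[key].add(lport)
        remote_ports[key].add(rport)

    labels = {}
    for key in local_ports:
        direction = key[1]
        many_local = len(local_ports[key]) >= min_ports
        many_remote = len(remote_ports[key]) >= min_ports
        if direction == "out" and many_remote:
            labels[key] = "local host sweeping remote ports"
        elif direction == "out" and many_local:
            labels[key] = "repeated outbound connects to one service"
        elif direction == "in" and many_local:
            labels[key] = "inbound port scan"
        else:
            labels[key] = "unremarkable"
    return labels


if __name__ == "__main__":
    for (remote, direction), label in sorted(classify(SAMPLE, LOCAL_IP).items()):
        print(f"{remote:15} {direction:3} {label}")
```
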
Re: Peerblock detecting something odd
February 20, 2011 04:53AM
I had the same thing, the problem is caused by tracker ( I STOLE IT ...) look for it in your list of trackers on uTorrent, after removing it the problem stops. I think this is what is called a denial of service attack, maybe? It is similar to the method used in response to the wikileaks attack, using loic tool. ultra rapid requests bogin to down your access. I think someone is using the same method against downloaders. I can tell you what I did... I used loic to bombard the ip 192.121.121.30 to give them a bit of their own medicine... ha ha....
Re: Peerblock detecting something odd
February 22, 2011 07:27PM
Sounds like a tracker used to torrent pirated stuff.
[tracker.istole.it]
udp://tracker.istole.it:80/announce
PeerBlock does NOT support copyright infringement, and can NOT guarantee 100% protection. [www.peerblock.com]


Also,
Originally posted by mmmmmooooo - [forums.peerblock.com]
> I used loic to bombard the ip 192.121.121.30 to give them a bit of their own medicine... ha ha....

If I recall correctly, this is classified as a DoS ( Denial of Service ) Attack, and those are illegal depending on where you live.



Edited 1 time(s). Last edit at 02/23/2011 01:44AM by ineedalifetoday.
Re: Peerblock detecting something odd
June 20, 2011 11:47AM
Solution / Fix

192.121.121.30 a.k.a. (Kungliga Tekniska Hogskolan) looked to be Port Scanning me and I'm somewhere near 54000+ at the moment.

I was not running uTorrent but when I had a look in the task manager there was a uTorrent process.
I then launched a second uTorrent and received the expected uTorrent error of there being a process running already.
I then task killed the remaining single instance of uTorrent
and at the same time I did this the port scanning stopped immediately.
Looked to be caused by hung software.
 
June 21, 2011 09:00PM
That KTH range was obsolete so I removed it from the Education list.

That tracker is a popular open tracker so I whitelisted it. Being an open tracker,
it is used for all purposes, many of which are definitely legal, so don't mess with it.
Re: Peerblock detecting something odd
July 01, 2011 10:22AM
I had the same experience as MrCyberdude. Utorrent process was still running even though I had shut the program down. I found the problem to be the istole.it tracker so deleted it. However every time I boot up my PC and start Utorrent the istole.it tracker has reappeared in the list of trackers. I cannot permanently delete it.