Inbound traffic from a specific domain appears to be unblockable


22 replies to this topic

#16 0lds0d


Posted 07 March 2024 - 12:19 AM

For using an online free scanner try this (very good) one, https://www.eset.com/ca/home/online-scanner/





#17 TanyaC

  • Topic Starter

Posted 07 March 2024 - 09:25 PM

You really shouldn't be using a hosts file; you're essentially going to stop the internet from working on your computer.

The hosts file is greatly deprecated, as it was primarily used for computers to do name-to-IP and IP-to-hostname lookups prior to the invention of the Domain Name System, and it does not block incoming requests at all.

What is it that you are trying to do and prevent from happening?

There are many opinions on the use of the hosts file. Many see it as essential, even critical. Some, such as yourself, see it as redundant. Given my limited knowledge, which experts should I follow? I respect your views, of course. It's like the opinions on whether to use 0.0.0.0 or 127.0.0.1 in the hosts file. Some say one is correct, others say the other one is correct.

 

With the hosts file? Block outbound access to malicious websites, services and domains. If an entry is present then I see it as malicious. I am aware it doesn't work for inbound connections.

 

Right now? Find out why I am getting connections from suspicious websites that are making persistent inbound connections.

 

The issue presents when I run OpenVPN versions 2.6.6 or 2.6.9 and am connected to a VPN server.

I suspect this issue has been around for a very long time and the only reason I noticed it is because my ISP is claiming I am uploading 20GB of data a day. That's just not possible unless something malevolent is active in my system.

 

When connected I see a connection from naj.sk to port 25360 or 25240, depending on what VPN server I connect to.

Interestingly, the OpenVPN configuration specifies a port offset of 25340.

 

netstat -ab shows a connection to Thunderbird on port 25340/25360 on the remote address, and OpenVPN on 25340/25360 on the local address.

 

If I disconnect from the server leaving Thunderbird and OpenVPN running the connection is closed.

Microsoft Windows [Version 10.0.19044.4046]
(c) Microsoft Corporation. All rights reserved.

C:\Users\Tanya>netstat -ab


 [thunderbird.exe]
  TCP    127.0.0.1:1026         www:1025               ESTABLISHED
 [thunderbird.exe]
  TCP    127.0.0.1:1222         www:25360              ESTABLISHED
 [openvpn-gui.exe]
  TCP    127.0.0.1:25360        pipe:0                 LISTENING
 [openvpn.exe]
  TCP    127.0.0.1:25360        www:1222               ESTABLISHED
 [openvpn.exe]
  TCP    192.168.1.2:139        pipe:0                 LISTENING

So, my question is, do I go after OpenVPN, Mozilla or the VPN provider?

 

Or, and perhaps I shouldn't ask this, but might I be on a wild goose chase?


Edited by TanyaC, 07 March 2024 - 09:31 PM.


#18 cryptodan


Posted 07 March 2024 - 09:40 PM

Well, when you make DNS queries this is the process:

hosts > lmhosts > DNS cache > ISP DNS server > root DNS server

Then coming back it's reversed, but stops at lmhosts.

If you wanna block something, set up Pi-hole and stop using the deprecated way you are doing it.

Google, Bing, Netflix, and some others are not malicious.

Also, can you run

netstat -ano

and share the result connected to OpenVPN and without.

US Navy Veteran from 2002 to 2006

Masters in Computer and Digital Forensics Expert - Stevenson University Alumni 2015

Arch Desktop - https://termbin.com/epij

Arch Laptop - https://www.termbin.com/dnwk

Ubuntu Server - https://termbin.com/zvra


#19 TanyaC

  • Topic Starter

Posted 07 March 2024 - 10:21 PM

Well, when you make DNS queries this is the process:

hosts > lmhosts > DNS cache > ISP DNS server > root DNS server

Then coming back it's reversed, but stops at lmhosts.

If you wanna block something, set up Pi-hole and stop using the deprecated way you are doing it.

Google, Bing, Netflix, and some others are not malicious.

Also, can you run

netstat -ano

and share the result connected to OpenVPN and without.

 

Can we please leave the DNS side of things until later. I meant no offense, quite the opposite. And I certainly appreciate you steering me in the right direction.

 

Google, Bing, Netflix, Intel and Microsoft are all extremely malicious and/or untrustworthy in my opinion. As are ALL social networking sites, and anything that requires a cell phone to register (Telegram and Signal, for example). This is my opinion and we are all entitled to that. I'm happy never having used social networking, and I don't find a lack of access to Google or Bing to be a limitation. I don't and will never voluntarily own a cell phone, and I never consume any fictional content. Non-fiction books and documentaries only. I'm happy living my life that way. Each to his or her own.

 

And, as I said, I respect your views.

 

Anyway, sticking to the issue at hand:

 

Connected:

Microsoft Windows [Version 10.0.19044.4046]
(c) Microsoft Corporation. All rights reserved.

C:\Users\Tanya>netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       868
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1024           0.0.0.0:0              LISTENING       568
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       624
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       972
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       1400
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       1308
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       3068
  TCP    10.8.0.12:139          0.0.0.0:0              LISTENING       4
  TCP    10.8.0.12:1336         104.20.60.209:443      ESTABLISHED     888
  TCP    10.8.0.12:1346         34.107.243.93:443      ESTABLISHED     888
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     5200
  TCP    127.0.0.1:1026         127.0.0.1:1025         ESTABLISHED     5200
  TCP    127.0.0.1:1224         127.0.0.1:25340        ESTABLISHED     3700
  TCP    127.0.0.1:1230         127.0.0.1:1231         ESTABLISHED     888
  TCP    127.0.0.1:1231         127.0.0.1:1230         ESTABLISHED     888
  TCP    127.0.0.1:1232         127.0.0.1:1233         ESTABLISHED     1940
  TCP    127.0.0.1:1233         127.0.0.1:1232         ESTABLISHED     1940
  TCP    127.0.0.1:1234         127.0.0.1:1235         ESTABLISHED     3964
  TCP    127.0.0.1:1235         127.0.0.1:1234         ESTABLISHED     3964
  TCP    127.0.0.1:1236         127.0.0.1:1237         ESTABLISHED     4260
  TCP    127.0.0.1:1237         127.0.0.1:1236         ESTABLISHED     4260
  TCP    127.0.0.1:1242         127.0.0.1:1243         ESTABLISHED     2720
  TCP    127.0.0.1:1243         127.0.0.1:1242         ESTABLISHED     2720
  TCP    127.0.0.1:25340        0.0.0.0:0              LISTENING       5064
  TCP    127.0.0.1:25340        127.0.0.1:1224         ESTABLISHED     5064
  TCP    192.168.1.2:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.2:1043       192.168.1.1:445        ESTABLISHED     4
  TCP    [::]:135               [::]:0                 LISTENING       868
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:1024              [::]:0                 LISTENING       568
  TCP    [::]:5357              [::]:0                 LISTENING       4
  TCP    [::]:49664             [::]:0                 LISTENING       624
  TCP    [::]:49665             [::]:0                 LISTENING       972
  TCP    [::]:49666             [::]:0                 LISTENING       1400
  TCP    [::]:49667             [::]:0                 LISTENING       1308
  TCP    [::]:49668             [::]:0                 LISTENING       3068
  UDP    0.0.0.0:3702           *:*                                    3500
  UDP    0.0.0.0:3702           *:*                                    3500
  UDP    0.0.0.0:5353           *:*                                    2788
  UDP    0.0.0.0:49664          *:*                                    3500
  UDP    0.0.0.0:57552          *:*                                    5064
  UDP    10.8.0.12:137          *:*                                    4
  UDP    10.8.0.12:138          *:*                                    4
  UDP    192.168.1.2:137        *:*                                    4
  UDP    192.168.1.2:138        *:*                                    4
  UDP    [::]:3702              *:*                                    3500
  UDP    [::]:3702              *:*                                    3500
  UDP    [::]:49665             *:*                                    3500

 

Disconnected:

C:\Users\Tanya>netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       868
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1024           0.0.0.0:0              LISTENING       568
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       624
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       972
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       1400
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       1308
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       3068
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     5200
  TCP    127.0.0.1:1026         127.0.0.1:1025         ESTABLISHED     5200
  TCP    127.0.0.1:1230         127.0.0.1:1231         ESTABLISHED     888
  TCP    127.0.0.1:1231         127.0.0.1:1230         ESTABLISHED     888
  TCP    127.0.0.1:1232         127.0.0.1:1233         ESTABLISHED     1940
  TCP    127.0.0.1:1233         127.0.0.1:1232         ESTABLISHED     1940
  TCP    127.0.0.1:1234         127.0.0.1:1235         ESTABLISHED     3964
  TCP    127.0.0.1:1235         127.0.0.1:1234         ESTABLISHED     3964
  TCP    127.0.0.1:1236         127.0.0.1:1237         ESTABLISHED     4260
  TCP    127.0.0.1:1237         127.0.0.1:1236         ESTABLISHED     4260
  TCP    127.0.0.1:1242         127.0.0.1:1243         ESTABLISHED     2720
  TCP    127.0.0.1:1243         127.0.0.1:1242         ESTABLISHED     2720
  TCP    192.168.1.2:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.2:1043       192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.2:1348       34.107.243.93:443      ESTABLISHED     888
  TCP    192.168.1.2:1349       104.20.59.209:443      ESTABLISHED     888
  TCP    [::]:135               [::]:0                 LISTENING       868
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:1024              [::]:0                 LISTENING       568
  TCP    [::]:5357              [::]:0                 LISTENING       4
  TCP    [::]:49664             [::]:0                 LISTENING       624
  TCP    [::]:49665             [::]:0                 LISTENING       972
  TCP    [::]:49666             [::]:0                 LISTENING       1400
  TCP    [::]:49667             [::]:0                 LISTENING       1308
  TCP    [::]:49668             [::]:0                 LISTENING       3068
  UDP    0.0.0.0:3702           *:*                                    3500
  UDP    0.0.0.0:3702           *:*                                    3500
  UDP    0.0.0.0:5353           *:*                                    2788
  UDP    0.0.0.0:49664          *:*                                    3500
  UDP    192.168.1.2:137        *:*                                    4
  UDP    192.168.1.2:138        *:*                                    4
  UDP    [::]:3702              *:*                                    3500
  UDP    [::]:3702              *:*                                    3500
  UDP    [::]:49665             *:*                                    3500

 

Anyway, I'm about to reinstall Windows again to get back to another fresh start; I won't be able to respond again until tomorrow.
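
The two netstat -ano captures in this post, together with the hosts-file discussion in post #17, can be checked mechanically. Two things stand out in the "Connected" capture: port 25340 appears only on 127.0.0.1, with PID 3700 on one end and PID 5064 (which also holds the LISTENING socket) on the other, so nothing off the host can be on the far end of that socket; and the earlier netstat -ab run in post #17 has no -n, so it replaces addresses with names, and on Windows that lookup consults the hosts file. A hosts file that maps a blocklisted domain to 127.0.0.1 is therefore one mechanism that would make a resolving netstat print that domain in place of 127.0.0.1. Whether that is what happened here is not established by the thread, which never shows the hosts file. The Python below is an added example, not code from the thread, from OpenVPN or from Thunderbird: it parses rows copied from the two captures, classifies each peer by scope, reports which external endpoints appear only when the tunnel is up, and runs the loopback rows through a constructed, hypothetical hosts file to show the name substitution. The 10.8.0.0/24 tunnel subnet is an assumption inferred from the 10.8.0.12 address in the capture; the hosts-file contents are invented for the demonstration.

```python
"""Added example (not from the thread): classify the netstat rows quoted above
and show how a hosts file that sinkholes names to 127.0.0.1 can make a
name-resolving netstat (the -ab run, which lacks -n) print one of those names
for a loopback peer.  The hosts file below is hypothetical; the thread never
shows the poster's actual file."""
import ipaddress
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto laddr lport faddr fport state pid")
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

# Subsets of the two netstat -ano captures in the post (rows copied verbatim).
NETSTAT_CONNECTED = """
  TCP    10.8.0.12:1336         104.20.60.209:443      ESTABLISHED     888
  TCP    127.0.0.1:1224         127.0.0.1:25340        ESTABLISHED     3700
  TCP    127.0.0.1:25340        0.0.0.0:0              LISTENING       5064
  TCP    127.0.0.1:25340        127.0.0.1:1224         ESTABLISHED     5064
  TCP    192.168.1.2:1043       192.168.1.1:445        ESTABLISHED     4
  UDP    0.0.0.0:57552          *:*                                    5064
"""
NETSTAT_DISCONNECTED = """
  TCP    192.168.1.2:1043       192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.2:1348       34.107.243.93:443      ESTABLISHED     888
"""

def split_endpoint(ep):
    host, port = ep.rsplit(":", 1)          # '[::]:135' -> ('::', '135')
    return host.strip("[]"), port

def parse_netstat(text):
    """Parse 'netstat -ano' rows; header and blank lines simply fail the regex."""
    conns = []
    for m in filter(None, map(ROW.match, text.splitlines())):
        proto, local, foreign, state, pid = m.groups()
        conns.append(Conn(proto, *split_endpoint(local), *split_endpoint(foreign), state, int(pid)))
    return conns

# Assumption: tunnel subnet 10.8.0.0/24, inferred from the 10.8.0.12 address in
# the post; take it from the real profile's ifconfig/route lines instead.
VPN_TUNNEL = ipaddress.ip_network("10.8.0.0/24")

def scope(addr):
    """wildcard | loopback | vpn-tunnel | lan | external."""
    if addr in ("*", "0.0.0.0", "::"):
        return "wildcard"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.version == 4 and ip in VPN_TUNNEL:
        return "vpn-tunnel"
    return "lan" if ip.is_private else "external"

def port_is_loopback_only(conns, port):
    """True when every socket on `port` is bound to loopback and any peer it
    has is loopback too, i.e. nothing off-host can be on the other end."""
    rows = [c for c in conns if port in (c.lport, c.fport)]
    return bool(rows) and all(scope(c.laddr) == "loopback"
                              and scope(c.faddr) in ("loopback", "wildcard") for c in rows)

def new_peers(before, after):
    """Off-host endpoints (addr, port, pid) that appear only in the `after` capture."""
    seen = {(c.faddr, c.fport) for c in before}
    return sorted((c.faddr, c.fport, c.pid) for c in after
                  if (c.faddr, c.fport) not in seen and scope(c.faddr) == "external")

# Constructed hosts file, NOT the poster's.  As in a stock Windows 10 hosts file
# the localhost line is commented out (the DNS client resolves it internally),
# so the first 127.0.0.1 entry is a blocklisted name.
HOSTS_FILE = """
# 127.0.0.1 localhost
127.0.0.1 naj.sk
0.0.0.0   ads.example
"""

def parse_hosts(text):
    """Return (name -> ip) and (ip -> first listed name) maps."""
    forward, reverse = {}, {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then tokenize
        for name in fields[1:]:
            forward[name] = fields[0]
            reverse.setdefault(fields[0], name)  # which name wins is resolver-specific
    return forward, reverse

def sinkhole_entries(forward):
    """Blocklisted names: 0.0.0.0 fails fast, 127.0.0.1 hits whatever listens on loopback."""
    return sorted(n for n, ip in forward.items() if ip in ("0.0.0.0", "127.0.0.1"))

def render_resolving(conn, reverse):
    """Foreign endpoint as a resolving netstat (no -n) would print it."""
    if scope(conn.faddr) == "wildcard":
        return f"{conn.faddr}:{conn.fport}"
    return f"{reverse.get(conn.faddr, conn.faddr)}:{conn.fport}"
```

Both sinkhole styles debated in post #17 are accepted by sinkhole_entries: an entry pointing at 0.0.0.0 fails immediately because the address is unroutable, while one pointing at 127.0.0.1 connects to whatever happens to be listening on loopback, which is also why the 127.0.0.1 form can surface as apparent local traffic. To get the address-only view that removes the name substitution entirely, run netstat -abno and match its PIDs against tasklist output; new_peers then answers the question cryptodan asked, namely which off-host endpoints exist only while the tunnel is up.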



#20 cryptodan


Posted 07 March 2024 - 10:37 PM

https://forums.openvpn.net/viewtopic.php?t=32334 port 25340

Google, Bing, Netflix, Intel, and others you listed are not social networking sites. They are far from it, and whoever you're listening to or reading about this you need to stop.

You could be preventing access to many sites using Azure, Google Web Services, Amazon, and others.



#21 Dominique1


Posted 08 March 2024 - 12:52 PM

So, my question is, do I go after OpenVPN, Mozilla or the VPN provider?


OpenVPN and Mozilla have nothing to do with this unless they have vulnerabilities, but you'd have to prove it, and alien traffic is not a proof of concept.

It could be an issue with the VPN provider, nothing is impossible, but again, you'd have to prove it.

The most plausible possibility is a Merlin zero-day or malware already in your Windows system or both. You've got to at least isolate these. Searching elsewhere is just wasting time.



#22 TanyaC

  • Topic Starter

Posted 10 March 2024 - 10:22 PM

https://forums.openvpn.net/viewtopic.php?t=32334 port 25340

Google, Bing, Netflix, Intel, and others you listed are not social networking sites. They are far from it, and whoever you're listening to or reading about this you need to stop.

You could be preventing access to many sites using Azure, Google Web Services, Amazon, and others.

I'm absolutely fine with that. If I've managed to "de-google" my life, even better.

 

I'm quite senior. I don't like or want to use social networking. Most of the people I know have shuffled off this mortal coil. I have absolutely no need of mobile technologies.

I have very simple needs. I don't need access to much, and if I can't access it I could care less. I never watch any streaming services. There is more to life than watching a steaming pile of dung.

 

But like I said, this post is about stopping that inbound traffic. Suggesting I'm foolish, or doing myself some sort of disservice by not using things I don't want to use doesn't help solve the issue at hand.

 

If I don't want to use those services, or websites or whatever, isn't that my choice?

 

All I want is to stop this inbound traffic.

 

The online scanner did not detect anything.

Thanks for the link to openvpn, but it was not relevant to my situation.


Edited by TanyaC, 10 March 2024 - 10:27 PM.


#23 cryptodan


Posted 11 March 2024 - 08:52 AM

It actually is relevant to your issue and post; it provides an explanation of what port 25340 is. It is likely the port which you are using to use OpenVPN services.

Are you still exhibiting the same issue after reinstalling windows?





