Computer contacting wildernesskarnataka.org by itself


Rod Miller

I recently installed a squid transparent proxy on a firewall / gateway on my
small home network (2 computers and the router). I was watching the traffic
monitored by the proxy and noticed that one of my XP Professional computers
contacted www.wildernesskarnataka.org by itself. I was also watching the
computer in question and there was no browser open but I watched the traffic
as it occurred. To my knowledge, nobody in this house has visited that
website until after I saw the traffic go through. I continued to monitor the
traffic and noticed that about 2 hours later, it contacted the same website
again. I have not yet determined what kind of a schedule it is on. I
monitored it all night and this morning and have not noticed it contacting
it again.

After it happened the first time, I ran msconfig and removed several items
in question from the startup and rebooted. It still happened about an hour
after reboot.

I have also run adaware and spybot (with current updates) and have found
nothing of significance.

My big question is how can I find out what program or process is contacting
this website. Is there something I can set up in XP to monitor what programs
are initiating contact to other sites without my consent?

Here is the traffic that my proxy server logged:

484 OPTIONS http://www.wildernesskarnataka.org/ - DIRECT/202.71.129.55 -
1065836905.593 1169 voyager2 TCP_MISS/207 1104 PROPFIND http://www.wildernesskarnataka.org/WL-DOWNLOADS - DIRECT/202.71.129.55 text/xml
1065836907.257 1663 voyager2 TCP_MISS/207 1104 PROPFIND http://www.wildernesskarnataka.org/WL-DOWNLOADS - DIRECT/202.71.129.55 text/xml
1065836937.659 2107 voyager2 TCP_MISS/207 1104 PROPFIND http://www.wildernesskarnataka.org/WL-DOWNLOADS - DIRECT/202.71.129.55 text/xml
1065836938.950 1675 voyager2 TCP_MISS/207 1104 PROPFIND http://www.wildernesskarnataka.org/WL-DOWNLOADS - DIRECT/202.71.129.55 text/xml
1065836939.534 1113 voyager2 TCP_MISS/207 1104 PROPFIND http://www.wildernesskarnataka.org/wl-downloads - DIRECT/202.71.129.55 text/xml
1065836940.642 1106 voyager2 TCP_MISS/207 1104 PROPFIND http://www.wildernesskarnataka.org/wl-downloads - DIRECT/202.71.129.55 text/xml
1065836941.274 592 voyager2 TCP_MISS/404 777 PROPFIND http://www.wildernesskarnataka.org/wl-downloads/Desktop.ini - DIRECT/202.71.129.55 text/html

If anyone has any ideas, I would appreciate it.

Thanks,

Rod Miller
 
Installing a software firewall such as Kerio or ZoneAlarm will tell
which program is attempting to contact the internet.

Dave
 
Dave,

Thanks for the software firewall suggestion. I actually had a copy of Norton
Personal Firewall 2003 that I had uninstalled because it was causing some
other problems. I put it back on and I think I've solved the mystery to some
extent.

The connection to wildernesskarnataka was shown as a Microsoft WebDAV
connection and I think Norton showed the access as coming from the "local
subsystem". I opened up "My network places" and found a connection under
"The Internet" labeled as "WL-Downloads on www.wildernesskarnataka.org".

I think what happened was that my son had a report due at school on the
purpose of zoos. He does not remember going to that site, but the properties
of that connection showed that it was created two days before the file
creation date of his report. I am still puzzled at what he would have done
to create a connection, but I don't think it was anything as sinister as I
was originally thinking it might be. I deleted the connection so the
unauthorized web connections should now quit.

I also found and deleted some old connections to some old sharepoint portal
and team services sites that I had purposely connected to some time back.

Rod Miller
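
Added example, not part of the thread: one way to answer the "what schedule is it on" question from the proxy side is to parse Squid's native access.log, keep only client/host pairs that issued WebDAV-only methods such as the PROPFIND seen above, and group their requests into bursts. The sample log is constructed (host-a, host-b and the example.org/example.net hosts are hypothetical), and the 300-second burst gap is an assumed threshold.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# These methods exist only in WebDAV (RFC 4918). OPTIONS is counted inside a burst
# but never flags a host on its own, because ordinary HTTP clients send it too.
DAV_ONLY = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Squid native log: time elapsed client action/status bytes method URL ident peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+[A-Z_]+/\d{3}\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+\S+\s+\S+\s+\S+$")

# Constructed sample with hypothetical hosts; the first line is truncated on purpose.
SAMPLE_LOG = """\
484 OPTIONS http://dav.example.org/ - DIRECT/192.0.2.10 -
1000000000.100 300 host-a TCP_MISS/200 484 OPTIONS http://dav.example.org/ - DIRECT/192.0.2.10 -
1000000001.200 1169 host-a TCP_MISS/207 1104 PROPFIND http://dav.example.org/SHARE - DIRECT/192.0.2.10 text/xml
1000000002.300 592 host-a TCP_MISS/404 777 PROPFIND http://dav.example.org/share/Desktop.ini - DIRECT/192.0.2.10 text/html
1000000600.000 60 host-b TCP_MISS/200 0 OPTIONS http://api.example.net/v1 - DIRECT/192.0.2.30 -
1000007200.100 1200 host-a TCP_MISS/207 1104 PROPFIND http://dav.example.org/SHARE - DIRECT/192.0.2.10 text/xml
"""

def parse(line):
    """Return (ts, client, method, host), or None for a malformed or truncated line."""
    m = LINE_RE.match(line.strip())
    return m and (float(m["ts"]), m["client"], m["method"], urlsplit(m["url"]).hostname)

def webdav_bursts(text, gap=300.0):
    """Map (client, host) -> [[burst_start, request_count], ...] for WebDAV talkers."""
    seen = defaultdict(list)
    for ts, client, method, host in filter(None, map(parse, text.splitlines())):
        if method in DAV_ONLY | {"OPTIONS"}:
            seen[(client, host)].append((ts, method))
    out = {}
    for pair, reqs in seen.items():
        if not any(m in DAV_ONLY for _, m in reqs):
            continue  # OPTIONS only: not evidence of a WebDAV client
        bursts = out.setdefault(pair, [])
        for ts, _ in sorted(reqs):
            if bursts and ts - last <= gap:
                bursts[-1][1] += 1   # same burst: request arrived within the gap
            else:
                bursts.append([ts, 1])
            last = ts
    return out

def intervals(bursts):  # seconds between consecutive burst starts (the schedule)
    return [round(b[0] - a[0]) for a, b in zip(bursts, bursts[1:])]
```
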
 