Sygate firewall

miskairal

Hi all,
Can someone point me in the direction of a newsgroup that might help to
answer my query below, unless some brainiac can answer it here?

I updated Opera today to v 8.52. I'm on dialup and have been connected
for 2 hours and 45 minutes, using opera during that time, and just got
the following from Sygate which is gobbledegook to me. The mention of
Paypal concerns me as I don't have a paypal account. Any ideas? I chose
No (it asked if I wanted to allow this) and seem to be still able to
open web pages.

The executable has changed since the last time you used: D:\Program Files\Opera\Opera.exe
File Version : 8.52.7721.0
File Description : Opera Internet Browser
File Path : D:\Program Files\Opera\Opera.exe
Process ID : 0x958 (Heximal) 2392 (Decimal)

Connection origin : local initiated
Protocol : TCP
Local Address : 211.29.223.40
Local Port : 2965
Remote Name : www.paypal.com
Remote Address : 64.4.241.32
Remote Port : 443 (HTTPS - HTTP protocol over TLS/SSL)

Ethernet packet details:
Ethernet II (Packet Length: 76)
Destination: 02-00-20-00-02-00
Source: 00-00-02-00-00-00
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 128
Protocol: 0x6 (TCP - Transmission Control Protocol)
Header checksum: 0x1929 (Correct)
Source: 211.29.223.40
Destination: 64.4.241.32
Transmission Control Protocol (TCP)
Source port: 2965
Destination port: 443
Sequence number: 816727245
Acknowledgment number: 0
Header length: 28
Flags:
0... .... = Congestion Window Reduce (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Checksum: 0xe8fc (Correct)
Data (0 Bytes)

Binary dump of the packet:
0000: 02 00 20 00 02 00 00 00 : 02 00 00 00 08 00 45 00 | .. ...........E.
0010: 00 30 EE 43 40 00 80 06 : 29 19 D3 1D DF 28 40 04 | .0.C@...)....(@.
0020: F1 20 0B 95 01 BB 30 AE : 44 CD 00 00 00 00 70 02 | . ....0.D.....p.
0030: 20 00 FC E8 00 00 02 04 : 05 B4 01 01 04 02 70 61 | .............pa
0040: 6C 03 63 6F 6D 00 00 01 : 00 01 63 61 | l.com.....ca
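The alert above is, as the poster says, hard to read, but the binary dump at the bottom contains everything the alert claims and lets a reader check it. The following is an added example, not code from the thread or from Sygate: a small Python parser that decodes the Ethernet II, IPv4 and TCP headers from the dump, recomputes both Internet checksums over the wire bytes, decodes the TCP options, and separates the bytes that sit beyond the IP total length from the datagram itself. The only input is the dump copied from the alert (embedded below as a constructed string); the header layouts are the standard ones and no Sygate-specific format is assumed beyond the offset / hex / ASCII columns visible above.

```python
"""Decode a Sygate-style binary packet dump and re-check the alert's fields.

Added example for the thread, not Sygate code.  Parses Ethernet II / IPv4 / TCP
from the raw bytes and verifies the header checksums the alert reports.
"""
import struct

# Constructed input: the dump copied from the alert quoted in the thread.
SYGATE_DUMP = """\
0000: 02 00 20 00 02 00 00 00 : 02 00 00 00 08 00 45 00 | .. ...........E.
0010: 00 30 EE 43 40 00 80 06 : 29 19 D3 1D DF 28 40 04 | .0.C@...)....(@.
0020: F1 20 0B 95 01 BB 30 AE : 44 CD 00 00 00 00 70 02 | . ....0.D.....p.
0030: 20 00 FC E8 00 00 02 04 : 05 B4 01 01 04 02 70 61 | .............pa
0040: 6C 03 63 6F 6D 00 00 01 : 00 01 63 61 | l.com.....ca
"""

TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]  # bit 0..7


def dump_to_bytes(dump):
    """Strip the offset column, the ':' group separator and the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        hex_part = line.split("|", 1)[0].split(":", 1)[1]
        out.extend(int(tok, 16) for tok in hex_part.replace(":", " ").split())
    return bytes(out)


def inet_checksum(data):
    """RFC 1071 one's-complement checksum.  A header that still contains its
    own checksum field sums to 0 when it is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_tcp_options(opts):
    """Return (kind, payload) tuples; NOP has no length byte, kind 0 ends the list."""
    parsed, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:
            parsed.append((1, b""))
            i += 1
            continue
        length = opts[i + 1]
        parsed.append((kind, opts[i + 2:i + length]))
        i += length
    return parsed


def parse_frame(frame):
    """Decode Ethernet II -> IPv4 -> TCP and report the fields an alert shows."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    ttl, proto = ip[8], ip[9]
    if proto != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]                    # only bytes the IP length covers
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    data_off = (tcp[12] >> 4) * 4
    flags = tcp[13]
    # TCP checksum covers a pseudo-header: src, dst, zero, protocol, TCP length.
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, len(tcp))
    options = parse_tcp_options(tcp[20:data_off])
    mss = next((struct.unpack("!H", p)[0] for k, p in options if k == 2), None)
    return {
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "ttl": ttl,
        "ip_checksum_field": struct.unpack("!H", ip[10:12])[0],
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "tcp_header_len": data_off,
        "flags": [name for bit, name in enumerate(TCP_FLAGS) if flags & (1 << bit)],
        "window": struct.unpack("!H", tcp[14:16])[0],
        "tcp_checksum_ok": inet_checksum(pseudo + tcp) == 0,
        "mss": mss,
        "payload_len": len(tcp) - data_off,
        # Anything past the IP total length is not part of the datagram.
        "trailing": frame[14 + total_len:],
    }


def analyse_dump(dump):
    return parse_frame(dump_to_bytes(dump))


if __name__ == "__main__":
    for key, value in analyse_dump(SYGATE_DUMP).items():
        print(f"{key:18} {value!r}")
```

Running it confirms the alert line by line: source 211.29.223.40:2965 to 64.4.241.32:443, TTL 128, a 28-byte TCP header with only SYN set, sequence number 816727245, no payload, MSS 1460. Two things the decode shows that the alert text does not: the IP checksum on the wire is the bytes `29 19` (the alert prints it byte-swapped as 0x1929) and both header checksums verify as intact; and the 76-byte frame carries 14 bytes beyond the 48-byte IP datagram, which is where the "pal.com" text in the ASCII column comes from. Those trailing bytes are outside the packet (the SYN carries 0 data bytes) and their layout, a length-prefixed `03 63 6F 6D` label followed by `00 01 00 01`, resembles the tail of a DNS question for a name ending in ".com" (type A, class IN), not anything sent to the remote host. The connection itself goes exactly where the IP header says.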
 
MyName

Hi all,
Can someone point me in the direction of a newsgroup that
might help to answer my query below, unless some brainiac
can answer it here?

I updated Opera today to v 8.52. I'm on dialup and have
been connected for 2 hours and 45 minutes, using opera
during that time, and just got the following from Sygate
which is gobbledegook to me. The mention of Paypal concerns
me as I don't have a paypal account. Any ideas? I chose No
(it asked if I wanted to allow this) and seem to be still
able to open web pages.

The executable has changed since the last time you used: D:\Program Files\Opera\Opera.exe
File Version : 8.52.7721.0
File Description : Opera Internet Browser
File Path : D:\Program Files\Opera\Opera.exe
Process ID : 0x958 (Heximal) 2392 (Decimal)

Connection origin : local initiated
Protocol : TCP
Local Address : 211.29.223.40
Local Port : 2965
Remote Name : www.paypal.com
Remote Address : 64.4.241.32
Remote Port : 443 (HTTPS - HTTP protocol over TLS/SSL)

<snip>

I feel like Larry King: "What's the Question"
Is it: "Any ideas?"
 
miskairal

MyName said:
<snip>

I feel like Larry King: "What's the Question"
Is it: "Any ideas?"

Haha, sorry.
Yes. Is this a safe thing or not? Why was paypal mentioned? What is it
asking me?
 
chrissy

"miskairal" asked
Can someone point me in the direction of a newsgroup that might help to
answer my query below, unless some brainiac can answer it here?

try comp.security.misc

or

grc.security.software ( news.grc.com )
 
Art

Hi all,
Can someone point me in the direction of a newsgroup that might help to
answer my query below, unless some brainiac can answer it here?

I updated Opera today to v 8.52. I'm on dialup and have been connected
for 2 hours and 45 minutes, using opera during that time, and just got
the following from Sygate which is gobbledegook to me. The mention of
Paypal concerns me as I don't have a paypal account. Any ideas? I chose
No (it asked if I wanted to allow this) and seem to be still able to
open web pages.

The executable has changed since the last time you used: D:\Program Files\Opera\Opera.exe
File Version : 8.52.7721.0
File Description : Opera Internet Browser
File Path : D:\Program Files\Opera\Opera.exe
Process ID : 0x958 (Heximal) 2392 (Decimal)

This alert was to be expected, of course, since you upgraded to a new
version .... and it has nothing to do with your mystery so far as I
can see.
Connection origin : local initiated
Protocol : TCP
Local Address : 211.29.223.40
Local Port : 2965
Remote Name : www.paypal.com
Remote Address : 64.4.241.32
Remote Port : 443 (HTTPS - HTTP protocol over TLS/SSL)

A secure remote server, no less :) The remote address is indeed
Paypal. Doesn't your traffic log tell you which app or what the source
of the callout attempt was/is? The "local initiated" connection origin
doesn't tell me much. There are tools such as SysInternal's TCP View:

http://www.sysinternals.com/Utilities/TcpView.html

which are helpful in tracking down the source.

I've tried to speculate on the idea of known malware connected
with PayPal spoofs and DNS confusion, but since the callout endpoint
IP address is PayPal and not some spoofed endpoint address
(apparently) it's a mystery to me as well. I suppose you've scanned
your drive(s) with good up to date antivirus and antispyware products?

Insofar as newsgroups go, it's hard to say whether a firewall or
general security group would be any better than the virus newsgroups
I haunt. Try posting on alt.comp.virus and alt.comp.anti-virus.
There are experts there who have knowledge of malware, networking
and general security.

Art
http://home.epix.net/~artnpeg
 
Slarty

Hi all,
Can someone point me in the direction of a newsgroup that might help to
answer my query below, unless some brainiac can answer it here?
Connection origin : local initiated
Protocol : TCP
Local Address : 211.29.223.40
Local Port : 2965

If that's your IP, and it would seem so from your headers, then you may be
interested in this.

================================================
Here is the result of your query:

211.29.223.40 is listed in dynablock.njabl.org.

211.29.223.40 resolves to marax3-040.dialup.optusnet.com.au

================================================

I've no idea if there's a connection.

Cheers,

Roy
 
miskairal

Art said:
This alert was to be expected, of course, since you upgraded to a new
version .... and it has nothing to do with your mystery so far as I
can see.
Exactly, but almost 3 hours after I started using the programme seems a bit
ridiculous?
A secure remote server, no less :) The remote address is indeed
Paypal. Doesn't your traffic log tell you which app or what the source
of the callout attempt was/is? The "local initiated" connection origin
doesn't tell me much. There are tools such as SysInternal's TCP View:

http://www.sysinternals.com/Utilities/TcpView.html

which are helpful in tracking down the source.

Well, I think it was trying to tell me the app was Opera but I'm afraid I
don't much understand all this stuff. I was opening gmail when this
popped up, but after clicking no I was unable to get into gmail - I got
a server error message. This morning I've tried again to get into gmail
and got the same popup with one difference that I noticed. It says
google instead of paypal...
Local Port : 3581
Remote Name : www.google.com
Remote Address : 66.102.7.99
Remote Port : 443 (HTTPS - HTTP protocol over TLS/SSL)
I've tried to speculate on the idea of known malware connected
with PayPal spoofs and DNS confusion, but since the callout endpoint
IP address is PayPal and not some spoofed endpoint address
(apparently) it's a mystery to me as well. I suppose you've scanned
your drive(s) with good up to date antivirus and antispyware products?

Yes

Insofar as newsgroups go, it's hard to say whether a firewall or
general security group would be any better than the virus newsgroups
I haunt. Try posting on alt.comp.virus and alt.comp.anti-virus.
There are experts there who have knowledge of malware, networking
and general security.
Thanks. I did a brief look at the groups provided by my ISP but there
are so many and I know from past experience you can spend hours finding
a group that isn't just spam and porn.
 
Art

Well, I think it was trying to tell me the app was Opera but I'm afraid I
don't much understand all this stuff. I was opening gmail when this
popped up, but after clicking no I was unable to get into gmail - I got
a server error message. This morning I've tried again to get into gmail
and got the same popup with one difference that I noticed. It says
google instead of paypal...
Local Port : 3581
Remote Name : www.google.com
Remote Address : 66.102.7.99

That's Google all right.

Dump gmail :)

Art
http://home.epix.net/~artnpeg
 
Weezel

Paranoia Strikes Deep, Into Your Life
It will creep if you pay too much attention
to your computer's security profile and
keep eyeballing every little thing that
Sygate does.

weezel
 
miskairal

I only use it for forum registrations and to have large emails sent to
so I can download them when it suits me.

Cheers
 