What application is connecting to a remote site?

AdiGri asked:

I can see with Wireshark that every 5 minutes I have a connection from my computer to ip 165.254.162.243 on udp/8253. This has been going for months. I cannot identify what application or process is making this connection. I used Wireshark to capture the traffic and all I can see is this:

User Datagram Protocol, Src Port: 62841, Dst Port: 8253
Data (20 bytes)
Data: a67c010000010000000000000269700000010001
[Length: 20]

followed by a reply from 165.254.162.243:

User Datagram Protocol, Src Port: 8253, Dst Port: 62841
Data (36 bytes)
Data: a67c810000010001000000000269700000010001c00c0001…
[Length: 36]

I tried killing processes and seeing if the traffic stopped without any luck. The IP address seems to be a dynamically assigned one in Englewood, CO.

I am now running a Perl script recording the output of “netstat -a -n -p tcp -b” every 0.1 seconds, hoping to record the culprit. So far no luck; the 0.1 second interval seems to miss the connection (recorded by Wireshark).

Any suggestions on how I can narrow down what application is making these connections?

My answer:

Let us see…

The IP address 165.254.162.243 is on AS14627, which is a company named Vitalwerks. WHOIS tells me that they have the entire /24.

A brief look at Google tells me Vitalwerks is the business name of NoIP.com, a dynamic DNS provider.

Have you installed a dynamic DNS update tool, or any other software, from this company? If so, you’ll likely find it is the source.

If you have not, then you may find the source is malware. A few years ago, you may recall, Microsoft got a US federal court to authorize an extremely overbroad seizure of noip.com’s domains in order to stop a botnet that was using some subdomains.
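Added here as a worked example, not part of the original question or answer: the two UDP payloads quoted in the question are well-formed DNS wire format (RFC 1035), and decoding them shows a type A, class IN query for the name `ip` with a matching one-answer response, which fits the answer's identification of the destination as a dynamic DNS provider. The 36-byte reply is only partly quoted in the question, so the decoder reports it as truncated rather than guessing the missing bytes.

```python
"""Decode the captured UDP payloads as DNS messages (RFC 1035 wire format)."""
import struct

# Hex copied from the Wireshark output in the question (reply is only partly shown)
QUERY_HEX = "a67c010000010000000000000269700000010001"
REPLY_PREFIX_HEX = "a67c810000010001000000000269700000010001c00c0001"


def read_name(buf, off):
    """Read a DNS name at buf[off], following compression pointers (RFC 1035 4.1.4)."""
    labels, jumped, end = [], False, off
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer with a 14-bit offset
            ptr = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2  # resume after the pointer, not after the target
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) or ".", (end if jumped else off)


def decode_dns(payload):
    """Return header fields, the question section and any complete answer RRs."""
    if len(payload) < 12:
        raise ValueError("payload shorter than a DNS header")
    tid, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", payload, 0)
    msg = {"id": tid, "is_response": bool(flags & 0x8000),
           "rcode": flags & 0xF, "questions": [], "answers": [], "truncated": False}
    off = 12
    for _ in range(qd):
        name, off = read_name(payload, off)
        qtype, qclass = struct.unpack_from("!HH", payload, off)
        off += 4
        msg["questions"].append((name, qtype, qclass))
    for _ in range(an):
        try:  # the capture in the question stops mid-answer; report, don't guess
            name, off = read_name(payload, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", payload, off)
            off += 10
            msg["answers"].append((name, rtype, rclass, ttl, payload[off:off + rdlen].hex()))
            off += rdlen
        except (struct.error, IndexError):
            msg["truncated"] = True
            break
    return msg


if __name__ == "__main__":
    print(decode_dns(bytes.fromhex(QUERY_HEX)))
    print(decode_dns(bytes.fromhex(REPLY_PREFIX_HEX)))
```

Type 1 is an A record and class 1 is IN, so the client is asking the remote host to resolve the name `ip`; a process-to-socket mapping (rather than polling netstat for TCP only) is still needed to name the sender.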


View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.