gogregor6
join:2002-09-26
Bethlehem, PA

gogregor6

Member

persistent connection to qw-in-f113.1e100.net on boot

I've recently noticed a TCP (port 1030-1033) connection (netstat -a) to the addr qw-in-f113.1e100.net (74.125.93.113) right after boot and before starting any applications. ARIN reports this is a Google addr, and Google reports this is a mail server. I've run SpyBot and AVG anti-vir apps and found nothing. I see a Google update service when checking installed services, but it is not started? Any ideas?

thanx!
greg
dsilvers
join:2009-05-17
Canyon Lake, TX

dsilvers

Member

Run TCPView to see what process (PID) has that connection open. If it is svchost.exe use Process Explorer, right click on the PID > Properties > TCP/IP will tell you where it's connecting and the Services tab will tell you everything that svchost is running. It's probably harmless but does seem odd.

»technet.microsoft.com/en ··· 027.aspx

Looks like it might pertain to google-anatalitic.com

»www.robtex.com/dns/www.g ··· com.html
nonymous (banned)
join:2003-09-08
Glendale, AZ

nonymous (banned) to gogregor6

Member

to gogregor6
Yes it is Google something.
redwolfe_98
Premium Member
join:2001-06-11

1 edit

redwolfe_98 to gogregor6

Premium Member

to gogregor6
I think that there might be something fishy going on..

When I look up the IP address for "www.gmer.net" at "samspade", samspade shows the IP address as being "74.125.53.121", which is "google", and, further, "samspade" shows IP address 74.125.53.121 as being "pw-in-f121.1e100.net"..

If I look up the IP address for "www.gmer.net" at "hpHosts", here is what it shows:

Host: www.gmer.net ( H )
Current IP*: 74.125.77.121 ( 24 H )
IP PTR: ew-in-f121.1e100.net
ASN: 15169 74.125.76.0/23 GOOGLE - Google Inc.

When I actually go to "www.gmer.net", using my computer, the IP address that I get is "85.128.230.45".. so why do "samspade" and "hpHosts" show a different IP address for "www.gmer.net", both relating to "1e100.net", which gogregor6 mentioned in the original post?

gogregor6, how did you manage to notice that your computer was "phoning home" to "qw-in-f113.1e100.net"?
gogregor6
join:2002-09-26
Bethlehem, PA

gogregor6

Member

Redwolf, I have an older desktop that was running very slow. Did the usual check for spyware, etc. and found nothing. Just a guess - did a netstat -a to check connections right after boot and the google addr showed up. I'm mostly just a blind chicken who finds some corn once in a while! Thanks!
dsilvers
join:2009-05-17
Canyon Lake, TX

dsilvers to gogregor6

Member

to gogregor6
Google Analytics is everywhere. Even DSLR uses it. You can safely add these to your hosts file and your connection will appear as localhost.

127.0.0.1 google-analytics.com
127.0.0.1 ssl.google-analytics.com
127.0.0.1 googlesyndication.com
127.0.0.1 sb.google.com
127.0.0.1 pagead2.googlesyndication.com
127.0.0.1 pagead.googlesyndication.com
127.0.0.1 www.google-analytics.com/urchin.js
127.0.0.1 eh-in-f191.google.com
127.0.0.1 www.google-analytics.com
127.0.0.1 sb.google.com

Add five spaces between 127.0.0.1 and the URL. I could not get it to display correctly. There are probably others that can be added. If you are running any Google applications (Google Toolbar, Gmail, etc.) they may be taking you there at start up. Google Analytics is largely harmless but the crap that tracks you today is unbelievable.

Another solution is Firefox with NoScript and Adblock Plus. Highly recommended. Google Analytics is a privacy issue and not a malware issue.
gogregor6
join:2002-09-26
Bethlehem, PA

gogregor6

Member

I cannot query this process (PID 0) using TCPView; tcpvcon returns the following:

C:\Documents and Settings\Owner\My Documents\Install>tcpvcon

TCPView v2.54 - TCP/UDP endpoint viewer
Copyright (C) 1998-2009 Mark Russinovich
Sysinternals - www.sysinternals.com

[TCP] [System Process]
PID: 0
State: TIME_WAIT
Local: faith.cable.rcn.com:1032
Remote: qw-in-f139.1e100.net:http
dsilvers
join:2009-05-17
Canyon Lake, TX

dsilvers to gogregor6

Member

to gogregor6
Tcpvcon.exe is the command line version of the utility. It looks like you are running it from My Documents. TCPView does connect to the internet and is not a problem. Try running the GUI version, which is Tcpview.exe. Consider running it from somewhere on your root drive, perhaps C:\program files\sysinternals. You can run it from anywhere, so if you are comfortable running an executable from My Documents by all means do so.

Anything that appears as time wait has been closed but because it takes time to properly close the connection Tcpview indicates it is handed off to system 0. That is not exactly correct but as long as you understand the connection is closed and waiting to finish you should still be able to right click the connection > properties > and get the path to the executable if you do it before it completely closes out. Sometimes there will be more than one time wait and it will be a WAG to determine the correct one. Click on view > update speed > 5 seconds. This gives you five seconds to find the correct closed wait. The default is one second.

If your connection happens really early in the boot sequence it may not be possible to capture the path because it may already be completely closed out. If that is happening you might try putting Tcpview in your start up folder so it comes up with your boot.

You appear to be using a third party firewall. Are there any logs that might help explain what is using this connection? Some firewalls allow you to establish different levels of logging. Is that an option for you? What is the exact name of the google service you have installed? Have you tried setting the service to disable, not manual but disable? Are there any other google applications installed?

There is no boot logging associated with Tcpview so that is not an option. Process monitor does do boot logging but you really need to set a filter or you will be faced with pages and pages of logs that do not apply to this connection.
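A scripted version of the triage dsilvers describes, added here as an example (not code from the thread or from Sysinternals): it parses `netstat -ano` and `tasklist /fo csv` output, attributes each connection to the suspicious peer to an image name, and reports the case where the socket is already in TIME_WAIT and netstat charges it to PID 0, so no owner can be recovered. Both command outputs and the image names are constructed sample data.

```python
import csv
import io
import re

# Constructed sample of `netstat -ano` output (not a real capture).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       928
  TCP    192.168.1.5:1032       74.125.93.113:80       TIME_WAIT       0
  TCP    192.168.1.5:1033       74.125.93.113:80       ESTABLISHED     1844
  TCP    192.168.1.5:1040       85.128.230.45:80       ESTABLISHED     2212
  UDP    0.0.0.0:500            *:*                                    712
"""

# Constructed sample of `tasklist /fo csv` output; the image names are
# placeholders, not a claim about which program owns the real connection.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","928","Console","0","4,512 K"
"GoogleToolbarNotifier.exe","1844","Console","0","3,104 K"
"firefox.exe","2212","Console","0","61,220 K"
"""

# Proto, local, foreign, optional state (UDP lines have none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Return one dict per endpoint line; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "remote": remote,
                         "state": state or "", "pid": int(pid)})
    return rows

def pid_to_image(text):
    """Map PID -> image name from tasklist's CSV output."""
    return {int(r["PID"]): r["Image Name"]
            for r in csv.DictReader(io.StringIO(text))}

def triage(netstat_text, tasklist_text, remote_ip):
    """Connections to remote_ip as (local, state, pid, owner-or-reason)."""
    images = pid_to_image(tasklist_text)
    findings = []
    for c in parse_netstat(netstat_text):
        if c["remote"].rsplit(":", 1)[0] != remote_ip:
            continue
        if c["pid"] == 0:
            # A closed (TIME_WAIT) socket is charged to PID 0; the process
            # that opened it cannot be recovered from this entry alone.
            owner = f"{c['state']}: socket already closed, no owning process"
        else:
            owner = images.get(c["pid"], "unknown image")
        findings.append((c["local"], c["state"], c["pid"], owner))
    return findings
```

Run both commands back to back on the affected box and feed the saved output to `triage`; the ESTABLISHED rows are the ones that can still be attributed.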
gogregor6
join:2002-09-26
Bethlehem, PA

gogregor6

Member

First of all - thank you for a very complete reply! And all the help. I've run both the GUI and command line of TCPView, and from several locations. I've watched the connection go from WAIT to ESTABLISHED, then disappear, then return later. When I right click on the connection in TCPView I always get an error that states it cannot query PROC ID 0. The only Google app I have installed (that I'm aware of) is Google Earth, and that was installed about 3 years ago - this is a relatively new issue. I have some technical background - and this one has me stumped right now. Also - no third party firewall??? What is the indication for that??

thanks again!
greg

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

1 edit

NetFixer

Premium Member

If Google Earth is truly the only Google app that is running on your PC, then Google Earth is a likely source of the connection to qw-in-f113.1e100.net.

That connection is certainly to a Google server as verified by nslookup, whois and by simply putting http://qw-in-f113.1e100.net into a browser address bar.

Since you have already used TCPView, you might also want to try Process Explorer to be absolutely sure that there are no other Google processes running on your PC.
dsilvers
join:2009-05-17
Canyon Lake, TX

dsilvers to gogregor6

Member

to gogregor6
Netfixer is correct.

OK, I just started the latest version 2.54, right clicked on a closed wait and it gave me the path and command line. I am unsure what is happening but your experience is not the usual behavior.

I am living in the dark ages, still running XP. If it's Vista it may need administrator rights. I don't have access to a Vista box right now. I do know that on the Vista box process explorer needs administrative rights to reveal any meaningful information. Try run as administrator, not from a shortcut, right click the actual file > run as. UAC drives me up the wall.

Currports at: »www.nirsoft.net/utils/cp ··· rts.html is often recommended but I have never used it.

You stated, "Also - no third party firewall??? What is the indication for that??" Normally when something calls home the first indication is a firewall alert. Rereading your post I see you stumbled into it with a netstat. My bad. Installing a third party firewall would catch it but they frequently don't clean uninstall.

If it's Vista try run as administrator and see if that works. I don't think this is malicious but it is a good mystery.

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

1 edit

NetFixer

Premium Member

said by dsilvers:

OK, I just started the latest version 2.54, right clicked on a closed wait and it gave me the path and command line. I am unsure what is happening but your experience is not the usual behavior.
That depends on from what process you are attempting to obtain the properties.

A normal application will show its properties, but TCPView will not show the properties for a System process:

dsilvers
join:2009-05-17
Canyon Lake, TX

dsilvers

Member


@netfixer

You are right. I had not noticed that before. Any ideas on how to catch it short of a firewall. I am out of aces.

moo0000
@verizon.net

moo0000 to gogregor6

Anon

to gogregor6
It's Google Notifier most likely.

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

NetFixer to dsilvers

Premium Member

to dsilvers
said by dsilvers:

@netfixer

You are right. I had not noticed that before. Any ideas on how to catch it short of a firewall. I am out of aces.
I already suggested Process Explorer. It sees all and tells all.

If you walk the process trees, you can find out about all active processes including any network sessions.

jashsu
@comcast.net

jashsu to gogregor6

Anon

to gogregor6
1E100 is exponent notation for one googol. Hope that helps explain the url.

jester121
Premium Member
join:2003-08-09
Lake Zurich, IL

jester121 to gogregor6

Premium Member

to gogregor6
Ran into this today, and traced the PID to GoogleToolbarNotifyer.exe.

For some unknown reason, it was using a full T1's worth of bandwidth for the entire day, connecting to ".1e100.net".

It's back to normal so far, I'll do some more monitoring in MRTG and see what happens tomorrow.

Martinus
Premium Member
join:2001-08-06
EU

1 recommendation

Martinus to gogregor6

Premium Member

to gogregor6
This thread shows up as a link in an article at The Register.

Exodus
Your Daddy
Premium Member
join:2001-11-26
Earth

Exodus to gogregor6

Premium Member

to gogregor6
Thanks for the info. Stumbled upon this thread. Was curious myself when I saw these addresses, but never cared to research it.

cyb3rl0g
@comcast.net

cyb3rl0g to gogregor6

Anon

to gogregor6
We started noticing this too early 10/1/09 and started calling it "Big G, Phone Home". Around the same time, we learned that Google (Big G) was buying up enormous amounts of bandwidth on a global scale. This transmission capacity they were buying we figured was Big G building their own separate 'Internet'. We dubbed the new capacity as 'GooglePlanet'. We put Macs, PCs, couple of cell phones, into a controlled test environment and in every single case, each electronic device "AT BOOT" phones home to Big G. We then separated all the devices to different locations and the same result - all devices phoned home to Big G. We concluded that our suspicions that Big G Phone home was indeed establishing a new world 'Google Planet' where everything is run by, connected to, and dependent on Google. Since we're FOSS folks, and we recognize that Google runs on Linux, we didn't see this as necessarily bad. We were happy to see that an open source planet is coming into a new dawn. We did, however, sell all our Microsoft stock shortly thereafter even though Windows XP still has 70% of the world's installed user base. If Big G is making a move to build their own internet, we suspect that soon thereafter, their internet will become THE internet. What if all 'Big G Phone Home Machines' decide they no longer want to talk to Microsoft powered devices? 1e100.net came from out of nowhere to land on the list of the top traffic domains in the country in a few months. Next it could be their OS, or anything else. I would conclude that at the least, Big G is getting to KNOW YOU, getting to know all about you.

AVD
Respice, Adspice, Prospice
Premium Member
join:2003-02-06
Onion, NJ

AVD

Premium Member

said by cyb3rl0g :

We started noticing this too early 10/1/09 and started calling it "Big G, Phone Home". Around the same time, we learned that Google (Big G) was buying up enormous amounts of bandwidth on a global scale. This transmission capacity they were buying we figured was Big G building their own separate 'Internet'. We dubbed the new capacity as 'GooglePlanet'. ...
I like to use the terms GoogleGod and TheGoogleMatrix..
19579823 (banned)
An Awesome Dude
join:2003-08-04

1 edit

19579823 (banned) to gogregor6

Member

to gogregor6
said by dsilvers :
Add five spaces between 127.0.0.1 and the URL.
Not needed, I have mine as 127.0.0.1 xxxxxx and it is fine... (1 space is all that's required)
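A checker for the hosts-file list dsilvers posted earlier and for the spacing point just made, added here as an example (not code from the thread): it splits each line the way the resolver does, on any run of whitespace, so a single space is enough, and flags the two entries in that list a lookup will never match: the URL with a path (`www.google-analytics.com/urchin.js`, since the hosts file holds names, not URLs) and the duplicated `sb.google.com`. The list is reproduced inline as constructed input.

```python
import ipaddress
import re

# dsilvers' list, reproduced as a constructed inline string; the second
# entry is indented with several spaces on purpose to show it parses fine.
HOSTS_BLOCK = """\
127.0.0.1 google-analytics.com
127.0.0.1     ssl.google-analytics.com
127.0.0.1 googlesyndication.com
127.0.0.1 sb.google.com
127.0.0.1 pagead2.googlesyndication.com
127.0.0.1 pagead.googlesyndication.com
127.0.0.1 www.google-analytics.com/urchin.js
127.0.0.1 eh-in-f191.google.com
127.0.0.1 www.google-analytics.com
127.0.0.1 sb.google.com
"""

# One DNS label: letters, digits, hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def valid_hostname(name):
    """True for a bare hostname; a URL, path or scheme fails the label test."""
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))

def check_hosts(text):
    """Parse hosts-file lines and return (accepted, problems).

    accepted maps lowercase hostname -> address; problems lists
    (line number, token, reason) for entries the resolver would never use.
    """
    accepted, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        fields = line.split()      # any run of spaces or tabs separates fields
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            problems.append((lineno, fields[0], "not an IP address"))
            continue
        for token in fields[1:]:
            key = token.lower()
            if not valid_hostname(key):
                problems.append((lineno, token, "not a hostname (URL or path?)"))
            elif key in accepted:
                problems.append((lineno, token, "duplicate entry"))
            else:
                accepted[key] = addr
    return accepted, problems

def lookup(accepted, name):
    """Hosts entries match the exact name only, never its subdomains."""
    return accepted.get(name.lower().rstrip("."))
```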
sbkansas
Actual Example
Premium Member
join:2001-05-10
Hays, KS

1 edit

sbkansas to gogregor6

Premium Member

to gogregor6
Just a little FYI for those that don't know, that is 1e1OO.net (one e one oh oh dot net, not one e one hundred dot net)

Ignore this info, I have been corrected

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

NetFixer

Premium Member

You are correct that there is a 1e1oo.net.

Domain Name: 1E1OO.NET
Registrar: MONIKER
Registrant [1530176]:
Xander Jeduyu info@ALGEBRALIVE.COM
ALGEBRALIVE
P.O. Box 523
7480 Praesent Ave
Praesent Ave
BE
1154AU
BE

However, that is not the domain being discussed in this thread.

Registrant:
DNS Admin
Google Inc.
1600 Amphitheatre Parkway
Mountain View CA 94043
US
dns-admin@google.com +1.6502530000 Fax: +1.6506188571
Domain Name: 1e100.net
Registrar Name: Markmonitor.com
Registrar Whois: whois.markmonitor.com
Registrar Homepage: »www.markmonitor.com
sbkansas
Actual Example
Premium Member
join:2001-05-10
Hays, KS

sbkansas

Premium Member

I believe you are correct, I've been spending some time trying to find out what to block (Blackhole DNS). If I ping 1e100, I get 'Ping request could not find host 1e100.net'; if I ping 1e1oo.net the result is 208.73.210.27 - Oversee.net, not matching your results?

I thought Blackhole DNS would work with 1e100.net, but it wasn't working so that's when I thought it was with the O's (still didn't work)

any advice?

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

1 edit

NetFixer

Premium Member

I am not sure exactly what you are trying to do, so I am not able to provide any advice.

I think, however, that you may not understand the difference between a domain name and a host name. A domain name is the registered name for a domain, and a domain may contain many subdomains and host names. The domain name itself does not have to have any specific host associated with it, nor is there any requirement for any domain or host to be pingable.

Examples:

C:\>ping 1e100.net
Ping request could not find host 1e100.net. Please check the name and try again.

C:\>ping qw-in-f113.1e100.net

Pinging qw-in-f113.1e100.net [74.125.93.113] with 32 bytes of data:

Reply from 74.125.93.113: bytes=32 time=48ms TTL=44
Reply from 74.125.93.113: bytes=32 time=52ms TTL=47
Reply from 74.125.93.113: bytes=32 time=48ms TTL=44
Reply from 74.125.93.113: bytes=32 time=50ms TTL=47

Ping statistics for 74.125.93.113:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 48ms, Maximum = 52ms, Average = 49ms

C:\>nslookup 1e100.net
Server: dcs-srv.dcs-net
Address: 192.168.10.2

Name: 1e100.net

C:\>nslookup qw-in-f113.1e100.net
Server: dcs-srv.dcs-net
Address: 192.168.10.2

Non-authoritative answer:
Name: qw-in-f113.1e100.net
Address: 74.125.93.113

C:\>ping 1e1oo.net

Pinging 1e1oo.net [208.73.210.27] with 32 bytes of data:

Reply from 208.73.210.27: bytes=32 time=66ms TTL=236
Reply from 208.73.210.27: bytes=32 time=68ms TTL=239
Reply from 208.73.210.27: bytes=32 time=65ms TTL=236
Reply from 208.73.210.27: bytes=32 time=68ms TTL=239

Ping statistics for 208.73.210.27:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 65ms, Maximum = 68ms, Average = 66ms

C:\>nslookup 1e1oo.net
Server: dcs-srv.dcs-net
Address: 192.168.10.2

Non-authoritative answer:
Name: 1e1oo.net
Address: 208.73.210.27

You will note that the domain/host name 1e100.net does not have a DNS record that defines an IP address. The host name qw-in-f113.1e100.net does have an IP address defined in DNS.

OTOH, the domain name 1e1oo.net also has a host name with an IP address defined in DNS. However, that domain is totally unrelated to the Google owned 1e100.net (as I thought I made clear in my previous post).

Exodus
Your Daddy
Premium Member
join:2001-11-26
Earth

Exodus

Premium Member

Maybe you should try using the letter O instead of zeros (0).

one e one o o dot net

AVD
Respice, Adspice, Prospice
Premium Member
join:2003-02-06
Onion, NJ

AVD

Premium Member

oh oh

Exodus
Your Daddy
Premium Member
join:2001-11-26
Earth

Exodus

Premium Member

qw-in-f113.1e1oo.net resolves to 208.73.210.27.

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

NetFixer

Premium Member

said by Exodus:

qw-in-f113.1e1oo.net resolves to 208.73.210.27.
That is because the domain 1e1oo.net uses a wildcard DNS as shown below. It is also totally irrelevant since the domain 1e1oo.net has absolutely nothing to do with the Google owned 1e100.net.

C:\>nslookup 1e1oo.net
Server: dcs-srv.dcs-net
Address: 192.168.10.2

Non-authoritative answer:
Name: 1e1oo.net
Address: 208.73.210.27

C:\>nslookup qw-in-f113.1e1oo.net
Server: dcs-srv.dcs-net
Address: 192.168.10.2

Non-authoritative answer:
Name: qw-in-f113.1e1oo.net
Address: 208.73.210.27

C:\>nslookup stuff.it.where.the.sun.does.not.shine.1e1oo.net
Server: dcs-srv.dcs-net
Address: 192.168.10.2

Non-authoritative answer:
Name: stuff.it.where.the.sun.does.not.shine.1e1oo.net
Address: 208.73.210.27
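A toy authoritative lookup that reproduces the three behaviours NetFixer's nslookup output shows, added as an example (not code from the thread): the 1e100.net apex exists but carries no address (NODATA), the host qw-in-f113.1e100.net has one, and any name at all under 1e1oo.net answers because of its wildcard record. The zone table is constructed from the addresses quoted in the thread, and the wildcard rule follows RFC 1034: a `*.parent` record answers only for names that do not exist and whose closest existing ancestor is that parent.

```python
# Constructed zone data: owner name -> list of A addresses. An empty list
# means the node exists (it has children) but holds no A record, which is
# what the thread's `nslookup 1e100.net` result looks like.
ZONE = {
    "1e100.net": [],
    "qw-in-f113.1e100.net": ["74.125.93.113"],
    "1e1oo.net": ["208.73.210.27"],
    "*.1e1oo.net": ["208.73.210.27"],
}

def _ancestors(name):
    """Yield name, then each parent: a.b.c -> a.b.c, b.c, c."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])

def _existing_nodes(zone):
    """Every name that exists in the zone, including empty non-terminals
    (ancestors of an owner that have no records of their own)."""
    nodes = set()
    for owner in zone:
        nodes.update(_ancestors(owner))
    return nodes

def resolve_a(zone, qname):
    """Answer an A query: ("A", addr), ("NODATA", None) or ("NXDOMAIN", None)."""
    qname = qname.lower().rstrip(".")
    existing = _existing_nodes(zone)
    if qname in existing:
        # Exact node: return its address, or NODATA if it has none
        # (the apex 1e100.net case; ping then reports "could not find host").
        addrs = zone.get(qname, [])
        return ("A", addrs[0]) if addrs else ("NODATA", None)
    # Name does not exist: walk up to the closest existing ancestor and
    # answer from its wildcard child if it has one (the 1e1oo.net case).
    for anc in _ancestors(qname):
        if anc in existing:
            wild = zone.get("*." + anc, [])
            return ("A", wild[0]) if wild else ("NXDOMAIN", None)
    return ("NXDOMAIN", None)       # nothing in this zone encloses the name
```

Because the wildcard applies only below the closest existing ancestor, a deliberately added empty node such as `sub.1e1oo.net` would stop `x.sub.1e1oo.net` from resolving, which is the distinction NetFixer draws between a domain name and a host name.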