Multiple entries in NAT mapping Table, Virus?

I've been keeping an eye on my router after catching a virus in XP which kept redirecting my browser. I tried multiple spyware cleaners/virus checkers and that stopped the redirect, but now I keep noticing different entries being added to the NAT mapping table even when I am not doing any browsing. I think the virus is still lurking in there somewhere.

Should entries in NAT be added when doing nothing? It seems to be using port 80, and I will list IP addresses if needed.
 
Port 80 is the browser port. A bit happens around there, but it could be, like you say, that the virus is still there. The best thing to do is run more scans. Or use a different PC and turn the infected one off and see if the NAT table is still getting dodgy entries.
 
I'm running out of ideas what the hell it is. I reinstalled XP, exact same problem, although not as many entries added (before the reinstall I had 9 pages full of bogus NAT entries).

Index  Protocol  Local IP     Local Port  Pseudo IP       Pseudo Port  Peer IP       Peer Port
1      TCP       192.168.2.5  1041        80.175.186.101  1041         84.45.224.15  80
2      TCP       192.168.2.5  1455        80.175.186.101  1455         84.45.224.7   80
3      TCP       192.168.2.5  1043        80.175.186.101  1043         84.45.224.15  80
4      TCP       192.168.2.5  1045        80.175.186.101  1045         84.45.224.15  80
5      TCP       192.168.2.5  1047        80.175.186.101  1047         84.45.224.15  80
6      ICMP      192.168.2.5  512         80.175.186.101  56403        84.45.224.15  0

That's what's in there currently; the one I'm most concerned with is the one using ICMP. I am not running any P2P programs (clean install with just the basics installed: ZoneAlarm, AVG, all latest XP updates applied).

Traceroute for 84.45.224.15:80:

Tracing route to akamai-cluster.enta.net [84.45.224.15]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms . [192.168.2.1]
2 11 ms 13 ms 11 ms redback-lb-bgp.newnet.co.uk [212.87.77.54]
3 17 ms 11 ms 11 ms th8.th.newnet.co.uk [81.3.81.8]
4 12 ms 11 ms 11 ms linx-gw0.enta.net [195.66.224.151]
5 12 ms 12 ms 11 ms te4-3.global-switch.core.enta.net [87.127.236.82]
6 13 ms 13 ms 13 ms akamai-cluster.enta.net [84.45.224.15]

Trace complete.

From last night I had multiple ones for 64.233.103.103:

Tracing route to www.google.co.uk [64.233.183.103]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms . [192.168.2.1]
2 12 ms 11 ms 12 ms redback-lb-bgp.newnet.co.uk [212.87.77.54]
3 11 ms 11 ms 12 ms th3.th.newnet.co.uk [81.3.81.3]
4 12 ms 11 ms 11 ms 212.113.21.65
5 23 ms 17 ms 17 ms ae-32-52.ebr2.London1.Level3.net [4.68.116.62]
6 20 ms 31 ms 20 ms ae-2.ebr2.Amsterdam1.Level3.net [4.69.132.134]
7 20 ms 19 ms 20 ms ae-21-56.car1.Amsterdam1.Level3.net [4.68.120.175]
8 21 ms 19 ms 19 ms GOOGLE-INC.car1.Amsterdam1.Level3.net [212.72.46.230]
9 53 ms 23 ms 22 ms 64.233.175.246
10 21 ms 21 ms 22 ms 72.14.233.83
11 29 ms 21 ms 22 ms 209.85.249.129
12 21 ms 22 ms 22 ms www.google.co.uk [64.233.183.103]

Trace complete.
 
I believe akamai-cluster.enta.net is used to host quite a few services, including ZoneAlarm and Microsoft updates.

The other connection is to www.google.com

Neither seem malicious.

Use netstat to see which processes own which connections if you are really worried.
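The netstat suggestion above is the right check, because the router's NAT table only knows local IP and port, while `netstat -ano` on the XP box (or `netstat -anob` on SP2 and later, which also prints the executable) knows which PID owns that port. Joining the two is what tells you whether an entry belongs to a process you recognise, to a socket that has since closed (the router keeps the translation until it times out), or to no socket on this host at all. The script below is an added example, not code from the thread; the six NAT rows are the ones posted, the netstat lines and every PID in them are constructed. It treats the ICMP row separately because the "port" columns of an ICMP translation are the echo identifier, not a port, and netstat never lists it; that the router also rewrites the identifier (512 out, 56403 on the WAN side) is the assumption made here about this particular NAT.

```python
"""Correlate a router's NAT mapping table with `netstat -ano` from the host.

Added example, not from the thread. The NAT rows below are the six the poster
listed; the netstat lines and every PID in them are constructed for illustration.
"""
from collections import namedtuple

NatEntry = namedtuple(
    "NatEntry",
    "index proto local_ip local_port pseudo_ip pseudo_port peer_ip peer_port",
)
Socket = namedtuple("Socket", "proto local_ip local_port remote state pid")

# Rows copied from the post (router's NAT mapping table).
NAT_TABLE = """\
Index Protocol Local IP Local Port Pseudo IP Pseudo Port Peer IP Peer Port
1 TCP 192.168.2.5 1041 80.175.186.101 1041 84.45.224.15 80
2 TCP 192.168.2.5 1455 80.175.186.101 1455 84.45.224.7 80
3 TCP 192.168.2.5 1043 80.175.186.101 1043 84.45.224.15 80
4 TCP 192.168.2.5 1045 80.175.186.101 1045 84.45.224.15 80
5 TCP 192.168.2.5 1047 80.175.186.101 1047 84.45.224.15 80
6 ICMP 192.168.2.5 512 80.175.186.101 56403 84.45.224.15 0
"""

# Constructed `netstat -ano` output in Windows XP layout (PIDs are invented).
# 1041 and 1455 are still open; 1043 is in TIME_WAIT, which netstat reports
# with PID 0; 1045 and 1047 have already closed on the host.
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.2.5:1041       84.45.224.15:80        ESTABLISHED     1204
  TCP    192.168.2.5:1455       84.45.224.7:80         ESTABLISHED     1204
  TCP    192.168.2.5:1043       84.45.224.15:80        TIME_WAIT       0
  UDP    192.168.2.5:137        *:*                                    4
"""


def parse_nat_table(text):
    """Parse whitespace-separated NAT rows; skips the header and blank lines."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or not f[0].isdigit():
            continue
        entries.append(NatEntry(int(f[0]), f[1].upper(), f[2], int(f[3]),
                                f[4], int(f[5]), f[6], int(f[7])))
    return entries


def parse_netstat(text):
    """Parse `netstat -ano` rows. UDP rows carry no State column."""
    socks = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue
        lip, lport = f[1].rsplit(":", 1)
        if f[0] == "TCP":
            state, pid = f[3], int(f[4])
        else:
            state, pid = "", int(f[3])
        socks.append(Socket(f[0], lip, int(lport), f[2], state, pid))
    return socks


def correlate(nat_entries, sockets):
    """Join NAT rows to host sockets on (proto, local IP, local port).

    Returns a dict with three lists of (entry, socket-or-None):
      matched   - a process (or a TIME_WAIT leftover, PID 0) still owns the port
      unmatched - the NAT state outlived the socket, or the traffic was never
                  from this host (another machine using the IP, or a stale
                  translation the router has not yet expired)
      icmp      - cannot be joined: the "port" columns of an ICMP entry hold
                  the echo identifier, which netstat does not show
    """
    by_local = {(s.proto, s.local_ip, s.local_port): s for s in sockets}
    out = {"matched": [], "unmatched": [], "icmp": []}
    for e in nat_entries:
        if e.proto == "ICMP":
            out["icmp"].append((e, None))
            continue
        s = by_local.get((e.proto, e.local_ip, e.local_port))
        out["matched" if s else "unmatched"].append((e, s))
    return out


def peer_counts(nat_entries):
    """Count NAT rows per (peer IP, proto, peer port): the addresses to resolve."""
    counts = {}
    for e in nat_entries:
        key = (e.peer_ip, e.proto, e.peer_port)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    entries = parse_nat_table(NAT_TABLE)
    report = correlate(entries, parse_netstat(NETSTAT))
    for kind, rows in report.items():
        for e, s in rows:
            owner = f"pid {s.pid} ({s.state})" if s else "no local socket"
            print(f"{kind:9} {e.proto:4} {e.local_ip}:{e.local_port:<5} -> "
                  f"{e.peer_ip}:{e.peer_port:<5} {owner}")
    for (ip, proto, port), n in peer_counts(entries).items():
        print(f"{n} x {proto} {ip}:{port}")
```

Read the "unmatched" list with the router's idle timeout in mind: a short-lived HTTP fetch leaves a NAT row for minutes after the socket is gone, so a handful of unmatched port-80 rows to a CDN address is normal. What would warrant attention is a local port that is in use on the host but owned by a PID you cannot account for, or NAT rows whose local ports never show up in netstat at all while the machine is the only host on the LAN.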
 
akamai-cluster.enta.net hosts Microsoft updates.

A quick Google told me that.

edit: beaten :p

edit2: btw, enta is my ISP, nowt to worry about. :)
 
Thanks for the replies, it has put my mind at rest.

Didn't know about Akamai being used for updates for ZoneAlarm/Microsoft, but I did read that some websites used them to offload hosting various parts of their sites.

The Google one I only included because I was concerned that the routing went through amsterdam.level3; I'm sure the last time I checked Google (probably a while back) it didn't use Level3's network. Whenever I see Amsterdam in anything it just catches my eye, wonder why that is lol

Also changed the router's default IP address and password, and no bogus entries are in there at all now, probably just coincidence though.
 