clalias (All American, 1580 Posts)
Sygate keeps telling me that ftp is trying to connect to 69655.no-ip.com [10.10.10.10] using port 21. Do I want to allow access?
I have never seen this before and can't find anything on google. Maybe I am just trying the wrong keywords.
Any ideas
----------details------------
File Version : 5.1.2600.2180
File Description : File Transfer Program (ftp.exe)
File Path : C:\WINDOWS\system32\ftp.exe
Process ID : 0xCC8 (Heximal) 3272 (Decimal)

Connection origin : local initiated
Protocol : TCP
Local Address : 192.168.1.102
Local Port : 2263
Remote Name : 69655.no-ip.com
Remote Address : 10.10.10.10
Remote Port : 21 (FTP - File Transfer [Control])

Ethernet packet details:
Ethernet II (Packet Length: 76)
  Destination: 00-04-5a-2e-58-cd
  Source: 00-12-3f-72-c1-66
  Type: IP (0x0800)
Internet Protocol
  Version: 4
  Header Length: 20 bytes
  Flags: .1.. = Don't fragment: Set
         ..0. = More fragments: Not set
  Fragment offset: 0
  Time to live: 64
  Protocol: 0x6 (TCP - Transmission Control Protocol)
  Header checksum: 0x5e0c (Correct)
  Source: 192.168.1.102
  Destination: 10.10.10.10
Transmission Control Protocol (TCP)
  Source port: 2263
  Destination port: 21
  Sequence number: 1875923314
  Acknowledgment number: 0
  Header length: 28
  Flags: 0... .... = Congestion Window Reduce (CWR): Not set
         .0.. .... = ECN-Echo: Not set
         ..0. .... = Urgent: Not set
         ...0 .... = Acknowledgment: Not set
         .... 0... = Push: Not set
         .... .0.. = Reset: Not set
         .... ..1. = Syn: Set
         .... ...0 = Fin: Not set
  Checksum: 0xcee2 (Correct)
  Data (0 Bytes)

Binary dump of the packet:
0000: 00 04 5A 2E 58 CD 00 12 : 3F 72 C1 66 08 00 45 00 | ..Z.X...?r.f..E.
0010: 00 30 58 48 40 00 40 06 : 0C 5E C0 A8 01 66 0A 0A | .0XH@.@..^...f..
0020: 0A 0A 08 D7 00 15 6F D0 : 51 72 00 00 00 00 70 02 | ......o.Qr....p.
0030: FF FF E2 CE 00 00 02 04 : 05 B4 01 01 04 02 2E 70 | ...............p
0040: 6C 67 3F 74 3D 32 26 72 : 3D 34 33 2C | lg?t=2&r=43,
[Edited on September 27, 2005 at 12:38 AM. Reason : details]
9/27/2005 12:36:47 AM
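Before answering a prompt like this, it helps to check that the firewall's own details are internally consistent. As an added example (not part of the original post), the Python below decodes the hex dump Sygate printed above, verifies the IP and TCP checksums, and separates the SYN segment from the bytes that lie beyond the IP datagram; the only input is the dump quoted in the post.

```python
import struct

# Sygate's "Binary dump of the packet" from the post above, used here as the sample input.
SYGATE_DUMP = """\
0000: 00 04 5A 2E 58 CD 00 12 : 3F 72 C1 66 08 00 45 00 | ..Z.X...?r.f..E.
0010: 00 30 58 48 40 00 40 06 : 0C 5E C0 A8 01 66 0A 0A | .0XH@.@..^...f..
0020: 0A 0A 08 D7 00 15 6F D0 : 51 72 00 00 00 00 70 02 | ......o.Qr....p.
0030: FF FF E2 CE 00 00 02 04 : 05 B4 01 01 04 02 2E 70 | ...............p
0040: 6C 67 3F 74 3D 32 26 72 : 3D 34 33 2C | lg?t=2&r=43,
"""

def dump_to_bytes(dump):
    """Drop the offset column and ASCII gutter; keep only the hex byte pairs."""
    return b"".join(bytes.fromhex(line.split(":", 1)[1].split("|")[0].replace(":", ""))
                    for line in dump.splitlines())

def checksum(data):
    """RFC 1071: one's-complement sum of 16-bit words, complemented. 0 means 'verifies'."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_frame(frame):
    """Decode Ethernet II / IPv4 / TCP headers and verify both checksums."""
    ip = frame[14:]
    ihl, total_len, ttl, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[8], ip[9]
    src, dst = ip[12:16], ip[16:20]
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    names = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]
    # The TCP checksum also covers a pseudo-header: addresses, protocol, TCP length.
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "eth_type": struct.unpack("!H", frame[12:14])[0], "ttl": ttl, "proto": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [n for i, n in enumerate(names) if off_flags & (1 << i)],
        # Raw on-the-wire checksum fields; Sygate's summary prints these byte-swapped.
        "ip_checksum": struct.unpack("!H", ip[10:12])[0], "tcp_checksum": struct.unpack("!H", tcp[16:18])[0],
        "ip_checksum_ok": checksum(ip[:ihl]) == 0,
        "tcp_checksum_ok": checksum(pseudo + tcp) == 0,
        "payload_len": len(tcp) - (off_flags >> 12) * 4,
        # Bytes beyond the IP total length are capture-buffer residue, not part of the connection.
        "trailer": frame[14 + total_len:],
    }

DECODED = decode_frame(dump_to_bytes(SYGATE_DUMP))
print(DECODED)
```

The decode confirms Sygate's summary (192.168.1.102:2263 to 10.10.10.10:21, SYN only, no payload) and shows that the readable "lg?t=2&r=43," tail sits outside the 48-byte IP datagram, so it is not data this connection sent.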
disco_stu (All American, 7436 Posts)
I'm gonna go out on a limb here and say that you don't want to let ftp connect to a remote site that you don't know about. no-ip.com is a ddns service, so I'm betting that 69655.no-ip.com forwards to some shithole on a cable modem or college network trying to steal personal info. You need to update your virus scan and run a scan. Also, take a look at the process list in your Task Manager and google any processes you're not familiar with.
9/27/2005 8:32:11 AM
clalias (All American, 1580 Posts)
"Do I want to allow access?" is what Sygate was asking me. I have not been allowing access. I have BitDefender 9 Pro Plus with the latest definitions. It is not picking anything up.
I am seeing if anyone has heard of this. Also there is an application "setup" running that shouldn't be. Again, I can't get anything on Google or anti-virus websites because 'setup' is such a common word, I suppose.
9/27/2005 11:44:20 AM
disco_stu (All American, 7436 Posts)
It's almost definitely a trojan. Odd that BitDefender isn't picking it up, maybe it's a newer one. Make sure your virus definitions are up to date, and if that doesn't work, try downloading the antivirus offered by State. http://www.ncsu.edu/antivirus
Maybe it's a brand new one, in which case you could talk with BitDefender or Symantec and isolate it. I'm interested in this so let me know.
9/27/2005 11:58:10 AM
split (All American, 834 Posts)
Try going to Trend Micro's HouseCall site to scan for viruses from there. Also, you might want to download the fport program so that the next time you get a popup asking you whether you want to accept the traffic, you can run fport and find out what is attempting to make the connection. Another option is to manually set the IP of 69655.no-ip.com to an FTP server you control to see what it is trying to do.
[edit] Though I am not sure if fport will allow you to track back to the process that calls ftp.exe, worth a shot though.
[Edited on September 27, 2005 at 12:06 PM. Reason : -]
9/27/2005 12:04:16 PM
clalias (All American, 1580 Posts)
Response from abuse@no-ip.com:
You're going to want to not allow that traffic and update your virus scanner. That host name was recently shut down because it was linked to a virus that has been going around.
Thanks, Kurt
---------------------
Now I got to contact Bitdefender and ask wtf is their problem?
[Edited on September 27, 2005 at 12:24 PM. Reason : .]
9/27/2005 12:23:32 PM
tjoshea (All American, 4906 Posts)
OWNED
9/27/2005 3:55:37 PM
moron (All American, 34142 Posts)
^^ You realize your name looks a lot like the impotency drug Cialis?
9/27/2005 4:20:56 PM
clalias (All American, 1580 Posts)
^ hah, I know. That's so fucked up. I was pissed when I first saw that damn commercial. But I don't want to pay to get another account.
[Edited on September 27, 2005 at 7:51 PM. Reason : .]
9/27/2005 7:50:53 PM