
SciTE keeps trying to access internet at 209.18.47.61:DNS

22 posts in this topic

#1 ·  Posted (edited)

Every time I use SciTE.exe it tries to access the internet every now and then. I never realized this until I started using ZoneAlarm.

Why is it contacting the internet with functions like

#RequireAdmin
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_icon=..\Pictures\Icons\G-key.ico
#AutoIt3Wrapper_outfile=Safe.exe
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#include<Misc.au3>
#include<File.au3>
#include <String.au3>
If _Singleton(@ScriptName,1) = 0 Then
    Exit
EndIf
HotKeySet("{F2}","_Select")

While 1
    Sleep(360000)
WEnd

Func _Select()
    Local $I = InputBox("Command Center", " ", "", "", 200, 100)
    Switch $I
    Case "kill", "exit", "stop", "Kill", "Exit", "Stop", "KILL", "EXIT", "STOP"
        Exit
    Case "create", "Create", "CREATE"
        _create()
    Case "lock", "Lock", "LOCK"
        _lock()
    Case "unlock", "Unlock", "UNLOCK", "un-lock", "Un-lock", "UN-LOCK", _
        "un lock", "Un lock", "UN LOCK", "Un Lock", "Un-Lock"
        _unlock()
    Case "google", "Google", "GOOGLE"
        ShellExecute("http://www.google.com")
    Case "au3"
        ShellExecute("http://www.autoitscript.org")
    Case Else
        MsgBox(0, "Syntax error", "'" & $I & "'" & " is not recognized as an internal or external command." & _
                @LF & "Correct your syntax and try again.")
    EndSwitch
EndFunc


Func _create()
$folder = @ScriptDir & "\Archive"
DirCreate(@ScriptDir & "\Archive")
_FileCreate(@ScriptDir & "\Archive\desktop.ini")
FileInstall("C:\W7\lock.ico",@ScriptDir & "\Archive\lock.ico")
IniWriteSection($folder & "\" & "Desktop.ini", ".ShellClassInfo", _
                "IconFile=" & "lock.ico" & @LF & _
                "IconIndex=0" & @LF & _
                "InfoTip=Folder ready for archiving!")
FileSetAttrib($folder & "\" & "Desktop.ini", "+HS")
FileSetAttrib($folder, "+R")
FileSetAttrib($folder & "\lock.ico", "+SHR")
EndFunc

Func _lock()
$KB29 = InputBox("Enter password"," ","","*",200,75)
_TalkOBJ("Processing.")
$Encrypt = _StringEncrypt(1, $KB29 , " ", 7)
FileInstall("C:\W7\Rar.exe",@TempDir & "\Rar.exe")
FileChangeDir(@TempDir)
RunWait("rar a Data.rar -k -ow -dw -m5 -hp" & $KB29 & " " & @ScriptDir & "\Archive",@TempDir,@SW_HIDE)
$Rar = _TempFile(@ScriptDir, "DATA_", ".rar", 7)
FileMove(@TempDir & "\Data.rar",$Rar)
ProcessClose("Rar.exe")
$Get = ( _GetNameByFullPath ( $Rar ))
If FileExists(@ScriptDir & "\$~settings.ini") Then
    iniWriteSection(@ScriptDir & "\$~settings.ini", $Get,"KB29=" & $Encrypt)
Else
    _FileCreate(@ScriptDir & "\$~settings.ini")
    iniWriteSection(@ScriptDir & "\$~settings.ini", $Get,"KB29=" & $Encrypt)
EndIf
_TalkOBJ("Archiving complete.")
EndFunc

Func _unlock()
$message = "Select your archive file."
$archive = FileOpenDialog($message, @WindowsDir & "\", "Archives (*.rar)", 1 + 4 )
If @error Then
    MsgBox(4096,"","No File(s) chosen")
    Exit
Else
    $archive = StringReplace($archive, "|", @CRLF)
EndIf
$message2 = "Select your ini file."
$ini = FileOpenDialog($message2, @WindowsDir & "\", "Images (*.ini)", 1 + 4 )
If @error Then
    MsgBox(4096,"","No File(s) chosen")
    Exit
Else
    $ini = StringReplace($ini, "|", @CRLF)
EndIf
$Geta = ( _GetNameByFullPath ( $archive ))
$G = IniRead ( $ini, $Geta, "KB29", " " )
$Uc = _StringEncrypt(0, $G, " ", 7)
FileInstall("C:\W7\UnRAR.exe",@TempDir & "\UnRAR.exe")
DirCreate(@ScriptDir & "\Data")
FileChangeDir(@TempDir)
RunWait("unrar e -y -p" & $Uc & " " & $archive & " " & @ScriptDir & "\Data",@TempDir,@SW_HIDE)
ProcessClose("UnRAR.exe")
Sleep(500)
; UnRAR.exe was installed to @TempDir above, so remove it from there
FileDelete(@TempDir & "\UnRAR.exe")
_TalkOBJ("Task completed.")
EndFunc

Func _GetNameByFullPath ( $_FullPath )
    If Not FileExists ( $_FullPath ) Then Return 0
    $_FileName = StringSplit ( $_FullPath, '\' )
    Return $_FileName[$_FileName[0]]
EndFunc ;==> _GetNameByFullPath ( )

Func _TalkOBJ($s_text)
    ; Speak the given text through the Windows SAPI voice object
    Local $o_speech = ObjCreate("SAPI.SpVoice")
    $o_speech.Speak($s_text)
    $o_speech = ""
EndFunc

Do I have an infected copy or something? lol

Edited by xJSLRx

Things that I've done..

Icon Resource Editor: icon resource editor 

AutoIt Piano: a piano

AutoIt Unlocker: unlocks files when you want to delete them

Colorful tooltips: a wrapper for the tool tips UDF

Rouge GoogleBot: a full screen animation

ASciTE text editor: a text editor written in autoit

Warning: Posts by this user are subject to change or may disappear without notice.




Just ran your script on mine and I'm not getting anything happening. Checked out the TCP/IP connections in ProcessExplorer.

As to your question, it's kinda unlikely, but best to prob run a scan through and try downloading and installing it again.

As far as I'm aware it doesn't have an update function in SciTE either. Strange.....


http://twentylinesofcode.blogspot.com Little apps n crap. can be fun


#3 ·  Posted (edited)

As far as I'm aware it doesn't have an update function in SciTE either. Strange.....

Scite Help Menu, About

and you see Check the SciTE4AutoIt3 Homepage for Updates http://www.autoitscript.com/autoit3/scite

where you can find http://www.autoitscript.com/autoit3/scite/downloads.shtml !

Last Update : 2/28/2010

Edited by wakillon

AutoIt 3.3.14.2 X86 - SciTE 3.6.0 - WIN 8.1 X64 - Other Example Scripts


Scite Help Menu, About

aah touche :)

Maybe this is the source?

But just running the script without going to the about dialog box doesn't make any TCP/IP connections is what I was saying.


http://twentylinesofcode.blogspot.com Little apps n crap. can be fun


aah touche :)

Maybe this is the source?

But just running the script without going to the about dialog box doesn't make any TCP/IP connections is what I was saying.

You're right, I don't see any attempt to access internet !

xJSLRx should show ZA message to be sure...


AutoIt 3.3.14.2 X86 - SciTE 3.6.0 - WIN 8.1 X64 - Other Example Scripts


You're right, I don't see any attempt to access internet !

xJSLRx should show ZA message to be sure...

It's basically what I put as the topic title. Something about SciTE attempting to access the trusted zone and making repeated requests to my DNS server.

I'm beginning to think I might have a modified UDF.... And that it's probably spyware, but then again who wants to see me fiddle with a script editor for hours on end?



#7 ·  Posted (edited)

Here's the image of the warning I keep getting.

Edited by xJSLRx


It's basically what I put as the topic title. Something about SciTE attempting to access the trusted zone and making repeated requests to my DNS server.

I'm beginning to think I might have a modified UDF.... And that it's probably spyware, but then again who wants to see me fiddle with a script editor for hours on end?

Ip : 209.18.47.61 is located to :

OrgName: Road Runner HoldCo LLC

OrgId: RRMA

Address: 13241 Woodland Park Road

City: Herndon

StateProv: VA

PostalCode: 20171

Country: US

RegDate:

Updated: 2011-01-05

Comment: Allocations for this OrgID serve Road Runner residential customers out of the Columbus, OH, Herndon, VA and Raleigh, NC RDCs.


Posted Image

May be your Internet Service Providers ?



#9 ·  Posted (edited)

Weird.. I live in South Texas and my DNS server is only 17-18 miles away. Why would SciTE try to make contact to the area in your image...

Edited by xJSLRx


Weird.. I live in South Texas and my DNS server is only 17-18 miles away. Why would SciTE try to make contact to the area in your image...

Yes, it's strange !

Where have you got the SciTE installer ?



#11 ·  Posted (edited)

Yes, it's strange !

Where have you got the SciTE installer ?

SciTE came from here, but a lot of my UDFs came from shady sites. I wouldn't doubt my PC is pretty much just plain "INFECTED", because I can just imagine how easy it would be to write a script that mods UDFs to do stuff you wouldn't want.

I'll have to download a brand spankin' new copy of SciTE and make a copy of my "Includes" before replacing them, then I can test to see if it really was my UDFs or something even BIGGER.

Edit: bunch of spelling errors...

Edited by xJSLRx


In worst case, block internet access to SciTE and scan your PC !



#13 ·  Posted (edited)

Even the script obfuscator tries to make contact. This definitely rules out the UDF theory and opens a whole new spectrum of thought...

Did SciTE recently come out with a usage monitoring feedback system?

Edit: I have Microsoft Security Essentials but I don't think it's very good.

Edited by xJSLRx


Even the script obfuscator tries to make contact. This definitely rules out the UDF theory and opens a whole new spectrum of thought...

Did SciTE recently come out with a usage monitoring feedback system?

Edit: I have Microsoft Security Essentials but I don't think it's very good.

No feedback system, it must be a spyware !

Microsoft security essentials must be too light !

Take a security Suite more reliable ...like KIS...



#15 ·  Posted (edited)

Your image shows that AutoIt3.exe is trying something, not SciTE nor Obfuscator.

So how is AutoIt3.exe run?

By the way, SciTE4AutoIt3 has an option to check for updates, but that is switched off by default. When switched on, AutoIt3Wrapper.exe will perform the check.

Jos

au3.properties that contains the switch for update checking:

# SciTE settings for AutoIt v3
#
# February 26, 2010 - Jos
#
#
# *** Specify here your AutoIt program directory ***
autoit3dir=C:\Program Files (x86)\AutoIt3
openpath.$(au3)=$(autoit3dir)\include
openpath.beta.$(au3)=$(autoit3dir)\beta\include
au3=*.au3
filter.au3=AutoIt (au3)|$(au3)|
lexer.$(au3)=au3
#define the number of backup files you want to keep 0=none
backup.files=0
#define if you want AutoIt3Wrapper to check once every day for available updates for SciTE4AutoIt3
check.updates.scite4autoit3=0

Edited by Jos

Visit the SciTE4AutoIt3 Download page for the latest versions - Beta files - How to post scriptsource - Forum Rules
 
Live for the present,
Dream of the future,
Learn from the past.
  :)


#16 ·  Posted (edited)

@Jos

I have made the change in au3.properties to check for updates and restarted SciTE

but it doesn't try to access internet...

Edited by wakillon


Just out of curiosity the OP could post a list of all the files that are #Included. I have a solid hunch the problem will be in there.


George

Question about decompiling code? Read the decompiling FAQ and don't bother posting the question in the forums.

Be sure to read and follow the forum rules. -AKA the AutoIt Reading and Comprehension Skills test.***

The PCRE (Regular Expression) ToolKit for AutoIT - (Updated Oct 20, 2011 ver:3.0.1.13) - Please update your current version before filing any bug reports. The installer now includes both 32 and 64 bit versions. No change in version number.

Visit my Blog .. currently not active but it will soon be resplendent with news and views. Also please remove any links you may have to my website. it is soon to be closed and replaced with something else.

"Old age and treachery will always overcome youth and skill!"


#18 ·  Posted (edited)

When you have the Full installer loaded and AutoIt3Wrapper is run during a Compile-RUN etc, it will run a CheckForUpdates() udf once a day when:

If SendSciTE_GetInfo($My_Hwnd, $SciTE_hwnd, "askproperty:check.updates.scite4autoit3") = 1 Then
    If IniRead($SciTE_Dir & "\SciTEVersion.ini", 'SciTE4AutoIt3', 'LastCheckDate', '') <> _NowDate() Then
        CheckForUpdates()
        IniWrite($SciTE_Dir & "\SciTEVersion.ini", 'SciTE4AutoIt3', 'LastCheckDate', _NowDate())
    EndIf
EndIf

Which will retrieve the following file from the website:

$rc = InetGet('http://www.autoitscript.com/autoit3/scite/download/scite4autoit3version.ini', $SciTE_Dir & "\scite4autoit3versionWeb.ini", 16, 1)

Jos

Edited by Jos


#19 ·  Posted (edited)

When you have the Full installer loaded and AutoIt3Wrapper is run during a Compile-RUN etc, it will run a CheckForUpdates() udf once a day when:

If SendSciTE_GetInfo($My_Hwnd, $SciTE_hwnd, "askproperty:check.updates.scite4autoit3") = 1 Then
    If IniRead($SciTE_Dir & "\SciTEVersion.ini", 'SciTE4AutoIt3', 'LastCheckDate', '') <> _NowDate() Then
        CheckForUpdates()
        IniWrite($SciTE_Dir & "\SciTEVersion.ini", 'SciTE4AutoIt3', 'LastCheckDate', _NowDate())
    EndIf
EndIf

Which will retrieve the following file from the website:

$rc = InetGet('http://www.autoitscript.com/autoit3/scite/download/scite4autoit3version.ini', $SciTE_Dir & "\scite4autoit3versionWeb.ini", 16, 1)

Jos

I'm sorry for the late reply, but last night after I compiled my program, every time I run any compiled program I make, it automatically tries to access the IP address I mentioned earlier! This is very strange. I'm not concerned about my privacy because my PC is not very private. On another note, this morning I noticed that the balloons that pop up warning about the internet connection just go away after about half a second. What I think may be happening is there may be another program waiting for these popups and then just clicking accept. I think it may be possible that I have a "RAT" on my PC.

RAT = Remote administration tool.

I've been trying to take a screenshot of the popup that says SciTE, a centilla (not sure how it's spelled...) based script editor, is trying to access the internet, which is a different popup than the one in my picture above. Not only that, but it says the obfuscator and any program I make keep doing the same thing. It may be very possible that 209.18.47.61 is using my PC to DDoS sites etc. I say this because I have been fire-walled from HF and several msc sites. So my conclusion is I "AM" infected.

I am going to boot into Maverick and use V-box to investigate my SciTE install. It would be nice if there were a program that could tell you the difference between two similar files, like file size etc.

I'll just have to download a fresh SciTE and compare them manually.

Edited by xJSLRx

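The comparison post #19 asks for (a fresh SciTE/AutoIt download against the installed copy, including the Include folder of UDFs) can be scripted. The sketch below is an added example, not part of the original thread or of SciTE4AutoIt3; it goes beyond file size by also comparing SHA-256 hashes, and the function names and sample file contents are hypothetical.

```python
import hashlib
import os
import sys
import tempfile


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def index_tree(root):
    """Map lower-cased relative path -> (size, sha256) for every file under root."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            # Windows paths are case-insensitive, so compare names lower-cased.
            rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
            index[rel] = (os.path.getsize(full), sha256_of(full))
    return index


def compare_trees(reference_root, suspect_root):
    """Report files that differ from, were added to, or are missing from the reference."""
    ref, sus = index_tree(reference_root), index_tree(suspect_root)
    return {
        "modified": sorted(p for p in ref.keys() & sus.keys() if ref[p] != sus[p]),
        "added": sorted(sus.keys() - ref.keys()),
        "missing": sorted(ref.keys() - sus.keys()),
    }


def demo():
    """Compare two small constructed trees (sample data, not real AutoIt files)."""
    fresh = {"Misc.au3": b"; misc helpers\r\n",
             "File.au3": b"Func _FileCreate()\r\n; original\r\nEndFunc\r\n",
             "String.au3": b"; string helpers\r\n"}
    installed = {"misc.au3": b"; misc helpers\r\n",
                 # Same byte length as the fresh copy: a size check alone misses it.
                 "File.au3": b"Func _FileCreate()\r\n; modified\r\nEndFunc\r\n",
                 "Downloaded.au3": b"; third-party UDF\r\n"}
    with tempfile.TemporaryDirectory() as base:
        for label, files in (("fresh", fresh), ("installed", installed)):
            os.makedirs(os.path.join(base, label))
            for name, data in files.items():
                with open(os.path.join(base, label, name), "wb") as fh:
                    fh.write(data)
        return compare_trees(os.path.join(base, "fresh"), os.path.join(base, "installed"))


if __name__ == "__main__":
    # Usage: compare.py <fresh Include dir> <installed Include dir>; no args runs the demo.
    report = compare_trees(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else demo()
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind:9} {path}")
```

Files listed as "added" are where UDFs downloaded from other sites will show up; "modified" entries are the ones worth opening in a diff tool against the fresh copy.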

#20 ·  Posted (edited)

http://forums.majorgeeks.com/showthread.php?t=208856

check post 16 (and 17 for the MVP answer, naturally). If those keys are there I would not think it is your exe or Scite, just your browser and when something invokes it the calls are being made.

but I have been wronger.

Edited by iamtheky
