May 29th, 2003, 10:33 PM
Weird stuff, even after a reformat.
Last night I reformatted Windows XP because the computer was dirty as a Vegas whore.
This morning I noticed all sorts of people attempting to connect to all different ports, firewall was blocking them, no biggie I guessed.
First question- If I do a netstat -a -o, what ports are listening by default? I remembered from the last time I reformatted that everything listened as "localhost", and the stuff I remembered seeing was MS related (NetBIOS, 137, 138, 445, etc.). This time around it's either my loopback, or network addy 192.168.... and some stuff on ports 123, 1900, 1152, 500, 1026/27, 1043, 1025, 1031, etc., both TCP and UDP.
Second question. What's the deal with the NDIS User mode I/O driver? It chatters more than anything. Upon opening IE some computer tries to connect to it on my local port 1026 (Remote network login or something of that nature).
Third- If there is still something dirty on here, would it be possible for them to open a channel through my Netgear MR314? In other words, would they be able to change the config file (don't know the exact name) of the quasi router, enabling an open channel to the internet? Can I do anything to cleanse it if that is possible?
Fourth- I've noticed that every thirty seconds on my network here there's a request from 192.168.0.1 (gateway) to 192.168.0.255 on port 520, both remote and local. That in itself is not what worries me. What worries me is that in my firewall log viewer it's catching those packets, lists one application as ....\system32\drivers\ndisuio.sys. But just as that happens every thirty seconds, there's another happening with an application that is not listed.
I'm sure I'll think of more, but if you all could help me out here it would be greatly appreciated. Soon I'm going to deploy a WAN side IDS just for shits and giggles, and also to see what is originating on my network, and what isn't.
Thanks in advance