-
January 30th, 2004, 05:58 AM
#11
amn, cheyenne1212... 135, 137, 138, 139 and 445 open... you do have a hardware firewall... right?
Those ports are open because I have a network. File sharing is disabled, though, on my net connection (dial-up).
And yes I do have a firewall up. lol
-
January 30th, 2004, 06:05 AM
#12
OK, I cut some of the fat, but: the first one is without Mozilla running and the second one is with it. You tell me what you think.
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3001 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3002 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3003 0.0.0.0:0 LISTENING
TCP 192.168.0.52:139 0.0.0.0:0 LISTENING
TCP 192.168.0.52:3006 0.0.0.0:0 LISTENING
TCP 192.168.0.52:3006 192.168.0.20:139 ESTABLISHED
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:3004 *:*
UDP 127.0.0.1:123 *:*
UDP 192.168.0.52:123 *:*
UDP 192.168.0.52:137 *:*
UDP 192.168.0.52:138 *:*
C:\Documents and Settings\>netstat -an
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3008 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3035 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3036 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3001 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3002 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3003 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3007 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3007 127.0.0.1:3008 ESTABLISHED
TCP 127.0.0.1:3008 127.0.0.1:3007 ESTABLISHED
TCP 192.168.0.52:139 0.0.0.0:0 LISTENING
TCP 192.168.0.52:3033 63.146.109.212:80 TIME_WAIT
TCP 192.168.0.52:3035 63.146.109.210:80 LAST_ACK
TCP 192.168.0.52:3036 63.146.109.210:80 LAST_ACK
TCP 192.168.0.52:3046 63.146.109.210:80 TIME_WAIT
TCP 192.168.0.52:3073 63.146.109.212:80 TIME_WAIT
TCP 192.168.0.52:3075 63.146.109.212:80 TIME_WAIT
TCP 192.168.0.52:3077 63.146.109.212:80 TIME_WAIT
TCP 192.168.0.52:3095 63.146.109.210:80 TIME_WAIT
TCP 192.168.0.52:3102 63.146.109.210:80 TIME_WAIT
TCP 192.168.0.52:3107 63.146.109.210:80 TIME_WAIT
TCP 192.168.0.52:3114 63.146.109.210:80 TIME_WAIT
TCP 192.168.0.52:3130 63.146.109.210:80 TIME_WAIT
TCP 192.168.0.52:3131 63.146.109.210:80 TIME_WAIT
TCP 192.168.0.52:3132 63.146.109.210:80 TIME_WAIT
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:3004 *:*
UDP 127.0.0.1:123 *:*
UDP 192.168.0.52:123 *:*
UDP 192.168.0.52:137 *:*
UDP 192.168.0.52:138 *:*
I have 315 relays and 118 switches and have all the power of a calculator.
-
January 30th, 2004, 06:06 AM
#13
No, this is scary (really, it is).
WTF?
I ran netstat -an just for the hell of it... here's what I get:
(I changed the prompt, but it is a WinXP box)
#netstat -an
Active Connections
Proto Local Address Foreign Address Status
TCP 67.30.50.XXX:3184 64.136.26.104:7000 Established
WTF?
#Ping 64.136.26.104
Pinging 64.136.26.104 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 64.136.26.104:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
DNS servers are on the same class B subnet as this mystery machine...
Not the DHCP server; there would be no need for constant communications.
The port number is wrong for DHCP.
ApogeeX?
You guys thinking what I'm thinking?
-
January 30th, 2004, 06:12 AM
#14
Funny, I get the same thing; I am not becoming happy here.
-
January 30th, 2004, 06:13 AM
#15
You tell me what you think.
Well, it looks normal to me; when you ran Mozilla, all the new connections are through port 80, the normal HTTP port.
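The two listings in #12 and the single line in #13 are being read by eye. The script below is an added example, not something any poster in this thread ran, that does the same reading mechanically over a saved `netstat -an` listing: it separates listeners by the interface they bind (127.0.0.1 versus 0.0.0.0 or the NIC address), accepts LAN SMB/NetBIOS sessions and outbound web traffic as expected, and leaves everything else in an "unexplained" bucket. The sample text is constructed from lines in #12 and #13 (the 67.30.50.1 local address is a stand-in for the masked 67.30.50.XXX), and the "expected" port sets are assumptions for a Windows XP box with file sharing on the LAN and a browser in use.

```python
"""Triage a saved Windows `netstat -an` listing.

Added example for the thread above; not code posted by any participant.
SAMPLE is constructed from lines in posts #12 and #13 (the 67.30.50.1
local address stands in for the masked 67.30.50.XXX).
"""
import ipaddress
import re
from collections import defaultdict, namedtuple

Conn = namedtuple("Conn", "proto laddr lport raddr rport state")

# Assumed "expected" traffic for a Windows XP box with NetBIOS/SMB enabled
# on the LAN and a browser in use.  Tune these sets for your own network.
LAN_SERVICE_PORTS = {135, 137, 138, 139, 445}
WEB_PORTS = {80, 443}

LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$"
)

# Constructed sample, assembled from lines shown in posts #12 and #13.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3001         0.0.0.0:0              LISTENING
  TCP    192.168.0.52:139       0.0.0.0:0              LISTENING
  TCP    192.168.0.52:3006      192.168.0.20:139       ESTABLISHED
  TCP    192.168.0.52:3033      63.146.109.212:80      TIME_WAIT
  TCP    67.30.50.1:3184        64.136.26.104:7000     Established
  UDP    0.0.0.0:500            *:*
  UDP    192.168.0.52:137       *:*
"""


def parse_netstat(text):
    """Turn netstat -an text into Conn records; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        conns.append(Conn(
            proto,
            laddr,
            int(lport) if lport != "*" else None,
            raddr,
            int(rport) if rport != "*" else None,
            state.upper() if state else None,   # post #13 shows "Established"
        ))
    return conns


def classify(c):
    """Label one record: listeners by the interface they bind, connections by
    where the far end is and which port it uses."""
    if c.state == "LISTENING" or c.proto == "UDP":
        # 127.x only accepts local clients; 0.0.0.0 or a NIC address is
        # reachable by anyone the firewall lets through.
        return "loopback_listener" if c.laddr.startswith("127.") else "exposed_listener"
    remote = ipaddress.ip_address(c.raddr)
    if remote.is_private and c.rport in LAN_SERVICE_PORTS:
        return "lan_smb"        # e.g. 192.168.0.52:3006 -> 192.168.0.20:139
    if not remote.is_private and c.rport in WEB_PORTS:
        return "web"            # browser traffic; TIME_WAIT/LAST_ACK are leftovers
    return "unexplained"        # anything else deserves an owning-process lookup


def triage(text):
    """Group every record by label; the 'unexplained' bucket is the one to chase."""
    buckets = defaultdict(list)
    for c in parse_netstat(text):
        buckets[classify(c)].append(c)
    return dict(buckets)


if __name__ == "__main__":
    for label, conns in sorted(triage(SAMPLE).items()):
        print(label)
        for c in conns:
            print(f"  {c.proto} {c.laddr}:{c.lport} -> {c.raddr}:{c.rport} {c.state or ''}")
```

On the sample, the only record that lands in "unexplained" is the ESTABLISHED session to 64.136.26.104:7000 from #13; the listing itself cannot say what owns that socket, so the next step is `netstat -ano` (the -o switch, available on XP, adds the owning PID) and matching the PID against `tasklist`.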
-
January 30th, 2004, 06:42 AM
#16
OK... I do netstat without the switches to see if the FQDN is listed:
accel94.lax.untd.com
whois turns this up:
untd.com is registered with NETWORK SOLUTIONS, INC. - redirecting to whois.networksolutions.com
Registrant:
United Online, Inc. (YCIWJTNJKD)
2555 Townsgate Rd.
WESTLAKE VILLAGE, CA 91361
US
Domain Name: UNTD.COM
Administrative Contact:
Hostmaster, United Online (3274437I) hostmaster@noc.untd.com
United Online, Inc.
2555 Townsgate Road
Westlake Village, CA 91361
US
805-418-2000 fax: 805-418-2002
Technical Contact:
Hostmaster, United Online ContactMiddleName (15716256I) hostmaster@noc.untd.com
United Online, Inc.
2555 Townsgate Road
Westlake Village, CA 91361
US
805-418-2000 fax: 805-418-2002
Record expires on 16-Dec-2004.
Record created on 16-Dec-1999.
Database last updated on 30-Jan-2004 00:40:38 EST.
Domain servers in listed order:
AUTHNS.LAX.UNTD.COM 64.136.28.21
AUTHNS.NYC.UNTD.COM 64.136.20.21
AUTHNS.WLV.UNTD.COM 64.136.16.21
Traceroute looks like this:
3 67.30.130.65 9.663 ms DNS error [AS3356] Level 3 Communications North America
4 209.244.27.165 9.071 ms so-6-0-0.mpls2.Tustin1.Level3.net [AS3356] Level 3 Communications North America
5 209.247.8.113 10.047 ms so-6-2-0.bbr2.LosAngeles1.Level3.net [AS3356] Level 3 Communications North America
6 209.247.10.206 8.700 ms so-9-0.core2.LosAngeles1.Level3.net [AS3356] Level 3 Communications North America
7 209.244.10.130 9.931 ms ge-4-0.ipcolo1.LosAngeles1.Level3.net [AS3356] Level 3 Communications North America
8 63.214.153.106 6.671 ms ge2-0.core1.lax.netzero.net [AS3356] Level 3 Communications North America
9 *
Tracert times out here... gonna try a BGP trace next.
-
January 30th, 2004, 06:50 AM
#17
OK... I telnet in to Looking Glass; here's what I get.
route-views.oregon-ix.net>accel94.lax.untd.com
Translating "accel94.lax.untd.com"...domain server (128.233.32.35) [OK]
Trying accel94.lax.untd.com (64.136.26.104)...
% Connection timed out; remote host not responding
Any Ideas Yet?
-
January 30th, 2004, 07:01 AM
#18
You behind a hardware firewall, 57686974?
I run a Linksys firewalled router on my DSL, and it blocks all ping replies. So whenever I try to ping a server I get a "request timed out" message.
-
January 30th, 2004, 07:10 AM
#19
I am, but it's configured to allow ICMP type 0 both inbound and outbound to this PC, so pinging and tracert shouldn't be a problem. Of course, if the other system is behind a firewall that doesn't allow ICMP ping.....
That would explain why a ping using Border Gateway Protocol works (router to router) and a standard host-to-host ICMP ping does not!
Here's another strange twist... absolutely no log entries in the system security log... and I do mean none, not even from netlogon from when I logged in this afternoon. The log is NOT set to overwrite events... I export them weekly to floppy and archive them for analysis.
At this point, I'm thinking trojan, so I guess the best thing to do is to disconnect it from the net and start snooping.
Good night....If you guys think of anything, let me know. I'll post the firewall logs if they haven't suffered the same fate as the system logs to see if there's anything you guys see that I miss.
It's kinda funny.....I built a honeypot for this kinda stuff, and it turns out I just wasted the $350.00 for the toy......I've been using one this whole time and didn't even know it.
-
January 30th, 2004, 07:15 AM
#20
What kind of router have you got?
Also, your firewall, if you have one on your PC, could be blocking the pings.