Something odd is happening. - Page 2

Thread: Something odd is happening.

  1. #11
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    amn, cheyenne1212..135, 137, 138, 139 and 445 open.....you do have a hardware firewall...right?
    Those ports are open because I have a network. File sharing is disabled though on my net connection (dial up).

    And yes I do have a firewall up. lol

  2. #12
    Member
    Join Date
    Jan 2004
    Posts
    40
    OK, I cut some of the fat, but: the first one is without Mozilla running and the second one is with it. You tell me what you think.

    Active Connections

    Proto Local Address Foreign Address State
    TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:3001 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:3002 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:3003 0.0.0.0:0 LISTENING
    TCP 192.168.0.52:139 0.0.0.0:0 LISTENING
    TCP 192.168.0.52:3006 0.0.0.0:0 LISTENING
    TCP 192.168.0.52:3006 192.168.0.20:139 ESTABLISHED
    UDP 0.0.0.0:445 *:*
    UDP 0.0.0.0:500 *:*
    UDP 0.0.0.0:3004 *:*
    UDP 127.0.0.1:123 *:*
    UDP 192.168.0.52:123 *:*
    UDP 192.168.0.52:137 *:*
    UDP 192.168.0.52:138 *:*

    C:\Documents and Settings\>netstat -an

    Active Connections

    Proto Local Address Foreign Address State
    TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:3008 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:3035 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:3036 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:3001 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:3002 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:3003 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:3007 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:3007 127.0.0.1:3008 ESTABLISHED
    TCP 127.0.0.1:3008 127.0.0.1:3007 ESTABLISHED
    TCP 192.168.0.52:139 0.0.0.0:0 LISTENING
    TCP 192.168.0.52:3033 63.146.109.212:80 TIME_WAIT
    TCP 192.168.0.52:3035 63.146.109.210:80 LAST_ACK
    TCP 192.168.0.52:3036 63.146.109.210:80 LAST_ACK
    TCP 192.168.0.52:3046 63.146.109.210:80 TIME_WAIT
    TCP 192.168.0.52:3073 63.146.109.212:80 TIME_WAIT
    TCP 192.168.0.52:3075 63.146.109.212:80 TIME_WAIT
    TCP 192.168.0.52:3077 63.146.109.212:80 TIME_WAIT
    TCP 192.168.0.52:3095 63.146.109.210:80 TIME_WAIT
    TCP 192.168.0.52:3102 63.146.109.210:80 TIME_WAIT
    TCP 192.168.0.52:3107 63.146.109.210:80 TIME_WAIT
    TCP 192.168.0.52:3114 63.146.109.210:80 TIME_WAIT
    TCP 192.168.0.52:3130 63.146.109.210:80 TIME_WAIT
    TCP 192.168.0.52:3131 63.146.109.210:80 TIME_WAIT
    TCP 192.168.0.52:3132 63.146.109.210:80 TIME_WAIT
    UDP 0.0.0.0:445 *:*
    UDP 0.0.0.0:500 *:*
    UDP 0.0.0.0:3004 *:*
    UDP 127.0.0.1:123 *:*
    UDP 192.168.0.52:123 *:*
    UDP 192.168.0.52:137 *:*
    UDP 192.168.0.52:138 *:*
    I have 315 relays and 118 switches and have all the power of a calculator.

  3. #13
    576869746568617 (Yes, that's my CC number!)
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397

    No, this is scary (really it is)

    WTF?

    I ran netstat -an just for the hell of it...here's what I get:
    (I changed the prompt, but it is a WinXP box)

    #netstat -an

    Active Connections

    Proto Local Address Foreign Address Status
    TCP 67.30.50.XXX:3184 64.136.26.104:7000 Established

    WTF?

    #Ping 64.136.26.104

    Pinging 64.136.26.104 with 32 bytes of data:

    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 64.136.26.104:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    DNS servers are on the same class B subnet as this mystery machine....

    Not the DHCP server; there would be no need for constant communication.
    Port number is wrong for DHCP.

    ApogeeX?

    You guys thinking what I'm thinking?

  4. #14
    Member
    Join Date
    Jan 2004
    Posts
    40
    Funny, I get the same thing. I am not becoming happy here.

  5. #15
    Banned
    Join Date
    Apr 2003
    Posts
    3,840
    You tell me what you think.
    Well, looks normal to me; when you ran Mozilla all new connections are through port 80, the normal HTTP port.
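    A defender-side way to do the sorting that post #15 does by eye (browser sessions on port 80 versus something else) and that post #13 stumbled on (an ESTABLISHED session to an Internet host on port 7000), written as an added example that is not code from any poster in this thread. It parses the Windows `netstat -an` column layout shown above; the sample rows are constructed from the listings in this thread, and the set of "expected" client ports is an assumption.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed sample modelled on the Windows XP `netstat -an` output posted in this thread:
# a few rows of the second listing plus the external :7000 session from post #13.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3007         127.0.0.1:3008         ESTABLISHED
  TCP    192.168.0.52:139       0.0.0.0:0              LISTENING
  TCP    192.168.0.52:3006      192.168.0.20:139       ESTABLISHED
  TCP    192.168.0.52:3035      63.146.109.210:80      LAST_ACK
  TCP    192.168.0.52:3184      64.136.26.104:7000     ESTABLISHED
  UDP    192.168.0.52:137       *:*
"""
EXPECTED_CLIENT_PORTS = {80, 443}  # assumption: ordinary browser traffic, as post #15 argues

class Conn(NamedTuple):
    proto: str
    laddr: str
    lport: int
    raddr: str
    rport: Optional[int]   # None for the "*:*" foreign address of UDP rows
    state: str             # empty for UDP rows, which netstat prints without a state

def parse_netstat(text):
    # Only TCP/UDP rows carry data; the banner and header lines are skipped.
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        laddr, lport = parts[1].rsplit(":", 1)
        raddr, rport = parts[2].rsplit(":", 1)
        state = parts[3] if len(parts) > 3 else ""
        conns.append(Conn(parts[0], laddr, int(lport), raddr,
                          int(rport) if rport.isdigit() else None, state))
    return conns

def is_internet_addr(ip):
    try:
        a = ipaddress.ip_address(ip)
    except ValueError:          # "*" in UDP rows
        return False
    return not (a.is_private or a.is_loopback or a.is_unspecified)

def triage(conns):
    # Listeners reachable from the LAN or Internet (anything not bound to loopback),
    # and established sessions to Internet hosts on ports a browser would not use.
    exposed = [c for c in conns if c.state == "LISTENING" and c.laddr != "127.0.0.1"]
    suspect = [c for c in conns if c.state == "ESTABLISHED" and is_internet_addr(c.raddr)
               and c.rport not in EXPECTED_CLIENT_PORTS]
    return exposed, suspect
```

    On the sample, `triage(parse_netstat(SAMPLE))` reports the two non-loopback listeners (445 and 139) and the single session to 64.136.26.104:7000, which is the one worth chasing with reverse DNS and whois as the thread goes on to do.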

  6. #16
    576869746568617 (Yes, that's my CC number!)
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    OK....I do netstat without the switches to see if the FQDN is listed:

    accel94.lax.untd.com

    whois turns this up:

    untd.com is registered with NETWORK SOLUTIONS, INC. - redirecting to whois.networksolutions.com

    Registrant:
    United Online, Inc. (YCIWJTNJKD)
    2555 Townsgate Rd.
    WESTLAKE VILLAGE, CA 91361
    US

    Domain Name: UNTD.COM

    Administrative Contact:
    Hostmaster, United Online (3274437I) hostmaster@noc.untd.com
    United Online, Inc.
    2555 Townsgate Road
    Westlake Village, CA 91361
    US
    805-418-2000 fax: 805-418-2002

    Technical Contact:
    Hostmaster, United Online ContactMiddleName (15716256I) hostmaster@noc.untd.com
    United Online, Inc.
    2555 Townsgate Road
    Westlake Village, CA 91361
    US
    805-418-2000 fax: 805-418-2002

    Record expires on 16-Dec-2004.
    Record created on 16-Dec-1999.
    Database last updated on 30-Jan-2004 00:40:38 EST.

    Domain servers in listed order:

    AUTHNS.LAX.UNTD.COM 64.136.28.21
    AUTHNS.NYC.UNTD.COM 64.136.20.21
    AUTHNS.WLV.UNTD.COM 64.136.16.21


    Traceroute looks like this:

    3 67.30.130.65 9.663 ms DNS error [AS3356] Level 3 Communications North America
    4 209.244.27.165 9.071 ms so-6-0-0.mpls2.Tustin1.Level3.net [AS3356] Level 3 Communications North America
    5 209.247.8.113 10.047 ms so-6-2-0.bbr2.LosAngeles1.Level3.net [AS3356] Level 3 Communications North America
    6 209.247.10.206 8.700 ms so-9-0.core2.LosAngeles1.Level3.net [AS3356] Level 3 Communications North America
    7 209.244.10.130 9.931 ms ge-4-0.ipcolo1.LosAngeles1.Level3.net [AS3356] Level 3 Communications North America
    8 63.214.153.106 6.671 ms ge2-0.core1.lax.netzero.net [AS3356] Level 3 Communications North America
    9 *


    Tracert times out here...gonna try a BGP trace next.

  7. #17
    576869746568617 (Yes, that's my CC number!)
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    OK..I telnet into Looking Glass; here's what I get.
    route-views.oregon-ix.net>accel94.lax.untd.com
    Translating "accel94.lax.untd.com"...domain server (128.233.32.35) [OK]
    Trying accel94.lax.untd.com (64.136.26.104)...
    % Connection timed out; remote host not responding

    Any ideas yet?

  8. #18
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    You behind a hardware firewall, 57686974?

    I run a Linksys firewalled router on my DSL, and it blocks all ping replies. So whenever I try to ping a server I get a "request timed out" message.

  9. #19
    576869746568617 (Yes, that's my CC number!)
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    I am, but it's configured to allow ICMP type 0 both inbound and outbound to this PC, so pinging and tracert shouldn't be a problem. Of course, if the other system is behind a firewall that doesn't allow ICMP ping.....

    That would explain why a ping using Border Gateway Protocol works (router to router) and a standard host to host ICMP ping does not!

    Here's another strange twist...absolutely no log entries in the system security log...and I do mean none, not even from netlogon from when I logged in this afternoon. The log is NOT set to overwrite events....I export them weekly to floppy and archive them for analysis.

    At this point, I'm thinking trojan, so I guess the best thing to do is to disconnect it from the net and start snooping.

    Good night....If you guys think of anything, let me know. I'll post the firewall logs if they haven't suffered the same fate as the system logs to see if there's anything you guys see that I miss.

    It's kinda funny.....I built a honeypot for this kinda stuff, and it turns out I just wasted the $350.00 for the toy......I've been using one this whole time and didn't even know it.


  10. #20
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    What kind of router have you got?

    Also, your firewall, if you have one on your PC, could be blocking the pings.
