Strange connections
Results 1 to 8 of 8

Thread: Strange connections

  1. #1
    Junior Member
    Join Date
    Jan 2004
    Posts
    20

    Strange connections

    My computer has been running slow lately. So I go to the command prompt and see what connections I have: I find a bunch of TCP connections to weird IPs which are changing every ten seconds or so:

    first: i get 12-217-246-149.client.mchsi.com:1804
    10 seconds later: mr-elansing-238-248.dmisinetworks.com:3740
    10 seconds later: dhcp1718.hrn.resnet.group.upenn.edu:3541
    10 seconds later: syru230-064.syr.edu:1399

    I have zone alarms installed and allow the following programs access to the internet:
    svcpack.exe
    spooler subsystem app
    mozilla
    aim (as both access and server)
    Generic Host Process for Win32 Services
    Adobe Reader 6.0

    I also have Norton Antivirus installed and have run a check. Is there anyway to find which program or process is using these ports?

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Ummm.. svcpack.exe might be a trojan. Might want to deny access out for that one and see if those connections die. Sophos has some info on it.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    client.mchsi.com:1804
    dmisinetworks.com
    hrn.resnet.group.upenn.edu
    syru230-064.syr.edu:
    I ran a google search on these, and even broke them down and researched them. They all came up blank.
    If it is not a trojan as MsMittens suggests, then I would get some spyware removale tools and start there.
    \"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!\"
    Author Unknown

  4. #4
    Junior Member
    Join Date
    Jan 2004
    Posts
    20
    I wouldn't think that spyware would cycle through different connections, my guess is a trojan. I do get a connection to mjxads.internet.com with no browsers open.

  5. #5
    Senior Member
    Join Date
    Aug 2003
    Posts
    185
    Originally posted here by newinnash
    I wouldn't think that spyware would cycle through different connections, my guess is a trojan. I do get a connection to mjxads.internet.com with no browsers open.
    ^^^^^ :P

    >> get pstools (sysinternals.com), fport (foundstone.com) and a commandline
    let fport map procs' IDs to the listenig ports
    something you do not know ??
    pskill #pid

    check with netstat -an for the unwanted connections
    if still there kill the next


    and for that mjxads.internet.com:
    i like the line:
    63.146.109.212 mjxads.internet.com
    in /etc/hosts


  6. #6
    Senior Member
    Join Date
    Dec 2003
    Posts
    137
    MsMittens is correct and check the link to remove it
    http://www.computing.net/security/ww...orum/7160.html
    Life is a shipwreck but we must not forget to sing in the lifeboats. ~Voltaire

  7. #7
    Senior Member
    Join Date
    Aug 2003
    Posts
    185
    better you do new install, 'cos yoou can't be shure that there aren't no more compromisations like new admins, or new services...
    it could be possible that your passwords ad been stolen.
    Industry Kills Music.

  8. #8
    Junior Member
    Join Date
    Jan 2004
    Posts
    20
    Yes svcpack.exe was a trojan, removed the registry key that loaded it. thanks.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •