February 18th, 2004, 06:38 AM
Strange Connections Part II
I have been using netstat fairly frequently because I had a trojan (svchost.exe) on my machine a week ago and check if there are any backdoors, crap, etc. Nothing shows up other than http connections but the strangest things are two connections to the localhost (me) on two consecutive ports (usually 1035, 1036). When I first log in these two connections are always there, sometimes they switch IPs (4451, 4450). I ran fport and could not find any processes attached to these ports. What is opening the connection?
Edit: ran netstat -ao and found the PID to be Mozilla's, why is it creating a connection to me?
February 18th, 2004, 12:06 PM
If the PID (Process ID) is Mozilla, then wouldn't that indicate you are running Netscape/Mozilla browser? Sounds like it might be the ports the browser is using?
February 18th, 2004, 02:20 PM
newinnash, svchost.exe is not a trojan, that is the service host process that allows processes to load from .dll libraries. It's a Windows system process. Now if what you meant was svchosts.exe or scvhost.exe, then yes, these are trojans.
svchosts.exe and scvhost.exe are the backdoor.sdbot trojan and it listens for connections on 6667 (IRC).
Hope that clears that up. As for the ports, look at the entries for your loopback IP (127.0.0.1)
There should be several ports used by your browser that loop to your IP address on those ports. Mozilla (Internet Explorer) is most likely making the connections automatically via loopback. Remember that IE is integrated into the shell, therefore it will do this even if a browser window is not active.
BTW, IE is based on Mosaic (Developed by NCSA and licensed by Netscape, which was later renamed Navigator), as was Mozilla. Therefore you will see similar port loopback behavior with any Netscape, Mozilla, or IE version, as they all share Mosaic as a common ancestor.
Windows 9x: n.
A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can't stand 1 bit of competition.
February 18th, 2004, 07:41 PM
Thanks, I was confused because those connections had never appeared while I was running IE. Much thanks. The trojan I had was named svchost.exe, I know there are legitimate processes with the same name run under SYSTEM, but this one was run under my user name and tried to connect to the internet as a server and a client. I removed it, and its evil registry key.
February 18th, 2004, 08:09 PM
How do you cross a PID to an application's name?
February 18th, 2004, 08:20 PM
Tempest: You can use fport to identify PIDs and apps that own them.
February 18th, 2004, 08:39 PM
Thanks a lot! That's great.
February 18th, 2004, 09:09 PM
Another way is to execute netstat -ao and cross-reference the PIDs with the ones in your task manager.
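The PID cross-reference described in the replies above, as an added example that is not part of the original thread: it joins netstat output to a process list and reports loopback connection pairs such as the 1035/1036 one from the first post. It assumes text saved from `netstat -ano` and `tasklist /fo csv /nh`; the sample data, PIDs and function names are constructed for illustration.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    127.0.0.1:1035         127.0.0.1:1036         ESTABLISHED     1820
  TCP    127.0.0.1:1036         127.0.0.1:1035         ESTABLISHED     1820
  TCP    192.168.1.10:1041      203.0.113.5:80         ESTABLISHED     1820
"""

# Constructed sample of `tasklist /fo csv /nh` output.
TASKLIST = '''\
"svchost.exe","884","Console","0","3,100 K"
"mozilla.exe","1820","Console","0","24,312 K"
'''

def parse_netstat(text):
    """Return TCP rows as dicts; header, UDP and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP" or not f[4].isdigit():
            continue
        lhost, _, lport = f[1].rpartition(":")
        rhost, _, rport = f[2].rpartition(":")
        rows.append({"local": (lhost, int(lport)), "remote": (rhost, int(rport)),
                     "state": f[3], "pid": int(f[4])})
    return rows

def parse_tasklist(text):
    """Map PID -> image name from CSV-formatted tasklist output."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(text))
            if len(r) >= 2 and r[1].isdigit()}

def loopback_pairs(rows, names):
    """Report each 127.0.0.1 connection whose two ends both appear in the table."""
    index = {(r["local"], r["remote"]): r for r in rows if r["state"] == "ESTABLISHED"}
    seen, out = set(), []
    for (local, remote), r in index.items():
        peer = index.get((remote, local))  # the same connection seen from the other end
        if local[0] != "127.0.0.1" or peer is None or local[1] in seen:
            continue
        seen.update((local[1], remote[1]))
        out.append({"ports": tuple(sorted((local[1], remote[1]))),
                    "owners": sorted({names.get(r["pid"], "?"), names.get(peer["pid"], "?")}),
                    "same_process": r["pid"] == peer["pid"]})
    return out
```

Calling `loopback_pairs(parse_netstat(NETSTAT), parse_tasklist(TASKLIST))` on the sample reports one pair on ports 1035/1036 with both ends owned by the same PID; an owner of `"?"` means a PID that is missing from the process list and is worth a closer look.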