Thread: Strange Connections Part II

  1. #1 Junior Member (Join Date: Jan 2004, Posts: 20)

    Strange Connections Part II

    Hello,

    I have been using netstat fairly frequently because I had a trojan (svchost.exe) on my machine a week ago, and I check whether there are any backdoors, crap, etc. Nothing shows up other than HTTP connections, but the strangest thing is two connections to the localhost (me) on two consecutive ports (usually 1035, 1036). When I first log in these two connections are always there; sometimes they switch IPs (4451, 4450). I ran fport and could not find any processes attached to these ports. What is opening the connection?

    edit: ran netstat -ao and found the PID to be Mozilla's. Why is it creating a connection to me?

  2. #2 MrLinus, Just a Virtualized Geek (Join Date: Sep 2001, Location: Redondo Beach, CA, Posts: 7,323)
    If the PID (Process ID) is Mozilla, then wouldn't that indicate you are running the Netscape/Mozilla browser? Sounds like it might be the ports the browser is using?

  3. #3 576869746568617, "Yes, that's my CC number!" (Join Date: Dec 2003, Location: Earth, Posts: 397)
    newinnash, svchost.exe is not a trojan; that is the service host process that allows processes to load from .dll libraries. It's a Windows system process. Now if what you meant was svchosts.exe or scvhost.exe, then yes, these are trojans.

    svchosts.exe and scvhost.exe are the backdoor.sdbot trojan, and it listens for connections on 6667 (IRC).

    Hope that clears that up. As for the ports, look at the entries for your loopback IP (127.0.0.1).
    There should be several ports used by your browser that loop to your IP address on those ports. Mozilla (Internet Explorer) is most likely making the connections automatically via loopback. Remember that IE is integrated into the shell; therefore it will do this even if a browser window is not active.

    BTW, IE is based on Mosaic (developed by NCSA and licensed by Netscape, which was later renamed Navigator), as was Mozilla. Therefore you will see similar port loopback behavior with any Netscape, Mozilla, or IE version, as they all share Mosaic as a common ancestor.


  4. #4 Junior Member (Join Date: Jan 2004, Posts: 20)
    Thanks, I was confused because those connections had never appeared while I was running IE. Much thanks. The trojan I had was named svchost.exe. I know there are legitimate processes with the same name run under SYSTEM, but this one was run under my user name and tried to connect to the internet as a server and a client. I removed it, and its evil registry key.

  5. #5
    hey,

    how do you cross-reference a PID to an application's name?

  6. #6 Junior Member (Join Date: Feb 2004, Posts: 4)
    Tempest: You can use fport to identify PIDs and the apps that own them

    http://www.foundstone.com/index.htm?...desc/fport.htm

  7. #7
    hey,

    thanks a lot! That's great

  8. #8
    Junior Member
    Join Date
    Jan 2004
    Posts
    20
    Another way is to execute netstat -ao and cross-reference the PIDs with the ones in your Task Manager
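Posts #6 and #8 describe the same cross-reference (fport, or netstat -ao checked against Task Manager), and post #3 names port 6667 as the sdbot listener. The block below is an added example, not code from anyone in this thread: it parses constructed `netstat -ao` and `tasklist /FO CSV` output, attaches an image name to every socket, picks out a loopback port pair like the 1035/1036 pair the original poster asked about, and reports anything listening on a given port. The sample rows, PIDs and image names are made up for illustration and are not from the poster's machine.

```python
"""Cross-reference `netstat -ao` with `tasklist /FO CSV` to name the process
behind each socket and to flag loopback pairs and suspicious listeners.

Added example; the two samples below are constructed, not real captures."""
import csv
import io
from dataclasses import dataclass

# Constructed sample of `netstat -ao` on Windows XP (note the PID column).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    127.0.0.1:1035         127.0.0.1:1036         ESTABLISHED     1724
  TCP    127.0.0.1:1036         127.0.0.1:1035         ESTABLISHED     1724
  TCP    192.168.1.5:1040       64.233.161.99:80       ESTABLISHED     1724
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       2210
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /FO CSV` (hypothetical PIDs and names).
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","216 K"
"svchost.exe","948","Console","0","4,532 K"
"mozilla.exe","1724","Console","0","31,204 K"
"svchost.exe","2210","Console","0","1,980 K"
"""


@dataclass(frozen=True)
class Socket:
    proto: str
    local: str
    remote: str
    state: str
    pid: int


def parse_netstat(text):
    """Parse the table rows of `netstat -ao`. UDP rows carry no State column,
    so the PID is always taken from the last field rather than a fixed index."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, blank line, or column header
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) == 5 else ""
        sockets.append(Socket(proto, local, remote, state, int(parts[-1])))
    return sockets


def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /FO CSV` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def name_sockets(sockets, pid_names):
    """Pair each socket with its image name. A PID missing from the task list
    is reported explicitly: a socket with no visible owner is what you want
    to notice, not what you want dropped."""
    return [(s, pid_names.get(s.pid, "<unknown pid>")) for s in sockets]


def loopback_pairs(sockets):
    """Group ESTABLISHED TCP sockets whose both ends are 127.x into port pairs
    (A:p1 -> A:p2 and A:p2 -> A:p1 land in the same bucket).
    Returns {(low_port, high_port): set of owning PIDs}; a pair owned by a
    single PID is a process talking to itself, as the browser does here."""
    pairs = {}
    for s in sockets:
        if s.proto != "TCP" or s.state != "ESTABLISHED":
            continue
        if not (s.local.startswith("127.") and s.remote.startswith("127.")):
            continue
        lp = int(s.local.rsplit(":", 1)[1])
        rp = int(s.remote.rsplit(":", 1)[1])
        pairs.setdefault((min(lp, rp), max(lp, rp)), set()).add(s.pid)
    return pairs


def listening_on(sockets, port):
    """Sorted PIDs with a TCP listener on `port` (e.g. 6667 from post #3)."""
    return sorted(s.pid for s in sockets
                  if s.proto == "TCP" and s.state == "LISTENING"
                  and s.local.endswith(f":{port}"))


if __name__ == "__main__":
    socks = parse_netstat(NETSTAT_SAMPLE)
    names = parse_tasklist_csv(TASKLIST_SAMPLE)
    for s, name in name_sockets(socks, names):
        print(f"{s.proto:4} {s.local:22} {s.remote:22} {s.state:12} {s.pid:5} {name}")
    for (p1, p2), pids in loopback_pairs(socks).items():
        owners = ", ".join(names.get(p, "?") for p in sorted(pids))
        print(f"loopback pair {p1}<->{p2} owned by PID(s) {sorted(pids)} ({owners})")
    for pid in listening_on(socks, 6667):
        print(f"PID {pid} ({names.get(pid, '?')}) is listening on TCP 6667")
```

On a real box the two samples come from `netstat -ao > ns.txt` and `tasklist /FO CSV > tl.csv`; the join is the same. The image name alone does not settle anything (the poster's trojan was also called svchost.exe), so check the owning user and the file path of any PID that shows up listening or talking to the outside.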
