-
What Is This?????
Hi everyone.....
I will start off by stating that I'm using WinXP Home Edition and regular dial-up for internet access.
Today, I was using the internet when I noticed the following connection/activity under netstat:
TCP Unknown:microsoft-ds ADijon-xxx-x-xx-xxx.abo.wanadoo.fr:3069 ESTABLISHED
I was wondering if anyone could tell me what this is? Should I be concerned? More importantly, how can I correct this? This is the first time I've ever seen this occur on my computer before. I did a search for it, but couldn't find any info concerning it.
I should also add that, since the time this happened, I have not seen this type of connection/activity again.
Also, a friend of mine thinks that someone might have established a connection with SMB on my machine? I was also told it might have been some type of DoS attack? :confused:
Much thanks in advance!
-
Are you behind a firewall? If not, disconnect NOW
-
Looks to me that someone may have mapped a drive to your machine. I would promptly disconnect from the Internet, as previously advised...
-
Well, since you're on dial-up, do the following.
Disconnect, then reconnect, and see if the connection is still there. If it is, then that means there is something on your computer causing the connection. When using dial-up your IP changes each time you connect to the internet (dynamic IP). So this means that the attacker would need to know which IP you're on at any given time.
If you find that your computer is still establishing this connection, then get a trojan cleaner (The Cleaner from www.moosoft.com works well), and see if you have any trojans on your box. Then get an updated virus program and run that just in case. If that doesn't help, then get a firewall and block that port completely. I'm sure by following these steps you may be able to narrow down exactly what is going on.
good luck.
xmaddness
-
Whats Up!
My "snort" logs keep getting like 20-30 "ICMP PING ALERTS" from "wanadoo" domain too: here is the IP ADDRESS
80.14.15.166
And a traceroute gives me:
3 130.152.180.21 7.107 ms isi-1-lngw2-atm.ln.net [AS226] Los Nettos origin AS
4 198.172.117.161 9.232 ms ge-2-3-0.a02.lsanca02.us.ra.verio.net [AS2914] Verio
5 129.250.29.120 7.408 ms xe-1-0-0.r20.lsanca01.us.bb.verio.net [AS2914] Verio
6 129.250.5.97 14.004 ms p16-1-1-2.r21.mlpsca01.us.bb.verio.net [AS2914] Verio
7 129.250.4.2 16.072 ms p16-0-1-1.r20.plalca01.us.bb.verio.net [AS2914] Verio
8 129.250.3.79 15.053 ms p16-0-0-0.r00.plalca01.us.bb.verio.net [AS2914] Verio
9 129.250.9.134 14.508 ms p4-0.francetelecom.plalca01.us.bb.verio.net [AS2914] Verio
10 193.251.242.93 23.804 ms P10-0.SJOCR1.San-jose.opentransit.net [AS5511] Worldwide IP Backbone
11 193.251.242.1 94.871 ms P14-0.NYKCR2.New-york.opentransit.net [AS5511] Worldwide IP Backbone
12 193.251.241.133 170.930 ms P4-0.PASCR1.Pastourelle.opentransit.net [AS5511] Worldwide IP Backbone
13 193.251.126.53 174.430 ms P15-0.ntaub201.Aubervilliers.francetelecom.net [AS3215] Domestic IP Backbone
14 193.252.161.54 170.655 ms P6-0.ntaub301.Aubervilliers.francetelecom.net [AS3215] Domestic IP Backbone
15 193.251.126.173 174.511 ms P9-0.nrlil101.VilleneuveDAscq.francetelecom.net [AS3215] Domestic IP Backbone
16 193.252.160.197 182.657 ms P6-0.nclil301.VilleneuveDAscq.francetelecom.net [AS3215] Domestic IP Backbone
17 80.10.164.105 177.809 ms DNS error
18 80.14.15.166 261.034 ms ALille-107-1-13-166.abo.wanadoo.fr [AS3215] Domestic IP Backbone
-
Maybe my mind has not completely disintegrated.... I recalled the Wanadoo name from a previous thread but a search didn't turn it up. With a bit more digging I found the thread here
You might find some info in that thread that will convince you to firewall yourself if you aren't already.....
-
Hi guys, maybe a Frenchy could be helpful.
Wanadoo is a French ISP; it is owned by France-Telecom-Orange.
I've heard there are massive hacking activities over here!
abo. means personal computer
=> Maybe the attacker is stupid enough to use their own PC (a stupid kid)
ADijon. means that the ISP switch is located in Bourgogne, in Dijon city.
Hope this will be harmless to your system
-
Like xmaddness said. Do a virus/trojan check, enable a firewall, and forget about it. Also, I'm pretty sure it wasn't a DoS attack - if it was, your dialup connection wouldn't have lasted long.
-
Looks like you've been rooted, someone might be using your machine as a packet bot...a dial-up doesn't really pack a punch so I don't think it's a server....however...200 dial-up connections can quickly kill off a fast connection...get a port blocker or a firewall and kill that port...I would also search your hard drive for unknown files....try looking for mIRC type files...since packet bots are often commanded through mIRC. There was a thread not long ago that dealt with someone who got rooted, and it was from the same host area. If you don't want to install a firewall, then I suggest using Foundstone Attacker...it can be configured to block one or many ports, and alert you if a connection is made to them.....a dummy server would also work :)
- Noia
-
I would also highly suggest right-clicking on 'My Computer', selecting Manage, going to the 'Local Users and Groups > Users' area and checking if there are any unusual accounts (besides Administrator, your login name, Guest, etc.). Delete any suspicious ones and set passwords for BOTH the Administrator and your account, since they are both administrative accounts and, from what I know about XP, are usually left un-passworded by default (BAD BAD BAD, you just gotta love m$ and their *ahem* security); otherwise, a hacker can just waltz straight into your computer and take over. I know of too many 2000/XP home users that leave their accounts un-passworded.
-
Get your restore disks. Format and re-install. If you look you might catch a trojan; then again you might miss it. The fact of the matter is you don't know what has been done to your system. After you format and reinstall, get a firewall and listen to all the sound advice given above.
-
Much thanks to everyone, for your help and wisdom. I greatly appreciate it. :)
To answer some of your questions...
I disconnected/re-connected to the net, but I haven't seen that same connection yet. However, whenever I do a netstat -an /o, I get the following:
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 708
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 764
TCP 0.0.0.0:1028 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:1027 0.0.0.0:0 LISTENING 1612
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:500 *:* 496
UDP 0.0.0.0:1030 *:* 932
UDP 0.0.0.0:1035 *:* 932
UDP 127.0.0.1:1029 *:* 876
I don't know if the above is normal for an XP machine or not(?).
I also did a comprehensive virus scan (with current definitions/updates), and manual search for unusual files, but yielded no results.
I also checked for any unusual accounts, and found nothing. Guest and Admin accounts are also password protected. All of my other security settings are properly configured too (as far as I know)...such as restricted anonymous logins, restricted SAM access, etc, etc...
I also don't use any p2p or download/use any weird progs from the net or anywhere else.
I'm thinking of just taking Tedob1's advice, but it sure would be nice if I didn't have to resort to that.
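The two netstat listings in this thread (the ESTABLISHED connection to microsoft-ds in the first post, and the `netstat -an /o` output above) can be triaged mechanically. The script below is an added example written for this thread; it is not from any poster. It assumes only the two line shapes shown in the thread (name-resolved `host:service` endpoints and numeric `host:port` endpoints, with an optional PID column), and the service-name-to-port mapping comes from the well-known port list. The sample input is constructed from the lines posted here. Anything bound to 0.0.0.0 on a file-sharing or RPC port is flagged as reachable from the Internet unless filtered, and any remote host with an ESTABLISHED session on one of those ports is flagged as the highest-priority item.

```python
"""Triage helper for Windows netstat output: flag SMB/NetBIOS/RPC exposure.

Added example for the thread above, not code from any poster. Assumes the
line formats shown in the thread; service names are resolved using the
well-known port assignments below.
"""

# Service names that netstat prints when run without -n, mapped to ports
# (well-known port assignments).
SERVICE_PORTS = {
    "epmap": 135,
    "netbios-ns": 137,
    "netbios-dgm": 138,
    "netbios-ssn": 139,
    "microsoft-ds": 445,
}

# Ports behind Windows file sharing and RPC. A home dial-up machine has no
# reason to accept these from the Internet at all.
SMB_RPC_PORTS = {135, 137, 138, 139, 445}

# Addresses that never denote a remote peer.
LOCAL_HOSTS = {"0.0.0.0", "127.0.0.1", "*", "localhost"}


def parse_endpoint(endpoint):
    """Split 'host:port' into (host, port). Port is an int, or None for '*'
    or an unknown service name; service names are resolved via SERVICE_PORTS."""
    host, _, port = endpoint.rpartition(":")
    if port.isdigit():
        return host, int(port)
    if port == "*":
        return host, None
    return host, SERVICE_PORTS.get(port.lower())


def parse_netstat(text):
    """Parse TCP/UDP rows of netstat output into dicts; header lines are skipped.

    TCP rows: TCP <local> <foreign> <state> [pid]
    UDP rows: UDP <local> <foreign> [pid]
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lhost, lport = parse_endpoint(parts[1])
        rhost, rport = parse_endpoint(parts[2])
        state, pid = "", None
        rest = parts[3:]
        if parts[0] == "TCP" and rest and not rest[0].isdigit():
            state = rest.pop(0)          # e.g. LISTENING, ESTABLISHED
        if rest and rest[0].isdigit():
            pid = int(rest[0])           # present only with the -o switch
        rows.append({"proto": parts[0], "lhost": lhost, "lport": lport,
                     "rhost": rhost, "rport": rport, "state": state, "pid": pid})
    return rows


def triage(text):
    """Return a list of (severity, message) findings for the given netstat text."""
    findings = []
    for r in parse_netstat(text):
        if r["lport"] not in SMB_RPC_PORTS:
            continue                     # only file-sharing / RPC ports matter here
        if r["state"] == "ESTABLISHED" and r["rhost"] not in LOCAL_HOSTS:
            findings.append(("HIGH",
                f"{r['rhost']}:{r['rport']} has a session on local port "
                f"{r['lport']} (file sharing/RPC); identify the process and "
                f"block the port at the firewall"))
        elif r["lhost"] in ("0.0.0.0", "*") and (
                r["state"] == "LISTENING" or r["proto"] == "UDP"):
            findings.append(("MEDIUM",
                f"{r['proto']} port {r['lport']} listens on all interfaces "
                f"(PID {r['pid']}); reachable from the Internet unless filtered"))
    return findings


# Constructed sample built from the lines posted in this thread.
SAMPLE = """\
Proto Local Address Foreign Address State PID
TCP Unknown:microsoft-ds ADijon-xxx-x-xx-xxx.abo.wanadoo.fr:3069 ESTABLISHED
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 708
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 764
TCP 127.0.0.1:1027 0.0.0.0:0 LISTENING 1612
UDP 0.0.0.0:445 *:* 4
UDP 127.0.0.1:1029 *:* 876
"""

if __name__ == "__main__":
    for severity, message in triage(SAMPLE):
        print(f"[{severity}] {message}")
```

On the sample this reports one HIGH finding (the wanadoo.fr host attached to port 445) and three MEDIUM ones (TCP 135, TCP 445 and UDP 445 bound to every interface). Ports 1025 and up are ephemeral or loopback-only and are left alone; the 127.0.0.1 listeners cannot be reached from the network.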
-
Man, you are so right, MS has a lot to answer for. Without a password your system can be networked by anyone, not just a hacker, or worse still, remote desktop connections. MS should advise all its customers to protect themselves with a strong password. And do not forget the MS motto, "F**K the customer."
-
I have noticed that you still have your Guest account. Why is that? If you don't need it, why don't you delete it?
-
I wasn't aware that it's possible to delete the Guest account. How do you delete it?
Also, I want the Admin account to remain password protected...but I don't want to be prompted for a password each time I start up my computer. Is there a way to get around this?
Thanks! :)
-
You can't delete the Guest account, you just turn it off. :)