I have like 5 or 6 (around there, changes all the time) IPs connected to me (I used "netstat") and I want to know if this is normal... And if not, what exactly can I do lol! I have a firewall and antivirus and they are on all the time.
Are you running any P2P applications, i.e. Kazaa, Morpheus?
You have any messenger services?
I too have some IPs connected to me all the time, but these are my loopback ones, 127.0.0.1, but on different ports.
A little more info would probably get you a more detailed answer....what OS are we dealing with? What kind of connection? The more you tell the more we can assess and assist.
It's useful to play around with 'nslookup' [preferably 'host' if you're running *nix] to see exactly what's the deal with them... but most likely, you have messaging/P2P apps connected. Any decent firewall should give you some information on what program launched those connections, info about the IPs etc.
What ports are they connecting on?
May sound like a stupid question, but do you have any applications open?
Like maybe 5 instances of Internet Explorer to 5 different web sites?
If not, you have a problem; otherwise don't panic, you're more than likely seeing connections that you initiated out to the Internet.
It would really be helpful if you could post a netstat... with your IP addy Xed out of course.
Best thing would be to provide us with more info. Some of the information you might want to provide would be...
1-any programs open?
2-OS used
3-the list of ip addresses if possible and the ports they are connected to
With this info, we might be able to provide you with a better answer rather than just guessing it.
Sorry I couldn't reply, I was away for a few days (out of town). I'll send you the netstat if (when) they connect. And no, I don't have any P2P networks open and I'm not running 5 different Internet Explorers :). I had my internet connection and AOL Instant Messenger running (with nobody direct connected) and that was all.
Here's my netstat (as close as I can get it because I can't copy/paste)
Proto Local Address Foreign Address State
TCP xxxxxxxxxxxx 207.46.107.16:1863 ESTABLISHED
TCP xxxxxxxxxxxx 64.12.25.153:5190 ESTABLISHED
TCP xxxxxxxxxxxx 64.12.24.105:5190 ESTABLISHED
TCP xxxxxxxxxxxx 205.188.6.218:5190 ESTABLISHED
TCP xxxxxxxxxxxx 205.188.4.112:5190 ESTABLISHED
I hope someone can give me more information :)
um, ctrl + enter to resize your command prompt window, at the top of the window there are the copy/paste buttons
heh =)
ctrl-enter does nothing...
207.46.107.16 = microsoft.com (auto-update?)
64.12.25.153 = AOL (not an account but an AOL server)
64.12.24.105 = another AOL server
205.188.6.218 another
205.188.4.112 and another
They're all AOL servers!
One is a proxy, another is DNS. One is probably for the buddy list, but they're all direct assignment IPs. None belong to members.
Port Number 5190
Quote:
aol 5190/tcp America-Online
aol 5190/udp America-Online
Port Number 1863
MSNP = Microsoft Instant Messaging Protocol
Quote:
msnp 1863/tcp MSNP
msnp 1863/udp MSNP
[edit]
Guess I posted too late. But these are what the ports are that you should on those IPs
What about 61.94.190.9?
And what the heck's epmap?
epmap
source
Quote:
Microsoft DCE Locator service aka. end-point mapper. It works like Sun RPC portmapper, except that end-points can also be named pipes. Microsoft relies upon DCE RPC to remotely manage services. Some services that use port 135 of end-point mapping are:
DHCP server
DNS server
WINS server
AKA NCS local location broker
http://www.iss.net/security_center/a...35/default.htm
5190 is AIM. Were you chatting with someone when you checked the netstat? If yes... how many?
I wasn't talking to anyone at the time... I got connections from some place called level3.net, what exactly is that? :confused:
You don't have to be chatting... it's a part of AOL; they keep looking to see if you're there. It's on as soon as you go online. It's nothing to worry about.
C:\>netstat
Active Connections
Proto Local Address Foreign Address State
TCP <my Computer>:1672 berp-cn19.dial.aol.com:13784 ESTABLISHED
TCP <my Computer>:1674 205.188.49.120:5190 ESTABLISHED
TCP <my Computer>:1834 cache02.ns.uu.net:domain ESTABLISHED
TCP <my Computer>:1838 cache02.ns.uu.net:domain ESTABLISHED
TCP <my Computer>:1842 cache02.ns.uu.net:domain ESTABLISHED
TCP <my Computer>:1844 cache02.ns.uu.net:domain ESTABLISHED
If you do the netstat without any flags you get names instead of IPs.
http://www.level3.com/
Go to http://samspade.org and download Sam Spade. It's free and will allow you to learn a lot.
If I remembered correctly, I had traces that led to that DNS. It was an OS fingerprinting attempt. I contacted them but had no help. Seemed like everyone there all had their heads up their asses. But it seemed to have worked, 'cause I didn't get any more attempts =) This might not be the case but I hope it helps.
Good luck
Level3 is one of the major ISPs
We here in NY city use it for a big financial company/online web trading...
+=+=+=+=+=+=+=+=+
What about 61.94.190.9?
And what the heck's epmap?
+=+=+=+=+=+=+=+=+=
Sorry, I didn't notice this before. This could be DNS or DHCP, or it could be someone trying to exploit the big new hole in MS's OS using the RPC exploit. Coming from APNIC (Asia Pacific network), the chances are good.
Have you been keeping up on all your patches? Install a firewall.
Do you get any messages that svchost has crashed, or does your computer reboot by itself?
I have antivirus, firewall and everything... I don't see any other way to protect myself (and Norton Internet Security better be good because it cost me $70!)
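
Added example, not part of the thread: a small Python triage of numeric `netstat -n` output along the lines the replies suggest, labelling each TCP connection by the port names quoted above (aol 5190, msnp 1863, epmap 135). The local address 192.0.2.10, the 203.0.113.x peers, the last two sample rows and the function names are constructed for illustration.

```python
# Port names as quoted in the thread; 53 is the "domain" port netstat shows by name.
KNOWN_PORTS = {5190: "aol", 1863: "msnp", 135: "epmap", 53: "domain"}

# Constructed sample in `netstat -n` layout. The first two foreign addresses
# appear in the thread; the local address and the last two rows are made up.
SAMPLE = """\
Proto  Local Address      Foreign Address      State
TCP    192.0.2.10:1672    207.46.107.16:1863   ESTABLISHED
TCP    192.0.2.10:1674    64.12.25.153:5190    ESTABLISHED
TCP    192.0.2.10:135     203.0.113.5:4021     ESTABLISHED
TCP    192.0.2.10:1702    203.0.113.9:31337    ESTABLISHED
"""

def split_endpoint(endpoint):
    """Split 'host:port'; the port is None when netstat printed a name."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def triage(netstat_text):
    """Return (foreign_host, local_port, foreign_port, verdict) per TCP row."""
    rows = []
    for line in netstat_text.splitlines():
        parts = line.split()
        # The header line and UDP rows (no State column) are skipped.
        if len(parts) != 4 or parts[0] != "TCP":
            continue
        _, local, foreign, _ = parts
        _, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        if lport is not None and lport < 1024:
            # A low local port means the peer connected to a service on this machine.
            name = KNOWN_PORTS.get(lport, "port %d" % lport)
            verdict = "remote peer on local %s: check patches and firewall" % name
        elif fport in KNOWN_PORTS:
            verdict = "outbound to %s service" % KNOWN_PORTS[fport]
        else:
            verdict = "unrecognised port: look up who owns %s" % fhost
        rows.append((fhost, lport, fport, verdict))
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print("%-16s local=%s foreign=%s  %s" % row)
```
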