Something odd is happening.

Printable View

January 30th, 2004, 04:26 AM
MemorY

Something odd is happening.

Ok this is creepy. look at this

netstat -an

Quote:

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1028 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1041 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1084 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1500 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1501 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1101 127.0.0.1:1458 TIME_WAIT
TCP 127.0.0.1:1101 127.0.0.1:1460 TIME_WAIT
TCP 127.0.0.1:1101 127.0.0.1:1462 TIME_WAIT
TCP 127.0.0.1:1101 127.0.0.1:1464 TIME_WAIT
TCP 127.0.0.1:1101 127.0.0.1:1474 TIME_WAIT
TCP 127.0.0.1:1101 127.0.0.1:1476 TIME_WAIT
TCP 127.0.0.1:1101 127.0.0.1:1480 TIME_WAIT
TCP 127.0.0.1:1101 127.0.0.1:1490 TIME_WAIT
TCP 127.0.0.1:1101 127.0.0.1:1492 TIME_WAIT
TCP 127.0.0.1:1101 127.0.0.1:1494 TIME_WAIT
TCP 127.0.0.1:1470 127.0.0.1:1101 TIME_WAIT
TCP 127.0.0.1:1478 127.0.0.1:1101 TIME_WAIT
TCP 127.0.0.1:1482 127.0.0.1:1101 TIME_WAIT
TCP 127.0.0.1:1484 127.0.0.1:1101 TIME_WAIT
TCP 127.0.0.1:1486 127.0.0.1:1101 TIME_WAIT
TCP 127.0.0.1:1488 127.0.0.1:1101 TIME_WAIT
TCP 127.0.0.1:11523 0.0.0.0:0 LISTENING
TCP 127.0.0.1:11523 127.0.0.1:1453 TIME_WAIT
TCP 127.0.0.1:11523 127.0.0.1:1459 TIME_WAIT
TCP 127.0.0.1:11523 127.0.0.1:1465 TIME_WAIT
TCP 127.0.0.1:11523 127.0.0.1:1495 TIME_WAIT
TCP 172.173.122.153:1035 0.0.0.0:0 LISTENING
TCP 172.173.122.153:1035 205.188.67.139:13784 ESTABLISHED
TCP 172.173.122.153:1041 64.12.24.228:5190 ESTABLISHED
TCP 172.173.122.153:1500 63.146.109.210:80 SYN_SENT
TCP 172.173.122.153:1501 63.146.109.210:80 SYN_SENT
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1043 *:*
UDP 0.0.0.0:1157 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1406 *:*
UDP 127.0.0.1:1438 *:*
UDP 172.173.122.153:123 *:*

the 0.0.0.0.0 are IE connections. I run antyports and it showed me that IE,AOL,lsaas, system and svchost is going through those. And: Pictures, banners, or simple small gif's wont display on websites, AIM won't connect,(Aim service can't be reached), and i can't download anything with DAP 7.0, it won't connect to the ftp server to download ad-aware. Im gonna go thourgh my CD's and see where i can find ad-aware, install it, run it and see what i get, i also am gonna do a virus scan. I currently don't have a firewall installed, so i can't tell you guys if anything specific has been connecting to my computer.I'll give an update when i run all the scans. I also looked at all my folders, registry, start-up, and task manager, nothin unusual is running, nothin unusual has been installed.
January 30th, 2004, 04:44 AM
D0pp139an93r

Hot damn that's a weird netstat. I would run one of those programs that shows connections and the program that opened it. You running any p2p stuff?
January 30th, 2004, 05:10 AM
Tedob1

check your hosts file
January 30th, 2004, 05:11 AM
Axeman

That looks almost like mine? And mine I just rebuilt.
January 30th, 2004, 05:12 AM
576869746568617

Wait a minute...1st entry...you said that all the 0.0.0.0 are IE connections, right?

Why the hell is IE listening on port 135 and 445?

just curious
January 30th, 2004, 05:21 AM
cheyenne1212

Mines kinda like that as well.

Quote:

_
Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:113 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1029 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2869 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3024 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3120 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3122 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4134 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4245 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1027 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1027 127.0.0.1:4134 ESTABLISHED
TCP 127.0.0.1:3001 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3002 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3003 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3012 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3120 127.0.0.1:1027 CLOSE_WAIT
TCP 127.0.0.1:3122 127.0.0.1:1027 CLOSE_WAIT
TCP 127.0.0.1:4134 127.0.0.1:1027 ESTABLISHED
TCP 192.168.0.1:139 0.0.0.0:0 LISTENING
TCP 192.168.0.1:1781 192.168.0.1:2869 TIME_WAIT
TCP 192.168.0.1:2869 192.168.0.1:30947 ESTABLISHED
TCP 192.168.0.1:24145 192.168.0.1:2869 TIME_WAIT
TCP 192.168.0.1:30947 0.0.0.0:0 LISTENING
TCP 192.168.0.1:30947 192.168.0.1:2869 ESTABLISHED
TCP 208.180.47.89:4135 207.46.106.133:1863 ESTABLISHED
TCP 208.180.47.89:4245 212.147.10.42:6667 ESTABLISHED
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1026 *:*
UDP 0.0.0.0:1028 *:*
UDP 0.0.0.0:3004 *:*
UDP 0.0.0.0:3010 *:*
UDP 0.0.0.0:3019 *:*
UDP 0.0.0.0:4141 *:*
UDP 0.0.0.0:4246 *:*
UDP 0.0.0.0:4247 *:*
UDP 0.0.0.0:6327 *:*
UDP 0.0.0.0:6459 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1900 *:*
UDP 127.0.0.1:2234 *:*
UDP 127.0.0.1:3005 *:*
UDP 127.0.0.1:3013 *:*
UDP 127.0.0.1:4913 *:*
UDP 192.168.0.1:53 *:*
UDP 192.168.0.1:67 *:*
UDP 192.168.0.1:68 *:*
UDP 192.168.0.1:123 *:*
UDP 192.168.0.1:137 *:*
UDP 192.168.0.1:138 *:*
UDP 192.168.0.1:1900 *:*
UDP 192.168.0.1:2234 *:*
UDP 192.168.0.1:24131 *:*
UDP 208.180.47.89:9 *:*
UDP 208.180.47.89:123 *:*
UDP 208.180.47.89:1900 *:*
UDP 208.180.47.89:2234 *:*
UDP 208.180.47.89:37890 *:*

C:\Documents and Settings\Matt>
January 30th, 2004, 05:25 AM
dublix

Here's mine:

Quote:

C:\Documents and Settings\(>netstat -an

Active Connections

Proto Local Address Foreign Address State
UDP 0.0.0.0:1025 *:*

I think some of you need to take a trip over to services.msc and 'cut the fat'. :D

.dublix
January 30th, 2004, 05:34 AM
576869746568617

Damn, cheyenne1212..135, 137,138, 139 and 445 open.....you do have a hardware firewall...right?

If not, give me your public IP :D I'll just use Matt's username.

Just Kidding
January 30th, 2004, 05:42 AM
MemorY

Quote:

Wait a minute...1st entry...you said that all the 0.0.0.0 are IE connections, right?

Some of them, i posted that some of them are from IE,AOL,lsaas, system and svchost.

It's all good now, though. I ran ad-aware, found 4 registry entries and 2 files. I deleted them and restarted. everything works fine now.
January 30th, 2004, 05:47 AM
MemorY

sorry for the dobule post but i had to attach a file. I ran antiy ports(program) again and now this is really weird. I'm only on one AIM screen name(no double AIM's running) and i only have on IE open but look at all those connections.
January 30th, 2004, 05:58 AM
cheyenne1212

Quote:

amn, cheyenne1212..135, 137,138, 139 and 445 open.....you do have a hardware firewall...right?

Those ports are open because I have a network. File sharing is disabled though on my net connection (dial up).

And yes I do have a firewall up. lol
January 30th, 2004, 06:05 AM
Axeman

OK I cut some of the fat, But. The first one is without Mozilla running and the second one is with it. You tell me what you think.

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3001 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3002 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3003 0.0.0.0:0 LISTENING
TCP 192.168.0.52:139 0.0.0.0:0 LISTENING
TCP 192.168.0.52:3006 0.0.0.0:0 LISTENING
TCP 192.168.0.52:3006 192.168.0.20:139 ESTABLISHED
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:3004 *:*
UDP 127.0.0.1:123 *:*
UDP 192.168.0.52:123 *:*
UDP 192.168.0.52:137 *:*
UDP 192.168.0.52:138 *:*

C:\Documents and Settings\>netstat -an

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3008 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3035 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3036 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3001 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3002 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3003 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3007 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3007 127.0.0.1:3008 ESTABLISHED
TCP 127.0.0.1:3008 127.0.0.1:3007 ESTABLISHED
TCP 192.168.0.52:139 0.0.0.0:0 LISTENING
TCP 192.168.0.52:3033 63.146.109.212:80 TIME_WAIT
TCP 192.168.0.52:3035 63.146.109.210:80 LAST_ACK
TCP 192.168.0.52:3036 63.146.109.210:80 LAST_ACK
TCP 192.168.0.52:3046 63.146.109.210:80 TIME_WAIT
TCP 192.168.0.52:3073 63.146.109.212:80 TIME_WAIT
TCP 192.168.0.52:3075 63.146.109.212:80 TIME_WAIT
TCP 192.168.0.52:3077 63.146.109.212:80 TIME_WAIT
TCP 192.168.0.52:3095 63.146.109.210:80 TIME_WAIT
TCP 192.168.0.52:3102 63.146.109.210:80 TIME_WAIT
TCP 192.168.0.52:3107 63.146.109.210:80 TIME_WAIT
TCP 192.168.0.52:3114 63.146.109.210:80 TIME_WAIT
TCP 192.168.0.52:3130 63.146.109.210:80 TIME_WAIT
TCP 192.168.0.52:3131 63.146.109.210:80 TIME_WAIT
TCP 192.168.0.52:3132 63.146.109.210:80 TIME_WAIT
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:3004 *:*
UDP 127.0.0.1:123 *:*
UDP 192.168.0.52:123 *:*
UDP 192.168.0.52:137 *:*
UDP 192.168.0.52:138 *:*
January 30th, 2004, 06:06 AM
576869746568617

No this is scary (really it is)

WTF?

I ran netstat -an just for the hell of it...here's what I get:
(I changed the prompt, but it is a WinXP box)

#netstat -an

Active Connections

Proto Local Address Foreign Address Status
TCP 67.30.50.XXX:3184 64.136.26.104:7000 Established

WTF?

#Ping 64.136.26.104

Pinging 64.136.26.104 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 64.136.26.104:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

DNS Servers are on same class B subnet as this mystery machine....

Not the DHCP server, would be no need for constant communications
Port number is wrong for DHCP.

ApogeeX?

You guys thinking what I'm thinking?
January 30th, 2004, 06:12 AM
Axeman

Funny I get the same thing, I am not becoming happy here.
January 30th, 2004, 06:13 AM
MemorY

Quote:

You tell me what you think.

well looks normal to me, when you ran mozilla all new connection are through port 80, normal http port.
January 30th, 2004, 06:42 AM
576869746568617

OK....I do netstat without the switches to see if the fqdn is listed:

accel94.lax.untd.com

whois turns this up:

untd.com is registered with NETWORK SOLUTIONS, INC. - redirecting to whois.networksolutions.com

Registrant:
United Online, Inc. (YCIWJTNJKD)
2555 Townsgate Rd.
WESTLAKE VILLAGE, CA 91361
US

Domain Name: UNTD.COM

Administrative Contact:
Hostmaster, United Online (3274437I) [email protected]
United Online, Inc.
2555 Townsgate Road
Westlake Village, CA 91361
US
805-418-2000 fax: 805-418-2002

Technical Contact:
Hostmaster, United Online ContactMiddleName (15716256I) [email protected]
United Online, Inc.
2555 Townsgate Road
Westlake Village, CA 91361
US
805-418-2000 fax: 805-418-2002

Record expires on 16-Dec-2004.
Record created on 16-Dec-1999.
Database last updated on 30-Jan-2004 00:40:38 EST.

Domain servers in listed order:

AUTHNS.LAX.UNTD.COM 64.136.28.21
AUTHNS.NYC.UNTD.COM 64.136.20.21
AUTHNS.WLV.UNTD.COM 64.136.16.21

Traceroute looks like this:

3 67.30.130.65 9.663 ms DNS error [AS3356] Level 3 Communications North America
4 209.244.27.165 9.071 ms so-6-0-0.mpls2.Tustin1.Level3.net [AS3356] Level 3 Communications North America
5 209.247.8.113 10.047 ms so-6-2-0.bbr2.LosAngeles1.Level3.net [AS3356] Level 3 Communications North America
6 209.247.10.206 8.700 ms so-9-0.core2.LosAngeles1.Level3.net [AS3356] Level 3 Communications North America
7 209.244.10.130 9.931 ms ge-4-0.ipcolo1.LosAngeles1.Level3.net [AS3356] Level 3 Communications North America
8 63.214.153.106 6.671 ms ge2-0.core1.lax.netzero.net [AS3356] Level 3 Communications North America
9 *

Tracert times out here...gonna try a BGP trace next.
January 30th, 2004, 06:50 AM
576869746568617

OK..I telnet in to Looking Glass
here's what I get.
route-views.oregon-ix.net>accel94.lax.untd.com
Translating "accel94.lax.untd.com"...domain server (128.233.32.35) [OK]
Trying accel94.lax.untd.com (64.136.26.104)...
% Connection timed out; remote host not responding

Any Ideas Yet?
January 30th, 2004, 07:01 AM
cheyenne1212

you behind a hardware firewall 57686974?

I run a Linksy Firewalled router on my DSL, and it blocks all ping replies. So whenever I try to ping a server I get a "request timed out" message.
January 30th, 2004, 07:10 AM
576869746568617

I am, but it's configured to allow ICMP type 0 both inbound and outbound to this PC, so pinging and tracert shouldnt be a problem. Of course, if the other system is behind a firewall that doesn't allow ICMP ping.....

That would explain why a ping using Border Gateway Protocol works (router to router) and a standard host to host ICMP ping does not!

Here's another strange twist...absolutely no log entries in the system security log...and I do mean none, not even from netlogon from when I logged in this afternoon. the log is NOT set to overwrite events....I export them weekly to floppy and archive them for analysis.

At this point, I'm thinking trojan, so I guess the best thing to do is to disconnect it from the net and start snooping.

Good night....If you guys think of anything, let me know. I'll post the firewall logs if they haven't suffered the same fate as the system logs to see if there's anything you guys see that I miss.

It's kinda funny.....I built a honeypot for this kinda stuff, and it turns out I just wasted the $350.00 for the toy......I've been using one this whole time and didn't even know it.
January 30th, 2004, 07:15 AM
cheyenne1212

What kind of router you got?

Also your firewall if you have one on your PC could be blocking the pings.
January 30th, 2004, 08:00 AM
PoSer

WTF
I looked at my netstat -an and now I feel some like all the work I've done to lock my system down is a waste. mine looks even worse than MemorYs'

Looks like it time to hunt me a trojan if I find it I will post what I get.
January 30th, 2004, 09:13 AM
PoSer

ok nothing unusual in thr registry
no processes running that should not be
nothing detected by nortan or spybot
logs are good
found an ip address that my firewall was allowing that should not have been there??wtf??
blocked it.
if it is a trojan it is hidden very well.
January 30th, 2004, 12:00 PM
ikalo

It could be very simple... is it a trojan caled MS Windows???

I'm at work now, but when I get home I'll check my box too...
January 30th, 2004, 02:20 PM
576869746568617

You guys are gonna laugh your ass off

OK, now I feel really stupid!......I figured out what's going on, after I slept on it last night.

Can you guess what it is? It uses an oddball port number. Come on... no takers? I'll give you a hint.......it routes packets...

Yep......IP proxy!
January 30th, 2004, 07:14 PM
PoSer

damn...smacks head with hand...wow i turned off my proxy server and everthing looked normal again. wow I feel dumb now.
January 30th, 2004, 07:27 PM
MemorY

I dont run a proxy server.
January 30th, 2004, 07:28 PM
MrLinus

Do you use something like Proximitron?
January 30th, 2004, 08:45 PM
576869746568617

Privoxy
January 30th, 2004, 09:02 PM
MemorY

Nope, no proxy at all. And right now the AO logo and some pictures won't display, yesterday everything was fine.
January 30th, 2004, 09:13 PM
MrLinus

What about your ISP having a web cache? (random thought on this).

What is running at the particular time of the initial netstat -na? Have you checked processes say using tlist?

I found this Developer Thread that seems to have similar characteristics. Maybe?
January 30th, 2004, 09:23 PM
Amplifiedgirl

Is it possible that someone could be connected to his computer and sneaking?
January 30th, 2004, 09:31 PM
MrLinus

Blind spoof?

Only one way to find out: fire up tcpdump
January 31st, 2004, 10:08 AM
ikalo

how about ICS?