Page 1 of 2 12 LastLast
Results 1 to 10 of 16

Thread: What Is This?????

  1. #1

    Question What Is This?????

    Hi everyone.....

    I will start off by stating, that I'm using WinXP Home Edition and regular dial-up for internet access.

    Today, I was using the internet when I noticed the following connection/activity under netstat:

    TCP Unknown:microsoft-ds ADijon-xxx-x-xx-xxx.abo.wanadoo.fr:3069 ESTABLISHED


    I was wondering if anyone could tell me what this is? Should I be concerned? More importantly, how can I correct this? This is the first time I've ever seen this occur on my computer before. I did a search for it, but couldn't find any info concerning it.

    I should also add, that from the time that this happened, I have not yet seen this type of connection/activity again since then.

    Also, a friend of mine thinks that someone might have established a connection with SMB on my machine? I was also told it might have been some type of DoS attack?

    Much thanks in advance!

  2. #2
    Member
    Join Date
    Mar 2003
    Posts
    99
    Are you behind a firewall? If not, disconnect NOW

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    371
    Looks to me that someone may have mapped a drive to your machine. I would promptly disconnect of the Internet, as previously advised...
    SoggyBottom.

    [glowpurple]There were so many fewer questions when the stars where still just the holes to heaven - JJ[/glowpurple] [gloworange]I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool. [/gloworange]

  4. #4
    Webius Designerous Indiginous
    Join Date
    Mar 2002
    Location
    South Florida
    Posts
    1,123
    Well, since your on dial-up do the following.

    Disconnect, then reconnect, and see if the connection is still there. If it is, then that means there is something on your computer causing the connection. When using dial up your ip changes each time you connect to the internet (dynamic IP). So this means that the attacker would need to know which ip your on at any given time.

    If you find that your computer is still establishing this connection, then get a trojan cleaner (www.moosoft.com 's the cleaner works well), and see if you have any trojans on your box. Then get an updated virus program and run that just in case. If that doesn't help, then get a firewall and block that port completely. I'm sure by following these steps you may be able to narrow down exactly what is going on.

    good luck.

    xmaddness

  5. #5
    Whats Up!

    My "snort" logs keep getting like 20-30 "ICMP PING ALERTS" from "wanadoo" domain too: here is the IP ADDRESS
    80.14.15.166
    And a traceroute gives me:

    3 130.152.180.21 7.107 ms isi-1-lngw2-atm.ln.net [AS226] Los Nettos origin AS
    4 198.172.117.161 9.232 ms ge-2-3-0.a02.lsanca02.us.ra.verio.net [AS2914] Verio
    5 129.250.29.120 7.408 ms xe-1-0-0.r20.lsanca01.us.bb.verio.net [AS2914] Verio
    6 129.250.5.97 14.004 ms p16-1-1-2.r21.mlpsca01.us.bb.verio.net [AS2914] Verio
    7 129.250.4.2 16.072 ms p16-0-1-1.r20.plalca01.us.bb.verio.net [AS2914] Verio
    8 129.250.3.79 15.053 ms p16-0-0-0.r00.plalca01.us.bb.verio.net [AS2914] Verio
    9 129.250.9.134 14.508 ms p4-0.francetelecom.plalca01.us.bb.verio.net [AS2914] Verio
    10 193.251.242.93 23.804 ms P10-0.SJOCR1.San-jose.opentransit.net [AS5511] Worldwide IP Backbone
    11 193.251.242.1 94.871 ms P14-0.NYKCR2.New-york.opentransit.net [AS5511] Worldwide IP Backbone
    12 193.251.241.133 170.930 ms P4-0.PASCR1.Pastourelle.opentransit.net [AS5511] Worldwide IP Backbone
    13 193.251.126.53 174.430 ms P15-0.ntaub201.Aubervilliers.francetelecom.net [AS3215] Domestic IP Backbone
    14 193.252.161.54 170.655 ms P6-0.ntaub301.Aubervilliers.francetelecom.net [AS3215] Domestic IP Backbone
    15 193.251.126.173 174.511 ms P9-0.nrlil101.VilleneuveDAscq.francetelecom.net [AS3215] Domestic IP Backbone
    16 193.252.160.197 182.657 ms P6-0.nclil301.VilleneuveDAscq.francetelecom.net [AS3215] Domestic IP Backbone
    17 80.10.164.105 177.809 ms DNS error
    18 80.14.15.166 261.034 ms ALille-107-1-13-166.abo.wanadoo.fr [AS3215] Domestic IP Backbone


  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Maybe my mind has not completely disintegrated.... I recalled the Wanadoo name from a previous thread but a search didn't turn it up. With a bit more digging I found the thread here

    You might find some info in that thread that will convince you to firewall yourself if you aren't already.....<s>
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  7. #7
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    Hi guys maybe a frenchy could be helpful.
    Wannadoo is a french ISP it is owned by France-Telecom-Orange.
    I've heard there are massive hacking activities over here!

    abo. means personnal computer
    => Maybe the attacker is stupid enough to use its own PC (a stupid kid)

    ADijon. means that the ISP switch is located in Bourgogne in Dijon city.

    Hope this will be harmless to your system
    [shadow] SHARING KNOWLEDGE[/shadow]

  8. #8
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    Like xmaddness said. Do a virus/trojan check, enable a firewall, and forget about it. Also, I'm pretty sure it wasn't a DoS attack - if it was, your dialup connection wouldn't have lasted long.
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  9. #9
    Now, RFC Compliant! Noia's Avatar
    Join Date
    Jan 2002
    Posts
    1,210
    Looks like you'v been rooted, some one might be using you machine as a packet bot...a dial up doesn't really packa punch so I don't think it's a Server....how ever...200 dial up connections can quickly kill of a fast connection...get a port blocker or a firewall and kill that port...I would also search your hard-drive for unknown files....try looking for mIRC type files...since packet bot's are often commanded through mIRC, there was a thread not long ago that dealt with some one who got rooted, and it was from the same host area. if you don't want to install a firewall, then I suggest using foundstone attacker...it can be configd to block one or many ports, and alert you if a connection is made to them.....a dummy server would also work

    - Noia
    With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!:.
    Og ingen kan minnast dei linne drag i dronningas andlet den fagre dag Då landet her kvilte i heilag fred og alle hadde kjærleik å elske med.

  10. #10
    Member
    Join Date
    Jul 2002
    Posts
    41
    I would also highly suggest right-clicking on 'My Computer' and selecting Manage and goto the 'Local Users and Groups > Users' area and check if there are any unusual accounts (besides administrator, your login name, guest, etc. and delete any suspicious ones and set passwords for BOTH the administrator and your account since they are both administrative accounts and from what I know about XP are usually left un-passworded by default (BAD BAD BAD, you just gotta love m$ and their *ahem* security) otherwise, a hacker can just waltz straight into your computer and take over. I know of too many 2000/XP home users that leave their accounts un passworded.
    -Those are my principles. If you don\'t like them, I have others.
    --Groucho Marx

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •