Thread: What Is This?????

    Question What Is This?????

    Hi everyone.....

    I will start off by stating that I'm using WinXP Home Edition and regular dial-up for internet access.

    Today, I was using the internet when I noticed the following connection/activity under netstat:

    TCP Unknown:microsoft-ds ESTABLISHED

    I was wondering if anyone could tell me what this is? Should I be concerned? More importantly, how can I correct this? This is the first time I've ever seen this occur on my computer before. I did a search for it, but couldn't find any info concerning it.

    I should also add that, since the time this happened, I have not seen this type of connection/activity again.

    Also, a friend of mine thinks that someone might have established a connection with SMB on my machine? I was also told it might have been some type of DoS attack?

    Much thanks in advance!

    Mar 2003
    Are you behind a firewall? If not, disconnect NOW

    Jan 2002
    Looks to me that someone may have mapped a drive to your machine. I would promptly disconnect from the Internet, as previously advised...

    There were so many fewer questions when the stars were still just the holes to heaven - JJ
    I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.

    Mar 2002
    South Florida
    Well, since you're on dial-up, do the following.

    Disconnect, then reconnect, and see if the connection is still there. If it is, then that means there is something on your computer causing the connection. When using dial-up your IP changes each time you connect to the internet (dynamic IP). So this means that the attacker would need to know which IP you're on at any given time.

    If you find that your computer is still establishing this connection, then get a trojan cleaner ( 's the cleaner works well), and see if you have any trojans on your box. Then get an updated virus program and run that just in case. If that doesn't help, then get a firewall and block that port completely. I'm sure by following these steps you may be able to narrow down exactly what is going on.

    good luck.
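    To make the "disconnect, reconnect, and see if the connection is still there" check concrete, here is an added Python example (not code from any poster in this thread) that parses netstat output, maps the service names netstat prints for the SMB ports (microsoft-ds, netbios-ssn) back to 445 and 139, lists the remote hosts holding an ESTABLISHED SMB session, and compares two snapshots taken before and after a reconnect. The netstat sample it runs on is constructed.

```python
import re

# Service names Windows netstat prints for the SMB ports; the line quoted in
# the original post ("TCP Unknown:microsoft-ds ESTABLISHED") uses the first one.
SMB_PORTS = {445: "microsoft-ds", 139: "netbios-ssn"}
SERVICE_TO_PORT = {name: port for port, name in SMB_PORTS.items()}

# Constructed sample of "netstat -an" output (not the poster's real output).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:445         198.51.100.7:3381      ESTABLISHED
  TCP    192.0.2.10:1045        203.0.113.5:80         ESTABLISHED
  TCP    Unknown:microsoft-ds   host.example:1173      ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# proto, local endpoint, foreign endpoint, optional state (UDP rows have none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)\s*$")


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); rpartition keeps IPv6 '[::]:445' intact
    and service names such as 'microsoft-ds' are resolved to their port number."""
    host, _, port = endpoint.rpartition(":")
    if port.isdigit():
        return host, int(port)
    return host, SERVICE_TO_PORT.get(port)


def smb_findings(netstat_text):
    """Return (proto, foreign_host, local_port, state) for every row on an SMB port."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank, or unrecognised row
        proto, local, foreign, state = m.groups()
        _, lport = split_endpoint(local)
        fhost, _ = split_endpoint(foreign)
        if lport in SMB_PORTS:
            findings.append((proto, fhost, lport, state))
    return findings


def established_smb_peers(netstat_text):
    """Remote hosts that currently hold an ESTABLISHED session to the local SMB service."""
    return sorted({f[1] for f in smb_findings(netstat_text) if f[3] == "ESTABLISHED"})


def persistent_smb_peers(before_text, after_text):
    """Peers still connected after a reconnect: the sign that something local keeps the session open."""
    return sorted(set(established_smb_peers(before_text)) & set(established_smb_peers(after_text)))
```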


    What's Up!

    My "snort" logs keep getting like 20-30 "ICMP PING ALERTS" from "wanadoo" domain too: here is the IP ADDRESS
    And a traceroute gives me:

    3 7.107 ms [AS226] Los Nettos origin AS
    4 9.232 ms [AS2914] Verio
    5 7.408 ms [AS2914] Verio
    6 14.004 ms [AS2914] Verio
    7 16.072 ms [AS2914] Verio
    8 15.053 ms [AS2914] Verio
    9 14.508 ms [AS2914] Verio
    10 23.804 ms [AS5511] Worldwide IP Backbone
    11 94.871 ms [AS5511] Worldwide IP Backbone
    12 170.930 ms [AS5511] Worldwide IP Backbone
    13 174.430 ms [AS3215] Domestic IP Backbone
    14 170.655 ms [AS3215] Domestic IP Backbone
    15 174.511 ms [AS3215] Domestic IP Backbone
    16 182.657 ms [AS3215] Domestic IP Backbone
    17 177.809 ms DNS error
    18 261.034 ms [AS3215] Domestic IP Backbone

    Oct 2002
    Maybe my mind has not completely disintegrated.... I recalled the Wanadoo name from a previous thread but a search didn't turn it up. With a bit more digging I found the thread here

    You might find some info in that thread that will convince you to firewall yourself if you aren't already.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

    Nov 2002
    Hi guys, maybe a Frenchy could be helpful.
    Wanadoo is a French ISP; it is owned by France-Telecom-Orange.
    I've heard there are massive hacking activities over here!

    abo. means personal computer
    => Maybe the attacker is stupid enough to use his own PC (a stupid kid)

    ADijon. means that the ISP switch is located in Bourgogne in Dijon city.

    Hope this will be harmless to your system
    SHARING KNOWLEDGE

    Aug 2001
    Like xmaddness said. Do a virus/trojan check, enable a firewall, and forget about it. Also, I'm pretty sure it wasn't a DoS attack - if it was, your dialup connection wouldn't have lasted long.
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

    Jan 2002
    Looks like you've been rooted, someone might be using your machine as a packet bot...a dial up doesn't really pack a punch so I don't think it's a ever...200 dial up connections can quickly kill off a fast connection...get a port blocker or a firewall and kill that port...I would also search your hard-drive for unknown files....try looking for mIRC type files...since packet bots are often commanded through mIRC, there was a thread not long ago that dealt with someone who got rooted, and it was from the same host area. If you don't want to install a firewall, then I suggest using foundstone can be config'd to block one or many ports, and alert you if a connection is made to them.....a dummy server would also work

    - Noia
    With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!:.
    And no one can remember the gentle features in the queen's face on that fair day / When the land here rested in holy peace and everyone had love to love with.

    Jul 2002
    I would also highly suggest right-clicking on 'My Computer', selecting Manage, and going to the 'Local Users and Groups > Users' area to check if there are any unusual accounts (besides administrator, your login name, guest, etc.) and delete any suspicious ones, and set passwords for BOTH the administrator and your account, since they are both administrative accounts and from what I know about XP are usually left un-passworded by default (BAD BAD BAD, you just gotta love m$ and their *ahem* security); otherwise, a hacker can just waltz straight into your computer and take over. I know of too many 2000/XP home users that leave their accounts un-passworded.
    -Those are my principles. If you don't like them, I have others.
    --Groucho Marx

