
Thread: questionable IP on log files...

  1. #11
    Senior Member
    Join Date
    Jan 2002
    Posts
    371
    FYI,

    The domain lookup I used can be found here:

    http://www.alertsite.com/

    I asked the FTP question because, although FTP does use port 21 to CONNECT, data is not transferred on this port (it used ports >1024 for data), and depending on whether it is Active or Passive FTP, will determine the direction of these high ports.

    What a screwed up protocol!!!

    You can read about it here:

    http://www.slacksite.com/other/ftp.html
    SoggyBottom.

    There were so many fewer questions when the stars were still just the holes to heaven - JJ. I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.

  2. #12
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    Good link Soggy Bottom.

    I asked the FTP question because, although FTP does use port 21 to CONNECT, data is not transferred on this port (it used ports >1024 for data), and depending on whether it is Active or Passive FTP, will determine the direction of these high ports.
    Here, I think you may also mean that in Active FTP, port 20 is used for Data - as specified by your link. Passive uses the ports greater than 1024. At least, I think that's part of what you meant. I just didn't read it that way.
    Opinions are like holes - everybody's got 'em.

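    The active/passive point made in the two posts above can be checked directly against the FTP control channel: the client's PORT command and the server's 227 reply both carry an address as h1,h2,h3,h4,p1,p2, and decoding them tells you which side opens the data connection and what a client-side firewall has to permit. The following is an added example written for this thread, not code from any poster; the IP addresses in the test values are constructed.

```python
import re

# Added example (not from the thread): decode the two FTP control-channel
# messages that decide who opens the data connection and on which port.
PORT_ARG_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def decode_host_port(arg):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply.

    Returns (ip, port); the port is p1 * 256 + p2.
    """
    m = PORT_ARG_RE.search(arg)
    if not m:
        raise ValueError("malformed host/port argument: %r" % (arg,))
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in: %r" % (arg,))
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def data_channel(mode, client_ip, server_ip, control_line):
    """Describe the TCP data connection implied by one control-channel line.

    mode is "active" (client sent PORT) or "passive" (server answered 227).
    Returns who initiates, the (ip, port) of each end (None for an ephemeral
    port the control channel does not reveal) and the client-side firewall
    rule that the data connection needs.
    """
    if mode == "active":
        # PORT h1,h2,h3,h4,p1,p2: the client listens on that high port and
        # the server connects to it from its data port 20.
        ip, port = decode_host_port(control_line)
        return {
            "initiator": "server",
            "src": (server_ip, 20),
            "dst": (ip, port),
            "client_firewall_must_allow":
                "inbound to %s:%d from %s:20" % (ip, port, server_ip),
        }
    if mode == "passive":
        # 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2): the server listens
        # on a high port and the client connects to it from an ephemeral port.
        if not control_line.startswith("227"):
            raise ValueError("expected a 227 reply, got: %r" % (control_line,))
        ip, port = decode_host_port(control_line)
        return {
            "initiator": "client",
            "src": (client_ip, None),
            "dst": (ip, port),
            "client_firewall_must_allow":
                "outbound from %s to %s:%d" % (client_ip, ip, port),
        }
    raise ValueError("mode must be 'active' or 'passive'")


if __name__ == "__main__":
    # Constructed addresses; 4,42 encodes port 4*256+42 = 1066.
    print(data_channel("active", "192.168.1.5", "209.54.0.2",
                       "192,168,1,5,4,42"))
    print(data_channel("passive", "192.168.1.5", "209.54.0.2",
                       "227 Entering Passive Mode (209,54,0,2,4,43)"))
```

    Run it and the two dictionaries show the asymmetry that trips up firewalls: in active mode the server comes back inbound from port 20 to a high port on the client, so a client-side firewall that only allows outbound connections breaks the transfer; in passive mode every connection the client makes is outbound, just to a high port instead of 21.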

  3. #13
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,886
    Who is your ISP? Sometimes you will see inbound traffic from your provider. Also, what are the source and destination ports?
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #14
    Junior Member
    Join Date
    Oct 2002
    Posts
    20
    phite, if it is a trojan you can notify the ISP at [email protected]

  5. #15
    Junior Member
    Join Date
    Feb 2003
    Posts
    15
    Thanks for all the responses, guys. As I look more and more at my log files, I see more stuff that looks questionable and piques my interest. Also, lately I have found some very unusual traffic that will have to be looked into. I think with all the good links you guys have provided, I should be able to do the research.

    Something unusual happened yesterday though: I saw a whole bunch of traffic outbound from my computer going to a few different IP addresses but on ports that kept going up (i.e. outbound to 66.94.xx.xxx on port 1066, then outbound to 209.54.xxx.xxx on port 1067, etc.). My Link Logger was going nuts with all the traffic, so I did a netstat and an fport to find out what was going on. I had a whole bunch of 1000-number ports open ("established"), like 12 or 15 open ports in total, not including the "listening" ones (I had already closed all IM programs and anything else that would open a port). At this point I got a bit nervous and hit the ZoneAlarm "stop all internet traffic". I gave it a minute and did a netstat again and still had maybe 5 ports open. I ran netstat to see who these destination IPs belonged to, and I saw "gamespy" quite a bit; for those of you that don't know, gamespy is a program that many online games use to connect to their game servers and keep track of online players. I have used them in the past, but when I upgraded to 2000 Pro I deleted the gamespy directory. When I ran an fport to see which program had these ports open, I saw "PC-cillin", which is my antivirus software. I have run "the cleaner" and it did not locate any trojans.

    Anyway, the main question here is how can I have ports open (in the "established" mode), after I told zonealarm to shut down all traffic?
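    The post above does by hand what is worth scripting: take the `netstat -an` listing, keep only the ESTABLISHED rows, and join each one to the process that fport says owns the local port. This is an added example written for this thread, not code from any poster. Both sample listings are constructed to look like Windows 2000 `netstat -an` and fport output; the addresses, PIDs, process names and paths are invented, and the column layout of real fport output may differ slightly from what the regex expects.

```python
import re
from collections import Counter

# Constructed sample of `netstat -an` output (Windows 2000 style); the
# addresses are invented for this example.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1066       66.94.0.1:6500         ESTABLISHED
  TCP    192.168.1.5:1067       209.54.0.2:6500        ESTABLISHED
  TCP    192.168.1.5:1068       209.54.0.2:80          TIME_WAIT
  TCP    192.168.1.5:1069       66.94.0.1:6500         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed sample in the shape of fport's "Pid Process Port Proto Path"
# listing; PIDs, process names and paths are invented.
FPORT_SAMPLE = """\
Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  445   TCP
1204  pccillin       ->  1066  TCP   C:\\Program Files\\AV\\pccillin.exe
1204  pccillin       ->  1067  TCP   C:\\Program Files\\AV\\pccillin.exe
1204  pccillin       ->  1069  TCP   C:\\Program Files\\AV\\pccillin.exe
"""

NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S*)\s*$")
FPORT_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")


def _port(text):
    """'1066' -> 1066; '*' (UDP wildcard) -> None."""
    return int(text) if text.isdigit() else None


def parse_netstat(text):
    """Return one dict per connection line of `netstat -an`; headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        rows.append({"proto": proto, "laddr": laddr, "lport": _port(lport),
                     "raddr": raddr, "rport": _port(rport), "state": state})
    return rows


def parse_fport(text):
    """Map (proto, local port) -> owning process, from fport-style output."""
    owners = {}
    for line in text.splitlines():
        m = FPORT_RE.match(line)
        if not m:
            continue
        pid, process, port, proto, path = m.groups()
        owners[(proto, int(port))] = {"pid": int(pid), "process": process,
                                      "path": path}
    return owners


def established_with_owner(conns, owners, ephemeral_min=1024):
    """Join ESTABLISHED sessions to their owning process by local port.

    Sessions on ephemeral local ports (>= ephemeral_min) are the outbound
    ones the thread asks about. A session that no process claims is
    reported with process None; that mismatch deserves a closer look.
    """
    out = []
    for c in conns:
        if c["state"] != "ESTABLISHED":
            continue
        owner = owners.get((c["proto"], c["lport"]))
        out.append({
            "raddr": c["raddr"],
            "remote": "%s:%s" % (c["raddr"], c["rport"]),
            "lport": c["lport"],
            "outbound_ephemeral": c["lport"] is not None
                                  and c["lport"] >= ephemeral_min,
            "process": owner["process"] if owner else None,
            "pid": owner["pid"] if owner else None,
        })
    return out


def sessions_per_process_and_host(rows):
    """Count established sessions by (process, remote host)."""
    return Counter((r["process"], r["raddr"]) for r in rows)


if __name__ == "__main__":
    rows = established_with_owner(parse_netstat(NETSTAT_SAMPLE),
                                  parse_fport(FPORT_SAMPLE))
    for r in rows:
        print(r)
    print(sessions_per_process_and_host(rows))
```

    The join is on (protocol, local port), which is the only key both tools share. LISTENING and TIME_WAIT rows are dropped on purpose: the question in the post is about live sessions, and TIME_WAIT entries are already-closed sockets the stack keeps around briefly, which is also why a second `netstat` a minute later shows fewer entries even with nothing new being opened.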

  6. #16
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    phite, I have never used ZA at home before, but if it works the same as Outpost does with respect to denying all internet traffic, then it would mean that it is now blocking any new connections from occurring. The reason why you saw a decrease in active ports after doing this could have been due to the sessions either timing out or ending normally. Afterwards, however, they should not have been able to establish any new sessions when you enabled the "block all traffic" setting.


    t2k2
    Opinions are like holes - everybody's got 'em.


  7. #17
    Junior Member
    Join Date
    Feb 2003
    Posts
    15
    Ok, that makes more sense, but that also means that if a trojan has an established connection/port with the hacker at the destination IP, then I can't shut it down (aside from shutting the computer down or unplugging the cat5 cable)? There must be a way to manually close ports.

    How long does it take sessions to time out (I assume they time out due to inactivity)?
