
newbie question - intruders or trojans, or just normal


Scott

Aug 20, 2002, 10:01:22 PM

Hi.... I am a newbie to network security.

I have noticed a lot of network traffic when there should be none so I
ran netstat -an and it reported the following:

netstat -an

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1028 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3190 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3191 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3823 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3824 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3826 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3079 0.0.0.0:0 LISTENING
TCP xxx.168.1.xxx:139 0.0.0.0:0 LISTENING
TCP xxx.168.1.xxx:3190 xxx.239.51.101:80 CLOSE_WAIT
TCP xxx.168.1.xxx:3191 xxx.239.51.101:80 CLOSE_WAIT
TCP xxx.168.1.xxx:3823 xxx.112.96.138:80 ESTABLISHED
TCP xxx.168.1.xxx:3824 xxx.112.96.138:80 ESTABLISHED
TCP xxx.168.1.xxx:3826 xxx.42.81.253:80 ESTABLISHED
UDP 0.0.0.0:135 *:*
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1027 *:*
UDP 127.0.0.1:3175 *:*
UDP xxx.168.1.xxx:137 *:*
UDP xxx.168.1.xxx:138 *:*
UDP xxx.168.1.xxx:491 *:*
UDP xxx.168.1.xxx:500 *:*

xxx - removed to protect IP address

I really don't understand what this all means. I am running Windows
2000 SPx with IE6 using a NAT firewall and ZoneAlarm Pro. Is this
"normal" W2k traffic or do I have to be worried? Is it ok to post results
from netstat or did I provide valuable information to hackers? I have
checked known port values and trojan port lists and come up empty.

TIA,

concerned and worried home user.

P.S. Sorry for the newbie question, but I did not want to take the
time on the 'net to find the answer to this question, in case I have
been hacked and should not use this connection.

Anony Mous

Aug 21, 2002, 12:07:56 AM

I'll even bet it's a Linksys Hub! Not to worry, if you're as anal as most of
the people subscribing to this thread - with keeping your OS patched and
going through the trouble of using NAT and running ZA you won't have too
much to worry about unless you surf those warez/hacker sites with your
working (Business) PC... Don't forget to keep your AV signatures up to date!
LOL

"Just because I'm paranoid doesn't mean they aren't out to get me!"
SS


"Scott" <sel...@attbi.com> wrote in message
news:3d62f214....@netnews.attbi.com...

HC

Aug 21, 2002, 7:05:34 AM

> Hi.... I am a newbie to network security.
>
> I have noticed a lot of network traffic when there should be none so I
> ran netstat -an and it reported the following:


The traffic you're looking at could very well be normal for your system.
At first glance, I don't see anything particularly unusual in the
netstat listing...but then, that doesn't show the whole picture.

Here's what you do...go to FoundStone's site and get fport.exe...this is
a process-to-port mapping utility. Then, go to SysInternals.com and get
handle.exe, listdlls.exe, and pslist.exe (part of the PSToolkit). Run
each of these commands, plus "netstat -a", and redirect the output of
each to a file:

c:\>netstat -a > netstat.log

Pretty easy. But how do we correlate the output of each of these files?
I wrote a Perl script to do just that, called procdmp.pl, located at
http://patriot.net/~carvdawg/perl.html. If you don't have or want to
install Perl, that's okay...get the archive "pd.zip" for a standalone
EXE w/ a GUI.

What these utilities do is correlate information from each of the files
you created and build a consolidated snapshot of full process
information. An example HTML output file is located here:

http://patriot.net/~carvdawg/pd.html

I've used this in IR investigations to determine what's happening on a
box...
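
A first pass over Scott's listing before reaching for fport.exe, as an added example in Python rather than the Perl correlation script HC links to (not code from either poster): it separates what Windows 2000 binds by default, and what is just the local end of a live web connection, from the listeners still worth mapping to a process. The sample is a constructed subset of the posted output with the masked octets filled in.

```python
"""Triage a Windows 2000 `netstat -an` listing the way the thread suggests:
sort out what W2K binds anyway and what is just the local end of a live
connection, leaving a short list for fport.exe to map to processes."""
import re

# Constructed subset of Scott's listing, masked octets filled in.
SAMPLE = """\
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3823 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3079 0.0.0.0:0 LISTENING
TCP 192.168.1.10:139 0.0.0.0:0 LISTENING
TCP 192.168.1.10:3823 203.0.113.138:80 ESTABLISHED
UDP 0.0.0.0:135 *:*
UDP 0.0.0.0:1027 *:*
UDP 192.168.1.10:137 *:*
"""
# Ports Windows 2000 binds by default (RPC mapper, NetBIOS, SMB, IKE).
EXPECTED_W2K = {135: "RPC endpoint mapper", 137: "NetBIOS name service",
                138: "NetBIOS datagram", 139: "NetBIOS session",
                445: "SMB over TCP", 500: "ISAKMP/IKE"}
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Return (proto, local_ip, local_port, foreign, state) per socket row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # the header and blank lines do not match
            proto, lip, lport, foreign, state = m.groups()
            rows.append((proto, lip, int(lport), foreign, state or ""))
    return rows

def triage(rows):
    """Bucket sockets: expected W2K service, live connection, local end of
    an outbound connection (W2K shows it as a LISTENING row too), or unexplained."""
    conn_ports = {r[2] for r in rows if r[4] not in ("LISTENING", "")}
    out = {"expected": [], "connections": [], "outbound_sockets": [], "unexplained": []}
    for proto, lip, lport, foreign, state in rows:
        if state not in ("LISTENING", ""):
            out["connections"].append((proto, lport, foreign, state))
        elif lport in EXPECTED_W2K:
            out["expected"].append((proto, lport, EXPECTED_W2K[lport]))
        elif proto == "TCP" and lport in conn_ports:
            out["outbound_sockets"].append(lport)
        else:  # the rows worth running fport.exe against
            out["unexplained"].append((proto, lip, lport))
    return out
```

On Scott's full listing the "unexplained" bucket is what HC's fport/handle/pslist step should be pointed at; everything else in it is either a default W2K service or one of the browser's own sockets.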

Dannielle Judd

Aug 21, 2002, 9:10:05 PM

Norton Disk Doctor will recover anything that is still recoverable on the
disk.

"HC" <keyd...@yahoo.com> wrote in message
news:3D6373FE...@yahoo.com...

the Pull

Aug 22, 2002, 11:34:00 PM

The only connections there are to port 80, assume websites, check
'em out. (Type in the IP address in your browser, if in doubt,
use samspade.org to do whois).

I am not sure what is running on port 3175:
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=port+3175

Or on 3079...

Go to www.foundstone.com, go to Tools, grab the tool called
fport, and run it at the command line. Look at every app bound
to every port, and check up on each binary file. (Find out
what it is).

the Pull

Aug 22, 2002, 11:42:26 PM

HC wrote:
>
> > Hi.... I am a newbie to network security.
> >
> > I have noticed a lot of network traffic when there should be none so I
> > ran netstat -an and it reported the following:
>
> The traffic you're looking at could very well be normal for your system.
> At first glance, I don't see anything particularly unusual in the
> netstat listing...but then, that doesn't show the whole picture.
>
> Here's what you do...go to FoundStone's site and get fport.exe...this is
> a process-to-port mapping utility.

Heh, that is what I just posted, looks like some people here
know their shit. :)

>Then, go to SysInternals.com and get
> handle.exe, listdlls.exe, and pslist.exe (part of the PSToolkit). Run
> each of these commands, plus "netstat -a", and redirect the output of
> each to a file:
>
> c:\>netstat -a > netstat.log
>
> Pretty easy. But how do we correlate the output of each of these files?
> I wrote a Perl script to do just that, called procdmp.pl, located at
> http://patriot.net/~carvdawg/perl.html. If you don't have or want to
> install Perl, that's okay...get the archive "pd.zip" for a standalone
> EXE w/ a GUI.
>
> What these utilities do is correlate information from each of the files
> you created and build a consolidated snapshot of full process
> information. An example HTML output file is located here:
>
> http://patriot.net/~carvdawg/pd.html
>
> I've used this in IR investigations to determine what's happening on a
> box...


I generally just look for the proc calls in the binary (located in
plain text near the end of the file), check if
it has a signature, look up the exe name on google. Search for registry
entries of the app.

Suspicious stuff is an abundance of winsock calls, icq information,
if the top of the file says "packed with pe" (etc, packers), etc.

Definitely running a sniffer is a good deal.

the Pull (cissp, eEye, cDc-Hacktivismo)

Tracker

Nov 13, 2002, 6:17:23 PM

HC wrote:

> > Hi.... I am a newbie to network security.
> >
> > I have noticed a lot of network traffic when there should be none so I
> > ran netstat -an and it reported the following:
>
> The traffic you're looking at could very well be normal for your system.

Why is this normal?


Tracker

Tracker

Nov 13, 2002, 6:20:21 PM

Your computer is already hacked/owned and everyone in the world can see
your entire hard drive.
Tracker
Scott wrote:

--
You want to learn about the elite malicious ferret
hackers, come to my Message Board. You want to learn
about possible elite malicious hackers, come to this board.
Learn how to secure your Windows Platform and much more.


http://groups.yahoo.com/group/thetrackers000/

Tracker


Mimic-

Nov 15, 2002, 8:08:38 PM

"Tracker" <TheTracker...@yahoo.com> wrote in message
news:3DD2DE35...@yahoo.com...

Tracker, do you have any idea what that actually means?
No, so stfu.

--

Mimic

"Without knowledge you have fear, With fear you create your own nightmares"


Mimic-

Nov 15, 2002, 8:12:31 PM

"Tracker" <TheTracker...@yahoo.com> wrote in message
news:3DD2DE35...@yahoo.com...
>
> Your computer is already hacked/owned and everyone in the world can see
> your entire hard drive.
> Tracker
> --
> You want to learn about the elite malicious ferret
> hackers, come to my Message Board. You want to learn
> about possible elite malicious hackers, come to this board.
> Learn how to secure your Windows Platform and much more.
>
>
> http://groups.yahoo.com/group/thetrackers000/
>
> Tracker
>
>

Here's an excerpt of 3 days...... so tell me, is my computer hacked? If so,
what technique, and explain how you know this from the information below.


FWIN,2002/11/14,19:16:16 +0:00 GMT,200.131.14.132:1031,217.135.191.211:137,UDP
FWIN,2002/11/14,19:16:36 +0:00 GMT,216.139.109.89:1027,217.135.191.211:137,UDP
FWIN,2002/11/14,19:16:57 +0:00 GMT,218.54.211.114:1025,217.135.191.211:137,UDP
FWIN,2002/11/14,19:17:54 +0:00 GMT,217.35.15.123:1025,217.135.191.211:137,UDP
FWIN,2002/11/14,19:18:00 +0:00 GMT,200.67.25.130:1025,217.135.191.211:137,UDP
FWIN,2002/11/14,19:18:14 +0:00 GMT,80.184.13.251:1030,217.135.191.211:137,UDP
FWIN,2002/11/15,23:31:57 +0:00 GMT,148.233.178.244:1038,62.136.213.47:137,UDP
FWIN,2002/11/15,23:33:43 +0:00 GMT,64.130.96.237:1028,62.136.213.47:137,UDP
FWIN,2002/11/16,00:06:27 +0:00 GMT,200.204.73.3:1024,62.136.213.47:137,UDP
FWIN,2002/11/16,00:26:49 +0:00 GMT,200.23.229.150:58911,62.136.213.47:137,UDP
FWIN,2002/11/16,00:31:42 +0:00 GMT,206.169.49.7:1027,62.136.213.47:137,UDP
FWIN,2002/11/16,00:37:26 +0:00 GMT,61.35.30.61:1032,62.136.213.47:137,UDP
FWIN,2002/11/16,00:39:45 +0:00 GMT,211.205.86.40:1026,62.136.213.47:137,UDP
FWIN,2002/11/16,00:43:16 +0:00 GMT,4.62.212.140:1043,62.136.213.47:137,UDP
FWIN,2002/11/16,00:46:21 +0:00 GMT,200.60.197.55:21830,62.136.213.47:137,UDP
FWIN,2002/11/16,00:58:36 +0:00 GMT,200.226.113.101:1027,62.136.213.47:137,UDP
FWIN,2002/11/16,01:00:14 +0:00 GMT,217.134.204.13:137,62.136.213.47:137,UDP
PE,2002/11/16,01:03:30 +0:00 GMT,WMPLAYER.EXE,127.0.0.1:1166,N/A
FWIN,2002/11/16,01:07:40 +0:00 GMT,62.98.211.183:1026,62.136.213.47:137,UDP
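
The ZoneAlarm excerpt above, reduced to the numbers that answer Mimic's question, as an added example (not code from the thread): it groups the FWIN (inbound firewall) rows by destination port and protocol and counts how many distinct sources hit each, flagging any source that comes back. The sample reuses rows from the post plus one constructed repeat row so that the flag fires.

```python
"""Summarise a ZoneAlarm log like the one above: group FWIN (firewall
inbound) rows by destination port and protocol, count distinct sources and
flag any source that returns, which separates broad background scanning
from attention on one host. PE rows (program events) are listed apart."""
from collections import defaultdict

# Rows copied from the post; the final row is constructed to show a repeat.
SAMPLE_LOG = """\
FWIN,2002/11/14,19:16:16 +0:00 GMT,200.131.14.132:1031,217.135.191.211:137,UDP
FWIN,2002/11/14,19:16:36 +0:00 GMT,216.139.109.89:1027,217.135.191.211:137,UDP
FWIN,2002/11/15,23:31:57 +0:00 GMT,148.233.178.244:1038,62.136.213.47:137,UDP
FWIN,2002/11/16,01:00:14 +0:00 GMT,217.134.204.13:137,62.136.213.47:137,UDP
PE,2002/11/16,01:03:30 +0:00 GMT,WMPLAYER.EXE,127.0.0.1:1166,N/A
FWIN,2002/11/16,01:07:40 +0:00 GMT,62.98.211.183:1026,62.136.213.47:137,UDP
FWIN,2002/11/16,01:09:02 +0:00 GMT,62.98.211.183:1026,62.136.213.47:137,UDP
"""

def parse_zonealarm(text):
    """Return (fwin_rows, program_names); malformed rows are skipped."""
    fwin, programs = [], []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if parts[0] == "FWIN" and len(parts) == 6:
            src_ip, src_port = parts[3].rsplit(":", 1)
            dst_ip, dst_port = parts[4].rsplit(":", 1)
            fwin.append({"when": parts[1] + " " + parts[2], "src": src_ip,
                         "dst": dst_ip, "dport": int(dst_port),
                         "proto": parts[5]})
        elif parts[0] == "PE" and len(parts) >= 4:
            programs.append(parts[3])
    return fwin, programs

def summarise(fwin):
    """Per (proto, dport): hits, distinct sources, sources seen more than once."""
    buckets = defaultdict(lambda: {"hits": 0, "sources": defaultdict(int)})
    for row in fwin:
        b = buckets[(row["proto"], row["dport"])]
        b["hits"] += 1
        b["sources"][row["src"]] += 1
    return {key: {"hits": b["hits"], "distinct": len(b["sources"]),
                  "repeat_sources": sorted(s for s, n in b["sources"].items()
                                           if n > 1)}
            for key, b in buckets.items()}

def summary_for(text):
    """Parse and summarise in one call; returns (summary, program_names)."""
    fwin, programs = parse_zonealarm(text)
    return summarise(fwin), programs
```

Run over the full excerpt, every FWIN row is UDP to port 137 (NetBIOS name service) from a different source address, which is the shape of untargeted scanning across whole address ranges rather than of one party working on this host.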

Jason

Nov 15, 2002, 8:51:02 PM

Mimic- wrote:


Looks a hell of a lot like mine actually. Damn it Mimic you must have hacked
me. :)
