[RESOLVED] Is somebody accessing my comp?

  1. #1
    PaulK, Guest

    Is somebody accessing my comp?

    Ok, this is the second time this has happened to me. I have a cable modem and a 4 port Linksys Router. Last week I noticed that my download and upload time was very slow. My upload is usually about 14kb and it was only 7kb (this is what it is usually when I am uploading 2 files at once). So I stopped all transfers, but my activity light on my modem (and router) were both still showing activity. So I rebooted (several times) but they kept blinking. I was not sure if this should happen or not. I had never noticed. Well, eventually it stopped. And when it stopped my upload/download went back to normal.
    Well, here I am tonight and it is happening again!! Right now my activity light is blinking like crazy.
    I know that it is my comp (and not the other two) because when I unplug the connection to my comp it stops. Then when I plug it back in, it starts up again.
    Please... Any advice would be appreciated. Should I call my ISP? Or is there something else I can do?

    Thank You in advance!

  2. #2
    Matridom, Chat Operator
    Join Date: Jan 2002
    Location: Ontario, Canada
    Posts: 3,778

    Well, I'll try and help ya out...

    First thing, if you're running one of the NT flavors, you can run a "netstat" from the command line.
    Here is what mine looks like.

    TCP rudolph:1130 63.146.109.221:http ESTABLISHED
    TCP rudolph:1131 63.236.18.117:http TIME_WAIT
    TCP rudolph:1132 192.0.0.1:netbios-ssn TIME_WAIT
    TCP rudolph:1133 63.236.18.117:http ESTABLISHED
    TCP rudolph:1134 63.146.109.221:http ESTABLISHED

    Now the first name is my comp name and what local port is being used, the second section is the Remote PC's IP address and what protocol is being used. This should be a good start.

    Otherwise, are you running something like Kazaa or Morpheus? If you are, you're hosting files unless you specifically turned it off. You may also want to look into a firewall application (I hear ZoneAlarm is pretty good) and see what it reports.

    Hope you get it sorted out

    Oh, almost forgot.. For abuse issues, most ISPs won't do anything unless it's one of THEIR users that is doing the hacking.
    <Ferrit> Take 1 live chicken, cut the head off, dance around doing the hokey pokey and chanting: GO AWAY BAD VIRUS, GO AWAY BAD VIRUS
    -----------------------
    Windows 7 Pro x64
    Asus P5QL Deluxe
    Intel Q6600
    nVidia 8800 GTS 320
    6 gigs of Ram
    2x60 gig OCZ Vertex SSD (raid 0)
    WD Black 750 gig
    Antec Tri power 750 Watt PSU
    Lots of fans

  3. #3
    ShadowKing, Registered User
    Join Date: Dec 1999
    Location: WA
    Posts: 743

    If you are using XP, it could be the trickle service that is downloading patches...
    Matt

    "If you have been tempted into evil, fly from it. It is not falling into the water, but lying in it, that drowns"

  4. #4
    PaulK, Guest

    I am using Win 2K.
    I closed everything and did a netstat and this was the result.

    Active Connections

    Proto Local Address Foreign Address State
    TCP cc146157-a:1741 olorin.azu.nl:24433 TIME_WAIT
    TCP cc146157-a:1742 olorin.azu.nl:24438 ESTABLISHED
    TCP cc146157-a:3000 olorin.azu.nl:19927 CLOSE_WAIT
    TCP cc146157-a:3000 olorin.azu.nl:24415 ESTABLISHED

  5. #5
    PaulK, Guest

    BTW... My Router has a firewall. I am just not that familiar with it. That is the first place I was checking.

    Also, I just went and ran the netstat on the other two comps and they showed nothing at all.
    Hmmmmm. I am really starting to wonder now.

    Maybe I can block that address that showed up in the netstat?

    No Morpheus here either.

  6. #6
    Matridom, Chat Operator
    Join Date: Jan 2002
    Location: Ontario, Canada
    Posts: 3,778

    Originally posted by PaulK:
    > BTW... My Router has a firewall. I am just not that familiar with it. That is the first place I was checking.
    >
    > Also, I just went and ran the netstat on the other two comps and they showed nothing at all.
    > Hmmmmm. I am really starting to wonder now.
    >
    > Maybe I can block that address that showed up in the netstat?
    >
    > No Morpheus here either.

    Wish it was XP, it would tell you what app.. either way. Those ports seem odd... I would suspect a virus. Get ZoneAlarm and see what is accessing out. Your firewall is only blocking incoming traffic, not outgoing. You may also want to do a tracert to that host to get an IP (or a netstat -n). I suspect it will be an IRC server that you'll find.

  7. #7
    PaulK, Guest

    Sorry, but it's long............

    Ok. I ran a netstat -n and a tracert. This is what I got. I am posting it, because I am not sure what to make of it, and hope that someone else can.

    I did run a complete scan with Nortons and came up with nothing. Although, I did have something show up about 2 weeks ago and it seemed to disappear. It was...... JS.Exception.exploit virus
    I don't know what ever happened to it though. It seemed to disappear. Hmmm I will go and get Zone Alarm also.

    Here is what happened with netstat -n & tracert

    C:\>netstat

    Active Connections

    Proto Local Address Foreign Address State
    TCP cc146157-a:1742 olorin.azu.nl:24438 ESTABLISHED
    TCP cc146157-a:3000 olorin.azu.nl:19927 CLOSE_WAIT
    TCP cc146157-a:3000 olorin.azu.nl:24415 ESTABLISHED

    C:\>netstat -n

    Active Connections

    Proto Local Address Foreign Address State
    TCP 192.168.1.101:1742 143.121.254.4:24438 ESTABLISHED
    TCP 192.168.1.101:3000 143.121.254.4:19927 CLOSE_WAIT
    TCP 192.168.1.101:3000 143.121.254.4:24415 ESTABLISHED

    C:\>tracert 143.121.254.4

    Tracing route to olorin.azu.nl [143.121.254.4]
    over a maximum of 30 hops:

    1 571 ms 521 ms 480 ms 10.109.96.1
    2 <10 ms 10 ms 20 ms 172.30.113.209
    3 10 ms 430 ms 491 ms 172.30.113.238
    4 450 ms 501 ms 501 ms 172.30.113.186
    5 10 ms 10 ms 10 ms 172.30.113.59
    6 20 ms 421 ms 521 ms 172.30.112.177
    7 500 ms 501 ms 501 ms 172.30.112.174
    8 490 ms 501 ms 491 ms 172.30.111.122
    9 581 ms 501 ms 491 ms 68.39.224.50
    10 651 ms 952 ms 601 ms 12.124.179.81
    11 90 ms 100 ms 90 ms gbr6-p80.n54ny.ip.att.net [12.123.1.206]
    12 120 ms 270 ms 571 ms tbr1-p013201.n54ny.ip.att.net [12.122.11.9]
    13 501 ms 140 ms 360 ms tbr1-p013701.cgcil.ip.att.net [12.122.10.58]
    14 401 ms 481 ms 450 ms tbr2-p012501.cgcil.ip.att.net [12.122.9.134]
    15 540 ms 521 ms 471 ms tbr2-p012501.sl9mo.ip.att.net [12.122.10.10]
    16 631 ms 501 ms 491 ms tbr2-p013701.la2ca.ip.att.net [12.122.10.14]
    17 541 ms 510 ms 501 ms ggr1-p3100.la2ca.ip.att.net [12.122.11.222]
    18 491 ms 170 ms 831 ms att-gw.la.teleglobe.net [192.205.32.222]
    19 521 ms 530 ms 501 ms if-5-0.core2.LosAngeles.Teleglobe.net [207.45.23.61]
    20 521 ms 511 ms 481 ms if-5-0.core3.NewYork.Teleglobe.net [64.86.83.17]
    21 621 ms 961 ms 1012 ms if-9-0.core1.Frankfurt2.Teleglobe.net [66.110.8153]
    22 1022 ms 1041 ms 942 ms if-6-0.core1.Amsterdam2.teleglobe.net [195.219.5.230]
    23 581 ms 961 ms 1002 ms 195.219.15.130
    24 600 ms 491 ms 501 ms 195.219.153.90
    25 500 ms 501 ms 491 ms PO1-0.AR5.Utrecht1.surf.net [145.145.165.50]
    26 811 ms 541 ms 470 ms uu-router.Customer.surf.net [145.145.16.6]
    27 260 ms 260 ms 271 ms MFU-router.net.uu.nl [131.211.0.82]
    28 * * * Request timed out.
    29 * * * Request timed out.
    30 * * * Request timed out.
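
Added example, not from the thread: a small Python script that does the reading Matridom describes in #2 on output like PaulK's `netstat -n` dump in #7. The sample dump is constructed in the shape of PaulK's; a local TCP port that several remote peers are connected to is reported as a listener, which is how port 3000 stands out here.

```python
import ipaddress
import re

# Constructed sample in the shape of the thread's `netstat -n` output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.101:1742     143.121.254.4:24438    ESTABLISHED
  TCP    192.168.1.101:3000     143.121.254.4:19927    CLOSE_WAIT
  TCP    192.168.1.101:3000     143.121.254.4:24415    ESTABLISHED
  TCP    192.168.1.101:1130     63.146.109.221:80      ESTABLISHED
  UDP    192.168.1.101:137      *:*
"""

# proto, local addr:port, foreign addr:port, optional state (UDP rows have none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)\s*$")


def parse_netstat(text):
    """One dict per connection row; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, laddr, lport, faddr, fport, state = m.groups()
            conns.append({"proto": proto, "local": laddr, "lport": int(lport),
                          "foreign": faddr, "fport": fport, "state": state})
    return conns


def inbound_listeners(conns, expected=frozenset()):
    """A client takes a fresh ephemeral port for each outbound connection, so a
    local TCP port shared by sockets with different peers is something remote
    hosts connect *to* (port 3000 here, which ZoneAlarm later tied to SlimFTPd).
    Returns [(local_port, sorted public peer addresses)], skipping `expected`."""
    by_port = {}
    for c in conns:
        if c["proto"] == "TCP":
            by_port.setdefault(c["lport"], set()).add((c["foreign"], c["fport"]))
    findings = []
    for lport, peers in sorted(by_port.items()):
        if lport in expected or len(peers) < 2:
            continue
        public = sorted({a for a, _ in peers if ipaddress.ip_address(a).is_global})
        if public:  # peers on the LAN (192.168.x.x) are not reported
            findings.append((lport, public))
    return findings
```

Feed it the real output with `parse_netstat(open("netstat.txt").read())`; ports you knowingly serve (a web server you run, say) go in `expected`.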

  8. #8
    Matridom, Chat Operator
    Join Date: Jan 2002
    Location: Ontario, Canada
    Posts: 3,778

    > 22 1022 ms 1041 ms 942 ms if-6-0.core1.Amsterdam2.teleglobe.net [195.219.5.230]
    > 23 581 ms 961 ms 1002 ms 195.219.15.130
    > 24 600 ms 491 ms 501 ms 195.219.153.90
    > 25 500 ms 501 ms 491 ms PO1-0.AR5.Utrecht1.surf.net [145.145.165.50]
    > 26 811 ms 541 ms 470 ms uu-router.Customer.surf.net [145.145.16.6]
    > 27 260 ms 260 ms 271 ms MFU-router.net.uu.nl [131.211.0.82]

    Well, this looks like it's going somewhere in Europe/Russia; also there is a firewall running at the remote location..

    Get zonealarm and see what is going out..

  9. #9
    PaulK, Guest

    UPDATE:: It won't let me delete the file

    Well. I have downloaded and installed ZoneAlarm. This software is great. It has stopped this from accessing my comp 4 times in the 5 minutes I have had it installed. I am not sure how it got here. But it seems to be an FTP file. I did download CuteFTP, maybe it is from that. I have since uninstalled the program. I am going to get rid of this exe file and see what happens. (WOW) 6 alerts now!!!

    I love this software though.. THANK YOU!! I will keep ZoneAlarm. I'll let ya know how it works out, after I delete that EXE file

    Results::::

    Alert Summary

    From: IP Address 143.121.254.4, Port 26905, Host Name: Who is this? (ZoneAlarm Pro feature)
    To: IP Address 192.168.1.xxx, Port 3000, Host Name: Who is this? (ZoneAlarm Pro feature)
    Program: SlimFTPd 2.2 by WhitSoft Development
    File Name: tasksrv.exe

  10. #10
    Matridom, Chat Operator
    Join Date: Jan 2002
    Location: Ontario, Canada
    Posts: 3,778

    For your info..

    "SlimFTPd is a small FTP server that supports passive transfers and resumes. SlimFTPd is a highly efficient low-profile FTP server daemon for the Windows operating environment. It is small, does not require any installation routine, and won't take over your system, yet it boasts some of the same features commonly found in the larger retail products. SlimFTPd is a fully multithreaded, 32-bit program that supports passive-mode data transfers, multiple user accounts, per-user file permissions, and resuming of interrupted transfers. This version has been rebuilt from the ground up for added security and reliability and to conform rigidly to the RFC 959 specifications, so you should never experience any incompatibility with FTP client software. This program is written in non-MFC Win32 C++, and should not need any additional files to run."

    By the looks of it, you're running an FTP site, and I guess someone is transferring to/from you. Kill the process in your task manager and you should be good to go, but you should be able to "uninstall" it. To stop it, you may need to look into your "services".

    Glad to see you have sorted it out.

  11. #11
    craigmodius, Registered User
    Join Date: Sep 2001
    Location: Hellmira, NY, USA
    Posts: 1,572

    One firmware upgrade for a Linksys 4 port DSL router I came across included a log viewer with it and can be found here: http://home.epix.net/~angrytek/pppoe/linksys.htm. Though I wouldn't recommend using the firmware as it is probably older than the version your router is on, you could check out the log viewer.

    It logs incoming and outgoing access, to a local machine that you install it on. Then you enable logging on the router and point it to the IP address of the PC with the log viewer software.
    "And just when I thought today couldn't get anymore poo-like." -Outcoded

  12. #12
    PaulK, Guest

    It's still trying to get out.

    Maybe I should contact the person?
    or
    Should I re-format hard drive?

    Alert Summary

    From: IP Address 143.121.254.4, Port 5759, Host Name: Who is this? (ZoneAlarm Pro feature)
    To: IP Address 192.168.1.xxx, Port 3000, Host Name: Who is this? (ZoneAlarm Pro feature)
    Program: (blank)
    File Name: (blank)


    Whois Lookup of 143.121.254.4
    Academic Hospital Utrecht (NET-AZUTRECHT)
    Postbus 85500
    3508GA Utrecht
    NL

    Netname: AZUTRECHT
    Netblock: 143.121.0.0 - 143.121.255.255

    Coordinator:
    Opdebeke, Roger (RO84-ARIN) [No mailbox]
    +31-030-507182

    Domain System inverse mapping provided by:

    NIC.AZU.NL 143.121.1.236
    NS3.UU.NL 131.211.16.32

    Record last updated on 17-Nov-1994.
    Database last updated on 11-Feb-2002 19:56:34 EDT.


    I am not sure what to do next?

  13. #13
    Matridom, Chat Operator
    Join Date: Jan 2002
    Location: Ontario, Canada
    Posts: 3,778

    Just stop the service from running. I suspect though that you may have a Virus, try scanning..

    In your case, I would uninstall the app; if you can't, go to your admin tools, services, and stop it there. You can also look in your Run and RunOnce keys in your registry (HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, under \Software\Microsoft\Windows\CurrentVersion); also check your startup folder.

    Reinstalling is one option, though extreme.
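
Added example, not from the thread or from any vendor: a Python helper for the Run/RunOnce check Matridom suggests above. Reading the registry needs Windows (the `winreg` module); the review function is pure so it can be exercised offline, and the sample entries are constructed, with every name other than tasksrv.exe a placeholder.

```python
import ntpath
import shlex

RUN_SUBKEYS = (r"Software\Microsoft\Windows\CurrentVersion\Run",
               r"Software\Microsoft\Windows\CurrentVersion\RunOnce")


def read_autoruns():
    """[(hive, subkey, value name, command)] from the live registry; Windows only."""
    import winreg  # absent on other platforms
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries = []
    for hive, root in hives.items():
        for sub in RUN_SUBKEYS:
            try:
                key = winreg.OpenKey(root, sub)
            except OSError:
                continue  # RunOnce is often absent
            with key:
                for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = value count
                    name, data, _ = winreg.EnumValue(key, i)
                    entries.append((hive, sub, name, str(data)))
    return entries


def exe_name(command):
    """Lower-case basename of the program a Run value launches; handles quotes and args."""
    parts = shlex.split(command, posix=False) or [command]
    return ntpath.basename(parts[0].strip('"')).lower()


def review_autoruns(entries, known):
    """`known` maps value name -> expected executable basename. Report values
    that are not known at all and known names repointed at another program."""
    known = {k.lower(): v.lower() for k, v in known.items()}
    findings = []
    for hive, sub, name, command in entries:
        exe, expected = exe_name(command), known.get(name.lower())
        if expected is None:
            findings.append((f"{hive}\\{sub}\\{name}", exe, "not on allowlist"))
        elif expected != exe:
            findings.append((f"{hive}\\{sub}\\{name}", exe, f"expected {expected}"))
    return findings


# Constructed entries for offline use; only tasksrv.exe comes from the thread.
SAMPLE_ENTRIES = [
    ("HKLM", RUN_SUBKEYS[0], "ExampleAV", r'"C:\Program Files\Example AV\exampleav.exe" /quiet'),
    ("HKLM", RUN_SUBKEYS[0], "TaskSrv", r"C:\WINNT\System32\tasksrv.exe"),
    ("HKCU", RUN_SUBKEYS[0], "ExampleUpdater", r"C:\Temp\other.exe"),
]
SAMPLE_KNOWN = {"ExampleAV": "exampleav.exe", "ExampleUpdater": "updater.exe"}
```

On the affected machine, `review_autoruns(read_autoruns(), known)` with an allowlist of the programs you installed yourself lists what else starts with Windows; the Startup folder and services still need a separate look.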

  14. #14
    PaulK, Guest

    Ok. I am at work now, so I will not be able to try anything until later. I appreciate all of your help.

    I think that it is definitely a virus. As I said earlier, I deleted the file that Zone Alarm was pointing to, but it is still running. I looked to see what was running, but nothing stood out. I have already run a scan with Nortons, but nothing showed up. I believe that it may be related to the virus that Nortons picked up 2 weeks ago. The virus was not removed by Nortons and seemed to just disappear.

    In all the years with computers, this is the first time that I have gotten a virus that is affecting anything. hmmmm It sux

    I will post again later tonight, with either more questions or (hopefully) some good results.


    Thanks again

  15. #15
    Registered User
    Join Date: Dec 2000
    Location: Atlanta Ga USA
    Posts: 507

    You may wish to copy the file and submit it to SARC; it may be an as yet undiscovered virus or the payload of one that isn't well documented. I'll be looking for this sort of thing on my servers asap!

    p.s.
    the JS.Exception.exploit virus sounds like it could be used to deploy just such a concept, drop the ftpserver program, then get 'found' and eliminated, yet leave the payload, very shrewd if this is the case....
    "give a man a fish, and he will eat a meal, teach a man to fish...."
