-
February 11th, 2002, 05:06 PM
#1
Is somebody accessing my comp?
Ok, This is the second time this has happened to me. I have a cable modem and a 4 port Linksys Router. Last week I noticed that my download and upload time was very slow. My upload is usually about 14kb and it was only 7kb (this is what it is usually when I am uploading 2 files at once). So I stopped all transfers, but my activity light on my modem (and router) were both still showing activity. So I rebooted (several times) but they kept blinking. I was not sure if this should happen or not. I had never noticed. Well, eventually it stopped. And when it stopped my upload/download went back to normal.
Well, here I am tonight and it is happening again!! Right now my activity light is blinking like crazy.
I know that it is my comp (and not the other two) because when I unplug the connection to my comp it stops. Then when I plug it back in, it starts up again.
Please... Any advice would be appreciated. Should I call my ISP? Or is there something else I can do?
Thank You in advance!
-
February 11th, 2002, 05:23 PM
#2
Chat Operator
Well, I'll try and help ya out...
First thing, if you're running one of the NT flavors, you can run a "netstat" from the command line.
Here is what mine looks like.
TCP rudolph:1130 63.146.109.221:http ESTABLISHED
TCP rudolph:1131 63.236.18.117:http TIME_WAIT
TCP rudolph:1132 192.0.0.1:netbios-ssn TIME_WAIT
TCP rudolph:1133 63.236.18.117:http ESTABLISHED
TCP rudolph:1134 63.146.109.221:http ESTABLISHED
Now the first name is my comp name and what local port is being used, the second section is the Remote PC's IP address and what protocol is being used. This should be a good start.
Otherwise, are you running something like Kazaa or Morpheus? If you are, you're hosting files unless you specifically turned it off. You may also want to look into a firewall application (I hear Zonealarm is pretty good) and see what it reports.
Hope you get it sorted out
Oh, almost forgot.. For abuse issues, most ISP's won't do anything unless it's one of THEIR users that is doing the hacking.
<Ferrit> Take 1 live chicken, cut the head off, dance around doing the hokey pokey and chanting: GO AWAY BAD VIRUS, GO AWAY BAD VIRUS
-----------------------
Windows 7 Pro x64
Asus P5QL Deluxe
Intel Q6600
nVidia 8800 GTS 320
6 gigs of Ram
2x60 gig OCZ Vertex SSD (raid 0)
WD Black 750 gig
Antec Tri power 750 Watt PSU
Lots of fans
-
February 11th, 2002, 06:31 PM
#3
Registered User
If you are using XP, it could be the trickle service that is downloading patches...
Matt
"If you have been tempted into evil, fly from it. It is not falling into the water, but lying in it, that drowns"
-
February 11th, 2002, 06:39 PM
#4
I am using Win 2K.
I closed everything and did a netstat and this was the result.
Active Connections
Proto Local Address Foreign Address State
TCP cc146157-a:1741 olorin.azu.nl:24433 TIME_WAIT
TCP cc146157-a:1742 olorin.azu.nl:24438 ESTABLISHED
TCP cc146157-a:3000 olorin.azu.nl:19927 CLOSE_WAIT
TCP cc146157-a:3000 olorin.azu.nl:24415 ESTABLISHED
-
February 11th, 2002, 06:53 PM
#5
BTW... My Router has a firewall. I am just not that familiar with it. That is the first place i was checking.
Also, I just went and ran the netstat on the other two comps and they showed nothing at all.
Hmmmmm. I am really starting to wonder now.
Maybe I can block that address that showed up in the netstat?
No Morphious here either.
-
February 11th, 2002, 07:05 PM
#6
Chat Operator
[quote]Originally posted by PaulK:
BTW... My Router has a firewall. I am just not that familiar with it. That is the first place i was checking.
Also, I just went and ran the netstat on the other two comps and they showed nothing at all.
Hmmmmm. I am really starting to wonder now.
Maybe I can block that address that showed up in the netstat?
No Morphious here either.[/quote]
Wish it was XP, it would tell you what app.. either way. Those ports seem odd... i would suspect a Virus. Get Zonealarm and see what is accessing out. Your firewall is only blocking incoming traffic, not outgoing. You may also want to do a tracert to that host to get an IP (or a netstat -n). I suspect it will be an IRC server that you'll find.
-
February 11th, 2002, 07:23 PM
#7
Sorry, but it's long............
Ok. I ran a netstat -n and a tracert. This is what I got. I am posting it, because I am not sure what to make of it, and hope that someone else can.
I did run a complete scan with Nortons and came up with nothing. Although, I did have something show up about 2 weeks ago and it seemed to disappear. It was...... JS.Exception.exploit virus
I don't know what ever happened to it though. It seemed to disappear. Hmmm I will go and get Zone Alarm also.
Here is what happened with netstat -n & tracert
C:\>netstat
Active Connections
Proto Local Address Foreign Address State
TCP cc146157-a:1742 olorin.azu.nl:24438 ESTABLISHED
TCP cc146157-a:3000 olorin.azu.nl:19927 CLOSE_WAIT
TCP cc146157-a:3000 olorin.azu.nl:24415 ESTABLISHED
C:\>netstat -n
Active Connections
Proto Local Address Foreign Address State
TCP 192.168.1.101:1742 143.121.254.4:24438 ESTABLISHED
TCP 192.168.1.101:3000 143.121.254.4:19927 CLOSE_WAIT
TCP 192.168.1.101:3000 143.121.254.4:24415 ESTABLISHED
C:\>tracert 143.121.254.4
Tracing route to olorin.azu.nl [143.121.254.4]
over a maximum of 30 hops:
1 571 ms 521 ms 480 ms 10.109.96.1
2 <10 ms 10 ms 20 ms 172.30.113.209
3 10 ms 430 ms 491 ms 172.30.113.238
4 450 ms 501 ms 501 ms 172.30.113.186
5 10 ms 10 ms 10 ms 172.30.113.59
6 20 ms 421 ms 521 ms 172.30.112.177
7 500 ms 501 ms 501 ms 172.30.112.174
8 490 ms 501 ms 491 ms 172.30.111.122
9 581 ms 501 ms 491 ms 68.39.224.50
10 651 ms 952 ms 601 ms 12.124.179.81
11 90 ms 100 ms 90 ms gbr6-p80.n54ny.ip.att.net [12.123.1.206]
12 120 ms 270 ms 571 ms tbr1-p013201.n54ny.ip.att.net [12.122.11.9]
13 501 ms 140 ms 360 ms tbr1-p013701.cgcil.ip.att.net [12.122.10.58]
14 401 ms 481 ms 450 ms tbr2-p012501.cgcil.ip.att.net [12.122.9.134]
15 540 ms 521 ms 471 ms tbr2-p012501.sl9mo.ip.att.net [12.122.10.10]
16 631 ms 501 ms 491 ms tbr2-p013701.la2ca.ip.att.net [12.122.10.14]
17 541 ms 510 ms 501 ms ggr1-p3100.la2ca.ip.att.net [12.122.11.222]
18 491 ms 170 ms 831 ms att-gw.la.teleglobe.net [192.205.32.222]
19 521 ms 530 ms 501 ms if-5-0.core2.LosAngeles.Teleglobe.net [207.45.23.61]
20 521 ms 511 ms 481 ms if-5-0.core3.NewYork.Teleglobe.net [64.86.83.17]
21 621 ms 961 ms 1012 ms if-9-0.core1.Frankfurt2.Teleglobe.net [66.110.8153]
22 1022 ms 1041 ms 942 ms if-6-0.core1.Amsterdam2.teleglobe.net [195.219.5.230]
23 581 ms 961 ms 1002 ms 195.219.15.130
24 600 ms 491 ms 501 ms 195.219.153.90
25 500 ms 501 ms 491 ms PO1-0.AR5.Utrecht1.surf.net [145.145.165.50]
26 811 ms 541 ms 470 ms uu-router.Customer.surf.net [145.145.16.6]
27 260 ms 260 ms 271 ms MFU-router.net.uu.nl [131.211.0.82]
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.
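An added example, not from this thread: a small Python script that applies the way of reading netstat described in post #2 to the numeric output in post #7. It parses the lines, groups them by local port, and separates ports that several remote endpoints connect to (the machine is serving on that port, here 3000) from ephemeral client ports (here 1742). The sample output is embedded as a constant so the script runs offline.

```python
import re
from collections import defaultdict

# Constructed sample: the "netstat -n" output posted in this thread.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.101:1742     143.121.254.4:24438    ESTABLISHED
  TCP    192.168.1.101:3000     143.121.254.4:19927    CLOSE_WAIT
  TCP    192.168.1.101:3000     143.121.254.4:24415    ESTABLISHED
"""

# Proto, local endpoint, foreign endpoint, optional state (UDP rows have none).
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)\s*$")


def _split(endpoint):
    """'host:port' -> (host, port); rpartition keeps IPv6 '[::1]:445' intact."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port) if port.isdigit() else port


def parse_netstat(text):
    """Return one dict per connection row; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        proto, local, remote, state = m.groups()
        lhost, lport = _split(local)
        rhost, rport = _split(remote)
        rows.append({"proto": proto, "local_port": lport, "remote": rhost,
                     "remote_port": rport, "state": state})
    return rows


def classify(rows):
    """Local ports seen with more than one peer endpoint are being served by
    this host (a listener accepted them); the rest look like outbound clients."""
    by_local = defaultdict(list)
    for r in rows:
        by_local[r["local_port"]].append(r)
    served = {p: rs for p, rs in by_local.items() if len(rs) > 1}
    client = {p: rs for p, rs in by_local.items() if p not in served}
    return served, client


def remote_hosts(rows):
    """Count connections per remote host, the first thing to look up in whois."""
    counts = defaultdict(int)
    for r in rows:
        counts[r["remote"]] += 1
    return dict(counts)
```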
-
February 11th, 2002, 07:38 PM
#8
Chat Operator
22 1022 ms 1041 ms 942 ms if-6-0.core1.Amsterdam2.teleglobe.net [195.219.5.230]
23 581 ms 961 ms 1002 ms 195.219.15.130
24 600 ms 491 ms 501 ms 195.219.153.90
25 500 ms 501 ms 491 ms PO1-0.AR5.Utrecht1.surf.net [145.145.165.50]
26 811 ms 541 ms 470 ms uu-router.Customer.surf.net [145.145.16.6]
27 260 ms 260 ms 271 ms MFU-router.net.uu.nl [131.211.0.82]
Well, this looks like it's going somewhere in Europe/Russia. Also there is a firewall running at the remote location..
Get zonealarm and see what is going out..
-
February 11th, 2002, 07:48 PM
#9
-
February 11th, 2002, 09:11 PM
#10
Chat Operator
For your info..
"SlimFTPd is a small FTP server that supports passive transfers and resumes. SlimFTPd is a highly efficient low-profile FTP server daemon for the Windows operating environment. It is small, does not require any installation routine, and won't take over your system, yet it boasts some of the same features commonly found in the larger retail products. SlimFTPd is a fully multithreaded, 32-bit program that supports passive-mode data transfers, multiple user accounts, per-user file permissions, and resuming of interrupted transfers. This version has been rebuilt from the ground up for added security and reliability and to conform rigidly to the RFC 959 specifications, so you should never experience any incompatibility with FTP client software. This program is written in non-MFC Win32 C++, and should not need any additional files to run."
By the looks of it, you're running an FTP site, and I guess someone is transferring to/from you. Kill the process in your Task Manager and you should be good to go. But you should be able to "uninstall" it. To stop it, you may need to look into your "services".
Glad to see you having sorted it out.
-
February 11th, 2002, 09:34 PM
#11
Registered User
One firmware upgrade for a Linksys 4 port DSL router I came across included a log viewer with it and can be found here: http://home.epix.net/~angrytek/pppoe/linksys.htm. Though I wouldn't recommend using the firmware as it is probably older than the version your router is on, you could check out the log viewer.
It logs incoming and outgoing access, to a local machine that you install it on. Then you enable logging on the router and point it to the IP address of the PC with the log viewer software.
"And just when I thought today couldn't get anymore poo-like." -Outcoded
-
February 12th, 2002, 05:26 AM
#12
It's still trying to get out.
Maybe I should contact the person?
or
Should I re-format hard drive?
Alert Summary
From:
  IP Address: 143.121.254.4
  Host Name: Who is this? (ZoneAlarm Pro feature)
  Port: 5759
To:
  IP Address: 192.168.1.xxx
  Host Name: Who is this? (ZoneAlarm Pro feature)
  Port: 3000
Program: (blank)
File Name: (blank)
Whois Lookup of 143.121.254.4
Academic Hospital Utrecht (NET-AZUTRECHT)
Postbus 85500
3508GA Utrecht
NL
Netname: AZUTRECHT
Netblock: 143.121.0.0 - 143.121.255.255
Coordinator:
Opdebeke, Roger (RO84-ARIN) [No mailbox]
+31-030-507182
Domain System inverse mapping provided by:
NIC.AZU.NL 143.121.1.236
NS3.UU.NL 131.211.16.32
Record last updated on 17-Nov-1994.
Database last updated on 11-Feb-2002 19:56:34 EDT.
I am not sure what to do next?
-
February 12th, 2002, 06:14 AM
#13
Chat Operator
Just stop the service from running. I suspect though that you may have a Virus, try scanning..
In your case, I would uninstall the app. If you can't, go to your admin tools, services, and stop it there. You can also look in your /run and /runonce keys in your registry (Hkey_localmachine & current_user/software/microsoft/windows/current version), also check your startup folder.
Reinstalling is one option, though extreme.
-
February 12th, 2002, 07:23 AM
#14
-
February 12th, 2002, 12:20 PM
#15
You may wish to copy the file and submit it to the SARC; it may be an as yet undiscovered virus or the payload of one that isn't well documented. I'll be looking for this sort of thing on my servers asap!
p.s.
The JS.Exception.exploit virus sounds like it could be used to deploy just such a concept: drop the FTP server program, then get 'found' and eliminated, yet leave the payload. Very shrewd if this is the case....
"give a man a fish, and he will eat a meal, teach a man to fish...."