More from a “how sockets work” perspective. I understand one computer opening a socket to connect to another computer, and I understand how either an incoming or outgoing connection from my computer would be listed, as long as one end of the connection (either sending or receiving) is on my system.
I would have expected that every connection listed would have one end on my computer. I don’t get what’s going on when a connection is listed where neither end is my system. If my computer’s not involved, why is that connection even listed?
Obviously my computer must be involved, so there’s something I don’t understand, I’m just trying to figure out what it is.
Yeah, that’s what I meant. I’ll need to look up the specific ports on grc.com and try and figure out what it’s in relation to. I know that port 139 is NETBIOS but when I get into work, I might have a spare minute or two.
You can look up specific ports on grc.com by going here:
GRC | Port Authority, for Internet Port 4156 (Change the port number at the end of that string to look up a specific one.) Unfortunately grc.com doesn’t have any information on these ports. I’m not coming up with much either in checking the whois listing for those IP addresses.
IP addresses could be related to some sort of mail server:
Yeah, several times over the last three weeks, most recently two days ago when I first installed CFP3, by CFP itself.
Here’s my situation:
I’m 75% sure I’m the victim of a hack, but I haven’t been able to find anything for sure.
About a month ago, someone posted a link on a forum. The text displayed for the link looked legit and pointed to a site for someone who is also apparently legit, although probably capable of perpetrating a hack if they wanted to. The displayed link had the form “http://www.example.com/somedirectory/?”, ending with a question mark. Also, I didn’t check if that actual URL for the link was the same as displayed as text in the forum post. I had about a half second of nagging feeling before I told myself not to be paranoid and clicked anyway. Which I now very much regret.
Not long afterward (a few minutes at most, if that much) my mouse started acting funny – the pointer moved to the bottom of the screen and stayed there, jumping around at the bottom, as if I were scrolling it even though it was sitting still on my desk. It stayed that way until I rebooted.
I can’t recall for sure, but I think it was the same way until I rebooted a second time, after which it started working normally again.
My paranoia is interpreting this as malware adding something to the “install on next boot cycle” list then horking the mouse so the user would reboot … after which I obligingly rebooted. There are other signs that I was hacked, mainly from social context on that forum. Circumstantial, but highly suggestive.
One Saturday night a couple weeks ago my system was running extremely slowly. I checked the task list and saw an 80MB SVCHOST.EXE process. This seemed odd to me.
Almost all of my outgoing mail is now rejected most of the time (but not all the time). I’ve tried multiple accounts with different SMTP hosts (gmail, comcast, and earthlink) and outgoing mail is rejected 95% of the time. This makes me think my system has been spamming and has gotten on a blacklist. But then why would sending mail sometimes work?
EDIT: Could this be because my dialup IP is assigned by DHCP, so it changes each time I connect, and it takes a while for that new IP to be blacklisted? Could you be blacklisted in the space of a couple minutes? Is there a way to tell if you’re on a blacklist? Isn’t there a server where you can look up stuff like that?
I use Thunderbird as my e-mail client. I’ve been using McAfee for my firewall, which I installed about three weeks ago. Before that it was PC-Cillin. My email problems started around the time I installed McAfee, so that could be the cause, but that would also be around the time of the suspected attack, so that’s not conclusive.
Trying to get email working again, I uninstalled McAfee and instead am trying CFP3. There’s no change in sending email (still blocked almost all the time) but I’m loving the CFP popup notifications of connection attempts. That feature is a real winner.
Like I said, I’ve run several scans:
full virus scan with McAfee
full scan with Microsoft/SysInternals RootkitRevealer.
full scan with AVG rootkit checker
full scan when installing CFP3
A couple things were found, but they were in files I never use (like a mirror of some directory from last year, and I’ve reinstalled windows since that time). One was reported as potential spyware, the other was a potential trojan, but like I said these were way old files and they don’t launch themselves.
So now I’m focusing on svchost and things loaded during the boot process. I’ve seen a couple rpc connection attempts that (if I’m not mistaken) were initiated from my end, from something hidden by svchost.
Question: Is there a way to see which file is being run by svchost when you get a CFP popup about a connection attempt?
That’s where I am. Any ideas very much appreciated.
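One way to answer the svchost question above without the firewall's help: on Windows XP and later, `tasklist /svc` lists the services hosted inside each svchost.exe PID, and `netstat -ano` lists connections with their owning PID, so joining the two shows which service is behind a given outbound connection. This is an added example, not code from the thread or from CFP; the two command outputs embedded below are constructed samples (hosts and ports are placeholders) and would be replaced by the real command output on a live machine.

```python
"""Join `tasklist /svc` and `netstat -ano` output to map each TCP connection
to the image and, for svchost.exe, the services it hosts. Sample output below
is constructed for this example."""
import re

TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    936 RpcSs
svchost.exe                   1020 AudioSrv, Browser, Dnscache, LanmanServer
thunderbird.exe               2240 N/A
"""

NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       936
  TCP    192.0.2.10:1041        198.51.100.7:25        SYN_SENT        1020
  TCP    192.0.2.10:1042        203.0.113.5:587        ESTABLISHED     2240
"""

def parse_tasklist_svc(text):
    """Return {pid: (image, [service, ...])} from `tasklist /svc` output."""
    result = {}
    for line in text.splitlines()[2:]:  # skip the header and '====' rows
        m = re.match(r"(\S.*?)\s+(\d+)\s+(.*)$", line.rstrip())
        if not m:
            continue
        image, pid, svcs = m.group(1), int(m.group(2)), m.group(3)
        services = [] if svcs == "N/A" else [s.strip() for s in svcs.split(",")]
        result[pid] = (image, services)
    return result

def parse_netstat_ano(text):
    """Return [(proto, local, remote, state, pid)] for TCP rows of `netstat -ano`."""
    conns = []
    for line in text.splitlines():
        p = line.split()
        if len(p) == 5 and p[0] == "TCP" and p[4].isdigit():  # UDP rows lack a state
            conns.append((p[0], p[1], p[2], p[3], int(p[4])))
    return conns

def connections_by_service(tasklist_text, netstat_text):
    """One dict per connection, annotated with the owning image and services."""
    procs = parse_tasklist_svc(tasklist_text)
    rows = []
    for proto, local, remote, state, pid in parse_netstat_ano(netstat_text):
        image, services = procs.get(pid, ("<unknown>", []))
        rows.append({"pid": pid, "image": image, "services": services,
                     "local": local, "remote": remote, "state": state})
    return rows

if __name__ == "__main__":
    for r in connections_by_service(TASKLIST_SVC, NETSTAT_ANO):
        print(r["pid"], r["image"], r["remote"], r["state"], ", ".join(r["services"]) or "-")
```

In the constructed sample, the svchost.exe instance (PID 1020) opening a connection to a remote port 25 is the kind of row worth checking: an SMTP connection from a service host rather than from the mail client is what a spam-sending infection looks like in this view.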