why would i see a connection neither end on my computer

Hi, I was looking at my connection log and I saw a connection between two IP addresses, neither of which was my system. (Not my LAN IP, also not my IP from my ISP.)

The two addresses, shown in this screenshot, are highlighted.


This looks strange to me. Is this a normal event, or is something going on?

You can look up where the IP address is coming from here: [link]

Port 139 relates to NetBIOS. See here: GRC | Port Authority, for Internet Port 139

Eric

Are you on a cable internet system? They seem to pass along a lot of the housekeeping traffic to all users.

@Eric: thanks, those look very useful.

@sded:

No, actually not. In this case (at home) I’m on a LAN with a router also serving as DHCP host. The computer where I took the screenshot uses a dial-up connection.

Very basic question: what does it mean when a connection is shown between two computers and neither one is your computer?

Very basic question: what does it mean when a connection is shown between two computers and neither one is your computer?

Do you mean the 2 little icons down at the bottom of your system tray that look like 2 tiny computers, flashing?

Josh

More from a “how sockets work” perspective. I understand one computer opening a socket to connect to another computer, and I understand how either an incoming or outgoing connection from my computer would be listed, as long as one end of the connection (either sending or receiving) is on my system.

I would have expected that every connection listed would have one end on my computer. I don’t get what’s going on when a connection is listed where neither end is my system. If my computer’s not involved, why is that connection even listed?

Obviously my computer must be involved, so there’s something I don’t understand, I’m just trying to figure out what it is.
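As an added triage aid (example code, not from the thread or from Comodo): given the host's own address and its attached subnet, this sorts firewall log entries by why the host could see them at all, separating broadcast and multicast traffic from entries like the one in the original post where neither end is local. The log format and all addresses are constructed for the example.

```python
import ipaddress
from collections import namedtuple

LogEntry = namedtuple("LogEntry", "proto src sport dst dport")

# Constructed sample log in a simple "PROTO src:sport -> dst:dport" form; this
# is not the real CFP3 format, and the RFC 1918 / RFC 5737 addresses are made up.
SAMPLE_LOG = """\
TCP 192.168.1.10:1045 -> 203.0.113.7:80
UDP 192.168.1.1:67 -> 255.255.255.255:68
UDP 192.168.1.23:138 -> 192.168.1.255:138
TCP 198.51.100.9:4156 -> 203.0.113.7:139
UDP 192.168.1.23:5353 -> 224.0.0.251:5353
TCP 192.168.1.23:1033 -> 192.168.1.40:445
"""

def parse_log(text):
    entries = []
    for line in text.splitlines():
        proto, left, _, right = line.split()
        src, sport = left.rsplit(":", 1)
        dst, dport = right.rsplit(":", 1)
        entries.append(LogEntry(proto, src, int(sport), dst, int(dport)))
    return entries

def classify(entry, local_addrs, local_nets):
    """Say why this host could see the entry in its own log at all."""
    src, dst = ipaddress.ip_address(entry.src), ipaddress.ip_address(entry.dst)
    if src in local_addrs or dst in local_addrs:
        return "local"        # one end really is this host
    if dst.is_multicast:
        return "multicast"    # delivered to every listener on the segment
    if dst == ipaddress.ip_address("255.255.255.255") or any(
            dst == n.broadcast_address for n in local_nets):
        return "broadcast"    # DHCP offers, NetBIOS name service and the like
    if any(src in n for n in local_nets) and any(dst in n for n in local_nets):
        return "lan"          # two other hosts on an attached segment
    return "foreign"          # neither end is local: the case worth a closer look

def triage(text, local_addrs, local_nets):
    # Group parsed entries by the classification above.
    addrs = {ipaddress.ip_address(a) for a in local_addrs}
    nets = [ipaddress.ip_network(n) for n in local_nets]
    groups = {}
    for entry in parse_log(text):
        groups.setdefault(classify(entry, addrs, nets), []).append(entry)
    return groups
```

Running `triage(SAMPLE_LOG, ["192.168.1.10"], ["192.168.1.0/24"])` leaves only the 198.51.100.9 to 203.0.113.7 entry in the "foreign" group; everything else has an ordinary reason to appear on the host.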

Ah!

I have had this problem before; I am actually wondering myself… :-[

Josh

How are your Trusted Zones set in CFP3?

It may be that you’re connecting through some sort of Proxy but I’ve not previously come across this annomily. (Must learn to spell lol)

Eric

Is this what you mean? I don’t see Trusted Zones, I just see Zones and Blocked Zones.

It may be that you're connecting through some sort of Proxy but I've not previously come across this annomily. (Must learn to spell lol)

Yeah, that’s what I meant. I’ll need to look up the specific ports on grc.com and try and figure out what it’s in relation to. I know that port 139 is NETBIOS but when I get into work, I might have a spare minute or two.

Eric

You can look up specific ports on grc.com by going here:

GRC | Port Authority, for Internet Port 4156 (change the port number at the end of that string to look up a specific one). Unfortunately grc.com doesn’t have any information on these ports. I’m not coming up with much either in checking the whois listing for those IP addresses.

The IP addresses could be related to some sort of mail server:

http://www.google.co.uk/search?hl=en&q=IP+Address+4.252.&meta=

Have you run a complete virus or spyware scan lately?

Eric

Yeah, several times over the last three weeks, most recently two days ago when I first installed CFP3, by CFP itself.

Here’s my situation:

I’m 75% sure I’m the victim of a hack, but I haven’t been able to find anything for sure.

About a month ago, someone posted a link on a forum. The text displayed for the link looked legit and pointed to a site for someone who is also apparently legit, although probably capable of perpetrating a hack if they wanted to. The displayed link had the form “http://www.example.com/somedirectory/?”, ending with a question mark. Also, I didn’t check if that actual URL for the link was the same as displayed as text in the forum post. I had about a half second of nagging feeling before I told myself not to be paranoid and clicked anyway. Which I now very much regret.

Not long afterward (a few minutes at most, if that much) my mouse started acting funny – the pointer moved to the bottom of the screen and stayed there, jumping around at the bottom, as if I were scrolling it even though it was sitting still on my desk. It stayed that way until I rebooted.

I can’t recall for sure, but I think it was the same way until I rebooted a second time, after which it started working normally again.

My paranoia is interpreting this as malware adding something to the “install on next boot cycle” list then horking the mouse so the user would reboot … after which I obligingly rebooted. There are other signs that I was hacked, mainly from social context on that forum. Circumstantial, but highly suggestive.

One Saturday night a couple weeks ago my system was running extremely slowly. I checked the task list and saw an 80MB SVCHOST.EXE process. This seemed odd to me.


http://i54.photobucket.com/albums/g112/mcdavis941/th_svchost80mb.png

Almost all of my outgoing mail is now rejected most of the time (but not all the time). I’ve tried multiple accounts with different SMTP hosts (gmail, comcast, and earthlink) and outgoing mail is rejected 95% of the time. This makes me think my system has been spamming and has gotten on a blacklist. But then why would sending mail sometimes work?

EDIT: Could this be because my dialup IP is assigned by DHCP, so it changes each time I connect, and it takes a while for that new IP to be blacklisted? Could you be blacklisted in the space of a couple minutes? Is there a way to tell if you’re on a blacklist? Isn’t there a server where you can look up stuff like that?
/EDIT

I use Thunderbird as my e-mail client. I’ve been using McAfee for my firewall, which I installed about three weeks ago. Before that it was PC-Cillin. My email problems started around the time I installed McAfee, so that could be the cause, but that would also be around the time of the suspected attack, so that’s not conclusive.

Trying to get email working again, I uninstalled McAfee and instead am trying CFP3. There’s no change in sending email (still blocked almost all the time) but I’m loving the CFP popup notifications of connection attempts. That feature is a real winner.

Like I said, I’ve run several scans:

  1. full virus scan with McAfee
  2. full scan with Microsoft/SysInternals RootkitRevealer
  3. full scan with AVG rootkit checker
  4. full scan when installing CFP3

A couple things were found, but they were in files I never use (like a mirror of some directory from last year, and I’ve reinstalled windows since that time). One was reported as potential spyware, the other was a potential trojan, but like I said these were way old files and they don’t launch themselves.

So now I’m focusing on svchost and things loaded during the boot process. I’ve seen a couple rpc connection attempts that (if I’m not mistaken) were initiated from my end, from something hidden by svchost.

Question: Is there a way to see which file is being run by svchost when you get a CFP popup about a connection attempt?

That’s where I am. Any ideas very much appreciated.
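One way to answer the svchost question above, as an added example (not from the thread or from Comodo): the PID shown in a firewall popup can be mapped back to the services that svchost.exe instance hosts by parsing the output of the Windows command `tasklist /svc`. The sample output below is constructed, not captured from the poster's machine.

```python
import re
import subprocess

# Constructed sample of "tasklist /svc" output (not captured from the poster's
# machine); the wrapped services line for PID 1028 mirrors how tasklist wraps.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    872 DcomLaunch, PlugPlay
svchost.exe                    940 RpcSs
svchost.exe                   1028 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                   ERSvc, EventSystem, lanmanserver, Schedule
explorer.exe                  1512 N/A
"""

def _split_services(field):
    return [s.strip() for s in field.split(",") if s.strip()]

def parse_tasklist_svc(text):
    """Return {pid: (image_name, [service names])}."""
    rows, last_pid = {}, None
    for line in text.splitlines()[2:]:          # skip header and ruler lines
        if not line.strip():
            continue
        if line[0].isspace() and last_pid is not None:
            rows[last_pid][1].extend(_split_services(line))  # wrapped services
            continue
        m = re.match(r"(.+?)\s+(\d+)\s+(.*)$", line)
        if m is None:
            continue
        image, pid, svcs = m.group(1), int(m.group(2)), m.group(3).strip()
        rows[pid] = (image, [] if svcs == "N/A" else _split_services(svcs))
        last_pid = pid
    return rows

def services_for_pid(pid, text=None):
    """Look up the PID from a firewall popup; with text=None run tasklist
    live (Windows only), otherwise parse the supplied output."""
    if text is None:
        text = subprocess.run(["tasklist", "/svc"], capture_output=True,
                              text=True, check=True).stdout
    return parse_tasklist_svc(text).get(pid)
```

Each service name returned can then be inspected with `sc qc <name>` to see how it is configured.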

Have you run a HijackThis scan to see what comes up? Let the guys there take a look; they’re very helpful.

Matty

PS: Why not give BOClean a go?

I’ll check that out, thanks for the linkage.

You should still remove those old files. Trojans have a habit of running themselves, even old ones, without any warning.

Try giving BOClean a go; that way, if any trojan or malware tries to load itself into your memory, BOClean will remove it before it does any damage.

You might also want to think about using Comodo Memory Firewall, which blocks drive-by memory buffer attacks.

Eric