Question

Have I been hacked?

Asked by: lizzieluvsyou

The other day, I was playing around with the command prompt, and did a "netstat".

I wasn't expecting anything unusual, but I stumbled upon a connection to hotmail.se. A little research and I found out that .se is an extension for Sweden, and the port belonged to something called "Autodesk License Manager".

I was quite worried, but I put it out of my head figuring that it might have been from some spyware or something.

However, when I logged onto my computer tonight and started surfing the internet, I got a login-box, like the type you get when you're trying to log into an FTP site, seemingly out of nowhere. It asked for a username and password.
I did a netstat, and this was the result:
http://www.geocities.com/stormy_chan/what.txt

After that, I immediately unplugged my laptop from my home network.
I did some research and found that, again, the port is used by Autodesk License Manager.
Does anyone have any idea what is going on? I'm sure it's bad, whatever it is. I can't seem to find any information on exploits regarding this port...

This Question has been solved and asker verified.
Asked on: 2004-03-25 at 20:42:49 (ID 20932862)
Tags: netstat
Topic: Miscellaneous Security
Participating experts: 6
Points: 500
Comments: 23


Answers

 

by: CrazyOne | Posted on 2004-03-25 at 20:46:48 | ID: 10684324

 

by: CrazyOne | Posted on 2004-03-25 at 20:48:59 | ID: 10684337

http://techfee.washington.edu/proposals/page8/2004-42
In the spring of 2004, Autodesk will release a new version, Architectural Desktop/Neon – AutoCAD 2004. This version represents a major advance in AutoCAD’s 3D design capacity, as well as significant user interface and productivity improvements. We skipped one AutoCAD upgrade because the improvements didn’t justify the expense. But this new version contains enough improvements to make an upgrade worthwhile. Since AutoCAD uses a network licensing model, we would be able to offer the new version for CAUP students to install on their own computers. The proposed number of licenses is sufficient to meet the anticipated demand.

 

by: lizzieluvsyou | Posted on 2004-03-25 at 20:57:00 | ID: 10684362

I've honestly never heard of Autodesk License Manager or AutoCad till today.
Actually, AutoCad sounds distantly familiar, but I still assume that if I had it on my computer, it looks like it would be something I'd know about.

 

by: CrazyOne | Posted on 2004-03-25 at 21:00:53 | ID: 10684376

It may be attached to something other than AutoCAD. It could be attached to some other process that uses Autodesk License Manager.

 

by: CrazyOne | Posted on 2004-03-25 at 21:03:33 | ID: 10684387

Here, use this free utility to see if you can find which process it may be attached to.

Process Explorer
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

Note: when you open the program, go to the menu View and make sure there is a check mark next to View > Lower Pane View > DLL's. If there isn't, then click on it.

Just click each process one at a time and look at the bottom window. Note if that file is listed, and if it is, kill the process that had the files open.

Also do this

Try this

Start > Run msconfig
Click on the tab marked "Startup"
Click the Disable All button.

If the problem no longer persists then one of the items in the startup is the culprit; you just need to track it down.


If you have Win2000 then
MSCONFIG for Win 2000
http://www.insideproject.com/showguide.cfm?guideid=31
http://www.insideproject.com/downloads/msconfig2k/msconfig.zip

StartupCop
http://www.pcmag.com/article2/0,4149,2173,00.asp

AutoRuns
http://www.sysinternals.com/ntw2k/source/misc.shtml#autoruns

Startup Control Panel
http://www.mlin.net/StartupCPL.shtml
and
StartupMonitor
http://www.mlin.net/StartupMonitor.shtml

 

by: richrumble | Posted on 2004-03-25 at 21:18:34 | ID: 10684443

Autodesk is AutoCAD... 1422, 2080 (1538 too?) are supposedly reserved, however M$ will typically use anything above 1024 for ephemeral ports. What you have there is a False-Positive (maybe). With M$ they are generally between 1024 and 5000. If you look here you can see that there are many ports "reserved" for other applications within that range of port numbers: http://www.iana.org/assignments/port-numbers
Ephemeral ports are ports that Windows binds to as the source. When you connect to www.example.com and you do a "netstat -a" you'll typically see your PC with a source port above 1024 and below 5000, connecting to DESTINATION www.example.com:http (port 80) or https (port 443).

I don't know what that geocities garbage is... doesn't look promising.

If you've been hacked... those could be statically bound ports; you can do this with many back-door programs. To keep yourself safe, you need a firewall, like ZoneAlarm. You also need anti-virus; with M$ there is practically no getting around it. ZA has a free FW that will suit your needs just fine. You should also turn off certain services on your PC.
Remote Registry service needs to be disabled, and stopped.
If you do not connect to a Windows network, you can disable the Server service, and NO-ONE can connect remotely to your PC, but don't touch it if you take your laptop to work and plug into a Windows domain; you'll need the Server service. Also the Messenger service can be disabled; this does not affect anything except your ability to get "net send" messages.

If you have XP Pro turn on its firewall, it is a decent step FWD for M$. http://www.microsoft.com/windowsxp/pro/using/howto/networking/icf.asp
If no XP Pro, then get ZoneAlarm. You'll need to scan your PC for viri and backdoors. McAfee has great detection definitions for most of the popular tools and viri out there. Norton does well with viri, however I do not think they do as well with detecting "malicious" programs. Ad-aware also can detect some trojans and other annoyances...

ZA has the added benefit of helping you track down and or stop new programs from running. If you install ZA, and all of a sudden got the newest virus out there, no company had made a virus definition for it yet it's sooo new, you get this virus- then it tries to spread to other machines via the internet- ZA will prompt you asking "would you like to allow "new-vir.exe" to access the internet?" You would say no, and you could put a check mark for "remember this response" for that program. Then track down that program and delete it.  ZA is a port firewall and a process firewall also. It is "chatty" at first, but once you've got it set up, there is hardly ever a need to change much.
GL!
-rich

 

by: mattisflones | Posted on 2004-03-25 at 21:18:57 | ID: 10684444

Hi lizzieluvsyou,
You have some kind of software from Autodesk, that's why.. no problem!
The txis.com I do not know what is, but it seems harmless.. You have not been hacked, 99% sure!

If you're afraid of spyware run:
spybot: http://beam.to/spybotsd
adaware: http://www.lavasoftusa.com/support/download/
Coolwebshredder: http://www.spychecker.com/program/coolwebshredder.html
These three tools take everything!

Mattis

 

by: mattisflones | Posted on 2004-03-25 at 21:23:13 | ID: 10684459

sorry Crazy, my QP is acting up again...

 

by: CrazyOne | Posted on 2004-03-25 at 21:26:33 | ID: 10684477

:)

 

by: richrumble | Posted on 2004-03-25 at 21:27:11 | ID: 10684478

AutoCAD is a 3D Computer Aided Design program: making floor plans, 3D modeling and such.... it's for very specific uses. You can search your HD for "auto*" (auto then asterisk) and see if it's there or not. I doubt it; sounds like FP of the ephemeral ports. Run Windows Update also: open Internet Explorer, Tools, Windows Update, click scan then review and install updates. http://www.microsoft.com/technet/security/tools/mbsahome.mspx MBSA can help you determine if your system is easy to penetrate also.
-rich

 

by: chicagoan | Posted on 2004-03-26 at 03:21:18 | ID: 10686043

fport
http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/fport.htm
will map the port to the process that opened it, and you can go from there.
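
An added example (not part of any post in this thread) of the triage the answers above describe: richrumble's point that a "reserved" port number is often just an ephemeral source port, and chicagoan's suggestion to map a port to the process that opened it. It parses constructed `netstat -ano` output; the addresses, PIDs and function names are made up for illustration.

```python
import re
from collections import defaultdict

# Source-port range the answer above gives for Windows of that era.
# Assumption to adjust: later Windows versions default to 49152-65535.
EPHEMERAL = range(1024, 5001)

# Constructed `netstat -ano` output: addresses and PIDs are made up.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:2080           0.0.0.0:0              LISTENING       1244
  TCP    192.168.1.10:1422      198.51.100.20:80       ESTABLISHED     1880
  TCP    192.168.1.10:2080      203.0.113.7:4431       ESTABLISHED     1244
  TCP    192.168.1.10:3012      192.0.2.44:443         ESTABLISHED     1880
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")

def parse(text):
    """Return one dict per TCP row; UDP rows and the header are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            _, lport, _, rport, state, pid = m.groups()
            rows.append({"lport": int(lport), "rport": int(rport),
                         "state": state, "pid": int(pid)})
    return rows

def classify(rows):
    """Label each row by what its local port actually means."""
    listening = {r["lport"] for r in rows if r["state"] == "LISTENING"}
    labelled = []
    for r in rows:
        if r["state"] == "LISTENING":
            label = "listener"           # something here accepts connections
        elif r["lport"] in listening:
            label = "inbound"            # a peer connected to our listener
        elif r["lport"] in EPHEMERAL:
            label = "ephemeral-source"   # outbound; the port's name is coincidence
        else:
            label = "other"
        labelled.append((r["lport"], r["rport"], r["pid"], label))
    return labelled

def listeners_by_pid(rows):
    """PIDs to look up in fport or Process Explorer, with their ports."""
    owners = defaultdict(set)
    for lport, _, pid, label in classify(rows):
        if label in ("listener", "inbound"):
            owners[pid].add(lport)
    return {pid: sorted(ports) for pid, ports in owners.items()}

if __name__ == "__main__":
    rows = parse(SAMPLE)
    for row in classify(rows):
        print(row)
    print(listeners_by_pid(rows))
```

In the sample, local port 1422 is only the source side of an outbound web connection, while port 2080 has a listener and an inbound peer, so PID 1244 is the one to identify.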

 

by: Razmus | Posted on 2004-03-26 at 13:27:17 | ID: 10691339

There is a trojan, WinHole, which does use one of the AutoCAD License Manager ports, 2080.
http://www.glocksoft.com/trojan_list/WinHole.htm

I'm having a hard time understanding why a legitimate AutoCAD software utility would be connecting to the sites you are referencing...

 

by: lizzieluvsyou | Posted on 2004-03-26 at 19:08:25 | ID: 10693015

Well, I was able to explain away the ftp popup.
I took a look at the sites I visited that day, and on a message board, someone had direct linked an image off of the site swords.com, which seems to be why it showed up as swords.txis.com on my computer.
However, I'm still getting weird traffic I can't explain, even when I'm not at any webpages.
A few such sites:
unicyclist.com
wx.com
level3.com
jobs.collegerecruiter.com

Tonight I haven't noticed that much outside the norm. I'll try your suggestions and see if anything else develops.

 

by: richrumble | Posted on 2004-03-27 at 04:45:56 | ID: 10694377

You probably do have a trojan, or infection. You need AV to scan your machine first and foremost. Then get a firewall going etc...

 

by: lizzieluvsyou | Posted on 2004-03-27 at 08:44:05 | ID: 10695126

I ran McAfee antivirus on the suspect computer yesterday, but it didn't find anything wrong (it is fully updated).
I'm running an online version of Norton antivirus right now, I'll see if that makes any difference.

 

by: richrumble | Posted on 2004-03-27 at 18:32:08 | ID: 10696966

McAfee has a few settings that may help you, that aren't on by default... depending on your version of McAfee:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101142 Use heuristics or the "find potentially unwanted/joke" settings.
Remember on XP and WinME to turn off System Restore: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
Ad-Aware might also turn something up, GL!
-rich

 

by: lizzieluvsyou | Posted on 2004-03-30 at 19:43:35 | ID: 10720666

Alright, I'll try that too. I've already run Ad-aware... I had one piece of malware along with the usual junk, but it said it was low-risk, and after I removed it I continued having problems.

Lately, the activity has completely stopped. I didn't try the extra McAfee settings yet, but all other virus software I've run reports no problems.

I'm really quite confused. Since all the weird activity has stopped, though, I don't think I'll be able to determine what caused it.

 

by: chicagoan | Posted on 2004-03-30 at 23:51:30 | ID: 10721701

What did fport report?

 

by: skyflash_de | Posted on 2004-08-03 at 06:30:23 | ID: 11704181

The what.txt you posted above is a GIF file... why did you post it as a .txt file?

Anyway, I don't think you got a trojan, but nevertheless you shouldn't allow anything to access ports, so get a firewall fast. I recommend Sygate Personal Firewall.

You probably were doing some strange stuff and visiting some strange websites, that's all.

 

by: lizzieluvsyou | Posted on 2004-08-14 at 13:35:50 | ID: 11801675

It's a .txt to get around Geocities' image hotlinking limitations.
About going to odd websites -- it would happen even when there were no applications running.

I've gotten a firewall and secured myself a little more, and I haven't had any especially weird goings on.

I did find that the strangest part of it was a false alarm. The log in window that popped up was due to a hot linked image that was in somebody's signature on a messageboard.

As for the stuff that was showing up without me having any apps open, like I said, I have no idea.

The oddest thing that's happened lately was Microsoft Messenger popping up for no reason and asking for me to log in. When I did a netstat, it showed a connection to *.hotmail.com. At least I believe it was something like that. The first part might have looked like "bob13"... I googled it and some other people had reported similar occurrences, so I didn't worry about it.

Thanks for the comment.

 

by: richrumble | Posted on 2004-08-15 at 18:33:48 | ID: 11806405

The extra McAfee settings will detect "annoying" and "pests" as well as the regular viri. Spy-ware often needs no browser open to pop up a window; they can open a window for you ;) (very nice of them, don't you think?) The hotmail (MSN Passport) stuff can be turned off, setting in the preferences I think.
-rich
