Solved

Stopping The Barbarians at The Gate!

Posted on 2002-07-15
26
176 Views
Last Modified: 2013-12-29
Hello!

I recently got cable internet. The first thing I did was to install Zone Alarm for a firewall.

Yesterday, I happened to run netstat, and was appalled to see some connections I just don't recognize. I ran a trojan scanner, as well as an uptodate McAfee, and they showed nothing. Nor have I detected any Trojan-like activity.

The unknown connections don't appear when I'm on dialup... only cable. I'd like to try blocking the ports just to see if I can keep them out totally. Is there a simple, Freeware utility I can use to do this?

Many thanks,
R2D2
0
Comment
Question by:R2D2022097
  • 4
  • 4
  • 3
  • +9
26 Comments
 
LVL 28

Expert Comment

by:vinnyd79
Comment Utility
I would remove Zone Alarm and try sygate's free personal firewall.

http://www1.simtel.net/pub/dl/53687.html

0
 
LVL 12

Expert Comment

by:pjknibbs
Comment Utility
Which sort of connections are you talking about? Bear in mind a lot of the information NETSTAT outputs just tells you which ports on your machine are listening--what it WON'T tell you is if those ports are being blocked by the firewall or not, because the firewall sits at a different level in the TCP/IP stack to the NETSTAT command. Maybe if you listed some of the suspect connections here we could tell you if they're dangerous or not.
0
 
LVL 3

Expert Comment

by:pleasenospam
Comment Utility
Zone Alarm has a feature that can block or accept specific ports. Your version may be
later than mine and may be able to do both operations at once.  Anyway, for me it was
a laborious trial and error procedure to get it set up the way I want. Here is a listing
of ports and their usage:

http://www.walthowe.com/navnet/faq/ports.html
0
 
LVL 12

Expert Comment

by:Wouter Boevink
Comment Utility
Can you give me some more information about the unwanted open connection? Maybe I can explain to you what they are.
0
 

Author Comment

by:R2D2022097
Comment Utility
Hi!

Here's what I got this morning:

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    oemcomputer:1028       205.188.7.194:5190     ESTABLISHED
  TCP    oemcomputer:1042       fl-stu1a-194.stu.adelphia.net:3670  ESTABLISHED
  TCP    oemcomputer:1043       fl-stu1a-194.stu.adelphia.net:3670  ESTABLISHED

Somehow I have TWO connections from someone in Florida on adelphia. Again, I've scanned for trojans every which way but loose. I honestly don't think I have one.

What is the meaning of this?

best,
R2D2
0
 
LVL 4

Expert Comment

by:Monchanger
Comment Utility
I usually refrain from saying this, but you did use the word "ports", so here goes...

I use TINY Personal Firewall (2.0.15)
I've tried the previous version of ZoneAlarm, seen the pretty and "user-friendly" interface. Tried to understand how to configure it the way I wanted and gave up. I tried Sygate too and can't even remember why I uninstalled it a few hours later.

TINY doesn't have a nice interface - I could probably write a short novel about what should be fixed in the GUI. It's far from being "easy" to use. It's got nothing in terms of inteligence (which is good, if you're technical), but it blocks everything I tell it to block.

Just check out the user opinions at download.com (86%Thumbs Up out of 1163 votes)
http://download.com.com/3000-2092-6313778.html?tag=lst-0-1
0
 
LVL 4

Expert Comment

by:Monchanger
Comment Utility
Port 5190 is your connection to an instant messanging server (seems to be AOL according to the trace I did).
I don't have port 3670 on my port lists either, so it's not a well known protocol/application.
Sorry for the preaching, but TINY's status window shows the application or service that initiated the connection. Might be worth installing just for that.

You might want to post a link to this question in one of the networking topics.
0
 

Author Comment

by:R2D2022097
Comment Utility
Hi!

Here's what I got this morning:

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    oemcomputer:1028       205.188.7.194:5190     ESTABLISHED
  TCP    oemcomputer:1042       fl-stu1a-194.stu.adelphia.net:3670  ESTABLISHED
  TCP    oemcomputer:1043       fl-stu1a-194.stu.adelphia.net:3670  ESTABLISHED

Somehow I have TWO connections from someone in Florida on adelphia. Again, I've scanned for trojans every which way but loose. I honestly don't think I have one.

What is the meaning of this?

best,
R2D2
0
 
LVL 3

Expert Comment

by:pleasenospam
Comment Utility
There are really only a few kinds of intrusions:

...advertisers
...spyware
...hackers
...viruses
...popups

As far as volume goes, most intrusions are from advertisers that are part
of legitimate web sites, such as this one.  It is a lengthy process to get rid
of these, but it can be done.  Look at COOKIES on your system and use Zone Alarm
to block those that have words like "ads" or "click" in the name.


0
 
LVL 12

Expert Comment

by:Wouter Boevink
Comment Utility
Can't find anything about port 3670 try shutting down some application like icq, other instant messengers, peer to peer programs like kazaa, gnutella, imesh etc.

Information about ports
http://www.chebucto.ns.ca/~rakerman/port-table.html
http://www.wittys.com/files/all-ip-numbers.txt
http://www.securitystats.com/tools/portsearch.asp
http://windows.about.com/cs/portstcpudp/
0
 
LVL 2

Expert Comment

by:tandy
Comment Utility
Hi,

What is the name of the isp you are using?

Sounds like the url's of your isp...

The cable modems i have seen all seem to keep open connection as part of the setup..I thinks it may be normal..ask your ISP about it..

Hope this is helpful,,

Tandy
0
 
LVL 7

Expert Comment

by:jatcan
Comment Utility
Go here and use the form to send a report into adelphia abuse. This is the NOC (Network operations Center) network security division:

http://24.48.59.187/forms/abuse_form.cfm

Tell them what is happening in point format

-cable internet service install on (DATE)
-your cable company name and state
-details of how you discovered this intrusion
-copy/paste the netstat results into the form so they have proof



What remote control software do you have installed, check add/remove programs, list anything you don't recognize here.

Are there any people other than yourself who have access to your PC(or have had access)? Who are they and could they have "planted" something?

Click start button\run\type in msconfig,click OK.
Click the selective startup option under the general tab, unchecked all the boxes, apply, OK, reboot. Open msconfig again, are there any boxes re-checked? IF so, what is the path and file name that is re-checked? Do netstat -an in command. Anything. Let it sit for a day or so. Anything now, no? Re-check each option seperately and reboot between each check box. Did the connections return. I am trying to establish whether this IS a trojan/virus and IF so the connections will not return UNLESS the writer has another program that will check for the existence of the trojan in startup areas and if not found will replace and start it.

OH and as far as firewalls goes, get a router. Even if you DO only have one PC on the cnnection. Get the freaking router anyways, it is the BEST hacker protection you can have. For about twice the cost of a good firewall program. ZONE ALARM PRO is well worth the mone spent on it IMHO.

Gotta go home now(I'm at work)pick this up tomrrow if still not resolved.

Cheers.



0
 
LVL 2

Expert Comment

by:Ber
Comment Utility
I dont know if you checked this but adelphia seem to be a cable services company...??? and you are on a cable modem , perhaps they own the ISP you use...??? you can find out more here...

http://www.adelphia.net/

Cheers...
Ber...
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 
LVL 4

Expert Comment

by:Monchanger
Comment Utility
I'm no expert at this stuff, learning as I stumble across new things, but since nobody likes the idear installing TINY, how about this:

If TINY knows how to get the application/service which opened each port, would there be another way to do this? Any command prompt utility or something you can d/l off the net?
0
 
LVL 7

Expert Comment

by:jatcan
Comment Utility
Yes, it's called port moitor and is made by Lcokdown Corp. as part of their lockdown tool for 9X systems. I've used a standalone version of port monitor the first year it was released. All I can say is AWESOME. It is highly configurable. Reasonably stable(I never personally had any problems with it), reasonably priced and downloadable in shareware format.

http://lockdowncorp.com/manual/Monitor.htm

This will give a screenshot of the PORTS tab of the software:

http://lockdowncorp.com/manual/Monitor.htm

It scans for trojan virus/virus like activity and will blocked any until YOU decide to let it through(such as the case is when using Remote Control Software). The trojan scanner has an auto-updater(like antivirus programs-Norton, McAfee, etc,etc..)for updating Trojan virus definitions.

This is all you REALLY need. Configured properly, it would take a hacker with some skill to get on your system. Even if someone plants a trojan at the keyboard, they would ALSO have to configure Lockdown to allow the trojan access.


AND, anything I can find on this 3760 port connection refers to the nimbda client scanning for servers over the net, does your son or anyone else who MAY be hacking have access to your PC?

An example of the nimbda scans:

Oct 29 14:18:30 - snort [1:0:0] Potential CodeRed/Nimda probe
   Source IP: 12.82.134.88   Source port: 3760
Source host: 88.seattle-16-17rs.wa.dial-access.att.net

I beleive that, as previously mentioned by somone above that 3760 is not reserved or assigned to any specific protocol or application, the reaqson for this beleif is because searching iana(Internet Authorized Assignment Numbers) nothing:

http://www.iana.org/assignments/port-numbers  

Just so you know. I would disabled all using msconfig, as I previously mentioned, then reboot and see if it returns. Tiny peronsal firewall IS one of the better ones. I personally prefer the router/port monitor (lockdown corp.) solution, but I have used timy and know people who still do, they like it a lot..

L8tr

0
 
LVL 7

Accepted Solution

by:
jatcan earned 100 total points
Comment Utility
OH Yeah, about Tiny showing you the process that owns each connection; here's another standalone tool that will DO just that:freeware from Sysinternals.com, a very reputable website.

http://www.sysinternals.com/ntw2k/source/tcpview.shtml

Cheers.
0
 
LVL 4

Expert Comment

by:Monchanger
Comment Utility
I'm with jatcan on SystemInternals. Great site, great utilities. They even release the source code for the utilities. Give it a try.

About the "Nimda" virus (jatcan - it comes from "admin", reversed)- I've also seen a few pages mentioning the virus as related to the port in question.
I'm not sure how likely it is that the virus is causing the trouble, but you can get a removal utility from Symantec. Notice that there are two wide-spread variations, and a utility was written for each one. URLs to them are:
http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.removal.tool.html
http://www.symantec.com/avcenter/venc/data/w32.nimda.e@mm.removal.tool.html
(Please read the instructions provided on each page before running the utilities)
0
 
LVL 4

Expert Comment

by:CyberWizard
Comment Utility
r2d2, these connections must be from your provider...

I've got an adsl connection and currently my connections are as follows if I check with netstat:

cs201.msgr.hotmail.com:1863  ESTABLISHED
wwwproxy.xs4all.nl:8080  TIME_WAIT
wwwproxy.xs4all.nl:8080  ESTABLISHED
wwwproxy.xs4all.nl:8080  ESTABLISHED

first is off course msn messenger.
the next connections are from my ISP, this will be my connections via the internet proxy server from my ISP.
and 2 pop connections on Time_wait are also there.

if you have any doubts that there may be something you missed in anti-virus and trojan scanning (have also checked but have not seen any reference of the port you've specified) than you can probe and test your ports via the following website:

https://grc.com/x/ne.dll?bh0bkyd2
Shields up.

Here you can test if any ports are listening which are not made stealth by zonealarm.

Also cross reference your ip address with this ip address:
24.49.244.194

Because this was what I found on www.samspade.org when I filled in the fl-stu1a-194.stu.adelphia.net

Is it about the same perhaps? (and I don't mean compared to any private addresses you have been given in 10.x.x.x or 192.168.x.x ranges, make sure you got the right ip)

It is very likely that adelphia is providing services for your local cable company if you check which services they provide.

What is Adelphia?
Adelphia owns and operates one of the nation´s largest broadband communication networks. We are a leader in:

Cable entertainment
Digital cable
Local voice and long distance telephone services
Messaging
Enhanced data and high-speed Internet services

Where is Adelphia?
Adelphia maintains hundreds of remote locations throughout the United States providing personalized local service to our customers. Adelphia and Adelphia Media Services are all headquartered in Coudersport, a rural community in North Central Pennsylvania.

hope this helps...
0
 
LVL 7

Expert Comment

by:jatcan
Comment Utility
Yes, it is an IP address belonging to the adelphia/cable companies. I have worked for @home tech support. The IP is in their old range. Meaning that whomever took over the geographcial area that this IP is coming from OWNs the IP(Adelphia?) BUT, it could also be a trojan, a hacker with an established connection, your OS communicating with DNS servers and/or routers announcing themselves via broadcast after being rebooted...although, with the last staement, I must say, I have never seen a router "establish" a connection with a PC unles the PC initiated the connection to begin with. I think that it IS possible, that Adelphia(or local cable internet provider) has an established connection to your PC, this does bring the question "WHY"? to the front of the pack though don't it? There is ABSOLUTELY NO REASON whatsoever for an ISP to establish a connection to your PC unless they are monitoring you in some way shape or form and that can be done by veiwing logs and bandwidth usage...as a matter of fact IF it is the ISP I would get an explanation and bring that explanation to a lawyer to see about legal action. There is NOT one good reason why an ISP would need to do this.Period.

Cheers.
0
 
LVL 28

Expert Comment

by:vinnyd79
Comment Utility
I think sygates Personal firewall is a better product then both zone alarm and tiny.There is a Trojan called Tron that can make a connection to your pc and it claims to be able to make a connection to machines running Zone alarm or Tiny 2.0.15. I tested it with Tiny and I was able to connect and open the CD-Rom,download files and more without Tiny making a peep. I tested it with Sygate and Sygate picked it right up. I have not tested it with Zone Alarm yet.
0
 
LVL 28

Expert Comment

by:vinnyd79
Comment Utility
You might want to check what is running in your machine to make sure you don't have a trojan.You can do this with msinfo32
start > run > msinfo32 >Software Environment > Running Tasks

This will show you what is running on your machine.
0
 
LVL 3

Expert Comment

by:pleasenospam
Comment Utility
Until you get a permanent fix you can stop intrusions from specific sites with a
one line entry in the HOSTS file.
0
 
LVL 4

Expert Comment

by:CyberWizard
Comment Utility
r2d2, can you offer some feedback on the suggestions that have been offered?

this can help to further help you solve the problem.

or if the problem has already been resolved you can accept a comment as an answer.

regards,

CyberWizard
0
 
LVL 1

Expert Comment

by:Computer101
Comment Utility
Hello all,
I am Computer101 from Experts-Exchange and also an expert within this topic area. This question has been open a long time.  What I am going to do is allow feedback from the questioner and xperts.  If it is not resolved, I will delete or accept an answer based on the info I have been given, Experts, feel free to offer input.  I will monitor these questions for a period of 5-7 days and come back and evaluate.  I will have another moderator (who is also an expert in this topic area) look at the question also to ensure we do the right thing for this question.

Thank you
Computer101
E-E Admin
0
 

Expert Comment

by:YensidMod
Comment Utility
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

Question to be PAQ'd and no refund

Please leave any comments here within the next seven days.
 
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
 
YensidMod
Community Support Moderator @ Experts Exchange
0
 

Author Comment

by:R2D2022097
Comment Utility
Hello, Friends!

Please forgive me for being tardy accepting and grading this question. I went on vacation shortly after I posted it. I truly apologize for my thoughtless and somewhat boorish behavior.

Many thanks to the kindness of YensidMod for bring this to my attention.

best always,
R2D2
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Auslogics BoostSpeed 9 software 5 43
address book on outlook 2016 mac 7 46
move command 5 29
firefox deployment by sccm 1 20
A Bare Metal Image backup allows for the restore of an entire system to a similar or dissimilar hardware. They are highly useful for migrations and disaster recovery. Bare Metal Image backups support Full and Incremental backups. Differential backup…
If you need to start windows update installation remotely or as a scheduled task you will find this very helpful.
As developers, we are not limited to the functions provided by the VBA language. In addition, we can call the functions that are part of the Windows operating system. These functions are part of the Windows API (Application Programming Interface). U…
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now