R2D2022097 asked:

Stopping The Barbarians at The Gate!

Hello!

I recently got cable internet. The first thing I did was to install Zone Alarm for a firewall.

Yesterday, I happened to run netstat, and was appalled to see some connections I just don't recognize. I ran a trojan scanner, as well as an up-to-date McAfee, and they showed nothing. Nor have I detected any Trojan-like activity.

The unknown connections don't appear when I'm on dialup... only cable. I'd like to try blocking the ports just to see if I can keep them out totally. Is there a simple, Freeware utility I can use to do this?

Many thanks,
R2D2
vinnyd79:

I would remove Zone Alarm and try sygate's free personal firewall.

http://www1.simtel.net/pub/dl/53687.html

Which sort of connections are you talking about? Bear in mind a lot of the information NETSTAT outputs just tells you which ports on your machine are listening--what it WON'T tell you is if those ports are being blocked by the firewall or not, because the firewall sits at a different level in the TCP/IP stack to the NETSTAT command. Maybe if you listed some of the suspect connections here we could tell you if they're dangerous or not.
Zone Alarm has a feature that can block or accept specific ports. Your version may be
later than mine and may be able to do both operations at once.  Anyway, for me it was
a laborious trial and error procedure to get it set up the way I want. Here is a listing
of ports and their usage:

http://www.walthowe.com/navnet/faq/ports.html
Can you give me some more information about the unwanted open connection? Maybe I can explain to you what they are.
R2D2022097 (asker):

Hi!

Here's what I got this morning:

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    oemcomputer:1028       205.188.7.194:5190     ESTABLISHED
  TCP    oemcomputer:1042       fl-stu1a-194.stu.adelphia.net:3670  ESTABLISHED
  TCP    oemcomputer:1043       fl-stu1a-194.stu.adelphia.net:3670  ESTABLISHED

Somehow I have TWO connections from someone in Florida on adelphia. Again, I've scanned for trojans every which way but loose. I honestly don't think I have one.

What is the meaning of this?

best,
R2D2
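An added example, not from the thread, that parses netstat output of the kind posted above and groups established sockets by foreign endpoint, so that two rows to the same host:port are recognised as one peer holding two connections rather than two separate visitors. The KNOWN_PORTS table is an assumption loaded with only a handful of entries (5190 mapped to AOL Instant Messenger, as the thread identifies it); the sample input repeats the three lines above plus one constructed LISTENING row so the parser is exercised on `netstat -a` style output too:

```python
"""Parse Windows-style `netstat` output and summarise the foreign endpoints worth a second look."""
import re
from collections import defaultdict

# Constructed sample: the asker's three lines plus one LISTENING row of the kind
# `netstat -a` adds, so the parser handles both socket states.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    oemcomputer:1028       205.188.7.194:5190     ESTABLISHED
  TCP    oemcomputer:1042       fl-stu1a-194.stu.adelphia.net:3670  ESTABLISHED
  TCP    oemcomputer:1043       fl-stu1a-194.stu.adelphia.net:3670  ESTABLISHED
  TCP    oemcomputer:139        0.0.0.0:0              LISTENING
"""

# Assumption: a minimal port table. 5190 is what the thread identifies as AOL Instant
# Messenger; extend from the IANA registry for real use.
KNOWN_PORTS = {80: "http", 110: "pop3", 139: "netbios-ssn", 443: "https",
               1863: "msn-messenger", 5190: "aol-aim", 8080: "http-proxy"}

# Proto, local host:port, foreign host:port, optional state. Hostnames may contain
# dots and hyphens; UDP rows use "*:*" for the foreign side.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S+)?\s*$")

def parse_netstat(text):
    """Return one dict per socket row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lhost, lport, fhost, fport, state = m.groups()
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "foreign_host": fhost, "foreign_port": fport,
                     "state": state or ""})
    return rows

def foreign_summary(rows):
    """Count ESTABLISHED sockets per foreign (host, port).

    Several sockets to the same host:port are normally one local application
    holding several connections, not several remote parties.
    """
    counts = defaultdict(int)
    for r in rows:
        if r["state"] == "ESTABLISHED":
            counts[(r["foreign_host"], int(r["foreign_port"]))] += 1
    return dict(counts)

def classify(rows):
    """Label each foreign endpoint with the service name for its port, or mark it unknown."""
    out = []
    for (host, port), n in sorted(foreign_summary(rows).items()):
        service = KNOWN_PORTS.get(port, "unknown: identify the local process that owns it")
        out.append((host, port, n, service))
    return out

if __name__ == "__main__":
    for host, port, n, label in classify(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{host}:{port}  x{n}  {label}")
```

Feed it the saved output of `netstat -a` instead of the sample to get the same grouping for a live machine; the port table only names the remote service, it cannot say which local program opened the socket, which is the question the rest of the thread turns to.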
I usually refrain from saying this, but you did use the word "ports", so here goes...

I use TINY Personal Firewall (2.0.15)
I've tried the previous version of ZoneAlarm, seen the pretty and "user-friendly" interface. Tried to understand how to configure it the way I wanted and gave up. I tried Sygate too and can't even remember why I uninstalled it a few hours later.

TINY doesn't have a nice interface - I could probably write a short novel about what should be fixed in the GUI. It's far from being "easy" to use. It's got nothing in terms of intelligence (which is good, if you're technical), but it blocks everything I tell it to block.

Just check out the user opinions at download.com (86% Thumbs Up out of 1163 votes)
http://download.com.com/3000-2092-6313778.html?tag=lst-0-1
Port 5190 is your connection to an instant messaging server (seems to be AOL according to the trace I did).
I don't have port 3670 on my port lists either, so it's not a well known protocol/application.
Sorry for the preaching, but TINY's status window shows the application or service that initiated the connection. Might be worth installing just for that.

You might want to post a link to this question in one of the networking topics.
There are really only a few kinds of intrusions:

...advertisers
...spyware
...hackers
...viruses
...popups

As far as volume goes, most intrusions are from advertisers that are part
of legitimate web sites, such as this one.  It is a lengthy process to get rid
of these, but it can be done.  Look at COOKIES on your system and use Zone Alarm
to block those that have words like "ads" or "click" in the name.


Can't find anything about port 3670; try shutting down some applications like ICQ, other instant messengers, and peer-to-peer programs like Kazaa, Gnutella, iMesh, etc.

Information about ports
http://www.chebucto.ns.ca/~rakerman/port-table.html
http://www.wittys.com/files/all-ip-numbers.txt
http://www.securitystats.com/tools/portsearch.asp
http://windows.about.com/cs/portstcpudp/
Hi,

What is the name of the isp you are using?

Sounds like the URLs of your ISP...

The cable modems I have seen all seem to keep an open connection as part of the setup. I think it may be normal; ask your ISP about it.

Hope this is helpful,

Tandy
Go here and use the form to send a report into adelphia abuse. This is the NOC (Network operations Center) network security division:

http://24.48.59.187/forms/abuse_form.cfm

Tell them what is happening in point format

-cable internet service install on (DATE)
-your cable company name and state
-details of how you discovered this intrusion
-copy/paste the netstat results into the form so they have proof



What remote control software do you have installed, check add/remove programs, list anything you don't recognize here.

Are there any people other than yourself who have access to your PC(or have had access)? Who are they and could they have "planted" something?

Click start button\run\type in msconfig,click OK.
Click the selective startup option under the general tab, uncheck all the boxes, apply, OK, reboot. Open msconfig again: are there any boxes re-checked? If so, what is the path and file name that is re-checked? Do netstat -an in command. Anything? Let it sit for a day or so. Anything now, no? Re-check each option separately and reboot between each check box. Did the connections return? I am trying to establish whether this IS a trojan/virus and IF so the connections will not return UNLESS the writer has another program that will check for the existence of the trojan in startup areas and if not found will replace and start it.

OH and as far as firewalls go, get a router. Even if you DO only have one PC on the connection. Get the freaking router anyway, it is the BEST hacker protection you can have. For about twice the cost of a good firewall program. ZONE ALARM PRO is well worth the money spent on it IMHO.

Gotta go home now (I'm at work); pick this up tomorrow if still not resolved.

Cheers.



I don't know if you checked this, but Adelphia seems to be a cable services company...??? and you are on a cable modem, perhaps they own the ISP you use...??? you can find out more here...

http://www.adelphia.net/

Cheers...
Ber...
I'm no expert at this stuff, learning as I stumble across new things, but since nobody likes the idea of installing TINY, how about this:

If TINY knows how to get the application/service which opened each port, would there be another way to do this? Any command prompt utility or something you can d/l off the net?
Yes, it's called Port Monitor and is made by Lockdown Corp. as part of their Lockdown tool for 9x systems. I've used a standalone version of Port Monitor the first year it was released. All I can say is AWESOME. It is highly configurable. Reasonably stable (I never personally had any problems with it), reasonably priced and downloadable in shareware format.

http://lockdowncorp.com/manual/Monitor.htm

This will give a screenshot of the PORTS tab of the software:

http://lockdowncorp.com/manual/Monitor.htm

It scans for trojan virus/virus-like activity and will block any until YOU decide to let it through (such as is the case when using Remote Control Software). The trojan scanner has an auto-updater (like antivirus programs: Norton, McAfee, etc.) for updating Trojan virus definitions.

This is all you REALLY need. Configured properly, it would take a hacker with some skill to get on your system. Even if someone plants a trojan at the keyboard, they would ALSO have to configure Lockdown to allow the trojan access.


AND, anything I can find on this 3760 port connection refers to the Nimda client scanning for servers over the net; does your son or anyone else who MAY be hacking have access to your PC?

An example of the Nimda scans:

Oct 29 14:18:30 - snort [1:0:0] Potential CodeRed/Nimda probe
   Source IP: 12.82.134.88   Source port: 3760
Source host: 88.seattle-16-17rs.wa.dial-access.att.net

I believe that, as previously mentioned by someone above, 3760 is not reserved or assigned to any specific protocol or application; the reason for this belief is that searching IANA (Internet Authorized Assignment Numbers) turns up nothing:

http://www.iana.org/assignments/port-numbers   

Just so you know, I would disable all using msconfig, as I previously mentioned, then reboot and see if it returns. Tiny Personal Firewall IS one of the better ones. I personally prefer the router/port monitor (Lockdown Corp.) solution, but I have used Tiny and know people who still do; they like it a lot.

L8tr
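An added example, not from the thread and not Snort's own rule, showing what a CodeRed/Nimda probe looks like in a web server access log and how to flag it. The rules key on the request path (root.exe, cmd.exe under system32 reached through encoded traversal, and default.ida with a query string), because a client's source port, 3760 in the alert quoted above, is picked by the client's TCP stack and carries no signal on its own; counting hits per source IP is what identifies the scanner. The log lines are constructed, in Apache combined style with the client port appended to the address field so that point can be shown:

```python
"""Flag CodeRed/Nimda-style probes in web access logs by request path, then count them per source IP."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample. The probe requests are the well-known Nimda (root.exe, cmd.exe via
# traversal) and Code Red (default.ida) signatures; addresses, ports and timestamps are made up.
# Format: client_ip:client_port ident user [timestamp] "request" status bytes
SAMPLE_LOG = """\
10.0.0.5:3760 - - [29/Oct/2001:14:18:30 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287
10.0.0.5:3761 - - [29/Oct/2001:14:18:31 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 287
10.0.0.5:3762 - - [29/Oct/2001:14:18:31 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287
10.0.0.5:3763 - - [29/Oct/2001:14:18:32 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287
10.0.0.9:1044 - - [29/Oct/2001:14:20:02 -0800] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 400 0
10.0.0.7:3760 - - [29/Oct/2001:14:21:10 -0800] "GET /index.html HTTP/1.1" 200 5124
"""

LOG_RE = re.compile(
    r'^(?P<ip>[\d.]+):(?P<port>\d+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) \S+$'
)

# Rules are applied to the normalised (decoded, lower-cased) path.
PROBE_RULES = [
    ("nimda-root-exe", re.compile(r"/root\.exe")),
    ("nimda-cmd-exe", re.compile(r"system32[/\\]cmd\.exe")),
    ("codered-default-ida", re.compile(r"/default\.ida\?")),
]

def parse_line(line):
    """Split one access-log line into fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def normalize_path(path):
    """URL-decode twice so %255c (double-encoded backslash) and %5c both become '\\', then lower-case.

    Invalid byte sequences such as %c1%1c decode to replacement characters, which is
    fine: the cmd.exe tail of the path is what the rule needs to see.
    """
    return unquote(unquote(path)).lower()

def match_probe(path):
    """Return the name of the first rule that matches, or None for a benign request."""
    norm = normalize_path(path)
    for name, rx in PROBE_RULES:
        if rx.search(norm):
            return name
    return None

def detect(log_text):
    """Return (ip, port, rule, raw_path) for every line that looks like a probe."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rule = match_probe(rec["path"])
        if rule:
            hits.append((rec["ip"], int(rec["port"]), rule, rec["path"]))
    return hits

def sources(hits):
    """Probes per source IP. The client port changes on every connection, so aggregate on the IP."""
    return Counter(ip for ip, _port, _rule, _path in hits)

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for ip, port, rule, path in found:
        print(f"{ip}:{port}  {rule}  {path}")
    print(dict(sources(found)))
```

The benign request from port 3760 in the sample is not flagged while the four probes from 10.0.0.5, each on a different port, are; that is the difference between matching on content and matching on a port number.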

ASKER CERTIFIED SOLUTION
jatcan

I'm with jatcan on SystemInternals. Great site, great utilities. They even release the source code for the utilities. Give it a try.

About the "Nimda" virus (jatcan - it comes from "admin", reversed)- I've also seen a few pages mentioning the virus as related to the port in question.
I'm not sure how likely it is that the virus is causing the trouble, but you can get a removal utility from Symantec. Notice that there are two widespread variations, and a utility was written for each one. URLs to them are:
http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.removal.tool.html
http://www.symantec.com/avcenter/venc/data/w32.nimda.e@mm.removal.tool.html
(Please read the instructions provided on each page before running the utilities)
r2d2, these connections must be from your provider...

I've got an adsl connection and currently my connections are as follows if I check with netstat:

cs201.msgr.hotmail.com:1863  ESTABLISHED
wwwproxy.xs4all.nl:8080  TIME_WAIT
wwwproxy.xs4all.nl:8080  ESTABLISHED
wwwproxy.xs4all.nl:8080  ESTABLISHED

first is of course msn messenger.
the next connections are from my ISP, this will be my connections via the internet proxy server from my ISP.
and 2 pop connections on Time_wait are also there.

if you have any doubts that there may be something you missed in anti-virus and trojan scanning (I have also checked but have not seen any reference to the port you've specified) then you can probe and test your ports via the following website:

https://grc.com/x/ne.dll?bh0bkyd2
Shields up.

Here you can test if any ports are listening which are not made stealth by zonealarm.

Also cross reference your ip address with this ip address:
24.49.244.194

Because this was what I found on www.samspade.org when I filled in the fl-stu1a-194.stu.adelphia.net

Is it about the same perhaps? (and I don't mean compared to any private addresses you have been given in 10.x.x.x or 192.168.x.x ranges, make sure you got the right ip)

It is very likely that adelphia is providing services for your local cable company if you check which services they provide.

What is Adelphia?
Adelphia owns and operates one of the nation´s largest broadband communication networks. We are a leader in:

Cable entertainment
Digital cable
Local voice and long distance telephone services
Messaging
Enhanced data and high-speed Internet services

Where is Adelphia?
Adelphia maintains hundreds of remote locations throughout the United States providing personalized local service to our customers. Adelphia and Adelphia Media Services are all headquartered in Coudersport, a rural community in North Central Pennsylvania.

hope this helps...
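An added example, not from the thread and not GRC's code, of the probe a service like ShieldsUp performs: a TCP connect() from the outside, classifying each port as open, closed (the host answered with a reset) or filtered (no answer before the timeout, which ShieldsUp reports as "stealth"). This is the view netstat cannot give, as noted earlier in the thread: netstat shows what is listening locally, not whether the firewall lets the packet arrive. To run offline the demo opens one throwaway listener on loopback and probes it next to a port nothing listens on; the host, ports and timeout are assumptions, and probing 127.0.0.1 can never show "filtered" because nothing sits between the probe and the host:

```python
"""Classify TCP ports from the outside as open / closed / filtered, the way a port-probe service does."""
import socket

def probe(host, port, timeout=1.0):
    """One connect() attempt against host:port.

    open     -> the three-way handshake completed: something is listening and reachable
    closed   -> the host answered with RST (ConnectionRefusedError)
    filtered -> nothing came back before the timeout, or the path errored: typically a
                firewall dropping the SYN, which a probe service calls "stealth"
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # socket.timeout / TimeoutError and unreachable errors are OSError subclasses
        return "filtered"
    finally:
        s.close()

def probe_many(host, ports, timeout=1.0):
    """Probe each port in turn; returns {port: verdict}."""
    return {p: probe(host, p, timeout) for p in ports}

def _unused_port():
    """Ask the kernel for a free loopback port, then release it; nothing listens there afterwards."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def demo():
    """Open one real listener on loopback and probe it alongside a port that is not listening.

    A socket in listen() state completes handshakes from its backlog even if accept()
    is never called, so the listener alone is enough to produce an 'open' verdict.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # assumption: loopback, kernel-chosen port
    listener.listen(1)
    open_port = listener.getsockname()[1]
    closed_port = _unused_port()
    try:
        results = probe_many("127.0.0.1", [open_port, closed_port], timeout=1.0)
    finally:
        listener.close()
    return open_port, closed_port, results

if __name__ == "__main__":
    op, cp, res = demo()
    print(f"port {op}: {res[op]}   port {cp}: {res[cp]}")
```

Point `probe_many` at your public address from a machine outside your own network to reproduce what the web-based test does; run from inside, against the private address, it reports what the LAN sees, which is exactly the distinction the post above warns about when it says to make sure you have the right IP.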
Yes, it is an IP address belonging to the adelphia/cable companies. I have worked for @home tech support. The IP is in their old range. Meaning that whomever took over the geographical area that this IP is coming from OWNs the IP (Adelphia?). BUT, it could also be a trojan, a hacker with an established connection, your OS communicating with DNS servers and/or routers announcing themselves via broadcast after being rebooted... although, with the last statement, I must say, I have never seen a router "establish" a connection with a PC unless the PC initiated the connection to begin with. I think that it IS possible that Adelphia (or local cable internet provider) has an established connection to your PC; this does bring the question "WHY?" to the front of the pack though, doesn't it? There is ABSOLUTELY NO REASON whatsoever for an ISP to establish a connection to your PC unless they are monitoring you in some way, shape or form, and that can be done by viewing logs and bandwidth usage... as a matter of fact IF it is the ISP I would get an explanation and bring that explanation to a lawyer to see about legal action. There is NOT one good reason why an ISP would need to do this. Period.

Cheers.
I think Sygate's Personal Firewall is a better product than both Zone Alarm and Tiny. There is a Trojan called Tron that can make a connection to your PC and it claims to be able to make a connection to machines running Zone Alarm or Tiny 2.0.15. I tested it with Tiny and I was able to connect and open the CD-ROM, download files and more without Tiny making a peep. I tested it with Sygate and Sygate picked it right up. I have not tested it with Zone Alarm yet.
You might want to check what is running in your machine to make sure you don't have a trojan. You can do this with msinfo32:
start > run > msinfo32 > Software Environment > Running Tasks

This will show you what is running on your machine.
Until you get a permanent fix you can stop intrusions from specific sites with a
one line entry in the HOSTS file.
r2d2, can you offer some feedback on the suggestions that have been offered?

this can help to further help you solve the problem.

or if the problem has already been resolved you can accept a comment as an answer.

regards,

CyberWizard
Hello all,
I am Computer101 from Experts-Exchange and also an expert within this topic area. This question has been open a long time. What I am going to do is allow feedback from the questioner and experts. If it is not resolved, I will delete or accept an answer based on the info I have been given. Experts, feel free to offer input. I will monitor these questions for a period of 5-7 days and come back and evaluate. I will have another moderator (who is also an expert in this topic area) look at the question also to ensure we do the right thing for this question.

Thank you
Computer101
E-E Admin
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

Question to be PAQ'd and no refund

Please leave any comments here within the next seven days.
 
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
 
YensidMod
Community Support Moderator @ Experts Exchange
Hello, Friends!

Please forgive me for being tardy accepting and grading this question. I went on vacation shortly after I posted it. I truly apologize for my thoughtless and somewhat boorish behavior.

Many thanks to the kindness of YensidMod for bringing this to my attention.

best always,
R2D2