Solved

Net connection has multiple unknown outgoing connections

Posted on 2003-10-28
570 Views
Last Modified: 2012-05-04
I ran a netstat -a out of curiosity, and found lots and lots of connections pointing to 80.80.15.166. This IP is blocked by the KaZaA Lite supertrick, and I am aware that they are hypothetically being blocked by looping it back.

Running a whois, it's registered to bluewebhouse in the Netherlands, which isn't very helpful!

What I want to know is what is causing all these unrequested connections, how to either terminate all those 80.80.15.166 connections or to remove what is trying to phone home, and (wondering) why it's blocked by the supertrick (i.e. is it an ad site, a porn site...). Obviously the last one is just a wish, I just want to get rid of this!

-Thanks, LeeM01

Below is a netstat -a dump; as you can see there are more than 80 connections to that site (some partially closed, I know):

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    Mtat:http              Mtat:0                 LISTENING
  TCP    Mtat:epmap             Mtat:0                 LISTENING
  TCP    Mtat:microsoft-ds      Mtat:0                 LISTENING
  TCP    Mtat:1025              Mtat:0                 LISTENING
  TCP    Mtat:1026              Mtat:0                 LISTENING
  TCP    Mtat:1029              Mtat:0                 LISTENING
  TCP    Mtat:3015              Mtat:0                 LISTENING
  TCP    Mtat:3016              Mtat:0                 LISTENING
  TCP    Mtat:3019              Mtat:0                 LISTENING
  TCP    Mtat:3023              Mtat:0                 LISTENING
  TCP    Mtat:3025              Mtat:0                 LISTENING
  TCP    Mtat:3483              Mtat:0                 LISTENING
  TCP    Mtat:3484              Mtat:0                 LISTENING
  TCP    Mtat:3527              Mtat:0                 LISTENING
  TCP    Mtat:3528              Mtat:0                 LISTENING
  TCP    Mtat:3538              Mtat:0                 LISTENING
  TCP    Mtat:3540              Mtat:0                 LISTENING
  TCP    Mtat:3541              Mtat:0                 LISTENING
  TCP    Mtat:3542              Mtat:0                 LISTENING
  TCP    Mtat:5000              Mtat:0                 LISTENING
  TCP    Mtat:http              80.80.15.166:3069      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3091      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3100      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3109      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3119      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3129      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3142      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3151      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3168      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3179      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3186      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3199      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3204      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3207      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3213      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3215      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3220      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3225      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3230      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3239      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3242      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3245      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3248      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3257      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3260      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3268      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3276      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3279      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3298      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3305      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3314      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3320      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3324      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3329      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3331      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3333      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3344      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3346      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3353      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3358      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3363      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3365      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3367      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3376      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3381      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3384      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3397      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3400      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3403      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3408      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3415      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3422      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3429      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3434      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3441      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3448      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3453      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3455      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3457      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3464      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3468      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3475      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3484      ESTABLISHED
  TCP    Mtat:1030              Mtat:0                 LISTENING
  TCP    Mtat:1030              80.80.15.166:3015      ESTABLISHED
  TCP    Mtat:1030              80.80.15.166:3483      ESTABLISHED
  TCP    Mtat:1030              80.80.15.166:3496      TIME_WAIT
  TCP    Mtat:1030              80.80.15.166:3513      TIME_WAIT
  TCP    Mtat:1030              80.80.15.166:3521      TIME_WAIT
  TCP    Mtat:1030              80.80.15.166:3523      TIME_WAIT
  TCP    Mtat:1030              80.80.15.166:3525      TIME_WAIT
  TCP    Mtat:1030              80.80.15.166:3527      ESTABLISHED
  TCP    Mtat:1030              80.80.15.166:3529      TIME_WAIT
  TCP    Mtat:1030              80.80.15.166:3531      TIME_WAIT
  TCP    Mtat:1030              80.80.15.166:3533      TIME_WAIT
  TCP    Mtat:1030              80.80.15.166:3538      ESTABLISHED
  TCP    Mtat:1030              80.80.15.166:3541      ESTABLISHED
  TCP    Mtat:3001              Mtat:0                 LISTENING
  TCP    Mtat:3002              Mtat:0                 LISTENING
  TCP    Mtat:3003              Mtat:0                 LISTENING
  TCP    Mtat:3008              Mtat:0                 LISTENING
  TCP    Mtat:3015              80.80.15.166:1030      ESTABLISHED
  TCP    Mtat:3019              80.80.15.166:1030      CLOSE_WAIT
  TCP    Mtat:3023              80.80.15.166:1030      CLOSE_WAIT
  TCP    Mtat:3025              80.80.15.166:1030      CLOSE_WAIT
  TCP    Mtat:3483              80.80.15.166:1030      ESTABLISHED
  TCP    Mtat:3484              80.80.15.166:http      ESTABLISHED
  TCP    Mtat:3527              80.80.15.166:1030      ESTABLISHED
  TCP    Mtat:3538              80.80.15.166:1030      ESTABLISHED
  TCP    Mtat:3541              80.80.15.166:1030      ESTABLISHED
  TCP    Mtat:3016              baym-cs53.msgr.hotmail.com:1863  ESTABLI
  TCP    Mtat:3512              peach.ripe.net:http    TIME_WAIT
  TCP    Mtat:3520              216.239.57.99:http     TIME_WAIT
  TCP    Mtat:3528              80.80.14.54:http       ESTABLISHED
  TCP    Mtat:3540              80.80.14.54:http       ESTABLISHED
  TCP    Mtat:3542              80.80.14.54:http       ESTABLISHED
  UDP    Mtat:epmap             *:*
  UDP    Mtat:microsoft-ds      *:*
  UDP    Mtat:isakmp            *:*
  UDP    Mtat:1027              *:*
  UDP    Mtat:1028              *:*
  UDP    Mtat:3004              *:*
  UDP    Mtat:3012              *:*
  UDP    Mtat:3022              *:*
  UDP    Mtat:3062              *:*
  UDP    Mtat:ntp               *:*
  UDP    Mtat:1900              *:*
  UDP    Mtat:3005              *:*
  UDP    Mtat:3017              *:*
  UDP    Mtat:3032              *:*
  UDP    Mtat:discard           *:*
  UDP    Mtat:ntp               *:*
  UDP    Mtat:1900              *:*
Question by:LeeM01
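As an added example (not from the question or from any of the answers), here is a Python script that parses a dump in the same column layout as the netstat -a output above, tallies TCP sockets per foreign host and per state, and flags mirrored port pairs (local port A to host port B alongside local port B to host port A), which means both ends of that connection are on this machine. The sample rows are constructed to mimic the dump, not copied from it in full.

```python
"""Triage a Windows `netstat -a` dump: tally TCP sockets per foreign host and state,
and flag mirrored port pairs, i.e. both ends of one connection sit on this machine."""
import re
from collections import Counter, defaultdict
# Constructed sample in the same column layout as the dump in the question (not the full dump).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    Mtat:http              Mtat:0                 LISTENING
  TCP    Mtat:http              80.80.15.166:3069      CLOSE_WAIT
  TCP    Mtat:http              80.80.15.166:3484      ESTABLISHED
  TCP    Mtat:1030              80.80.15.166:3015      ESTABLISHED
  TCP    Mtat:3015              80.80.15.166:1030      ESTABLISHED
  TCP    Mtat:3484              80.80.15.166:http      ESTABLISHED
  TCP    Mtat:3528              80.80.14.54:http       ESTABLISHED
  UDP    Mtat:ntp               *:*
"""

# proto, local host:port, foreign host:port, optional state (UDP rows have none)
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")

def parse(dump):
    """Return (proto, local_port, foreign_host, foreign_port, state) per socket line."""
    rows = []
    for line in dump.splitlines():
        m = LINE.match(line)
        if m:
            proto, _lhost, lport, fhost, fport, state = m.groups()
            rows.append((proto, lport, fhost, fport, state or ""))
    return rows

def active_tcp(rows):
    """TCP sockets that have a peer; LISTENING entries carry no foreign host."""
    return [r for r in rows if r[0] == "TCP" and r[4] != "LISTENING"]

def per_host(rows):
    """Map foreign host -> {state: count}; one host owning most sockets stands out."""
    hosts = defaultdict(Counter)
    for _proto, _lport, fhost, _fport, state in active_tcp(rows):
        hosts[fhost][state] += 1
    return {h: dict(c) for h, c in hosts.items()}

def mirrored_pairs(rows):
    """Sorted (host, port_a, port_b) where local:a<->host:b and local:b<->host:a both appear."""
    seen = {(lp, fh, fp) for _p, lp, fh, fp, _s in active_tcp(rows)}
    return sorted({(fh, *sorted((lp, fp))) for lp, fh, fp in seen if (fp, fh, lp) in seen})

if __name__ == "__main__":
    rows = parse(SAMPLE)
    print(per_host(rows), mirrored_pairs(rows))
```

Feed it the saved output of netstat -a on the affected machine; a host that dominates the per-host table, or any mirrored pair, is the place to start looking for the responsible program.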
6 Comments
 
LVL 7

Assisted Solution

by:philby11
philby11 earned 133 total points
ID: 9632321
Have you tried to run Spybot S&D on this issue?
You can test your system security at http://www.grc.com  
Shields Up
 
LVL 18

Assisted Solution

by:liddler
liddler earned 133 total points
ID: 9632358
Ad-aware (www.lavasoftusa.com) and Spybot Search & Destroy (security.kolla.de)
and have a look in the registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and see if there are any programs autostarting you didn't install
 

Author Comment

by:LeeM01
ID: 9632363
Yes, I have run Spybot S&D after updating it, Shields Up! on the service ports returns stealth, and I ran a virus scan with NAV this afternoon (of course, it is updated!)

Thanks for the input though philby11.

 
LVL 4

Accepted Solution

by:Wiired
Wiired earned 134 total points
ID: 9636234
Go to http://www.foundstone.com and download a free tool called "fport"

Fport will map any communication process to their originating software. This way you can see what application on your machine is making this traffic.

 

Author Comment

by:LeeM01
ID: 9938942
Sorry everyone, I totally forgot about this question...

I got fed up with these connections, since I could not figure out what was generating the traffic, even using fport.

In the end, I just rebuilt my Windows XP installation from scratch and now the connections are gone. Since the problem didn't actually get solved, I am partially reluctant to award points; however, that wouldn't be in the spirit of the EE community. Thus points are awarded equally (or as equally as 400/3 can be) to all participants.
 
LVL 7

Expert Comment

by:philby11
ID: 9939488
thx LeeM01,
but since we didn't solve the problem I don't have any issue with you getting a refund on the points.
Post a refund request in the CS section of EE.
