lizzieluvsyou

asked on

Have I been hacked?

The other day, I was playing around with the command prompt, and did a "netstat".

I wasn't expecting anything unusual, but I stumbled upon a connection to hotmail.se. A little research and I found out that .se is an extension for Sweden, and the port belonged to something called "Autodesk License Manager".

I was quite worried, but I put it out of my head figuring that it might have been from some spyware or something.

However, when I logged onto my computer tonight and started surfing the internet, I got a login-box, like the type you get when you're trying to log into an FTP site, seemingly out of nowhere. It asked for a username and password.
I did a netstat, and this was the result:
http://www.geocities.com/stormy_chan/what.txt

After that, I immediately unplugged my laptop from my home network.
I did some research and found that, again, the port is used by Autodesk License Manager.
Does anyone have any idea what is going on? I'm sure it's bad, whatever it is. I can't seem to find any information on exploits regarding this port...
CrazyOne

http://techfee.washington.edu/proposals/page8/2004-42
In the spring of 2004, Autodesk will release a new version, Architectural Desktop/Neon – AutoCAD 2004. This version represents a major advance in AutoCAD’s 3D design capacity, as well as significant user interface and productivity improvements. We skipped one AutoCAD upgrade because the improvements didn’t justify the expense. But this new version contains enough improvements to make an upgrade worthwhile. Since AutoCAD uses a network licensing model, we would be able to offer the new version for CAUP students to install on their own computers. The proposed number of licenses is sufficient to meet the anticipated demand.
lizzieluvsyou

ASKER

I've honestly never heard of Autodesk License Manager or AutoCad till today.
Actually, AutoCad sounds distantly familiar, but I still assume that if I had it on my computer, it looks like it would be something I'd know about.
It may be attached to something other than AutoCad. It could be attached to some other process that uses Autodesk License Manager.
ASKER CERTIFIED SOLUTION
CrazyOne

This solution is only available to members.
SOLUTION
Rich Rumble

This solution is only available to members.
Hi lizzieluvsyou,
You have some kind of software from Autodesk, that's why... no problem!
The txis.com, I do not know what it is, but it seems harmless. You have not been hacked, 99% sure!

If you're afraid of spyware run:
spybot: http://beam.to/spybotsd
adaware: http://www.lavasoftusa.com/support/download/
Coolwebshredder: http://www.spychecker.com/program/coolwebshredder.html
These three tools take everything!

Mattis
Sorry Crazy, my QP is acting up again...
AutoCad is a 3D Computer Aided Design program - making floor plans, 3D modeling and such... it's for very specific uses. You can search your HD for "auto*" (auto then asterisk) and see if it's there or not. I doubt it - sounds like FP of the ephemeral ports. Run Windows Update also - open Internet Explorer, Tools, Windows Update, click scan then review and install updates. http://www.microsoft.com/technet/security/tools/mbsahome.mspx MBSA can help you determine if your system is easy to penetrate also.
-rich
SOLUTION

This solution is only available to members.
There is a trojan, WinHole, which does use one of the AutoCad License Manager ports 2080.
http://www.glocksoft.com/trojan_list/WinHole.htm

I'm having a hard time understanding why a legitimate AutoCad software utility would be connecting to the sites you are referencing...
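Added example, not part of the original thread: the "ephemeral ports" point and the port 2080 point above both come down to which side of a netstat row a port number sits on and whether anything is listening on it. This sketch classifies constructed `netstat -an` style rows; the sample rows, the function names and the ephemeral range (the Windows XP-era default) are assumptions of the example.

```python
import re

# Assumption: Windows XP-era default dynamic (ephemeral) port range, 1025-5000.
# Newer Windows versions default to 49152-65535; adjust for the system at hand.
EPHEMERAL = range(1025, 5001)
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s*$")

# Constructed sample output (documentation addresses, not from the thread).
# Case A: the browser picked local port 2080 for an outgoing web request.
CASE_A = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:2080       203.0.113.10:80        ESTABLISHED
"""
# Case B: something on this machine is accepting connections on port 2080.
CASE_B = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:2080           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:2080       198.51.100.7:3155      ESTABLISHED
"""

def parse(text):
    """Return (local_port, remote_addr, remote_port, state) per TCP row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            _, lport, raddr, rport, state = m.groups()
            rows.append((int(lport), raddr, int(rport), state))
    return rows

def classify(rows):
    """Label each row by who opened the connection, not by port name."""
    listening = {lport for lport, _, _, state in rows if state == "LISTENING"}
    result = []
    for lport, raddr, rport, state in rows:
        if state == "LISTENING":
            verdict = "listener: find the owning process"
        elif lport in listening:
            verdict = "inbound: remote host connected to a local listener"
        elif lport in EPHEMERAL:
            verdict = "outbound: local port is a throwaway client port"
        else:
            verdict = "review"
        result.append((lport, rport, verdict))
    return result

if __name__ == "__main__":
    for name, sample in (("A", CASE_A), ("B", CASE_B)):
        for row in classify(parse(sample)):
            print(name, row)
```

In case A the local port 2080 is only the client side of a web request, so a name looked up for that number says nothing about the traffic; in case B a process owns port 2080, which is the situation where a port-to-process tool such as fport is worth running.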
Well, I was able to explain away the ftp popup.
I took a look at the sites I visited that day, and on a message board, someone had direct linked an image off of the site swords.com, which seems to be why it showed up as swords.txis.com on my computer.
However, I'm still getting weird traffic I can't explain, even when I'm not at any webpages.
A few such sites:
unicyclist.com
wx.com
level3.com
jobs.collegerecruiter.com

Tonight I haven't noticed that much outside the norm. I'll try your suggestions and see if anything else develops.
You probably do have a trojan, or infection. You need AV to scan your machine 1st and foremost. Then get a firewall going etc...
I ran McAfee antivirus on the suspect computer yesterday, but it didn't find anything wrong (it is fully updated).
I'm running an online version of Norton antivirus right now, I'll see if that makes any difference.
McAfee has a few settings that may help you, that aren't on by default... depending on your version of McAfee -
 http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101142  Use heuristics or the "find potentially unwanted/joke" settings.
Remember on XP and WinME to turn off System Restore: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
Ad-Aware might also turn something up, GL!
-rich
Alright, I'll try that too. I've already run Ad-aware... I had one piece of malware along with the usual junk, but it said it was low-risk, and after I removed it I continued having problems.

Lately, the activity has completely stopped. I didn't try the extra McAfee settings yet, but all other virus software I've run reports no problems.

I'm really quite confused. Since all the weird activity has stopped, though, I don't think I'll be able to determine what caused it.
What did fport report?

The what.txt you posted above is a GIF file... why did you post it as a .txt file?

Anyway, I don't think you got a trojan, but nevertheless you shouldn't allow anything
to access ports, so get a firewall fast. I recommend Sygate Personal Firewall.

You probably were doing some strange stuff and visiting some strange websites, that's all.
It's a .txt to get around Geocities' image hotlinking limitations.
About going to odd websites -- it would happen even when there were no applications running.

I've gotten a firewall and secured myself a little more, and I haven't had any especially weird goings on.

I did find that the strangest part of it was a false alarm. The log in window that popped up was due to a hot linked image that was in somebody's signature on a messageboard.

As for the stuff that was showing up without me having any apps open, like I said, I have no idea.

The oddest thing that's happened lately was Microsoft Messenger popping up for no reason and asking for me to log in. When I did a netstat, it showed a connection to *.hotmail.com. At least I believe it was something like that. The first part might have looked like "bob13"... I googled it and some other people had reported similar occurrences, so I didn't worry about it.

Thanks for the comment.
The extra McAfee settings will detect "annoying" and "pests" as well as the regular viri - spyware often needs no browser open to pop up a window - they can open a window for you ;) (very nice of them, don't you think?) The Hotmail (MSN Passport) stuff can be turned off, setting in the preferences I think.
-rich