Have I been hacked?

The other day, I was playing around with the command prompt, and did a "netstat".

I wasn't expecting anything unusual, but I stumbled upon a connection to hotmail.se. A little research and I found out that .se is an extension for Sweden, and the port belonged to something called "Autodesk License Manager".

I was quite worried, but I put it out of my head figuring that it might have been from some spyware or something.

However, when I logged onto my computer tonight and started surfing the internet, I got a login-box, like the type you get when you're trying to log into an FTP site, seemingly out of nowhere. It asked for a username and password.
I did a netstat, and this was the result:

After that, I immediately unplugged my laptop from my home network.
I did some research and found that, again, the port is used by Autodesk License Manager.
Does anyone have any idea what is going on? I'm sure it's bad, whatever it is. I can't seem to find any information on exploits regarding this port...
CrazyOne Commented:
Here, use this free utility to see if you can find which process it may be attached to.

Process Explorer

Note: when you open the program, go to the View menu and make sure there is a check mark next to View > Lower Pane View > DLLs; if there isn't, click on it.

Just click each process one at a time and look at the bottom window; note if that file is listed, and if it is, kill the process that had the files open.

Also do this

Try this

Start > Run msconfig
Click on the tab marked "Startup"
Click the Disable All button.

If the problem no longer persists, then one of the items in the startup is the culprit; you just need to track it down.

If you have Win2000 then
MSCONFIG for Win 2000



Startup Control Panel
In the spring of 2004, Autodesk will release a new version, Architectural Desktop/Neon – AutoCAD 2004. This version represents a major advance in AutoCAD’s 3D design capacity, as well as significant user interface and productivity improvements. We skipped one AutoCAD upgrade because the improvements didn’t justify the expense. But this new version contains enough improvements to make an upgrade worthwhile. Since AutoCAD uses a network licensing model, we would be able to offer the new version for CAUP students to install on their own computers. The proposed number of licenses is sufficient to meet the anticipated demand.
lizzieluvsyou (Author) Commented:
I've honestly never heard of Autodesk License Manager or AutoCad till today.
Actually, AutoCad sounds distantly familiar, but I still assume that if I had it on my computer, it looks like it would be something I'd know about.
It may be attached to something other than AutoCAD. It could be attached to some other process that uses Autodesk License Manager.
Rich Rumble (Security Samurai) Commented:
Autodesk is AutoCAD... 1422, 2080 (1538 too?) are supposedly reserved, however M$ will typically use anything above 1024 for ephemeral ports. What you have there is a False-Positive (maybe). With M$ they are generally between 1024 and 5000; if you look here you can see that there are many ports "reserved" for other applications within that range of port numbers: http://www.iana.org/assignments/port-numbers
Ephemeral ports are ports that Windows binds to as the source. When you connect to www.example.com and you do a "netstat -a", you'll typically see your PC with a source port above 1024 and below 5000, connecting to DESTINATION www.example.com:http (port 80) or https (port 443).

I don't know what that geocities garbage is... doesn't look promising.

If you've been hacked... those could be statically bound ports; you can do this with many back-door programs. To keep yourself safe, you need a firewall, like ZoneAlarm. You also need anti-virus; with M$ there is practically no getting around it. ZA has a free FW that will suit your needs just fine. You should also turn off certain services on your PC.
Remote Registry service needs to be disabled, and stopped.
If you do not connect to a windows network, you can disable the Server service, and NO-ONE can connect remotely to your pc- but don't touch it if you take your laptop to work and plug into a windows domain, you'll need the server service. Also the messenger service can be disabled, this does not affect anything except your ability to get "net send" messages.

If you have XP Pro, turn on its firewall; it is a decent step FWD for M$. http://www.microsoft.com/windowsxp/pro/using/howto/networking/icf.asp
If no XP Pro, then get ZoneAlarm. You'll need to scan your PC for viri and backdoors. McAfee has great detection definitions for most of the popular tools and viri out there; Norton does well with viri, however I do not think they do as well with detecting "malicious" programs. Ad-aware also can detect some trojans and other annoyances...

ZA has the added benefit of helping you track down and or stop new programs from running. If you install ZA, and all of a sudden got the newest virus out there, no company had made a virus definition for it yet it's sooo new, you get this virus- then it tries to spread to other machines via the internet- ZA will prompt you asking "would you like to allow "new-vir.exe" to access the internet?" You would say no, and you could put a check mark for "remember this response" for that program. Then track down that program and delete it.  ZA is a port firewall and a process firewall also. It is "chatty" at first, but once you've got it set up, there is hardly ever a need to change much.
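
The ephemeral-port point in the answer above can be checked mechanically. This is an added example, not part of the original thread: it parses constructed `netstat -an` output and separates outbound connections whose local port merely falls in the 1024-5000 range from ports that are actually listening. The sample rows, function names and labels are assumptions.

```python
import re

# Source-port range quoted in the answer above for Windows of that era.
EPHEMERAL = range(1024, 5001)

# Constructed `netstat -an` output; addresses are documentation ranges.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2080           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1422      203.0.113.5:80         ESTABLISHED
  TCP    192.168.1.10:2080      198.51.100.7:1538      ESTABLISHED
  TCP    192.168.1.10:3001      203.0.113.9:443        ESTABLISHED
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def parse(text):
    """Return one dict per TCP row; header and non-TCP lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"local_port": int(m.group(2)), "remote": m.group(3),
                         "remote_port": int(m.group(4)), "state": m.group(5)})
    return rows

def classify(rows):
    """Label each row by whether its local port is a listener or a source port."""
    listening = {r["local_port"] for r in rows if r["state"] == "LISTENING"}
    out = []
    for r in rows:
        port = r["local_port"]
        if r["state"] == "LISTENING":
            label = ("listener: map to process" if port in EPHEMERAL
                     else "listener below ephemeral range")
        elif port in listening:
            # Something local accepted this connection on a bound port.
            label = "inbound to local listener: map to process"
        elif port in EPHEMERAL:
            # Outbound connection; the registered name of this port is coincidental.
            label = "ephemeral source port: name is coincidental"
        else:
            label = "review"
        out.append((port, r["state"], label))
    return out

if __name__ == "__main__":
    for port, state, label in classify(parse(SAMPLE)):
        print(f"{port:>5} {state:<12} {label}")
```

Only the rows labelled "map to process" need the port-to-process lookup suggested elsewhere in this thread; a local port of 1422 or 2080 on an outbound connection says nothing about Autodesk software being present.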
Hi lizzieluvsyou,
You have some kind of software from Autodesk, that's why.. no problem!
The txis.com I do not know what is, but it seems harmless.. You have not been hacked, 99% sure!

If you're afraid of spyware run:
spybot: http://beam.to/spybotsd
adaware: http://www.lavasoftusa.com/support/download/
Coolwebshredder: http://www.spychecker.com/program/coolwebshredder.html
These three tools take everything!

sorry Crazy, my QP is acting up again...
Rich Rumble (Security Samurai) Commented:
AutoCAD is a 3D Computer Aided Design program, for making floor plans, 3D modeling and such.... it's for very specific uses. You can search your HD for "auto*" (auto then asterisk) and see if it's there or not. I doubt it; sounds like FP of the ephemeral ports. Run Windows Update also: open Internet Explorer, Tools, Windows Update, click scan, then review and install updates. http://www.microsoft.com/technet/security/tools/mbsahome.mspx MSBSA can help you determine if your system is easy to penetrate also.
chicagoan Commented:
will map the port to the process that opened it, and you can go from there.
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) Commented:
There is a trojan, WinHole, which does use one of the AutoCad License Manager ports 2080.

I'm having a hard time understanding why a legitimate AutoCAD software utility would be connecting to the sites you are referencing...
lizzieluvsyou (Author) Commented:
Well, I was able to explain away the ftp popup.
I took a look at the sites I visited that day, and on a message board, someone had direct linked an image off of the site swords.com. Which seems to be why it showed up as swords.txis.com on my computer.
However, I'm still getting weird traffic I can't explain, even when I'm not at any webpages.
A few such sites:

Tonight I haven't noticed that much outside the norm. I'll try your suggestions and see if anything else develops.
Rich Rumble (Security Samurai) Commented:
You probably do have a trojan, or infection. You need AV to scan your machine 1st and foremost. Then get a firewall going etc...
lizzieluvsyou (Author) Commented:
I ran McAfee antivirus on the suspect computer yesterday, but it didn't find anything wrong (it is fully updated).
I'm running an online version of Norton antivirus right now, I'll see if that makes any difference.
Rich Rumble (Security Samurai) Commented:
McAfee has a few settings that may help you, that aren't on by default... depending on your version of McAfee:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101142 Use heuristics or the "find potentially unwanted/joke" settings.
Remember, on XP and WinME, to turn off System Restore: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
Ad-Aware might also turn something up, GL!
lizzieluvsyou (Author) Commented:
Alright, I'll try that too. I've already run Ad-aware... I had one piece of malware along with the usual junk, but it said it was low-risk, and after I removed it I continued having problems.

Lately, the activity has completely stopped. I didn't try the extra McAfee settings yet, but all other virus software I've run reports no problems.

I'm really quite confused. Since all the weird activity has stopped, though, I don't think I'll be able to determine what caused it.
What did fport report?

The what.txt you posted above is a GIF file... why did you post it as a .txt file?

Anyway, I don't think you got a trojan, but nevertheless you shouldn't allow anything
to access ports, so get a firewall fast. I recommend Sygate Personal Firewall.

You probably were doing some strange stuff and visiting some strange websites, that's all.
lizzieluvsyou (Author) Commented:
It's a .txt to get around Geocities' image hotlinking limitations.
About going to odd websites -- it would happen even when there were no applications running.

I've gotten a firewall and secured myself a little more, and I haven't had any especially weird goings on.

I did find that the strangest part of it was a false alarm. The log in window that popped up was due to a hot linked image that was in somebody's signature on a messageboard.

As for the stuff that was showing up without me having any apps open, like I said, I have no idea.

The oddest thing that's happened lately was Microsoft Messenger popping up for no reason and asking for me to log in. When I did a netstat, it showed a connection to *.hotmail.com. At least I believe it was something like that. The first part might have looked like "bob13"... I googled it and some other people had reported similar occurrences, so I didn't worry about it.

Thanks for the comment.
Rich Rumble (Security Samurai) Commented:
The extra McAfee settings will detect "annoying" and "pests" as well as the regular viri. Spy-ware often needs no browser open to pop up a window; they can open a window for you ;) (very nice of them, don't you think?) The hotmail (MSN Passport) stuff can be turned off, setting in the preferences I think.