manchild_dk
asked on
hacker attack
hello everyone...
im not sure if this is the right place.. but spare with me.
i have abroardband conncetion. and every time I turn on the pc. my netstat tool show a active connection. protocol tcp port 3660.. foreign address: 220.67.19.97.reverse.thepl
now! i have windows XP pro tcp filteriung on and allow only few ports... 3660 is not among them... still the connection is there,,, futhermore i have made a security policy blocking this addresss and port.. still.. its there,,,
i have also added the dns namepsace to the (restricted site) under internet security for iexplorer.. still connected. my question is : how do I block or stop this connection,, now I have made all this setting and blocking..
i hope someone can help me.. what did I miss ?
thanks ad avanced
manchild
im not sure if this is the right place.. but spare with me.
i have abroardband conncetion. and every time I turn on the pc. my netstat tool show a active connection. protocol tcp port 3660.. foreign address: 220.67.19.97.reverse.thepl
now! i have windows XP pro tcp filteriung on and allow only few ports... 3660 is not among them... still the connection is there,,, futhermore i have made a security policy blocking this addresss and port.. still.. its there,,,
i have also added the dns namepsace to the (restricted site) under internet security for iexplorer.. still connected. my question is : how do I block or stop this connection,, now I have made all this setting and blocking..
i hope someone can help me.. what did I miss ?
thanks ad avanced
manchild
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
manchild_dk
port 3660 is your local port. HTTP (80) is the port on the remote computer.
Filtering blocks incoming packets not outgoing.
>> dns namepsace to the (restricted site)
This is for Internet Explorer - IE is probably NOT making the connection.
Sounds like you probably have something installed on your computer. Unfortunately, this little piece of software can be anywhere.
Check this site out and see if it helps.
http://www.neuber.com/taskmanager/process/winmgmt.exe.html
I suggest that you download SpyBot or something like it.
http://www.safer-networking.org/en/download/index.html
Jonathan
port 3660 is your local port. HTTP (80) is the port on the remote computer.
Filtering blocks incoming packets not outgoing.
>> dns namepsace to the (restricted site)
This is for Internet Explorer - IE is probably NOT making the connection.
Sounds like you probably have something installed on your computer. Unfortunately, this little piece of software can be anywhere.
Check this site out and see if it helps.
http://www.neuber.com/taskmanager/process/winmgmt.exe.html
I suggest that you download SpyBot or something like it.
http://www.safer-networking.org/en/download/index.html
Jonathan
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Hi folks,
cheers at Jonathan ^_^ !
I have found more info about port 3660:
http://network.programming-in.net/articles/tcp-udp-port.asp?port=2850&udp=4300
Actually tcp/udp connection on 3660 local is fr ssl ;can-nds-ssl :candle directory services...
http://www.siterecon.com/TCP-Ports-3001-10000.aspx ,i didn't found enoug info about candle ssl but it's registered by IANA-i think troyan accesment ,so if i aam rigght:
1) get Hijack This! and make log file and post it here!!!
Shehar is one of the best detectives about HiJack This logs...
http://www.spychecker.com/program/hijackthis.html
2)Install pest patrol with theese restrictions:
Pest patrol > options > Where to Search :
check : all files ;
check : scanning method : thorough ,
check : scan shell tree options > show hidden and show files .
Pest patrol > options > What to search for - and then check all the items-all!
Pest patrol > options > What to exclude : wtere must be only the recycle folder and system volume information nothing mere!
Pest patrol > options > Automatic scans !!!
check : scan on boot --> your boot partition
check : PPMemCheck Memory Scan > Invoke on boot
check : CookiePatrol > Invoke on boot
check : PPcontrol > Invoke on boot
check : KeyPatrol > Invoke on boot
you can check also the right click option for folders too...
check in the main menue to scan all hard drives .... update the pest patrol.
http://www.pestpatrol.com/Products/PestPatrolHE/Single_User_Evaluation.asp
3)You need also at least a second programe to block startup malicious:
try winpatrol : http://www.winpatrol.com/winpatrol.html,
4) run stinger -it's a basic troyn removal tool:
http://vil.nai.com/vil/stinger/
5)you need a startup-manager,for example:
starter:http://members.lycos.co.uk/codestuff/
6)you need a good task manager:for example:
process explorer:http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
7) if things are not getting better and you like posting:
Analyzer :http://jjhicks.com/ and please post all the logs here if pest patrol ,winpatrol,stinger can't help.But first paste the Hijack This log!!!VERY IMPORTAINT!
8) If you wisch try the Sygate Professional firewall;it has a blocking mechanism for all kind of connections before the firewall service is started!!!
Good Luck !
Till later
cheers at Jonathan ^_^ !
I have found more info about port 3660:
http://network.programming-in.net/articles/tcp-udp-port.asp?port=2850&udp=4300
Actually tcp/udp connection on 3660 local is fr ssl ;can-nds-ssl :candle directory services...
http://www.siterecon.com/TCP-Ports-3001-10000.aspx ,i didn't found enoug info about candle ssl but it's registered by IANA-i think troyan accesment ,so if i aam rigght:
1) get Hijack This! and make log file and post it here!!!
Shehar is one of the best detectives about HiJack This logs...
http://www.spychecker.com/program/hijackthis.html
2)Install pest patrol with theese restrictions:
Pest patrol > options > Where to Search :
check : all files ;
check : scanning method : thorough ,
check : scan shell tree options > show hidden and show files .
Pest patrol > options > What to search for - and then check all the items-all!
Pest patrol > options > What to exclude : wtere must be only the recycle folder and system volume information nothing mere!
Pest patrol > options > Automatic scans !!!
check : scan on boot --> your boot partition
check : PPMemCheck Memory Scan > Invoke on boot
check : CookiePatrol > Invoke on boot
check : PPcontrol > Invoke on boot
check : KeyPatrol > Invoke on boot
you can check also the right click option for folders too...
check in the main menue to scan all hard drives .... update the pest patrol.
http://www.pestpatrol.com/Products/PestPatrolHE/Single_User_Evaluation.asp
3)You need also at least a second programe to block startup malicious:
try winpatrol : http://www.winpatrol.com/winpatrol.html,
4) run stinger -it's a basic troyn removal tool:
http://vil.nai.com/vil/stinger/
5)you need a startup-manager,for example:
starter:http://members.lycos.co.uk/codestuff/
6)you need a good task manager:for example:
process explorer:http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
7) if things are not getting better and you like posting:
Analyzer :http://jjhicks.com/ and please post all the logs here if pest patrol ,winpatrol,stinger can't help.But first paste the Hijack This log!!!VERY IMPORTAINT!
8) If you wisch try the Sygate Professional firewall;it has a blocking mechanism for all kind of connections before the firewall service is started!!!
Good Luck !
Till later
ASKER
wow. guys.. thanks for all thise hits'n respondese..
i use ADSL, and i have housecall and spybot running every day. so clear of virus, etc... i did manage to reverse the ip adress connected to my ip to a main IP adress and as a result, my security polices work now..
however,, my netstat (command line tool :-) still show a time wait status for the connecting ip. just it is searching for open port to use...
my firewall (in XP) have TCP filtering on. and yes.. it is for incoming only... as jonathan stated.. thanks for the trick in local hosts. it gave me the ip in netstat (when offline) and lead me to the source of the connection attempt..
bacvain.. you gave me the last clue to find the program that make this outgoing attempt.. (not the incoming as I thought at first) as i only have realplayer and media player to use the media control protocol it was easy to see my new realplayer is the cause so.
no hacker atttack, but me in lack of realplayer controll.. i learn :-)
i have to share the points to jonathan and bacvain. but thanks again for helping me to help myself :-)
i use ADSL, and i have housecall and spybot running every day. so clear of virus, etc... i did manage to reverse the ip adress connected to my ip to a main IP adress and as a result, my security polices work now..
however,, my netstat (command line tool :-) still show a time wait status for the connecting ip. just it is searching for open port to use...
my firewall (in XP) have TCP filtering on. and yes.. it is for incoming only... as jonathan stated.. thanks for the trick in local hosts. it gave me the ip in netstat (when offline) and lead me to the source of the connection attempt..
bacvain.. you gave me the last clue to find the program that make this outgoing attempt.. (not the incoming as I thought at first) as i only have realplayer and media player to use the media control protocol it was easy to see my new realplayer is the cause so.
no hacker atttack, but me in lack of realplayer controll.. i learn :-)
i have to share the points to jonathan and bacvain. but thanks again for helping me to help myself :-)
When you say netstat , do you mean any seperate software or using netstat in command prompt ?
Do you have any firewall installed ? If not , install Zonealarm and see if you can block that port or check what is getting connected when you turn on the PC.
There could be some exe file that might be connecting..
Have you checked your system for virus and spywares ?
SR..