
Strange netstat result???

  • 12-10-2004 8:59pm
    #1
    Registered Users Posts: 6,315 ✭✭✭


    Hi,

    I remember the netstat command from networking class but I'm generally not too hot on this stuff.

    Attached is the result of the netstat command which even to me looks bloody odd.

    What's the craic with it?

    Thanks,

    Stephen.

    On IBB's ripwave btw.
    FILE HERE


Comments

  • Registered Users Posts: 6,317 ✭✭✭OfflerCrocGod


    Disconnect from the internet and check what processes are running on your lappy. I'd say you have a worm or trojan spamming the wide world or giving access to your lappy to some nasty people in Romania. Just kill the process and try and clean your machine, get back on the net and update Win once you've cleaned it up.


  • Registered Users Posts: 654 ✭✭✭conor-mr2


    I use a tool called tcpview. It's a nice tool that will tell you what process is using what port - important for tracking down which nasty process is contacting that IP address.
    Do a google for it and it will come up.


  • Registered Users Posts: 5,701 ✭✭✭jd


    ballooba wrote:
    Hi,

    I remember the netstat command from networking class but I'm generally not too hot on this stuff.

    Attached is the result of the netstat command which even to me looks bloody odd.

    What's the craic with it?

    Thanks,

    Stephen.

    On IBB's ripwave btw.
    FILE HERE

    possibly the deloder worm..or the sasser worm.. or..
    (google it)
    your comp certainly looks like it is scanning a subnet


  • Closed Accounts Posts: 2,188 ✭✭✭Ripwave


    Conor-Mr2 wrote:
    I use a tool called tcpview. It's a nice tool that will tell you what process is using what port - important for tracking down which nasty process is contacting that IP address.
    Do a google for it and it will come up.

    If you've got XP, Netstat will tell you what process is responsible for each entry - just do netstat -o

    To see what process name is associated with a processID, bring up Task Manager, select Processes, and click on the PID column to sort them.

    It definitely looks like ballooba is infected.

    It's imperative that you install a software firewall if you're using Ripwave - you are wide open to the internet, and will be at the mercy of worms within minutes of connecting. While most DSL users have the benefit of a NAT router to protect them from inbound attacks (except UTV users) Ripwave users are left wide open, and aren't advised by IBB that they need a firewall. (I don't know if IBBs other services have this problem).


  • Registered Users Posts: 654 ✭✭✭conor-mr2


    Win2k here so no netstat -o switch for me. Have to say I'm not too fond of XP but that's for another thread altogether!!


  • Closed Accounts Posts: 7,221 ✭✭✭BrianD


    It's imperative that you install a software firewall if you're using Ripwave - you are wide open to the internet, and will be at the mercy of worms within minutes of connecting.

    I have just ordered the IBB ripwave product. What firewall would you recommend?


  • Registered Users Posts: 654 ✭✭✭conor-mr2


    sygate personal firewall works ok for me.


  • Registered Users Posts: 915 ✭✭✭logistic


    Zone alarm if you're running Windows. It's also free.


  • Registered Users Posts: 6,315 ✭✭✭ballooba


    What's SVHOST.EXE??? This is the one scanning the subnet.

    I notice that SVCHOST.EXE is similarly named.

    Googled it. Virus alright. Now to get rid of the bástard....


  • Closed Accounts Posts: 2,188 ✭✭✭Ripwave


    BrianD wrote:
    I have just ordered the IBB ripwave product. What firewall would you recommend?

    I plugged my Ripwave unit into a D-Link router, which allowed me to share it between a couple of machines, but also provided a basic hardware firewall.


  • Registered Users Posts: 782 ✭✭✭gibo_ie


    ballooba wrote:
    What's SVHOST.EXE??? This is the one scanning the subnet.

    I notice that SVCHOST.EXE is similarly named.

    Googled it. Virus alright. Now to get rid of the bástard....


    Svchost.exe can be part of a virus but if you're running norton/symantec it is part of the system. More than three instances get worried, otherwise leave it alone!!!!


  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    gibo_ie wrote:
    Svchost.exe can be part of a virus but if you're running norton/symantec it is part of the system. More than three instances get worried, otherwise leave it alone!!!!

    He said SVHOST.EXE, which is commonly used to masquerade as regular SVCHOST.EXE processes. Well spotted ballooba. After you've figured out how to get rid of it, figure out how you got it in the first place. Firewall is better than cure, but prevention is better than firewall.

    adam
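
An added example, not part of any post in this thread: the checks the replies walk through (per-connection PIDs from `netstat -o`, the PID-to-name lookup, and SVHOST.EXE as a near-miss of SVCHOST.EXE) run over constructed sample output. The addresses, PIDs, port, threshold, name list and function names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the column layout of `netstat -n -o` (not the poster's file).
NETSTAT = ("  Proto  Local Address          Foreign Address        State           PID\n"
           "  TCP    192.0.2.10:1041        198.51.100.7:80        ESTABLISHED     1180\n"
           + "".join(f"  TCP    192.0.2.10:{2000 + i}        203.0.113.{i}:445"
                     f"       SYN_SENT        1432\n" for i in range(1, 31)))
# Constructed PID -> image name map, as read from Task Manager's PID column.
PROCESSES = {1180: "iexplore.exe", 904: "svchost.exe", 1432: "svhost.exe"}
SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "services.exe", "explorer.exe")  # assumed list

def parse_netstat(text):
    """Yield (remote_ip, remote_port, state, pid) for each TCP row; skip headers."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[4].isdigit():
            ip, _, port = f[2].rpartition(":")
            yield ipaddress.ip_address(ip.strip("[]")), int(port), f[3], int(f[4])

def find_scanners(text, min_targets=20):
    """Map pid -> (port, /24, count) for many half-open connects to one subnet and port."""
    targets = defaultdict(set)
    for ip, port, state, pid in parse_netstat(text):
        if state == "SYN_SENT":
            targets[(pid, port, ipaddress.ip_network(f"{ip}/24", strict=False))].add(ip)
    return {pid: (port, str(net), len(ips))
            for (pid, port, net), ips in targets.items() if len(ips) >= min_targets}

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def lookalike(name):
    """Return the system binary that `name` is one edit away from, else None."""
    return next((r for r in SYSTEM_NAMES if edit_distance(name.lower(), r) == 1), None)

def report(netstat_text, processes):
    """Rows of (pid, image name, port, subnet, distinct targets, imitated name)."""
    return [(pid, processes.get(pid, "?"), port, net, n, lookalike(processes.get(pid, "")))
            for pid, (port, net, n) in find_scanners(netstat_text).items()]

if __name__ == "__main__":
    for row in report(NETSTAT, PROCESSES):
        print(row)
```

A name match is only a first filter: a process that uses the exact name svchost.exe from an unexpected directory passes this check, so the image path still needs checking.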

