[Dshield] Netstat output from XP machine

Rick Klinge rick at jaray.net
Wed Feb 4 19:11:22 GMT 2004


Wow.. That is interesting.. Maybe his computer is trojanized? And being used
to connect to those remote computers via port 9420? .. Some trojans won't
trigger antivirus software but a firewall should... Unless the trojan/hacker
rendered it useless.

I personally don't know what port 9420 is. Looking at the randomness of the
targets, I'm suspecting compromised machines used to send spam.. Course I
could be way off on this too.

Fwiw,

~Rick

> -----Original Message-----
> From: list-bounces at dshield.org 
> [mailto:list-bounces at dshield.org] On Behalf Of Dustin Plank
> Sent: Wednesday, February 04, 2004 11:28 AM
> To: "General DShield Discussion List"
> Subject: [Dshield] Netstat output from XP machine
> 
> 
> I have a question that hopefully the people of the list can 
> help me with.
> 
> The following was pulled from a friend's computer. His 
> computer is running updated Norton AV, he scans regularly 
> with Ad-Aware, he is behind a Linksys router and runs Seagate 
> Personal Firewall. He is running on a cable modem for his 
> internet connection as well. 
> 
> The network connection was going bonkers and this is what I 
> found. Can anyone decipher what this may be? His machine 
> seems to be clear of viruses, no spyware found, updated to 
> the fullest from Windows Update.
> 
> Thanks for the help in advance. It is much appreciated.
> 
> Thanks,
> 
> Dustin
> 
> 
> Active Connections
> 
>   Proto  Local Address          Foreign Address        State
>   TCP    inet-wkst1:1754        thereserve-sc-142-106.dmisinetworks.com:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1755        cpc1-hem11-3-0-cust139.lutn.cable.ntl.com:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1756        prtc-dsl-480229.mis.net:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1757        12-222-201-216.client.insightBB.com:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1758        ip68-8-212-101.sd.sd.cox.net:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1759        ool-182fa533.dyn.optonline.net:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1760        modemcable005.210-203-24.mc.videotron.ca:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1761        ma-northadams2a-36.bur.adelphia.net:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1762        cp209-202-78-173.cp.telus.net:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1763        68-233-86-83.pittpa.adelphia.net:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1764        Toronto-HSE-ppp3884730.sympatico.ca:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1765        ool-43563a71.dyn.optonline.net:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1766        tow29dhcp10.towson01.md.comcast.net:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1767        pcp01184645pcs.strl301.mi.comcast.net:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1768        pcp07845441pcs.wilmsc01.tn.comcast.net:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1769        199.172.211.12:9420    CLOSE_WAIT
>   TCP    inet-wkst1:1770        cpe-024-211-195-201.ec.rr.com:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1771        ca-fontana3a-138.snbrca.adelphia.net:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1772        cdm-66-233-104-15.bssr.cox-internet.com:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1773        ip68-2-201-228.ph.ph.cox.net:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1780        thereserve-sc-142-106.dmisinetworks.com:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1782        cpc1-hem11-3-0-cust139.lutn.cable.ntl.com:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1784        prtc-dsl-480229.mis.net:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1785        ool-182fa533.dyn.optonline.net:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1787        24-119-33-15.cpe.cableone.net:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1788        ma-northadams2a-36.bur.adelphia.net:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1789        modemcable005.210-203-24.mc.videotron.ca:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1791        ip68-8-212-101.sd.sd.cox.net:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1792        cp209-202-78-173.cp.telus.net:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1793        68-233-86-83.pittpa.adelphia.net:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1795        Toronto-HSE-ppp3884730.sympatico.ca:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1797        ool-43563a71.dyn.optonline.net:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1799        tow29dhcp10.towson01.md.comcast.net:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1800        pcp07845441pcs.wilmsc01.tn.comcast.net:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1801        pcp01184645pcs.strl301.mi.comcast.net:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1802        cpe-024-211-195-201.ec.rr.com:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1803        ca-fontana3a-138.snbrca.adelphia.net:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1804        199.172.211.12:9420    CLOSE_WAIT
>   TCP    inet-wkst1:1805        modemcable035.75-130-66.mc.videotron.ca:9420  CLOSE_WAIT
>   TCP    inet-wkst1:1806        cdm-66-233-104-15.bssr.cox-internet.com:9420  CLOSE_WAIT
>   TCP    inet-wkst1:2807        69.28.154.21:http      ESTABLISHED
>   TCP    inet-wkst1:2808        69.28.154.21:http      ESTABLISHED
>   TCP    inet-wkst1:4131        unknown.Level3.net:http  CLOSE_WAIT
>   TCP    inet-wkst1:4446        216.52.240.10:14298    ESTABLISHED
> 

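The triage both messages are circling (one workstation holding many CLOSE_WAIT connections to the same unusual remote port on lots of unrelated residential hosts) can be made mechanical. The script below is an added example, not code from the original post or from DShield: it parses XP-style `netstat` output, stitching back together rows that a mail client wrapped across lines the way the quoted listing was, groups TCP connections by foreign port and state, and flags any port that the host is reaching on many distinct peers. The sample listing, the example.net hostnames and the threshold of three peers are constructed for this example.

```python
"""Summarise Windows netstat output to spot fan-out to one remote port."""
import re
from collections import defaultdict

# Constructed sample in the shape of XP's `netstat` output. Two rows are
# deliberately wrapped onto a second line, as happens when the listing is
# pasted into e-mail; the hostnames are placeholders.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    inet-wkst1:1754
host-a.example.net:9420  CLOSE_WAIT
  TCP    inet-wkst1:1755        host-b.example.net:9420
CLOSE_WAIT
  TCP    inet-wkst1:1756        192.0.2.10:9420        CLOSE_WAIT
  TCP    inet-wkst1:1780        host-a.example.net:9420  CLOSE_WAIT
  TCP    inet-wkst1:2807        198.51.100.7:http      ESTABLISHED
  TCP    inet-wkst1:4446        203.0.113.5:14298      ESTABLISHED
  UDP    inet-wkst1:137         *:*
"""

# A complete TCP row has four fields and ends in a state; UDP rows have no state.
TCP_ROW = re.compile(r"^(TCP)\s+(\S+)\s+(\S+)\s+([A-Z_]+)$")
UDP_ROW = re.compile(r"^(UDP)\s+(\S+)\s+(\S+)$")


def parse_netstat(text):
    """Return (proto, local, foreign, state) tuples; state is '' for UDP.

    Lines are accumulated into a buffer until the buffer forms a complete
    row, so rows wrapped by a mail client are rejoined before matching.
    Leading '>' quote markers are stripped so quoted listings parse too.
    """
    rows, buf = [], ""
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if not line or line.startswith(("Active Connections", "Proto")):
            continue
        buf = f"{buf} {line}".strip()
        match = TCP_ROW.match(buf) or UDP_ROW.match(buf)
        if match:
            g = match.groups()
            rows.append((g[0], g[1], g[2], g[3] if len(g) == 4 else ""))
            buf = ""
    return rows


def split_endpoint(endpoint):
    """'host:port' -> ('host', 'port'); the port may be a service name."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def summarize(rows):
    """Group TCP connections by (foreign port, state), tracking distinct peers."""
    groups = defaultdict(lambda: {"count": 0, "peers": set()})
    for proto, _local, foreign, state in rows:
        if proto != "TCP":
            continue
        host, port = split_endpoint(foreign)
        entry = groups[(port, state)]
        entry["count"] += 1
        entry["peers"].add(host)
    return groups


def fan_out_alerts(rows, min_peers=3,
                   known_ports=("http", "https", "80", "443", "25", "110", "143")):
    """Flag foreign ports reached on many distinct hosts.

    A client normally talks to a handful of servers on well-known ports; one
    unusual port on many unrelated peers, all sitting in the same state, is
    the pattern worth investigating. Returns (port, state, peers, connections)
    tuples, most peers first.
    """
    alerts = []
    for (port, state), entry in summarize(rows).items():
        if port in known_ports or len(entry["peers"]) < min_peers:
            continue
        alerts.append((port, state, len(entry["peers"]), entry["count"]))
    return sorted(alerts, key=lambda a: -a[2])


if __name__ == "__main__":
    for port, state, peers, count in fan_out_alerts(parse_netstat(SAMPLE)):
        print(f"port {port}: {count} connections to {peers} distinct hosts, "
              f"all {state}")
```

Run against the quoted listing, the same logic reports port 9420 with 22 distinct peers across 40 connections, every one in CLOSE_WAIT. CLOSE_WAIT means the remote side has already closed and a local process is still holding its end of the socket open, so the owning process is what to identify next; on XP, `netstat -o` adds the owning PID to each row, which is the input the firewall and antivirus verdicts in the thread cannot give on their own.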