[Dshield] Netstat output from XP machine

Erik van Straten emvs.dsh.3FB4CC72 at cpo.tn.tudelft.nl
Wed Feb 4 19:49:57 GMT 2004


The box definitely looks compromised to me. Either NAV does not work
anymore, or the malware is custom-made and is therefore not detected.

Both ports 9420/tcp and 14298/tcp don't ring a bell with me. A few hits
listed here: http://isc.incidents.org/port_details.html?port=9420 but
there's hardly any data on 14298.

It looks like either some P2P network node (what about free disk
space?) or may be used as a "hub" by spammers. The remote boxes it
is talking to are typically what I see as spam senders. However, I
looked up some on www.spamcop.net and cbl.abuseat.org : none seem to
be listed.

Either this means they're not used by spammers, or it means that those
boxes are hubs too (you may have stepped on a tarantula). However,
probably spammers will have redundancy built in, and may automatically
have their network reorganized, so I don't expect spam to stop :(

The last four connections definitely look suspect. I dislike level3's
way of handling reverse DNS. For example, a lookup of
also yields unknown.Level3.net (which cannot be reversed). It surely
looks like level3 has something to hide. is registered to Redwoosh. A Google Groups lookup for:
"" (including quotation marks!!) yields 1 message:

> From: Kernelpanic (none)
> Subject: Strange IPs/port # showing in netstat 
> Newsgroups: microsoft.public.windowsxp.general
> Date: 2003-09-08 21:53:59 PST 
> I run netstat after logging into on user and found that a connection is
> being made to on the http port.  After several seconds and
> connection is made to on port 14298.  I've since blocked the
> port 14298 on my router.  Has anyone seen this before?  TIA

I suggest you try to report this to the authorities. However I'm not a
US citizen so someone else may have good advice where to report this
(the local police will probably not understand what you're talking
about). If you plan to do that, I suggest you touch the box as little
as possible (I'd unplug the modem cable).

Otherwise it's probably best to wipe the disk and reinstall XP. Before
your friend starts, suggest him read Johannes Ullrich's tips for
installing XP from scratch (or his PC will likely be compromised before
being able to download and apply patches):

Windows XP: Surviving the First Day. (PDF)

Erik van Straten

On Wed, 04 Feb 2004 11:28:10 -0600 "Dustin Plank" wrote:
> I have a question that hopefully the people of the list can help me
> with.
> The following was pulled from a friends computer. His computer is
> running updated Norton AV, he scans regularly with Ad-Aware, he is
> behind a Linksys router and runs Seagate Personal Firewall. He is
> running on cable modem for his internet connection as well. 
> The network connection was going bonkers and this is what I found.
> Can anyone decipher what this maybe? His machine is seems to be clear
> of viruses, no spyware found, updated to the fullest from Windows
> Update.
> Thanks for the help in advance. It is much appreciated.
> Thanks,
> Dustin

[Note: I "beautified" Dustin's netstat output for better readability]

Proto - Local Address - Foreign Address - State
TCP inet-wkst1:1754 thereserve-sc-142-106.dmisinetworks.com:9420 CLOSE_WAIT
TCP inet-wkst1:1755 cpc1-hem11-3-0-cust139.lutn.cable.ntl.com:9420 CLOSE_WAIT
TCP inet-wkst1:1756 prtc-dsl-480229.mis.net:9420 CLOSE_WAIT
TCP inet-wkst1:1757 12-222-201-216.client.insightBB.com:9420 CLOSE_WAIT
TCP inet-wkst1:1758 ip68-8-212-101.sd.sd.cox.net:9420 CLOSE_WAIT
TCP inet-wkst1:1759 ool-182fa533.dyn.optonline.net:9420 CLOSE_WAIT
TCP inet-wkst1:1760 modemcable005.210-203-24.mc.videotron.ca:9420 CLOSE_WAIT
TCP inet-wkst1:1761 ma-northadams2a-36.bur.adelphia.net:9420 CLOSE_WAIT
TCP inet-wkst1:1762 cp209-202-78-173.cp.telus.net:9420 CLOSE_WAIT
TCP inet-wkst1:1763 68-233-86-83.pittpa.adelphia.net:9420 CLOSE_WAIT
TCP inet-wkst1:1764 Toronto-HSE-ppp3884730.sympatico.ca:9420 CLOSE_WAIT
TCP inet-wkst1:1765 ool-43563a71.dyn.optonline.net:9420 CLOSE_WAIT
TCP inet-wkst1:1766 tow29dhcp10.towson01.md.comcast.net:9420 CLOSE_WAIT
TCP inet-wkst1:1767 pcp01184645pcs.strl301.mi.comcast.net:9420 CLOSE_WAIT
TCP inet-wkst1:1768 pcp07845441pcs.wilmsc01.tn.comcast.net:9420 CLOSE_WAIT
TCP inet-wkst1:1769 CLOSE_WAIT
TCP inet-wkst1:1770 cpe-024-211-195-201.ec.rr.com:9420 CLOSE_WAIT
TCP inet-wkst1:1771 ca-fontana3a-138.snbrca.adelphia.net:9420 CLOSE_WAIT
TCP inet-wkst1:1772 cdm-66-233-104-15.bssr.cox-internet.com:9420 CLOSE_WAIT
TCP inet-wkst1:1773 ip68-2-201-228.ph.ph.cox.net:9420 CLOSE_WAIT
TCP inet-wkst1:1780 thereserve-sc-142-106.dmisinetworks.com:9420 CLOSE_WAIT
TCP inet-wkst1:1782 cpc1-hem11-3-0-cust139.lutn.cable.ntl.com:9420 CLOSE_WAIT
TCP inet-wkst1:1784 prtc-dsl-480229.mis.net:9420 CLOSE_WAIT
TCP inet-wkst1:1785 ool-182fa533.dyn.optonline.net:9420 CLOSE_WAIT
TCP inet-wkst1:1787 24-119-33-15.cpe.cableone.net:9420 CLOSE_WAIT
TCP inet-wkst1:1788 ma-northadams2a-36.bur.adelphia.net:9420 CLOSE_WAIT
TCP inet-wkst1:1789 modemcable005.210-203-24.mc.videotron.ca:9420 CLOSE_WAIT
TCP inet-wkst1:1791 ip68-8-212-101.sd.sd.cox.net:9420 CLOSE_WAIT
TCP inet-wkst1:1792 cp209-202-78-173.cp.telus.net:9420 CLOSE_WAIT
TCP inet-wkst1:1793 68-233-86-83.pittpa.adelphia.net:9420 CLOSE_WAIT
TCP inet-wkst1:1795 Toronto-HSE-ppp3884730.sympatico.ca:9420 CLOSE_WAIT
TCP inet-wkst1:1797 ool-43563a71.dyn.optonline.net:9420 CLOSE_WAIT
TCP inet-wkst1:1799 tow29dhcp10.towson01.md.comcast.net:9420 CLOSE_WAIT
TCP inet-wkst1:1800 pcp07845441pcs.wilmsc01.tn.comcast.net:9420 CLOSE_WAIT
TCP inet-wkst1:1801 pcp01184645pcs.strl301.mi.comcast.net:9420 CLOSE_WAIT
TCP inet-wkst1:1802 cpe-024-211-195-201.ec.rr.com:9420 CLOSE_WAIT
TCP inet-wkst1:1803 ca-fontana3a-138.snbrca.adelphia.net:9420 CLOSE_WAIT
TCP inet-wkst1:1804 CLOSE_WAIT
TCP inet-wkst1:1805 modemcable035.75-130-66.mc.videotron.ca:9420 CLOSE_WAIT
TCP inet-wkst1:1806 cdm-66-233-104-15.bssr.cox-internet.com:9420 CLOSE_WAIT
TCP inet-wkst1:2807 ESTABLISHED
TCP inet-wkst1:2808 ESTABLISHED
TCP inet-wkst1:4131 unknown.Level3.net:http CLOSE_WAIT
TCP inet-wkst1:4446 ESTABLISHED

More information about the list mailing list