[Dshield] Does 207.115.129.30 ring any bell?

Dan dan at dbdigitalweb.com
Thu Jan 8 19:31:27 GMT 2004


Over the holidays, I had a look at my dad's PC (Compaq, Win98).
He had been complaining of significant slowdowns. We did a few
usual things (such as cleaning up, defragmenting). But I also ran
"netstat -n -a" on his system and saw a few strange things:
------------------------------
Well, I would like to mention a couple of things.  First, Compaqs have a
program installed called BackWeb; it is so Compaq people can get into your
system and fix problems when you call for support (in theory anyway).  And
Spybot S&D will mention it and allow you to remove it.  It may be possible
that this was taken over; it does give all the hooks into the system, so
basically get your foot in the door and you are all set.  I don't know what
ports it uses, but I do remember it allows for installing of patches and
automatic downloading of them.  This can all be shut off, but if I
remember right, it is on by default.  In short, if you don't use it, get
rid of it.  There should be an uninstall in the add/remove, and then run
Spybot S&D to make sure all of it got zapped.  And if this does turn out to
be the cause, then it was "taken over" because BackWeb should only resolve
to a Compaq IP for any kind of file transfer.

As regards programs hiding in the process list, oh yes they can.  I would
suggest getting something like processviewer (which is free and pretty good)
and will show you a LOT more than the standard Windows 98 viewer will. You might
be able to track it down then if it is not BackWeb.



