Netstat question


David Sherman

If I run netstat -n from a DOS box and get the following connections:

TCP 192.168.1.3:1457 64.94.180.109:80 ESTABLISHED
TCP 192.168.1.3:1460 64.94.180.109:80 ESTABLISHED
TCP 192.168.1.3:1748 64.94.180.109:80 ESTABLISHED
TCP 192.168.1.3:2046 64.94.180.109:80 ESTABLISHED
TCP 192.168.1.3:2049 64.94.180.109:80 ESTABLISHED

Why doesn't Microsoft Spyware product catch these open connections?

thanks
 
David Sherman laid this down on his screen :
64.94.180.109

Hi

Maybe you can recognise what this is, your ISP ?

.... here is the whois look up result for 64.94.180.109 from
whois.arin.net :

Internap Network Services PNAP-05-2000 (NET-64-94-0-0-1)
64.94.0.0 - 64.95.255.255
Radianz PNAP-NYM-RADIAN-RM-01 (NET-64-94-180-0-1)
64.94.180.0 - 64.94.181.255

# ARIN WHOIS database, last updated 2005-06-29 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
 
Hi

Ok, first of all it's better to use Sysinternals TCP view instead
of Netstat command.

http://www.sysinternals.com/Utilities/TcpView.html

What applications are running during Netstat command ? (use TcpView
when downloaded)

What firewall are you running ?

Anything suspicious within hosts file ?

Everything updated including SP2 from Windows Update ?

Updated antivirus program ?

--
plun





David Sherman laid this down on his screen :
 
TCpView doesn't work for this.

1. I have a Linksys WRTG54 Router(firmware is 3.03.6) Linksys support
is clueless.
I have
1. Block anonymous Internet Requests
2. Filter Multicast
3. Filter NatRedirection
4. Filter IDENT(Port 113)

2. I also use XP SP2 firewall

3. Machine is patched via Windows Update.

4. I run Norton 2005.

5. I have run Ad aware, Spybot and MS AntiSpyware. No hits.

Some of the companies that out these connections:
192.168.1.3:3435 207.46.248.16:119 ESTABLISHED Microsoft news server.
I also got one from http://www.wininternals.com

thanks
 
Hi

Well, you must then have an ongoing process that
connects you to 64.94.180.109:80

One way to sort out this is to use MSAS > Advanced tools >System
Explorers
and check all running processes.

One other way is to use HijackThis and examine your system, perhaps
you can do it yourself ?

HijackThis download:
http://www.merijn.org/files/hijackthis.zip

How to use HijackThis (be careful):
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42

You can also get some "hints" about anything wrong using HijackThis.de
and paste your hijackthislog and analyze it. Note only hints !!!

http://www.hijackthis.de/


If you want support choose one of these HijackThis forums and
they help you with this.

http://www.merijn.org/forums.html

or

http://aumha.net/viewforum.php?f=30

Important, Register, read announcements and sticky notes
before you post !


--
plun



David Sherman has brought this to us :
 
David Sherman said:
If I run netstat -n from a DOS box and get the following connections:

TCP 192.168.1.3:1457 64.94.180.109:80 ESTABLISHED
TCP 192.168.1.3:1460 64.94.180.109:80 ESTABLISHED
TCP 192.168.1.3:1748 64.94.180.109:80 ESTABLISHED
TCP 192.168.1.3:2046 64.94.180.109:80 ESTABLISHED
TCP 192.168.1.3:2049 64.94.180.109:80 ESTABLISHED

Why doesn't Microsoft Spyware product catch these open connections?

thanks

If you were brave you could've just put 64.94.180.109 into your
browser address and seen that it's
http://today.reuters.com/news/default.aspx

Scary stuff!

Bob Vanderveen
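
Added example, not part of any post in this thread: the question the replies circle around is which process owns the repeated connections to 64.94.180.109:80. `netstat -n` does not show that, but `netstat -ano` adds a PID column, and the sketch below groups ESTABLISHED rows by remote endpoint and owning PID. The sample text is constructed from the addresses quoted in the thread; the PID values are invented for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's connections laid out the way
# `netstat -ano` prints them. The PID column (1234, 888, 700) is invented.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.3:1457       64.94.180.109:80       ESTABLISHED     1234
  TCP    192.168.1.3:1460       64.94.180.109:80       ESTABLISHED     1234
  TCP    192.168.1.3:1748       64.94.180.109:80       ESTABLISHED     1234
  TCP    192.168.1.3:2046       64.94.180.109:80       ESTABLISHED     1234
  TCP    192.168.1.3:2049       64.94.180.109:80       ESTABLISHED     1234
  TCP    192.168.1.3:3435       207.46.248.16:119      ESTABLISHED     888
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  UDP    0.0.0.0:500            *:*                                    700
"""

# proto, local addr:port, remote addr:port, state, pid
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")

def established_by_owner(netstat_text):
    """Map (remote ip, remote port, pid) -> list of local ports in use."""
    groups = defaultdict(list)
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header lines, UDP rows (no state column), blanks
        _local_ip, local_port, remote_ip, remote_port, state, pid = m.groups()
        if state != "ESTABLISHED":
            continue  # listeners and half-closed sockets are not of interest here
        groups[(remote_ip, int(remote_port), int(pid))].append(int(local_port))
    return dict(groups)

def report(netstat_text):
    """One summary line per remote endpoint/PID pair, busiest first."""
    groups = established_by_owner(netstat_text)
    ordered = sorted(groups.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [
        f"PID {pid}: {len(ports)} connection(s) to {ip}:{port} "
        f"(local ports {', '.join(map(str, ports))})"
        for (ip, port, pid), ports in ordered
    ]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Once a PID stands out, `tasklist /FI "PID eq <pid>"` names the image behind it, which is the process-to-connection mapping TcpView shows interactively.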
 