Press F1
Thread ID: 50531 2004-10-23 10:24:00 284 strange connections on "SYN_SENT" to nonexistent PCs in local network george12 (7) Press F1
283954 2004-10-23 10:24:00 On my server, I was wondering why on the router all the activity lights for every computer of the network were on constantly.

I checked netstat on the server, and found 284 very strange connections.

All were on "SYN_SENT", and all had random destination addresses in our local network range (non-existent though).

Here is some of the output from netstat -n:

TCP 10.0.0.80:64627 10.0.28.104:135 SYN_SENT
TCP 10.0.0.80:64628 10.0.119.63:135 SYN_SENT
TCP 10.0.0.80:64629 10.0.66.89:135 SYN_SENT
TCP 10.0.0.80:64630 10.0.99.143:135 SYN_SENT
TCP 10.0.0.80:64631 10.0.159.0:135 SYN_SENT
TCP 10.0.0.80:64632 10.0.157.230:135 SYN_SENT
TCP 10.0.0.80:64633 10.0.34.210:135 SYN_SENT
TCP 10.0.0.80:64634 10.0.125.222:135 SYN_SENT
TCP 10.0.0.80:64635 10.0.187.227:135 SYN_SENT
TCP 10.0.0.80:64636 10.0.161.4:135 SYN_SENT
TCP 10.0.0.80:64637 10.0.201.214:135 SYN_SENT
TCP 10.0.0.80:64638 10.0.95.236:135 SYN_SENT
TCP 10.0.0.80:64639 10.0.218.30:135 SYN_SENT
TCP 10.0.0.80:64640 10.0.102.10:135 SYN_SENT
TCP 10.0.0.80:64641 10.0.134.115:135 SYN_SENT
TCP 10.0.0.80:64642 10.0.170.110:135 SYN_SENT
TCP 10.0.0.80:64643 10.0.220.52:135 SYN_SENT
TCP 10.0.0.80:64644 10.0.248.3:135 SYN_SENT
TCP 10.0.0.80:64645 10.0.208.11:135 SYN_SENT
TCP 10.0.0.80:64646 10.0.123.107:135 SYN_SENT
TCP 10.0.0.80:64647 10.0.203.88:135 SYN_SENT
TCP 10.0.0.80:64648 10.0.169.94:135 SYN_SENT
TCP 10.0.0.80:64649 10.0.126.15:135 SYN_SENT
TCP 10.0.0.80:64650 10.0.53.28:135 SYN_SENT
TCP 10.0.0.80:64651 10.0.190.184:135 SYN_SENT
TCP 10.0.0.80:64652 10.0.69.48:135 SYN_SENT
TCP 10.0.0.80:64653 10.0.212.228:135 SYN_SENT
TCP 10.0.0.80:64654 10.0.167.210:135 SYN_SENT
TCP 10.0.0.80:64655 10.0.22.254:135 SYN_SENT
TCP 10.0.0.80:64656 10.0.235.3:135 SYN_SENT
TCP 10.0.0.80:64657 10.0.27.120:135 SYN_SENT
TCP 10.0.0.80:64658 10.0.246.146:135 SYN_SENT
TCP 10.0.0.80:64659 10.0.154.117:135 SYN_SENT
TCP 10.0.0.80:64660 10.0.222.239:135 SYN_SENT
TCP 10.0.0.80:64661 10.0.24.106:135 SYN_SENT
TCP 10.0.0.80:64662 10.0.80.96:135 SYN_SENT
TCP 10.0.0.80:64663 10.0.135.161:135 SYN_SENT
TCP 10.0.0.80:64664 10.0.127.121:135 SYN_SENT
TCP 10.0.0.80:64665 10.0.91.106:135 SYN_SENT
TCP 10.0.0.80:64666 10.0.235.91:135 SYN_SENT
TCP 10.0.0.80:64667 10.0.90.253:135 SYN_SENT
TCP 10.0.0.80:64668 10.0.203.94:135 SYN_SENT
TCP 10.0.0.80:64669 10.0.215.136:135 SYN_SENT
TCP 10.0.0.80:64670 10.0.163.161:135 SYN_SENT
TCP 10.0.0.80:64671 10.0.102.234:135 SYN_SENT
TCP 10.0.0.80:64672 10.0.75.189:135 SYN_SENT
TCP 10.0.0.80:64673 10.0.7.131:135 SYN_SENT
TCP 10.0.0.80:64674 10.0.23.116:135 SYN_SENT
TCP 10.0.0.80:64675 10.0.38.89:135 SYN_SENT
TCP 10.0.0.80:64676 10.0.156.66:135 SYN_SENT

The network activity on all computers indicates no internet access, but constant sending traffic on all computers (but by far most on the server). The server sends around 35 packets per second at the moment, the others about 1 per second. In both cases no traffic is received (unless it's meant to be).

All this has me seriously worried about some kind of virus (seems very dodgy).

Please help

Cheers,
George
george12 (7)
283955 2004-10-23 10:30:00 Port 135 which they all seem to be going to is a DCOM/RPC port for Windows, claim to fame for Blaster and associated wormness.

Possibly got a viral infected machine there.
whtafo (156)
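The listing in the first post and the port 135 diagnosis above, turned into a reusable check: this is an added example, not code from the thread. It assumes the Windows `netstat -n` line format shown above and embeds a constructed sample modelled on those lines.

```python
"""Flag worm-style scanning in `netstat -n` output.

Added example (not from the original thread): counts outbound TCP
connections stuck in SYN_SENT per (local address, remote port) and
reports sources that hit many distinct remote hosts on the same port,
the pattern shown in the thread for port 135 (DCOM/RPC).
"""
from collections import defaultdict

# Constructed sample, modelled on the netstat -n lines in the thread.
SAMPLE_NETSTAT = """\
TCP 10.0.0.80:64627 10.0.28.104:135 SYN_SENT
TCP 10.0.0.80:64628 10.0.119.63:135 SYN_SENT
TCP 10.0.0.80:64629 10.0.66.89:135 SYN_SENT
TCP 10.0.0.80:64630 10.0.99.143:135 SYN_SENT
TCP 10.0.0.80:64631 10.0.159.0:135 SYN_SENT
TCP 10.0.0.80:3389 10.0.0.5:52110 ESTABLISHED
TCP 10.0.0.80:445 10.0.0.7:1043 ESTABLISHED
TCP 10.0.0.80:64690 203.0.113.10:80 SYN_SENT
"""

def parse_netstat(text):
    """Return (proto, local_ip, local_port, remote_ip, remote_port, state)
    for each connection line; headers and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote, state = parts
        lip, _, lport = local.rpartition(":")
        rip, _, rport = remote.rpartition(":")
        if not (lport.isdigit() and rport.isdigit()):
            continue
        rows.append((proto, lip, int(lport), rip, int(rport), state))
    return rows

def find_scanners(text, threshold=5, state="SYN_SENT"):
    """Return {(local_ip, remote_port): distinct_remote_hosts} for every
    source with at least `threshold` half-open connections to different
    hosts on one remote port. Half-open fan-out across many addresses
    is the signature of a scanning worm, not of a normal client."""
    targets = defaultdict(set)
    for proto, lip, _lport, rip, rport, st in parse_netstat(text):
        if proto == "TCP" and st == state:
            targets[(lip, rport)].add(rip)
    return {key: len(hosts) for key, hosts in targets.items()
            if len(hosts) >= threshold}

if __name__ == "__main__":
    for (src, port), n in find_scanners(SAMPLE_NETSTAT).items():
        print(f"{src} has {n} half-open connections to port {port}: "
              "investigate this host for a scanning worm")
```

Pipe `netstat -n` into the script on a suspect machine; one source fanning out to dozens of unreachable hosts on a single port is the same signal the thread spotted by eye.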
283956 2004-10-23 10:59:00 Spot on WTF, running the removal tool now.

The symptoms match exactly those described on the Symantec website.

By the way, I noticed the unwelcome sarcasm has disappeared. The new Whiskey is much nicer :).

Cheers
George
george12 (7)
283957 2004-10-23 11:04:00 > By the way, I noticed the unwelcome sarcasm has
> disappeared. The new Whiskey is much nicer :).

Now see that was unnecessary.
whtafo (156)
283958 2004-10-23 11:06:00 Oh crap, it's not Blaster. I have heard stuff about mydoom as well, I'll try running the tool for that now. george12 (7)
283959 2004-10-23 11:19:00 Have installed NAV, updated to latest, ran Windows Update and installed all critical patches.

Doing a full system scan now.

Not much interest in this thread, is there? Maybe next time I should make the title "OT: Bloody telescum" - would attract a lot more attention!

George
george12 (7)
283960 2004-10-23 11:23:00 HORROR!!!!

A page just opened on the server, a gay porn site. Now that's strange as I don't exactly go around installing Kazaa and visiting porn sites on my servers!

I only have known good programs installed. So I guess some other computer(s) are infected on the network. This may take a long time to completely eradicate.

George
george12 (7)
283961 2004-10-23 11:25:00 Have you noticed it's after midnight? That WTF, who is 99% of the time right on the money, has given you an answer that matches exactly with your own research, and you are now taking steps to rectify the problem.....

What is it you wish for?.....25 posts of conflicting advice that are obviously guesswork and straw grasping?
metla (154)
283962 2004-10-23 11:26:00 Gay porn?

That's sure to generate some interest.

Lmao.
metla (154)