Ruworld connections from netstat from system idle



#1 Gmorgan

Posted 20 May 2004 - 04:10 PM

Hello,

I have just finished clearing a browser hijacking off a user's laptop and I have found that they have some other very strange symptoms, oh great!!! :o

If I run netstat -o to find all connections on this machine and the owning process, the strange thing is that I have 40 connections to port 1048 and 40 connections to 1050. They are all in a TIME_WAIT state and all owned by the System Idle Process (0).
There are a couple of things:
1. How can the System Idle Process own connections to something like ruworld on these ports?
2. How come the TIME_WAIT entries are still there? I thought they should only be there for a very short time, like minutes, not 12 hours.
3. I assume the fact that they are in TIME_WAIT means that they started from this machine. How?
4. Most importantly, how do I stop this from happening?

I have attached the output below.

Active Connections

Proto Local Address Foreign Address State PID
TCP plasmafire:1048 ruworld.com:3669 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3671 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3673 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3675 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3677 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3679 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3681 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3683 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3685 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3687 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3689 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3691 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3693 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3695 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3697 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3699 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3701 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3703 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3705 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3707 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3709 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3711 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3713 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3715 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3718 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3720 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3722 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3724 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3726 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3728 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3730 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3732 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3734 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3736 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3738 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3740 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3742 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3744 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3746 TIME_WAIT 0
TCP plasmafire:1048 ruworld.com:3748 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3670 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3672 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3674 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3676 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3678 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3680 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3682 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3684 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3686 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3688 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3690 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3692 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3694 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3696 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3698 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3700 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3702 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3704 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3706 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3708 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3710 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3712 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3714 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3716 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3719 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3721 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3723 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3725 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3727 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3729 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3731 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3733 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3735 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3737 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3739 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3741 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3743 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3745 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3747 TIME_WAIT 0
TCP plasmafire:1050 ruworld.com:3749 TIME_WAIT 0
TCP plasmafire:netbios-ssn s3:1169 ESTABLISHED 4
TCP plasmafire:1495 baym-cs307.msgr.hotmail.com:1863 ESTABLISHED 3440

Any help or ideas on this would be much appreciated. I do not know where to look anymore!!

#2 Gmorgan

Posted 27 May 2004 - 05:09 AM

Hello again,

Well even though there have been no responses I have kept looking into this.

The bizarre thing is that the number of connections has now gone down to 10 for each port and the number of ports is now just 2 (1050 & 1052), but more interestingly the address they are connecting to is now cracks.am.

My next move is to install ZoneAlarm and see if I can see what program is triggering the connections.

I have tried pretty much everything. Please, if anyone has any ideas, no matter how random, or just more information about TCP stuff, then please do drop a note.

thanks
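Added example, not code from Gmorgan's posts or from any tool named in them, that works through both dumps in this thread: the 40 + 40 TIME_WAIT entries in post #1 and the question in post #2 of which program is opening the connections. Three facts about netstat on Windows XP drive it. A TIME_WAIT socket has already been closed by its owner, so netstat -o reports PID 0 for it; the owning program can only be caught while the connection is still SYN_SENT or ESTABLISHED. TIME_WAIT lasts TcpTimedWaitDelay, four minutes by default, so entries that are still present after 12 hours mean new connections keep being made, not that old ones are stuck; and TIME_WAIT is held by whichever end sent the first FIN, so it says nothing about which end opened the connection. Finally, a single local port (1048, 1050) paired with dozens of distinct foreign ports is what a listening socket that has accepted many short connections looks like, since a client normally gets a fresh local port for each outbound connection; netstat -o alone does not list listeners, so the first check is netstat -ano for LISTENING lines on those ports, where the PID column is populated. The script parses either output, summarises it, guesses port roles, extracts listener PIDs, and diffs successive snapshots to attribute a PID before the socket reaches TIME_WAIT. The sample dumps are constructed to match the shape of the posted output and PID 1234 is a placeholder, not a value from the thread.

```python
"""Added example for this thread, not code from the original posts. Parses
Windows `netstat -o` / `netstat -ano` output; sample dumps are constructed."""
import subprocess
import sys
import time
from collections import Counter, defaultdict

# Constructed to mirror the shape of the dump posted in the thread (hostnames
# rather than numeric addresses because netstat was run without -n).
SAMPLE_NETSTAT = """\
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    plasmafire:1048        ruworld.com:3669       TIME_WAIT       0
  TCP    plasmafire:1048        ruworld.com:3671       TIME_WAIT       0
  TCP    plasmafire:1050        ruworld.com:3670       TIME_WAIT       0
  TCP    plasmafire:1050        ruworld.com:3672       TIME_WAIT       0
  TCP    plasmafire:netbios-ssn s3:1169                ESTABLISHED     4
  TCP    plasmafire:1495        baym-cs307.msgr.hotmail.com:1863  ESTABLISHED  3440
"""

# Two constructed `netstat -ano` snapshots a few seconds apart: the listener and
# the live connection carry placeholder PID 1234; once the socket is closed
# Windows reports it in TIME_WAIT with PID 0.
SNAPSHOT_1 = """\
  TCP    0.0.0.0:1048           0.0.0.0:0              LISTENING       1234
  TCP    plasmafire:1048        ruworld.com:3750       ESTABLISHED     1234
  UDP    0.0.0.0:445            *:*                                    4
"""
SNAPSHOT_2 = """\
  TCP    0.0.0.0:1048           0.0.0.0:0              LISTENING       1234
  TCP    plasmafire:1048        ruworld.com:3750       TIME_WAIT       0
"""

def parse_netstat(text):
    """One dict per TCP line; UDP lines (no State column) are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        lhost, lport = fields[1].rsplit(":", 1)
        fhost, fport = fields[2].rsplit(":", 1)
        rows.append({"local_host": lhost, "local_port": lport,
                     "foreign_host": fhost, "foreign_port": fport,
                     "state": fields[3], "pid": int(fields[4])})
    return rows

def summarise(rows):
    """Count connections per (local port, foreign host, state, PID)."""
    return Counter((r["local_port"], r["foreign_host"], r["state"], r["pid"])
                   for r in rows)

def port_roles(rows):
    """One local port paired with many distinct foreign host:port pairs is how a
    listening socket that accepted repeated connections looks; an outbound
    client normally gets a fresh local port for every connection."""
    peers = defaultdict(set)
    for r in rows:
        peers[r["local_port"]].add((r["foreign_host"], r["foreign_port"]))
    return {port: "listener-like" if len(p) > 1 else "single connection"
            for port, p in peers.items()}

def listening_owners(rows):
    """local port -> PID for LISTENING sockets (only `netstat -ano` lists them)."""
    return {r["local_port"]: r["pid"] for r in rows if r["state"] == "LISTENING"}

def attribute_pids(snapshots):
    """First non-zero PID seen for each connection across successive snapshots.
    TIME_WAIT sockets always show PID 0 (the owner has already closed them), so
    the owner must be caught while the connection is SYN_SENT/ESTABLISHED."""
    owners = {}
    for text in snapshots:
        for r in parse_netstat(text):
            if r["state"] == "LISTENING" or r["pid"] == 0:
                continue
            key = (r["local_port"], r["foreign_host"], r["foreign_port"])
            owners.setdefault(key, (r["pid"], r["state"]))
    return owners

def poll_live(seconds=60, interval=1.0):
    """Poll `netstat -ano` on the affected Windows machine and return the PIDs
    caught owning connections before they reached TIME_WAIT."""
    snapshots, deadline = [], time.time() + seconds
    while time.time() < deadline:
        snapshots.append(subprocess.run(["netstat", "-ano"], capture_output=True,
                                        text=True, check=False).stdout)
        time.sleep(interval)
    return attribute_pids(snapshots)

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for key, n in sorted(summarise(rows).items()):
        print(key, n)
    print(port_roles(rows))
    print(listening_owners(parse_netstat(SNAPSHOT_1)))
    print(attribute_pids([SNAPSHOT_1, SNAPSHOT_2]))
    if "--live" in sys.argv[1:]:
        print(poll_live())
```

Run it with --live on the affected machine to poll netstat -ano for a minute (netstat -ano 1 does the same redisplay by hand), then map any PID it returns to an image name with tasklist /fi "pid eq N". If 1048 and 1050 show up as LISTENING with a real PID, that PID is the program accepting the connections, which is the answer to the question of what is "triggering" them.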

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button