Crazy amount of network connections, possible system compromise


skeedo
04-20-2012, 06:25 PM
Running netstat -a, I have a lot of connections which I believe to be loopback connections, and I'm not quite sure of the reason for this.

Yesterday, I logged onto my bank website and it said it did not recognize my IP address and I had to provide the answer to a security question. Also, I placed an order for a Linux shell with a provider and they denied my order, saying I had sent it by proxy. However, looking up my computer on various websites, my IP resolves to a Verizon IP and no proxy is detected... although I'm told you can be using a proxy that doesn't identify itself.

I have done scans with both Avast and Windows Defender that found nothing. I only download software from trusted sites and honestly have not had a virus since I moved to Windows 7 with Chrome some 8 months ago.

My bank website not recognizing my IP and the shell provider claiming that I sent from a proxy is enough to raise suspicion, however. Here are my netstat -a results after a fresh reboot; does anybody see anything out of the ordinary here? I can't understand why I have all these open loopback connections; furthermore, I don't like the established http and https connections that I see when I haven't even opened a web browser yet. I imagine there are services other than the web browser that use the HTTP protocol, but I just can't be completely sure that I'm out of the woods.



Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 skeedo:0 LISTENING
TCP 0.0.0.0:445 skeedo:0 LISTENING
TCP 0.0.0.0:554 skeedo:0 LISTENING
TCP 0.0.0.0:2869 skeedo:0 LISTENING
TCP 0.0.0.0:3389 skeedo:0 LISTENING
TCP 0.0.0.0:5357 skeedo:0 LISTENING
TCP 0.0.0.0:10243 skeedo:0 LISTENING
TCP 0.0.0.0:49152 skeedo:0 LISTENING
TCP 0.0.0.0:49153 skeedo:0 LISTENING
TCP 0.0.0.0:49155 skeedo:0 LISTENING
TCP 0.0.0.0:49156 skeedo:0 LISTENING
TCP 0.0.0.0:49157 skeedo:0 LISTENING
TCP 0.0.0.0:49160 skeedo:0 LISTENING
TCP 127.0.0.1:5354 skeedo:0 LISTENING
TCP 127.0.0.1:12025 skeedo:0 LISTENING
TCP 127.0.0.1:12080 skeedo:0 LISTENING
TCP 127.0.0.1:12080 3dns:49178 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49190 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49192 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49195 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49197 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49198 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49199 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49200 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49201 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49202 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49203 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49211 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49212 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49215 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49216 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49217 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49223 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49225 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49227 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49229 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49230 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49233 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49235 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49236 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49239 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49240 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49241 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49249 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49251 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49253 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49255 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49256 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49257 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49258 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49259 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49265 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49267 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49269 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49271 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49273 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49274 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49281 ESTABLISHED
TCP 127.0.0.1:12080 3dns:49283 ESTABLISHED
TCP 127.0.0.1:12110 skeedo:0 LISTENING
TCP 127.0.0.1:12119 skeedo:0 LISTENING
TCP 127.0.0.1:12143 skeedo:0 LISTENING
TCP 127.0.0.1:12465 skeedo:0 LISTENING
TCP 127.0.0.1:12563 skeedo:0 LISTENING
TCP 127.0.0.1:12993 skeedo:0 LISTENING
TCP 127.0.0.1:12995 skeedo:0 LISTENING
TCP 127.0.0.1:49178 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49190 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49192 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49195 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49197 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49198 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49199 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49200 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49201 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49202 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49203 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49211 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49212 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49215 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49216 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49217 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49223 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49225 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49227 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49229 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49230 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49233 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49235 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49236 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49239 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49240 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49241 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49249 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49251 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49253 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49255 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49256 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49257 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49258 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49259 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49265 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49267 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49269 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49271 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49273 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49274 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49281 3dns:12080 ESTABLISHED
TCP 127.0.0.1:49283 3dns:12080 ESTABLISHED
TCP 192.168.1.33:139 skeedo:0 LISTENING
TCP 192.168.1.33:49181 vb-in-f104:https ESTABLISHED
TCP 192.168.1.33:49182 iad04s01-in-f95:https TIME_WAIT
TCP 192.168.1.33:49183 vb-in-f104:http ESTABLISHED
TCP 192.168.1.33:49185 vb-in-f104:https TIME_WAIT
TCP 192.168.1.33:49186 iad04s01-in-f113:https ESTABLISHED
TCP 192.168.1.33:49187 iad04s01-in-f120:https TIME_WAIT
TCP 192.168.1.33:49191 iad04s01-in-f100:http ESTABLISHED
TCP 192.168.1.33:49193 iad04s01-in-f138:http ESTABLISHED
TCP 192.168.1.33:49194 iad04s01-in-f120:https ESTABLISHED
TCP 192.168.1.33:49196 merlin:http CLOSE_WAIT
TCP 192.168.1.33:49204 72.21.81.253:http CLOSE_WAIT
TCP 192.168.1.33:49205 72.21.81.253:http CLOSE_WAIT
TCP 192.168.1.33:49206 72.21.81.253:http CLOSE_WAIT
TCP 192.168.1.33:49207 72.21.81.253:http CLOSE_WAIT
TCP 192.168.1.33:49208 72.21.81.253:http CLOSE_WAIT
TCP 192.168.1.33:49209 72.21.81.253:http CLOSE_WAIT
TCP 192.168.1.33:49210 advanced360:http CLOSE_WAIT
TCP 192.168.1.33:49213 a23-66-231-43:http CLOSE_WAIT
TCP 192.168.1.33:49214 a23-66-231-43:http CLOSE_WAIT
TCP 192.168.1.33:49218 iad04s01-in-f95:http ESTABLISHED
TCP 192.168.1.33:49219 iad04s01-in-f95:http ESTABLISHED
TCP 192.168.1.33:49220 iad04s01-in-f95:http ESTABLISHED
TCP 192.168.1.33:49224 www-slb-11-05-prn1:http ESTABLISHED
TCP 192.168.1.33:49226 72.21.81.253:http CLOSE_WAIT
TCP 192.168.1.33:49228 goku:http ESTABLISHED
TCP 192.168.1.33:49231 72.21.81.253:http CLOSE_WAIT
TCP 192.168.1.33:49232 72.21.81.253:http CLOSE_WAIT
TCP 192.168.1.33:49234 72.21.81.253:http CLOSE_WAIT
TCP 192.168.1.33:49237 72.21.81.253:http CLOSE_WAIT
TCP 192.168.1.33:49238 72.21.81.253:http CLOSE_WAIT
TCP 192.168.1.33:49243 merlin:http CLOSE_WAIT
TCP 192.168.1.33:49244 merlin:http CLOSE_WAIT
TCP 192.168.1.33:49245 merlin:http CLOSE_WAIT
TCP 192.168.1.33:49250 iad04s01-in-f113:http ESTABLISHED
TCP 192.168.1.33:49252 64.152.208.202:http ESTABLISHED
TCP 192.168.1.33:49254 a72-247-242-72:http CLOSE_WAIT
TCP 192.168.1.33:49260 a72-247-242-72:http CLOSE_WAIT
TCP 192.168.1.33:49261 a72-247-242-72:http CLOSE_WAIT
TCP 192.168.1.33:49262 a72-247-242-72:http CLOSE_WAIT
TCP 192.168.1.33:49263 a72-247-242-72:http CLOSE_WAIT
TCP 192.168.1.33:49264 a72-247-242-72:http CLOSE_WAIT
TCP 192.168.1.33:49266 a23-66-231-57:http ESTABLISHED
TCP 192.168.1.33:49268 208-44-23-96:http ESTABLISHED
TCP 192.168.1.33:49270 goku:http ESTABLISHED
TCP 192.168.1.33:49272 cdn-208-111-161-254:http CLOSE_WAIT
TCP 192.168.1.33:49275 cdn-208-111-161-254:http CLOSE_WAIT
TCP 192.168.1.33:49276 cdn-208-111-161-254:http CLOSE_WAIT
TCP 192.168.1.33:49282 67.148.147.80:http ESTABLISHED
TCP 192.168.1.33:49284 67.148.147.80:http ESTABLISHED
TCP [::]:135 skeedo:0 LISTENING
TCP [::]:445 skeedo:0 LISTENING
TCP [::]:554 skeedo:0 LISTENING
TCP [::]:2869 skeedo:0 LISTENING
TCP [::]:3389 skeedo:0 LISTENING
TCP [::]:3587 skeedo:0 LISTENING
TCP [::]:5357 skeedo:0 LISTENING
TCP [::]:10243 skeedo:0 LISTENING
TCP [::]:49152 skeedo:0 LISTENING
TCP [::]:49153 skeedo:0 LISTENING
TCP [::]:49155 skeedo:0 LISTENING
TCP [::]:49156 skeedo:0 LISTENING
TCP [::]:49157 skeedo:0 LISTENING
TCP [::]:49160 skeedo:0 LISTENING
UDP 0.0.0.0:3544 *:*
UDP 0.0.0.0:3702 *:*
UDP 0.0.0.0:3702 *:*
UDP 0.0.0.0:3702 *:*
UDP 0.0.0.0:3702 *:*
UDP 0.0.0.0:5004 *:*
UDP 0.0.0.0:5005 *:*
UDP 0.0.0.0:5355 *:*
UDP 0.0.0.0:54818 *:*
UDP 0.0.0.0:54820 *:*
UDP 0.0.0.0:56882 *:*
UDP 0.0.0.0:57313 *:*
UDP 127.0.0.1:1900 *:*
UDP 127.0.0.1:44301 *:*
UDP 127.0.0.1:45301 *:*
UDP 127.0.0.1:56881 *:*
UDP 127.0.0.1:56887 *:*
UDP 192.168.1.33:137 *:*
UDP 192.168.1.33:138 *:*
UDP 192.168.1.33:1900 *:*
UDP 192.168.1.33:5353 *:*
UDP 192.168.1.33:56886 *:*
UDP 192.168.1.33:64784 *:*
UDP [::]:3540 *:*
UDP [::]:3702 *:*
UDP [::]:3702 *:*
UDP [::]:3702 *:*
UDP [::]:3702 *:*
UDP [::]:5004 *:*
UDP [::]:5005 *:*
UDP [::]:5355 *:*
UDP [::]:54819 *:*
UDP [::]:54821 *:*
UDP [::]:56883 *:*
UDP [::]:57314 *:*
UDP [::1]:1900 *:*
UDP [::1]:56885 *:*
UDP [fe80::58cc:59d9:a4f6:f96a%10]:546 *:*
UDP [fe80::58cc:59d9:a4f6:f96a%10]:1900 *:*
UDP [fe80::58cc:59d9:a4f6:f96a%10]:56884 *:*
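An added triage script, not code from the thread: it parses a `netstat -a` listing in the format above and separates the three things worth telling apart before worrying, namely listeners bound to every interface (0.0.0.0 and [::]), loopback-only listeners, and the mirrored loopback rows, each of which is one connection seen from both of its sockets, so the 86 rows involving 127.0.0.1:12080 above are 43 local clients of one local service. The embedded sample is a hand-picked subset of the posted listing. What `netstat -a` cannot show is which process owns each socket; on Windows, `netstat -abno` from an elevated prompt adds the PID and executable name, and that, not the port number, is the check that settles whether a local listener such as 12080 belongs to something expected (a local proxy such as an antivirus web or mail filter is one common owner of a pattern like this) or to something else.

```python
"""Triage a Windows `netstat -a` listing: what is exposed on every interface,
what is loopback-only, and how many real loopback connections the mirrored rows represent."""
from collections import Counter, defaultdict, namedtuple

Conn = namedtuple("Conn", "proto local_host local_port foreign_host foreign_port state")

# Constructed sample: a subset of the listing posted in the thread, same layout as `netstat -a`.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            skeedo:0               LISTENING
  TCP    0.0.0.0:445            skeedo:0               LISTENING
  TCP    0.0.0.0:3389           skeedo:0               LISTENING
  TCP    127.0.0.1:12080        skeedo:0               LISTENING
  TCP    127.0.0.1:12080        3dns:49178             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49190             ESTABLISHED
  TCP    127.0.0.1:49178        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49190        3dns:12080             ESTABLISHED
  TCP    192.168.1.33:139       skeedo:0               LISTENING
  TCP    192.168.1.33:49181     vb-in-f104:https       ESTABLISHED
  TCP    192.168.1.33:49204     72.21.81.253:http      CLOSE_WAIT
  TCP    192.168.1.33:49205     72.21.81.253:http      CLOSE_WAIT
  TCP    [::]:3389              skeedo:0               LISTENING
  UDP    0.0.0.0:5355           *:*
  UDP    127.0.0.1:1900         *:*
  UDP    [fe80::58cc:59d9:a4f6:f96a%10]:546  *:*
"""

LOOPBACK = {"127.0.0.1", "[::1]"}
WILDCARD = {"0.0.0.0", "[::]"}   # bound on every interface, reachable from the LAN at least


def split_endpoint(ep):
    """'[::]:135' -> ('[::]', '135'); '72.21.81.253:http' -> ('72.21.81.253', 'http')."""
    host, _, port = ep.rpartition(":")
    return host, port


def parse_netstat(text):
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # blank line, "Active Connections", or the column header
        lh, lp = split_endpoint(parts[1])
        fh, fp = split_endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no state column
        conns.append(Conn(parts[0], lh, lp, fh, fp, state))
    return conns


def triage(conns):
    wildcard = sorted({(c.proto, c.local_port) for c in conns
                       if c.local_host in WILDCARD and c.state in ("LISTENING", "")})
    loop_listen = {c.local_port for c in conns
                   if c.proto == "TCP" and c.local_host in LOOPBACK and c.state == "LISTENING"}
    # A loopback connection appears twice (once per socket). Collapse by the unordered
    # port pair, then credit it to whichever end is a known loopback listener.
    pairs = {tuple(sorted((c.local_port, c.foreign_port))) for c in conns
             if c.proto == "TCP" and c.local_host in LOOPBACK and c.state == "ESTABLISHED"}
    per_service = Counter()
    for a, b in pairs:
        per_service[a if a in loop_listen else b if b in loop_listen else "?"] += 1
    remote = defaultdict(Counter)
    for c in conns:
        if (c.proto == "TCP" and c.local_host not in (LOOPBACK | WILDCARD)
                and c.state not in ("LISTENING", "")):
            remote[(c.foreign_host, c.foreign_port)][c.state] += 1
    return {"wildcard_listeners": wildcard,
            "loopback_listeners": sorted(loop_listen),
            "loopback_conns_per_service": dict(per_service),
            "remote": {k: dict(v) for k, v in remote.items()}}


if __name__ == "__main__":
    for section, rows in triage(parse_netstat(SAMPLE)).items():
        print(section, rows)
```

The wildcard list is the one to read first: anything in it is reachable by every host that can route to the machine, which behind a home NAT usually means the LAN but not the internet. The remote section groups by foreign endpoint so that dozens of CLOSE_WAIT rows to one CDN address read as one fact rather than twenty.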

AFurryReptile
04-20-2012, 06:43 PM
That's completely normal, don't sweat it. Exactly 0 of those IPs are even internet routable.

power_hour
04-20-2012, 10:12 PM
Install Wireshark and view the results. Windows 7 is a bit chatty though, so don't freak out yet. And what exactly do you mean your bank doesn't recognize your IP? That could mean someone is attempting to access your accounts from another PC. Take steps to verify what they are saying immediately.

SecurityTheatre
04-21-2012, 12:57 AM
It looks like a computer that has visited a few different web pages in the last 20 minutes.


Was that you?

If so, totally normal.

Windows is massive, bloated, chatty on the network and all of those little updaters, agents, plugins, etc... each want to visit a site.

Flash is checking for updates, Java is checking for updates. iTunes is checking for updates, the browser is getting pages, antivirus is checking pages for malware and spam, email services are checking email.

Most of that happens without even opening other programs. :-)

And the overweight reptile is correct: none of the IPv4 addresses in there are routable, it's all outbound connections.

Actually, if you're paranoid, maybe go disable IPv6. Under the network settings for your Local Area Connection, simply uncheck the box. That's the only potentially routable address you have.

It's possible your IP changed recently on your ISP. That IP could have been long ago listed in a SPAM database and you ran into that. Your bank would also not recognize your IP and might ask for confirmation. Many ISPs change your external IP on a daily/weekly/monthly basis, some do it less often.

Doesn't seem critical to me, though any of us can certainly be wrong or have overlooked something.

skeedo
04-21-2012, 07:47 PM
Welp, looks like my IP address has been changing; I thought it would be more static since I am never offline. Looking at some IRC logs, I'm seeing that it is different today than it was yesterday, so it must change quite frequently. You'd think that my bank website wouldn't freak out when I'm coming from a different IP but from the same subnet, but I guess it's just a security precaution. I also log on to my bank website from my work, which is a static IP, so that may have been throwing it off as well.

I downloaded Wireshark to capture packets. I have used it before, but far in the past for a college project and didn't really learn much about it then. I may or may not be reading this right, but I am seeing one thing that seems suspicious:


796 99.509054 192.168.1.33 78.46.145.99 TCP 73 49485 > 20069 [PSH, ACK] Seq=1 Ack=1 Win=16327 Len=19
798 99.836215 192.168.1.33 78.46.145.99 TCP 54 49485 > 20069 [ACK] Seq=20 Ack=50 Win=16314 Len=0


20069 is my BitTorrent port, one of the few ports that I have open. If I am right, it keeps sending the same-length packet to that same IP address through the BitTorrent port. This doesn't seem to occur too often, but it does. Thing is, I do not have a BitTorrent client open and I am still sending packets to this IP address.

Is this suspect? Is there anything specific I should be looking for that would indicate an intrusion?

skeedo
04-21-2012, 08:06 PM
Actually, never mind about that, the paranoia is really getting to me heh. The port I use to connect to my psybnc is also 20069, so I wasn't reading it right. I knew it was my IRC client after analyzing the actual packet data that was sent.

Can anybody give me some pointers on how to identify intrusions, specifically what kind of packets I should be looking for? Thanks.

power_hour
04-26-2012, 12:30 AM
Actually, never mind about that, the paranoia is really getting to me heh. The port I use to connect to my psybnc is also 20069, so I wasn't reading it right. I knew it was my IRC client after analyzing the actual packet data that was sent.

Can anybody give me some pointers on how to identify intrusions, specifically what kind of packets I should be looking for? Thanks.

You're on the right track. Wireshark has an amazing number of tutorials. Also search YouTube and Google for more tips.

However, at this stage of the game, I would format and reinstall the OS. These days that's what, 30-45 min tops? Then you install VirtualBox and create a couple of VMs. One for banking and one for browsing, and never mix them. Recycle them every 30 days.

Cheers,
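An added example for the question of what to look for in a capture, not code from the thread: the packet pair skeedo pasted (a 19-byte push to the same remote port at intervals, followed by a bare ACK) is the shape of a keepalive, and it is also the shape of a command-and-control beacon, so a useful first pass over a capture is to list every flow that sends data packets of one size at a near-constant period, then confirm each hit by owning process and payload, which is exactly how the psybnc case was resolved. The script below parses Wireshark packet-list lines in the layout quoted above and ranks flows by timing regularity. The sample capture is constructed for the example: the 20069 flow mimics the bouncer keepalive, the 10.9.8.7:4444 flow is a made-up stand-in for a beacon, and the port-80 flow is ordinary browsing; apart from 192.168.1.33, 78.46.145.99 and 72.21.81.253, none of the addresses come from the thread.

```python
"""Rank flows in a Wireshark packet-list export by how beacon-like they are:
data packets of one size, to one endpoint, at a near-constant interval."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample in the packet-list layout quoted in the thread
# (No. Time Source Destination Protocol Length Info). Three flows from 192.168.1.33:
#   78.46.145.99:20069  19-byte pushes about every 90 s     (mimics the IRC bouncer keepalive)
#   10.9.8.7:4444       22-byte pushes every 30 s, no jitter (made-up stand-in for a C2 beacon)
#   72.21.81.253:80     ordinary browsing, mixed sizes, bursty
SAMPLE = """\
12 9.500000 192.168.1.33 78.46.145.99 TCP 73 49485 > 20069 [PSH, ACK] Seq=1 Ack=1 Win=16327 Len=19
13 9.700000 192.168.1.33 78.46.145.99 TCP 54 49485 > 20069 [ACK] Seq=20 Ack=50 Win=16314 Len=0
20 12.000000 192.168.1.33 10.9.8.7 TCP 76 49500 > 4444 [PSH, ACK] Seq=1 Ack=1 Win=65535 Len=22
31 15.200000 192.168.1.33 72.21.81.253 TCP 571 49204 > 80 [PSH, ACK] Seq=1 Ack=1 Win=65535 Len=517
32 15.300000 192.168.1.33 72.21.81.253 TCP 466 49205 > 80 [PSH, ACK] Seq=1 Ack=1 Win=65535 Len=412
40 15.900000 192.168.1.33 72.21.81.253 TCP 571 49206 > 80 [PSH, ACK] Seq=1 Ack=1 Win=65535 Len=517
55 42.000000 192.168.1.33 10.9.8.7 TCP 76 49500 > 4444 [PSH, ACK] Seq=23 Ack=30 Win=65535 Len=22
60 47.000000 192.168.1.33 72.21.81.253 TCP 571 49207 > 80 [PSH, ACK] Seq=1 Ack=1 Win=65535 Len=517
61 48.100000 192.168.1.33 72.21.81.253 TCP 684 49208 > 80 [PSH, ACK] Seq=1 Ack=1 Win=65535 Len=630
70 72.010000 192.168.1.33 10.9.8.7 TCP 76 49500 > 4444 [PSH, ACK] Seq=45 Ack=59 Win=65535 Len=22
796 99.509054 192.168.1.33 78.46.145.99 TCP 73 49485 > 20069 [PSH, ACK] Seq=20 Ack=50 Win=16327 Len=19
798 99.836215 192.168.1.33 78.46.145.99 TCP 54 49485 > 20069 [ACK] Seq=39 Ack=99 Win=16314 Len=0
810 102.000000 192.168.1.33 10.9.8.7 TCP 76 49500 > 4444 [PSH, ACK] Seq=67 Ack=88 Win=65535 Len=22
900 132.000000 192.168.1.33 10.9.8.7 TCP 76 49500 > 4444 [PSH, ACK] Seq=89 Ack=117 Win=65535 Len=22
950 190.100000 192.168.1.33 78.46.145.99 TCP 73 49485 > 20069 [PSH, ACK] Seq=39 Ack=99 Win=16327 Len=19
1010 279.800000 192.168.1.33 78.46.145.99 TCP 73 49485 > 20069 [PSH, ACK] Seq=58 Ack=148 Win=16327 Len=19
1100 370.400000 192.168.1.33 78.46.145.99 TCP 73 49485 > 20069 [PSH, ACK] Seq=77 Ack=197 Win=16327 Len=19
"""

# "49485 > 20069 [PSH, ACK] Seq=1 Ack=1 Win=16327 Len=19" -> ports, flags, payload length
INFO_RE = re.compile(r"(\d+) > (\d+) \[([^\]]*)\].*?Len=(\d+)")


def parse_packets(text):
    """Turn packet-list lines into dicts; non-TCP or unparsable lines are skipped."""
    pkts = []
    for line in text.splitlines():
        parts = line.split(None, 6)
        if len(parts) < 7 or parts[4] != "TCP":
            continue
        m = INFO_RE.search(parts[6])
        if not m:
            continue
        pkts.append({"no": int(parts[0]), "time": float(parts[1]), "src": parts[2],
                     "dst": parts[3], "sport": m.group(1), "dport": m.group(2),
                     "flags": m.group(3), "payload": int(m.group(4))})
    return pkts


def find_beacons(pkts, min_packets=4, max_jitter=0.1):
    """Flows whose data packets all have one size and whose inter-arrival times vary
    by at most max_jitter (std dev / mean). Bare ACKs (Len=0) are ignored: they just
    follow the server's reply and would otherwise double-count every flow."""
    flows = defaultdict(list)
    for p in sorted(pkts, key=lambda p: p["time"]):
        if p["payload"] > 0:
            flows[(p["src"], p["dst"], p["dport"])].append(p)
    hits = []
    for key, ps in flows.items():
        if len(ps) < min_packets:
            continue
        gaps = [b["time"] - a["time"] for a, b in zip(ps, ps[1:])]
        period = mean(gaps)
        jitter = pstdev(gaps) / period if period > 0 else float("inf")
        sizes = {p["payload"] for p in ps}
        if jitter <= max_jitter and len(sizes) == 1:
            hits.append({"flow": key, "packets": len(ps), "payload": sizes.pop(),
                         "period_s": round(period, 1), "jitter": round(jitter, 4)})
    return sorted(hits, key=lambda h: h["jitter"])


if __name__ == "__main__":
    for h in find_beacons(parse_packets(SAMPLE)):
        print(h)
```

Both the keepalive and the made-up beacon are reported, and the browsing flow is not; that is the point. Regularity gets a flow onto the list, and what takes it off is the owner process (`netstat -abno` on Windows) and the decoded payload, not the port number, which is how a BitTorrent port turned out to be the IRC bouncer.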