AnandTech Forums > Software > Security

Old 04-20-2012, 07:25 PM   #1
skeedo
Senior Member
 
Join Date: Nov 2004
Posts: 230
Crazy amount of network connections, possible system compromise

Running netstat -a, I have a lot of connections which I believe to be loopback connections, and I'm not quite sure of the reason for this.

Yesterday, I logged onto my bank website and it said it did not recognize my IP address and I had to provide an answer to a security question. Also, I placed an order for a Linux shell with a provider and they denied my order, saying I sent it by proxy. However, doing a lookup on my computer on various websites, my IP resolves to a Verizon IP, and no proxy is detected...although I'm told you can be using a proxy that doesn't identify itself.

I have done scans with both Avast and Windows Defender that found nothing. I only download software from trusted sites and honestly have not had a virus since I moved to Windows 7 with Chrome some 8 months ago.

My bank website not recognizing my IP and the shell provider claiming that I sent from a proxy is enough to raise suspicion, however. Here are my netstat -a results after a fresh reboot; does anybody see anything out of the ordinary here? I can't understand why I have all these open loopback connections; furthermore, I don't like the established http and https connections that I see when I haven't even opened a web browser yet. I imagine there are other services that use the HTTP protocol other than a web browser, but I just can't be completely sure that I'm out of the woods.


Code:
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            skeedo:0               LISTENING
  TCP    0.0.0.0:445            skeedo:0               LISTENING
  TCP    0.0.0.0:554            skeedo:0               LISTENING
  TCP    0.0.0.0:2869           skeedo:0               LISTENING
  TCP    0.0.0.0:3389           skeedo:0               LISTENING
  TCP    0.0.0.0:5357           skeedo:0               LISTENING
  TCP    0.0.0.0:10243          skeedo:0               LISTENING
  TCP    0.0.0.0:49152          skeedo:0               LISTENING
  TCP    0.0.0.0:49153          skeedo:0               LISTENING
  TCP    0.0.0.0:49155          skeedo:0               LISTENING
  TCP    0.0.0.0:49156          skeedo:0               LISTENING
  TCP    0.0.0.0:49157          skeedo:0               LISTENING
  TCP    0.0.0.0:49160          skeedo:0               LISTENING
  TCP    127.0.0.1:5354         skeedo:0               LISTENING
  TCP    127.0.0.1:12025        skeedo:0               LISTENING
  TCP    127.0.0.1:12080        skeedo:0               LISTENING
  TCP    127.0.0.1:12080        3dns:49178             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49190             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49192             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49195             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49197             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49198             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49199             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49200             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49201             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49202             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49203             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49211             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49212             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49215             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49216             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49217             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49223             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49225             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49227             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49229             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49230             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49233             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49235             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49236             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49239             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49240             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49241             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49249             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49251             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49253             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49255             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49256             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49257             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49258             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49259             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49265             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49267             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49269             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49271             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49273             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49274             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49281             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49283             ESTABLISHED
  TCP    127.0.0.1:12110        skeedo:0               LISTENING
  TCP    127.0.0.1:12119        skeedo:0               LISTENING
  TCP    127.0.0.1:12143        skeedo:0               LISTENING
  TCP    127.0.0.1:12465        skeedo:0               LISTENING
  TCP    127.0.0.1:12563        skeedo:0               LISTENING
  TCP    127.0.0.1:12993        skeedo:0               LISTENING
  TCP    127.0.0.1:12995        skeedo:0               LISTENING
  TCP    127.0.0.1:49178        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49190        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49192        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49195        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49197        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49198        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49199        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49200        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49201        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49202        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49203        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49211        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49212        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49215        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49216        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49217        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49223        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49225        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49227        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49229        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49230        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49233        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49235        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49236        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49239        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49240        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49241        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49249        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49251        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49253        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49255        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49256        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49257        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49258        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49259        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49265        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49267        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49269        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49271        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49273        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49274        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49281        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:49283        3dns:12080             ESTABLISHED
  TCP    192.168.1.33:139       skeedo:0               LISTENING
  TCP    192.168.1.33:49181     vb-in-f104:https       ESTABLISHED
  TCP    192.168.1.33:49182     iad04s01-in-f95:https  TIME_WAIT
  TCP    192.168.1.33:49183     vb-in-f104:http        ESTABLISHED
  TCP    192.168.1.33:49185     vb-in-f104:https       TIME_WAIT
  TCP    192.168.1.33:49186     iad04s01-in-f113:https  ESTABLISHED
  TCP    192.168.1.33:49187     iad04s01-in-f120:https  TIME_WAIT
  TCP    192.168.1.33:49191     iad04s01-in-f100:http  ESTABLISHED
  TCP    192.168.1.33:49193     iad04s01-in-f138:http  ESTABLISHED
  TCP    192.168.1.33:49194     iad04s01-in-f120:https  ESTABLISHED
  TCP    192.168.1.33:49196     merlin:http            CLOSE_WAIT
  TCP    192.168.1.33:49204     72.21.81.253:http      CLOSE_WAIT
  TCP    192.168.1.33:49205     72.21.81.253:http      CLOSE_WAIT
  TCP    192.168.1.33:49206     72.21.81.253:http      CLOSE_WAIT
  TCP    192.168.1.33:49207     72.21.81.253:http      CLOSE_WAIT
  TCP    192.168.1.33:49208     72.21.81.253:http      CLOSE_WAIT
  TCP    192.168.1.33:49209     72.21.81.253:http      CLOSE_WAIT
  TCP    192.168.1.33:49210     advanced360:http       CLOSE_WAIT
  TCP    192.168.1.33:49213     a23-66-231-43:http     CLOSE_WAIT
  TCP    192.168.1.33:49214     a23-66-231-43:http     CLOSE_WAIT
  TCP    192.168.1.33:49218     iad04s01-in-f95:http   ESTABLISHED
  TCP    192.168.1.33:49219     iad04s01-in-f95:http   ESTABLISHED
  TCP    192.168.1.33:49220     iad04s01-in-f95:http   ESTABLISHED
  TCP    192.168.1.33:49224     www-slb-11-05-prn1:http  ESTABLISHED
  TCP    192.168.1.33:49226     72.21.81.253:http      CLOSE_WAIT
  TCP    192.168.1.33:49228     goku:http              ESTABLISHED
  TCP    192.168.1.33:49231     72.21.81.253:http      CLOSE_WAIT
  TCP    192.168.1.33:49232     72.21.81.253:http      CLOSE_WAIT
  TCP    192.168.1.33:49234     72.21.81.253:http      CLOSE_WAIT
  TCP    192.168.1.33:49237     72.21.81.253:http      CLOSE_WAIT
  TCP    192.168.1.33:49238     72.21.81.253:http      CLOSE_WAIT
  TCP    192.168.1.33:49243     merlin:http            CLOSE_WAIT
  TCP    192.168.1.33:49244     merlin:http            CLOSE_WAIT
  TCP    192.168.1.33:49245     merlin:http            CLOSE_WAIT
  TCP    192.168.1.33:49250     iad04s01-in-f113:http  ESTABLISHED
  TCP    192.168.1.33:49252     64.152.208.202:http    ESTABLISHED
  TCP    192.168.1.33:49254     a72-247-242-72:http    CLOSE_WAIT
  TCP    192.168.1.33:49260     a72-247-242-72:http    CLOSE_WAIT
  TCP    192.168.1.33:49261     a72-247-242-72:http    CLOSE_WAIT
  TCP    192.168.1.33:49262     a72-247-242-72:http    CLOSE_WAIT
  TCP    192.168.1.33:49263     a72-247-242-72:http    CLOSE_WAIT
  TCP    192.168.1.33:49264     a72-247-242-72:http    CLOSE_WAIT
  TCP    192.168.1.33:49266     a23-66-231-57:http     ESTABLISHED
  TCP    192.168.1.33:49268     208-44-23-96:http      ESTABLISHED
  TCP    192.168.1.33:49270     goku:http              ESTABLISHED
  TCP    192.168.1.33:49272     cdn-208-111-161-254:http  CLOSE_WAIT
  TCP    192.168.1.33:49275     cdn-208-111-161-254:http  CLOSE_WAIT
  TCP    192.168.1.33:49276     cdn-208-111-161-254:http  CLOSE_WAIT
  TCP    192.168.1.33:49282     67.148.147.80:http     ESTABLISHED
  TCP    192.168.1.33:49284     67.148.147.80:http     ESTABLISHED
  TCP    [::]:135               skeedo:0               LISTENING
  TCP    [::]:445               skeedo:0               LISTENING
  TCP    [::]:554               skeedo:0               LISTENING
  TCP    [::]:2869              skeedo:0               LISTENING
  TCP    [::]:3389              skeedo:0               LISTENING
  TCP    [::]:3587              skeedo:0               LISTENING
  TCP    [::]:5357              skeedo:0               LISTENING
  TCP    [::]:10243             skeedo:0               LISTENING
  TCP    [::]:49152             skeedo:0               LISTENING
  TCP    [::]:49153             skeedo:0               LISTENING
  TCP    [::]:49155             skeedo:0               LISTENING
  TCP    [::]:49156             skeedo:0               LISTENING
  TCP    [::]:49157             skeedo:0               LISTENING
  TCP    [::]:49160             skeedo:0               LISTENING
  UDP    0.0.0.0:3544           *:*                    
  UDP    0.0.0.0:3702           *:*                    
  UDP    0.0.0.0:3702           *:*                    
  UDP    0.0.0.0:3702           *:*                    
  UDP    0.0.0.0:3702           *:*                    
  UDP    0.0.0.0:5004           *:*                    
  UDP    0.0.0.0:5005           *:*                    
  UDP    0.0.0.0:5355           *:*                    
  UDP    0.0.0.0:54818          *:*                    
  UDP    0.0.0.0:54820          *:*                    
  UDP    0.0.0.0:56882          *:*                    
  UDP    0.0.0.0:57313          *:*                    
  UDP    127.0.0.1:1900         *:*                    
  UDP    127.0.0.1:44301        *:*                    
  UDP    127.0.0.1:45301        *:*                    
  UDP    127.0.0.1:56881        *:*                    
  UDP    127.0.0.1:56887        *:*                    
  UDP    192.168.1.33:137       *:*                    
  UDP    192.168.1.33:138       *:*                    
  UDP    192.168.1.33:1900      *:*                    
  UDP    192.168.1.33:5353      *:*                    
  UDP    192.168.1.33:56886     *:*                    
  UDP    192.168.1.33:64784     *:*                    
  UDP    [::]:3540              *:*                    
  UDP    [::]:3702              *:*                    
  UDP    [::]:3702              *:*                    
  UDP    [::]:3702              *:*                    
  UDP    [::]:3702              *:*                    
  UDP    [::]:5004              *:*                    
  UDP    [::]:5005              *:*                    
  UDP    [::]:5355              *:*                    
  UDP    [::]:54819             *:*                    
  UDP    [::]:54821             *:*                    
  UDP    [::]:56883             *:*                    
  UDP    [::]:57314             *:*                    
  UDP    [::1]:1900             *:*                    
  UDP    [::1]:56885            *:*                    
  UDP    [fe80::58cc:59d9:a4f6:f96a%10]:546  *:*                    
  UDP    [fe80::58cc:59d9:a4f6:f96a%10]:1900  *:*                    
  UDP    [fe80::58cc:59d9:a4f6:f96a%10]:56884  *:*
Old 04-20-2012, 07:43 PM   #2
AFurryReptile
Golden Member
Join Date: Nov 2006
Location: Houston, Texas
Posts: 1,994

That's completely normal, don't sweat it. Exactly 0 of those IPs are even internet routable.
Old 04-20-2012, 11:12 PM   #3
power_hour
Senior Member
Join Date: Oct 2010
Location: nowhere important
Posts: 789

Install Wireshark and view the results. Windows 7 is a bit chatty though, so don't freak out yet. And what exactly do you mean your bank doesn't recognize your IP? That could mean someone is attempting to access your accounts from another PC. Take steps to verify what they are saying immediately.
Old 04-21-2012, 01:57 AM   #4
SecurityTheatre
Senior Member
 
Join Date: Aug 2011
Posts: 672

It looks like a computer that has visited a few different web pages in the last 20 minutes.


Was that you?

If so, totally normal.

Windows is massive, bloated, chatty on the network and all of those little updaters, agents, plugins, etc... each want to visit a site.

Flash is checking for updates, Java is checking for updates. iTunes is checking for updates, the browser is getting pages, antivirus is checking pages for malware and spam, email services are checking email.

Most of that happens without even opening other programs. :-)

And the overweight reptile is correct, none of the IPv4 addresses in there are routable, it's all outbound connections.

Actually, if you're paranoid, maybe go disable IPv6. Under the network settings for your Local Area connection, simply uncheck the box. That's the only potentially routable address you have.

It's possible your IP changed recently on your ISP. That IP could have been long ago listed in a SPAM database and you ran into that. Your bank would also not recognize your IP and might ask for confirmation. Many ISPs change your external IP on a daily/weekly/monthly basis, some do it less often.

Doesn't seem critical to me, though any of us can certainly be wrong or have overlooked something.

Last edited by SecurityTheatre; 04-21-2012 at 02:00 AM.
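The checks the two replies above make by eye (which listeners are bound to loopback only, which are reachable from the network, whether every far end is a private or loopback address, and the fact that each established loopback connection shows up twice) can be scripted. The following Python is an added example written for this thread, not code from any of the posters. It assumes the text layout of Windows `netstat -a` as pasted above, with hostnames left as netstat printed them (`skeedo`, `3dns`, `vb-in-f104` resolve only on that machine; running `netstat -an` prints numbers instead). The sample input is a constructed subset of the posted listing.

```python
import ipaddress

# Constructed sample input: a handful of lines copied from the netstat -a listing
# posted in the thread, with the hostnames left exactly as netstat printed them.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            skeedo:0               LISTENING
  TCP    0.0.0.0:3389           skeedo:0               LISTENING
  TCP    127.0.0.1:12080        skeedo:0               LISTENING
  TCP    127.0.0.1:12080        3dns:49178             ESTABLISHED
  TCP    127.0.0.1:49178        3dns:12080             ESTABLISHED
  TCP    127.0.0.1:12080        3dns:49190             ESTABLISHED
  TCP    192.168.1.33:49181     vb-in-f104:https       ESTABLISHED
  TCP    192.168.1.33:49204     72.21.81.253:http      CLOSE_WAIT
  TCP    [::]:445               skeedo:0               LISTENING
  UDP    0.0.0.0:3702           *:*
  UDP    [fe80::58cc:59d9:a4f6:f96a%10]:1900  *:*
"""


def split_endpoint(token):
    """Split 'host:port', '[v6addr]:port' or '*:*' into (host, port) strings."""
    host, _, port = token.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host.split("%", 1)[0], port      # drop an IPv6 zone index such as %10


def as_ip(host):
    """Return an ip_address object, or None when netstat printed a hostname."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def parse_netstat(text):
    """Turn the text table into a list of dicts; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = fields[:3]
        state = fields[3] if len(fields) > 3 else ""     # UDP rows carry no state
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        entries.append({"proto": proto, "local": local, "lhost": lhost, "lport": lport,
                        "fhost": fhost, "fport": fport, "state": state})
    return entries


def summarize(entries):
    """Classify sockets by who can reach them and where the far end lives."""
    summary = {"network_listeners": [], "loopback_listeners": [],
               "foreign_public": [], "foreign_private": [], "foreign_unresolved": [],
               "loopback_pairs": 0, "loopback_unpaired": []}
    loop_conns = set()
    for e in entries:
        lip = as_ip(e["lhost"])
        local_is_loop = lip is not None and lip.is_loopback
        # A bound-but-idle socket: TCP in LISTENING, or any UDP socket.
        if e["proto"] == "UDP" or e["state"] == "LISTENING":
            bucket = "loopback_listeners" if local_is_loop else "network_listeners"
            summary[bucket].append(f'{e["proto"]} {e["local"]}')
            continue
        if local_is_loop:                      # both ends are this machine
            loop_conns.add((e["lport"], e["fport"]))
            continue
        fip = as_ip(e["fhost"])
        target = f'{e["fhost"]}:{e["fport"]} ({e["state"]})'
        if fip is None:
            summary["foreign_unresolved"].append(target)
        elif fip.is_private or fip.is_loopback or fip.is_link_local:
            summary["foreign_private"].append(target)
        else:
            summary["foreign_public"].append(target)
    # Every established loopback connection is listed twice, once from the client
    # side (ephemeral port -> service port) and once from the server side, so the
    # long run of 12080 <-> 49xxx rows in the thread collapses to one row per pair.
    seen = set()
    for lport, fport in sorted(loop_conns):
        if (lport, fport) in seen:
            continue
        if (fport, lport) in loop_conns:
            summary["loopback_pairs"] += 1
            seen.add((fport, lport))
        else:
            summary["loopback_unpaired"].append(f"{lport}<->{fport}")
    return summary


if __name__ == "__main__":
    for key, value in summarize(parse_netstat(SAMPLE)).items():
        print(f"{key}: {value}")
```

The `network_listeners` list is the one worth reading line by line: a TCP listener on `0.0.0.0` or `[::]` (135, 445, 3389 in the thread) accepts connections from anything that can reach the machine, whereas the `127.0.0.1:12xxx` listeners only ever talk to local processes. `foreign_public` is empty for a freshly booted machine only if nothing phoned home; it is not empty here, and the thread's later replies explain why that is expected. Adding `-o` to the Windows `netstat` command prints the owning process id per row, which is the quickest way to attach a name to an unexplained listener.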
Old 04-21-2012, 08:47 PM   #5
skeedo
Senior Member
 
Join Date: Nov 2004
Posts: 230

Welp, looks like my IP address has been changing, I thought it would be more static since I am never offline. Looking at some IRC logs I'm seeing that it is different today than it was yesterday, so it must change quite frequently. You'd think that my bank website wouldn't freak out when I'm coming from a different IP but from the same subnet, but I guess it's just a security precaution. I also log on to my bank website from my work, which is a static IP, so that may have been throwing it off as well.

I downloaded Wireshark to capture packets. I have used it before, but far in the past for a college project and didn't really learn much about it then. I may or may not be reading this right, but I am seeing one thing that seems suspicious:

Code:
796	99.509054	192.168.1.33	78.46.145.99	TCP	73	49485 > 20069 [PSH, ACK] Seq=1 Ack=1 Win=16327 Len=19
798	99.836215	192.168.1.33	78.46.145.99	TCP	54	49485 > 20069 [ACK] Seq=20 Ack=50 Win=16314 Len=0
20069 is my BitTorrent port, one of the few ports that I have open. If I am right, it keeps sending the same length packet to that same IP address through the BitTorrent port. This doesn't seem to occur too often, but it does. Thing is, I do not have a BitTorrent client open and I am still sending packets to this IP address.

Is this suspect? Is there anything specific I should be looking for that would indicate an intrusion?
Old 04-21-2012, 09:06 PM   #6
skeedo
Senior Member
 
Join Date: Nov 2004
Posts: 230

Actually, never mind about that, the paranoia is really getting to me heh. The port I use to connect to my psybnc is also 20069, so I wasn't reading it right. I knew it was my IRC client after analyzing the actual packet data that was sent.

Can anybody give me some pointers on how to identify intrusions, specifically what kind of packets I should be looking for? Thanks.
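The way the 20069 traffic got explained above, by tying a remote port to a service the owner already runs, is the general method for the question skeedo asks: inventory every conversation in the capture, attach a known-service label where one exists, and look harder at whatever is left, particularly connections that send fixed-size packets on a fixed schedule. The Python below is an added example for this thread, not the posters' code. It assumes rows in the tab-separated packet-list layout skeedo pasted (No., Time, Source, Destination, Protocol, Length, Info); `LOCAL_HOST` and the `KNOWN_SERVICES` entry come from the thread, and all rows after the first two are constructed (203.0.113.10 is a documentation address standing in for an unexplained far end).

```python
import re
import statistics
from collections import defaultdict

LOCAL_HOST = "192.168.1.33"                     # the workstation from the thread
KNOWN_SERVICES = {20069: "psybnc IRC bouncer"}  # remote ports the owner can account for

# Constructed sample: rows in the tab-separated packet-list layout from the thread.
# The first two rows are the ones skeedo posted; the rest are made up to show a
# reply from the bouncer and a second conversation nobody has explained yet.
SAMPLE = """\
796\t99.509054\t192.168.1.33\t78.46.145.99\tTCP\t73\t49485 > 20069 [PSH, ACK] Seq=1 Ack=1 Win=16327 Len=19
798\t99.836215\t192.168.1.33\t78.46.145.99\tTCP\t54\t49485 > 20069 [ACK] Seq=20 Ack=50 Win=16314 Len=0
801\t100.100000\t78.46.145.99\t192.168.1.33\tTCP\t60\t20069 > 49485 [PSH, ACK] Seq=50 Ack=20 Win=229 Len=6
830\t110.000000\t192.168.1.33\t203.0.113.10\tTCP\t73\t49500 > 8080 [PSH, ACK] Seq=1 Ack=1 Win=16327 Len=19
902\t170.000000\t192.168.1.33\t203.0.113.10\tTCP\t73\t49500 > 8080 [PSH, ACK] Seq=20 Ack=1 Win=16327 Len=19
975\t230.000000\t192.168.1.33\t203.0.113.10\tTCP\t73\t49500 > 8080 [PSH, ACK] Seq=39 Ack=1 Win=16327 Len=19
1040\t290.000000\t192.168.1.33\t203.0.113.10\tTCP\t73\t49500 > 8080 [PSH, ACK] Seq=58 Ack=1 Win=16327 Len=19
"""

# Wireshark writes the port pair as "49485 > 20069" (older) or "49485 → 20069" (newer).
PORTS_RE = re.compile(r"(\d+)\s*(?:>|\u2192)\s*(\d+)")


def parse_packet_list(text):
    """Parse TCP rows into dicts; rows of other protocols are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 7:
            continue
        _no, time, src, dst, proto, length, info = parts[:7]
        m = PORTS_RE.match(info)
        if proto != "TCP" or not m:
            continue
        rows.append({"time": float(time), "src": src, "dst": dst,
                     "sport": int(m.group(1)), "dport": int(m.group(2)),
                     "length": int(length)})
    return rows


def conversations(rows, local_host=LOCAL_HOST):
    """Group packets by (remote ip, remote port) regardless of direction."""
    convs = defaultdict(lambda: {"times": [], "lengths": []})
    for r in rows:
        if r["src"] == local_host:
            key = (r["dst"], r["dport"])
        elif r["dst"] == local_host:
            key = (r["src"], r["sport"])
        else:
            continue                       # traffic not involving this host
        convs[key]["times"].append(r["time"])
        convs[key]["lengths"].append(r["length"])
    return convs


def review(convs, known=KNOWN_SERVICES):
    """One report entry per conversation: size, cadence, and whether it is accounted for."""
    report = []
    for (ip, port), c in sorted(convs.items()):
        times = sorted(c["times"])
        gaps = [b - a for a, b in zip(times, times[1:])]
        # A fixed cadence (spread under 5% of the mean gap) is worth a second look
        # when the far end is not a service the owner already knows about.
        regular = len(gaps) >= 2 and statistics.pstdev(gaps) < 0.05 * statistics.mean(gaps)
        known_as = known.get(port)
        report.append({"remote": f"{ip}:{port}", "packets": len(times),
                       "constant_size": len(set(c["lengths"])) == 1,
                       "regular_interval": regular, "known_as": known_as,
                       "needs_explanation": known_as is None})
    return report


if __name__ == "__main__":
    for entry in review(conversations(parse_packet_list(SAMPLE))):
        print(entry)
```

Run against the sample, the bouncer conversation comes out labelled and with an irregular cadence and mixed packet sizes, which is what interactive IRC looks like, while the constructed 203.0.113.10:8080 conversation shows four identical 73-byte packets exactly 60 seconds apart with no label. The `KNOWN_SERVICES` map is the part to maintain: each run, anything that survives with `needs_explanation` set is a port to identify (by process, as skeedo did by reading the payload) and then either add to the map or investigate.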
Old 04-26-2012, 01:30 AM   #7
power_hour
Senior Member
Join Date: Oct 2010
Location: nowhere important
Posts: 789

Quote:
Originally Posted by skeedo View Post
Actually, never mind about that, the paranoia is really getting to me heh. The port I use to connect to my psybnc is also 20069, so I wasn't reading it right. I knew it was my IRC client after analyzing the actual packet data that was sent.

Can anybody give me some pointers on how to identify intrusions, specifically what kind of packets I should be looking for? Thanks.
You're on the right track. Wireshark has an amazing number of tutorials. Also search YouTube and Google for more tips.

However, at this stage of the game, I would format and reinstall the OS. These days that's what, 30-45 min tops? Then you install VirtualBox and create a couple of VMs. One for banking and one for browsing, and never mix them. Recycle them every 30 days.

Cheers,