I think I'm being hacked, need advice!

Centaur6

Banned
Dec 23, 2002
Just ran ActivePorts and this part of the readout REALLY troubled me. I have no idea what the hell this is, so I'm assuming the worst. I'm using ZoneAlarm, so I have no idea how someone could get in, though 'closing' under 'state' may mean they didn't. Either way, I want to be sure. So what software am I going to need here? Check out the readout; my IP was censored for obvious reasons.

process / PID / local IP / local port / remote IP / remote port / state / protocol

Unknown 2184 255.255.255.255 4928 130.94.70.82 80 CLOSING TCP
Unknown 4036 255.255.255.255 1454 24.100.218.119 3124 CLOSING TCP
Unknown 4036 255.255.255.255 4879 24.76.214.195 1214 CLOSING TCP
Unknown 4672 255.255.255.255 2092 68.101.208.22 1858 CLOSING TCP
Unknown 4672 255.255.255.255 2095 24.126.24.253 1214 CLOSING TCP
Unknown 4672 255.255.255.255 4506 24.203.141.179 3938 CLOSING TCP
Unknown 4996 255.255.255.255 1214 212.187.250.20 61696 CLOSING TCP
Unknown 4996 255.255.255.255 3396 217.228.216.93 1214 CLOSING TCP

Aves

Lifer
Feb 7, 2001
Originally posted by: Centaur6
Now i get this:

Unknown 0 255.255.255.255 1028 212.68.195.199 80 TIME_WAIT TCP


It's normal.

Whenever you visit websites, send IMs, download from P2P networks, etc. you establish TCP sessions with a remote host.

There are several states for the session to be in like ESTABLISHED, TIME_WAIT, CLOSING, etc.

In that particular session you established a TCP session with 212.68.195.199 on port 80, which is regular old web traffic.

You also have a couple from file transfers on Kazaa, port 1214.



Aves

Lifer
Feb 7, 2001
Here is some info on the TCP Session States and the netstat command:

State        - Description

CLOSED       - There is no connection between your computer and the remote host.
CLOSING      - Your computer and the remote computer have both agreed to close the connection.
CLOSE WAIT   - The remote computer has initiated closing the connection.
ESTABLISHED  - There is a connection.
FIN WAIT 1   - The software using the connection (like MSN Messenger) has finished using the connection.
FIN WAIT 2   - The remote computer has agreed to close the connection.
LAST ACK     - The connection is waiting for all the data packets to be destroyed.
LISTEN       - Your computer is listening for incoming connections.
SYN RCVD     - The remote computer is sending a request for a connection.
SYN SENT     - Your computer has initiated opening a connection.
TIMED WAIT   - Same as LAST ACK.



IANA Port Assignments

Centaur6

Banned
Dec 23, 2002
Originally posted by: aves2k
Here is some info on the TCP Session States and the netstat command:
Right, doesn't seem like there's a reason to worry unless it says ESTABLISHED. However, I'd still like to see what's using that port. What software can I use to do that?

Aves

Lifer
Feb 7, 2001
Originally posted by: Centaur6
Right, doesn't seem like there's a reason to worry unless it says ESTABLISHED. However, I'd still like to see what's using that port. What software can I use to do that?
IANA Port Assignments will show you the different port numbers. Many times port numbers are randomly generated from the upper range, so there is no real easy way to know unless you are using Windows XP.

In WinXP the netstat command has a new switch that will show which Process ID a session is associated with. Then you can find the matching PID in the Windows Task Manager.

Issue netstat -o from the command prompt to do this.


Also, ESTABLISHED isn't always something to get all worked up about either, because once you visit a website you will have an ESTABLISHED TCP session on port 80.
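The triage this thread describes (teardown states are sessions on their way out; what needs chasing with netstat -o or TCPView is a live or listening socket whose owner the tool could not name), as an added Python example that is not part of the thread. It parses the column layout Centaur6 posted; the port labels, the verdict names and the made-up LISTEN row in the sample are assumptions.

```python
from collections import namedtuple

# Port labels for the two services named in the thread (assumed mapping).
PORT_LABELS = {80: "HTTP", 1214: "Kazaa"}
# TCP states that mean the session is already being torn down.
TEARDOWN = {"CLOSING", "CLOSE_WAIT", "TIME_WAIT", "FIN_WAIT_1", "FIN_WAIT_2", "LAST_ACK"}

# One readout row: process PID local-IP local-port remote-IP remote-port state protocol.
Conn = namedtuple("Conn", "process pid local_ip local_port remote_ip remote_port state proto")

def parse_readout(text):
    """Parse 8-column rows, skipping the header and anything malformed."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 8 and f[1].isdigit() and f[3].isdigit() and f[5].isdigit():
            rows.append(Conn(f[0], int(f[1]), f[2], int(f[3]), f[4], int(f[5]), f[6], f[7]))
    return rows

def triage(c):
    """Return ('ok' | 'review', reason) for one row."""
    label = PORT_LABELS.get(c.remote_port) or PORT_LABELS.get(c.local_port) or "unlabelled port"
    peer = f"{c.remote_ip}:{c.remote_port} ({label})"
    if c.state in TEARDOWN:
        return "ok", f"closing session to {peer}"
    if c.process == "Unknown" and c.state == "LISTEN":
        return "review", f"PID {c.pid} is listening on local port {c.local_port}; identify it"
    if c.process == "Unknown" and c.state == "ESTABLISHED":
        return "review", f"PID {c.pid} has a live session to {peer}; identify it"
    return "ok", f"{c.state} to {peer}"

def triage_readout(text):
    """Group reasons by verdict; the 'review' list is what to chase with netstat -o or TCPView."""
    out = {"ok": [], "review": []}
    for c in parse_readout(text):
        verdict, reason = triage(c)
        out[verdict].append(reason)
    return out

# Constructed sample: three rows quoted from the thread plus one made-up LISTEN row (PID and port invented).
SAMPLE = """\
process PID localIP localport remoteIP remoteport state protocol
Unknown 2184 255.255.255.255 4928 130.94.70.82 80 CLOSING TCP
Unknown 4996 255.255.255.255 1214 212.187.250.20 61696 CLOSING TCP
Unknown 0 255.255.255.255 1028 212.68.195.199 80 TIME_WAIT TCP
Unknown 3131 0.0.0.0 4455 0.0.0.0 0 LISTEN TCP
"""
```

Running `triage_readout(SAMPLE)` puts the three quoted rows under "ok" and only the invented LISTEN row under "review".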

Batti

Golden Member
Feb 2, 2000
You might want to check out TCPview from the guys at Sysinternals. It will show you what process has the port open. Good stuff!!