Velocity Reviews


RAH 08-26-2004 11:31 AM

Router reveals port activity
 
Hi,
I access the internet from my laptop via a Netgear wireless router. Shortly
after a connection is made between laptop and router the dialup modem which
is attached to the router dials up automatically without me getting as far
as starting OE6 or IE6.

I discovered the following entry in the router log:
Dial on demand, XXX.XXX.XXX.X:3014 to XXX.XX.XXX.XX:53 (X's are the IP
address of the router - I think).

Can anyone tell me if there is anything untoward in this behaviour such as a
trojan or virus, if it is normal for this to occur or if some background
programme is attempting an auto-update or similar?

I have AVG antivirus, Ad-Aware and Spybot installed.

Thanks in advance.

RAH


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.744 / Virus Database: 496 - Release Date: 24/08/2004



Duane Arnold 08-26-2004 12:09 PM

Re: Router reveals port activity
 
RAH wrote:

> Hi,
> I access the internet from my laptop via a Netgear wireless router.
> Shortly after a connection is made between laptop and router the dialup
> modem which is attached to the router dials up automatically without me
> getting as far as starting OE6 or IE6.
>
> I discovered the following entry in the router log:
> Dial on demand, XXX.XXX.XXX.X:3014 to XXX.XX.XXX.XX:53 (X's are the IP
> address of the router - I think).
>
> Can anyone tell me if there is anything untoward in this behaviour such as
> a trojan or virus, if it is normal for this to occur or if some background
> programme is attempting an auto-update or similar?
>
> I have AVG antivirus, Ad-Aware and Spybot installed.
>
> Thanks in advance.
>
> RAH


Use the tools in the link like Active Ports and Process Explorer (free) to
help you make your determination.

http://www.windowsecurity.com/pages/..._p.asp?id=1122

Duane :)

I am an *unregistered* Linux user. Unreg# 99999999999999999

why? 08-26-2004 07:06 PM

Re: Router reveals port activity
 

On Thu, 26 Aug 2004 12:31:36 +0100, RAH wrote:

>Hi,
>I access the internet from my laptop via a Netgear wireless router. Shortly
>after a connection is made between laptop and router the dialup modem which
>is attached to the router dials up automatically without me getting as far
>as starting OE6 or IE6.
>
>I discovered the following entry in the router log:
>Dial on demand, XXX.XXX.XXX.X:3014 to XXX.XX.XXX.XX:53 (X's are the IP
>address of the router - I think).


X's are the IP of the router in both cases?

If your (some unknown model) Netgear router follows normal conventions
then,

The 53 on the 2nd entry is DNS lookup (port 53)
http://www.iana.org/assignments/port-numbers

>Can anyone tell me if there is anything untoward in this behaviour such as a
>trojan or virus, if it is normal for this to occur or if some background


Many apps I run call home checking for updates at startup and I never
use OE6 and hardly IE6.

>programme is attempting an auto-update or similar?


DNS lookups happen quite often.

>I have AVG antivirus, Ad-Aware and Spybot installed.

<snip>

Me

RAH 08-27-2004 02:39 PM

Re: Router reveals port activity
 
It seems that most of the activity is caused by svchost doing various normal
things. Glad I checked with TCPView though. Thanks for the tip WHY.
RAH

"why?" <fgrirp*sgc@VAINY!Qznq.fpvragvfg.pbz> wrote in message
news:ufcsi05gkd4ms73gtnehpr9qsdm9a0i5qv@4ax.com...
>
> On Thu, 26 Aug 2004 12:31:36 +0100, RAH wrote:
>
> >Hi,
> >I access the internet from my laptop via a Netgear wireless router. Shortly
> >after a connection is made between laptop and router the dialup modem which
> >is attached to the router dials up automatically without me getting as far
> >as starting OE6 or IE6.
> >
> >I discovered the following entry in the router log:
> >Dial on demand, XXX.XXX.XXX.X:3014 to XXX.XX.XXX.XX:53 (X's are the IP
> >address of the router - I think).
>
> X's are the IP of the router in both cases?
>
> If your (some unknown model) Netgear router follows normal conventions
> then,
>
> The 53 on the 2nd entry is DNS lookup (port 53)
> http://www.iana.org/assignments/port-numbers
>
> >Can anyone tell me if there is anything untoward in this behaviour such as a
> >trojan or virus, if it is normal for this to occur or if some background
>
> Many apps I run call home checking for updates at startup and I never
> use OE6 and hardly IE6.
>
> >programme is attempting an auto-update or similar?
>
> DNS lookups happen quite often.
>
> >I have AVG antivirus, Ad-Aware and Spybot installed.
>
> <snip>
>
> Me






Duane Arnold 08-27-2004 04:46 PM

Re: Router reveals port activity
 

"RAH" <Me@home.com> wrote in message
news:cgnh2e$68o$1@news5.svr.pol.co.uk...
> It seems that most of the activity is caused by svchost doing various normal
> things. Glad I checked with TCPView though. Thanks for the tip WHY.
> RAH


What makes you think that malware cannot use svchost.exe for its bidding,
after all svchost.exe is the messenger for the O/S programs and any other
program such as a Trojan that may want to communicate out can use it? If
svchost.exe is not running out of the system32 directory, then it's a
Trojan. That also includes dllhost.exe too.



Duane :)
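
The image-path check described in the post above, as an added example that is not part of the original thread. It flags `svchost.exe` and `dllhost.exe` instances whose executable does not sit in the System32 directory; the function name `audit`, the `C:\WINDOWS` system root and the process list are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules on any OS, so the sample runs offline

# Image names the post singles out; both are expected to load from System32.
WATCHED = {"svchost.exe", "dllhost.exe"}


def audit(processes, system_root=r"C:\WINDOWS"):
    """Map pid -> 'ok' | 'suspicious' | 'unknown' for watched image names.

    processes: iterable of (pid, image_name, image_path) tuples, e.g. exported
    from a process lister. system_root is an assumption; pass the real one.
    """
    expected_dir = ntpath.normcase(ntpath.join(system_root, "System32"))
    verdicts = {}
    for pid, name, path in processes:
        if name.lower() not in WATCHED:
            continue
        if not path:
            # Path could not be read (e.g. insufficient rights): undecided.
            verdicts[pid] = "unknown"
            continue
        # normpath collapses ".." and "/" forms; normcase lowercases, because
        # Windows paths compare case-insensitively.
        directory = ntpath.dirname(ntpath.normcase(ntpath.normpath(path)))
        verdicts[pid] = "ok" if directory == expected_dir else "suspicious"
    return verdicts


# Constructed sample data, not taken from the thread.
SAMPLE = [
    (812, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    (1044, "SVCHOST.EXE", r"c:\windows\System32\SVCHOST.EXE"),
    (1390, "svchost.exe", r"C:\WINDOWS\svchost.exe"),
    (1522, "svchost.exe", r"C:\WINDOWS\system32\..\Temp\svchost.exe"),
    (1600, "dllhost.exe", r"C:\Documents and Settings\user\dllhost.exe"),
    (1711, "svchost.exe", ""),
    (2048, "iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"),
]

if __name__ == "__main__":
    for pid, verdict in sorted(audit(SAMPLE).items()):
        print(pid, verdict)
```

An `ok` verdict covers only where the executable lives; it says nothing about which services a given svchost instance is hosting.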






RAH 08-28-2004 10:03 AM

Re: Router reveals port activity
 
All instances of svchost are running from system32 directory.

RAH
"Duane Arnold" <notme@notme.com> wrote in message
news:EzJXc.78312$mD.16109@attbi_s02...
>
> "RAH" <Me@home.com> wrote in message
> news:cgnh2e$68o$1@news5.svr.pol.co.uk...
> > It seems that most of the activity is caused by svchost doing various normal
> > things. Glad I checked with TCPView though. Thanks for the tip WHY.
> > RAH

>
> What makes you think that malware cannot use svchost.exe for its bidding,
> after all svchost.exe is the messenger for the O/S programs and any other
> program such as a Trojan that may want to communicate out can use it? If
> svchost.exe is not running out of the system32 directory, then it's a
> Trojan. That also includes dllhost.exe too.
>
>
>
> Duane :)
>
>
>
>
>






