potential spyware/trojan

Discussion in 'NZ Computing' started by -[Myth]-, Jan 21, 2004.

  1. -[Myth]-

    -[Myth]- Guest

    When I execute netstat I get this:
    Active Connections

    Proto Local Address Foreign Address State
    TCP david:1078 ad.de.doubleclick.net:1079 ESTABLISHED
    TCP david:1079 ad.de.doubleclick.net:1078 ESTABLISHED

    at first glance it appears to be an http connection downloading an ad,
    however I cannot connect to ad.de.doubleclick.net ports 1078 or 1079 using
    mozilla or telnet. I will do a scan with spybot and adaware.
    Does anyone have any idea what is causing this? my guess is spyware.
    -[Myth]-, Jan 21, 2004
    #1

  2. -[Myth]-

    -[Myth]- Guest

    On Wed, 21 Jan 2004 18:18:27 +1300, -[Myth]- wrote:

    > When I execute netstat I get this:
    > Active Connections
    >
    > Proto Local Address Foreign Address State
    > TCP david:1078 ad.de.doubleclick.net:1079 ESTABLISHED
    > TCP david:1079 ad.de.doubleclick.net:1078 ESTABLISHED
    >
    > at first glance it appears to be an http connection downloading an ad,
    > however I cannot connect to ad.de.doubleclick.net ports 1078 or 1079 using
    > mozilla or telnet. I will do a scan with spybot and adaware.
    > Does anyone have any idea what is causing this? my guess is spyware.


    after rebooting I get:

    TCP david:1035 ad.de.doubleclick.net:1036 ESTABLISHED
    TCP david:1036 ad.de.doubleclick.net:1035 ESTABLISHED

    then after a few seconds:

    TCP david:1036 ad.de.doubleclick.net:1035 TIME_WAIT

    there was also an http connection to 210.55.6.135
    -[Myth]-, Jan 21, 2004
    #2

  3. Nicholas Sherlock

    -[Myth]- wrote:
    > On Wed, 21 Jan 2004 18:18:27 +1300, -[Myth]- wrote:
    >
    >> When I execute netstat I get this:
    >> Active Connections
    >>
    >> Proto Local Address Foreign Address State
    >> TCP david:1078 ad.de.doubleclick.net:1079
    >> ESTABLISHED TCP david:1079
    >> ad.de.doubleclick.net:1078 ESTABLISHED
    >>
    >> at first glance it appears to be an http connection downloading an
    >> ad, however I cannot connect to ad.de.doubleclick.net ports 1078 or
    >> 1079 using mozilla or telnet. I will do a scan with spybot and
    >> adaware.
    >> Does anyone have any idea what is causing this? my guess is spyware.

    >
    > after rebooting I get:
    >
    > TCP david:1035 ad.de.doubleclick.net:1036 ESTABLISHED
    > TCP david:1036 ad.de.doubleclick.net:1035 ESTABLISHED
    >
    > then after a few seconds:
    >
    > TCP david:1036 ad.de.doubleclick.net:1035 TIME_WAIT
    >
    > there was also an http connection to 210.55.6.135


    Well? Are you going to run a Spyware removing tool such as the excellent
    free Spybot Search & Destroy? :). One of your programs must be Adware -
    shows ad banners so that you can use it for free.

    Cheers,
    Nicholas Sherlock
    Nicholas Sherlock, Jan 21, 2004
    #3
  4. Enkidu

    Enkidu Guest

    On Wed, 21 Jan 2004 18:18:27 +1300, "-[Myth]-"
    <> wrote:

    >When I execute netstat I get this:
    >Active Connections
    >
    > Proto Local Address Foreign Address State
    > TCP david:1078 ad.de.doubleclick.net:1079 ESTABLISHED
    > TCP david:1079 ad.de.doubleclick.net:1078 ESTABLISHED
    >
    >at first glance it appears to be an http connection downloading an ad,
    >however I cannot connect to ad.de.doubleclick.net ports 1078 or 1079 using
    >mozilla or telnet. I will do a scan with spybot and adaware.
    >Does anyone have any idea what is causing this? my guess is spyware.
    >

    If you can't connect to it, that sort of implies that the other end
    connected first. If that is true, there may be a trojan on your
    machine.

    Cheers,

    Cliff
    --

    The complete lack of evidence is the surest sign
    that the conspiracy is working.
    Enkidu, Jan 21, 2004
    #4
  5. -[Myth]-

    -[Myth]- Guest

    On Wed, 21 Jan 2004 19:54:04 +1300, Enkidu wrote:

    > On Wed, 21 Jan 2004 18:18:27 +1300, "-[Myth]-"
    > <> wrote:
    >
    >>When I execute netstat I get this:
    >>Active Connections
    >>
    >> Proto Local Address Foreign Address State
    >> TCP david:1078 ad.de.doubleclick.net:1079 ESTABLISHED
    >> TCP david:1079 ad.de.doubleclick.net:1078 ESTABLISHED
    >>
    >>at first glance it appears to be an http connection downloading an ad,
    >>however I cannot connect to ad.de.doubleclick.net ports 1078 or 1079 using
    >>mozilla or telnet. I will do a scan with spybot and adaware.
    >>Does anyone have any idea what is causing this? my guess is spyware.
    >>

    > If you can't connect to it, that sort of implies that the other end
    > connected first. If that is true, there may be a trojan on your
    > machine.
    >
    > Cheers,
    >
    > Cliff


    there is no way that the connection could have got through my router,
    unless it has a security hole of some sort, which I very much doubt.
    -[Myth]-, Jan 21, 2004
    #5
  6. -[Myth]-

    -[Myth]- Guest

    On Wed, 21 Jan 2004 19:37:11 +1300, Nicholas Sherlock wrote:

    > -[Myth]- wrote:
    >> On Wed, 21 Jan 2004 18:18:27 +1300, -[Myth]- wrote:
    >>
    >>> When I execute netstat I get this:
    >>> Active Connections
    >>>
    >>> Proto Local Address Foreign Address State
    >>> TCP david:1078 ad.de.doubleclick.net:1079
    >>> ESTABLISHED TCP david:1079
    >>> ad.de.doubleclick.net:1078 ESTABLISHED
    >>>
    >>> at first glance it appears to be an http connection downloading an
    >>> ad, however I cannot connect to ad.de.doubleclick.net ports 1078 or
    >>> 1079 using mozilla or telnet. I will do a scan with spybot and
    >>> adaware.
    >>> Does anyone have any idea what is causing this? my guess is spyware.

    >>
    >> after rebooting I get:
    >>
    >> TCP david:1035 ad.de.doubleclick.net:1036 ESTABLISHED
    >> TCP david:1036 ad.de.doubleclick.net:1035 ESTABLISHED
    >>
    >> then after a few seconds:
    >>
    >> TCP david:1036 ad.de.doubleclick.net:1035 TIME_WAIT
    >>
    >> there was also an http connection to 210.55.6.135

    >
    > Well? Are you going to run a Spyware removing tool such as the excellent
    > free Spybot Search & Destroy? :). One of your programs must be Adware -
    > shows ad banners so that you can use it for free.
    >
    > Cheers,
    > Nicholas Sherlock


    as far as I know I have no adware software, and I have scanned with both
    adaware and spybot recently.
    -[Myth]-, Jan 21, 2004
    #6
  7. Richard Gallagher

    On Wed, 21 Jan 2004 18:18:27 +1300, "-[Myth]-"
    <> wrote:

    >When I execute netstat I get this:
    >Active Connections
    >
    > Proto Local Address Foreign Address State
    > TCP david:1078 ad.de.doubleclick.net:1079 ESTABLISHED
    > TCP david:1079 ad.de.doubleclick.net:1078 ESTABLISHED
    >
    >at first glance it appears to be an http connection downloading an ad,
    >however I cannot connect to ad.de.doubleclick.net ports 1078 or 1079 using
    >mozilla or telnet. I will do a scan with spybot and adaware.
    >Does anyone have any idea what is causing this? my guess is spyware.


    My guess is that it is simply a connection from one port on your
    computer to another. Either you have an entry in your hosts that sets
    ad.de.doubleclick.net to 127.0.0.1 or you have some sort of ad
    blocking software that is doing that. Netstat is then trying to do a
    reverse lookup on 127.0.0.1 and is coming up with
    ad.de.doubleclick.net instead of the name of your computer.

    You don't say what OS you are running but at a guess I would say Windows
    2000 or XP. If so then download fport from
    http://www.foundstone.com/knowledge/proddesc/fport.html, run it and it
    will tell you what is running on your computer on that port.

    --
    Richard Gallagher
    Richard Gallagher, Jan 21, 2004
    #7
  8. Lawrence D'Oliveiro

    In article <1cp6l40n4uia2$.nthi23jnvw7i$>,
    "-[Myth]-" <> wrote:

    >When I execute netstat I get this:


    Can you try it with -n as well? Just to confirm that the addresses being
    connected to are not local to your net.
    Lawrence D'Oliveiro, Jan 21, 2004
    #8
  9. -[Myth]-

    -[Myth]- Guest

    On Wed, 21 Jan 2004 22:49:20 +1300, Richard Gallagher wrote:

    > On Wed, 21 Jan 2004 18:18:27 +1300, "-[Myth]-"
    > <> wrote:
    >
    >>When I execute netstat I get this:
    >>Active Connections
    >>
    >> Proto Local Address Foreign Address State
    >> TCP david:1078 ad.de.doubleclick.net:1079 ESTABLISHED
    >> TCP david:1079 ad.de.doubleclick.net:1078 ESTABLISHED
    >>
    >>at first glance it appears to be an http connection downloading an ad,
    >>however I cannot connect to ad.de.doubleclick.net ports 1078 or 1079 using
    >>mozilla or telnet. I will do a scan with spybot and adaware.
    >>Does anyone have any idea what is causing this? my guess is spyware.

    >
    > My guess is that it is simply a connection from one port on your
    > computer to another. Either you have an entry in your hosts that sets
    > ad.de.doubleclick.net to 127.0.0.1 or you have some sort of ad
    > blocking software that is doing that. Netstat is then trying to do a
    > reverse lookup on 127.0.0.1 and is coming up with
    > ad.de.doubleclick.net instead of the name of your computer.
    >

    yes that seems to be the case:
    C:\>netstat -n


    Active Connections

    Proto Local Address Foreign Address State
    TCP 127.0.0.1:1036 127.0.0.1:1037 ESTABLISHED
    TCP 127.0.0.1:1037 127.0.0.1:1036 ESTABLISHED


    > You don't say what OS you are running but at a guess I would say Windows
    > 2000 or XP. If so then download fport from
    > http://www.foundstone.com/knowledge/proddesc/fport.html, run it and it
    > will tell you what is running on your computer on that port.

    I have downloaded it but the connections have vanished now. I will wait
    till they come back then use fport.

    Thanks for the help.
    -[Myth]-, Jan 25, 2004
    #9
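    The diagnosis the thread converges on (a program talking to itself over loopback, with netstat's reverse lookup picking up a hosts-file entry that sinkholes the ad domain to 127.0.0.1), as an added example that is not part of the thread: it parses a hosts file and numeric `netstat -n` output and flags mirror-image loopback socket pairs so they are not mistaken for an outbound connection. The hosts file and netstat text are constructed samples.

```python
from ipaddress import ip_address

# Constructed sample hosts file: an ad domain sinkholed to loopback.
HOSTS_TEXT = """# constructed sample
127.0.0.1 localhost
127.0.0.1 ad.de.doubleclick.net
"""

# Constructed sample 'netstat -n' output following the thread's pattern.
NETSTAT_TEXT = """Active Connections

  Proto  Local Address      Foreign Address   State
  TCP    127.0.0.1:1036     127.0.0.1:1037    ESTABLISHED
  TCP    127.0.0.1:1037     127.0.0.1:1036    ESTABLISHED
  TCP    192.168.1.10:1040  210.55.6.135:80   ESTABLISHED
"""

def parse_hosts(text):
    """Map hostname -> IP from hosts-file text; '#' starts a comment."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            mapping[name.lower()] = fields[0]
    return mapping

def loopback_names(hosts):
    """Names a reverse lookup of 127.0.0.1 may return (besides localhost)."""
    return sorted(n for n, ip in hosts.items()
                  if ip_address(ip).is_loopback and n != "localhost")

def parse_netstat(text):
    """Return (proto, local_ip, local_port, remote_ip, remote_port, state)."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 4 and f[0] in ("TCP", "UDP") and ":" in f[1]:
            lip, lport = f[1].rsplit(":", 1)
            rip, rport = f[2].rsplit(":", 1)
            conns.append((f[0], lip.strip("[]"), int(lport),
                          rip.strip("[]"), int(rport), f[3]))
    return conns

def classify(conns):
    """'loopback-pair' when both ends are loopback and the mirror socket is
    also listed (one local program connected to itself), 'loopback' for other
    loopback sockets, 'remote' for anything that actually leaves the host."""
    keys = {(c[1], c[2], c[3], c[4]) for c in conns}
    out = []
    for proto, lip, lport, rip, rport, state in conns:
        if ip_address(lip).is_loopback and ip_address(rip).is_loopback:
            mirror = (rip, rport, lip, lport) in keys
            out.append(("loopback-pair" if mirror else "loopback", lport, rport))
        else:
            out.append(("remote", lport, rport))
    return out
```

    Only the `remote` entries warrant checking against the router or with a port-to-process tool; the loopback pair is the case Richard describes.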
  10. BigFatWhiteGuy

    BigFatWhiteGuy

    Joined:
    Mar 23, 2014
    Messages:
    1
    I came across a similar issue with my system, I had this listing from netstat:

    Active Connections

    Proto Local Address Foreign Address State
    TCP 127.0.0.1:1110 doubleclick:59818 ESTABLISHED
    TCP 127.0.0.1:1110 doubleclick:59922 ESTABLISHED
    TCP 127.0.0.1:1110 doubleclick:60618 ESTABLISHED
    TCP 127.0.0.1:4243 doubleclick:49203 ESTABLISHED
    TCP 127.0.0.1:60616 doubleclick:nfsd-status TIME_WAIT
    TCP 127.0.0.1:60618 doubleclick:nfsd-status ESTABLISHED

    and so on...

    After freaking out, and searching for the symptoms with DuckDuckGo! I came to this site. After a quick check, the answer was apparent. Being a Sr. Unix Engineer (no blue and white stripe hat, and they do not let me drive trains!) has taught me a thing or two, it is very easy to forget all that in the face of a potential security leak.

    I do not like doubleclick, or any tracking of my wanderings about on the Net. Having been unsuccessful in blocking doubleclick with other means, I did to doubleclick what I do to my kids. All the mind numbing on line gaming and other activities which I do not approve of are easily blocked by my internal system. It is the DNS server among other things.

    On the DNS, I setup a domain mind.numbing.game.com and the IP address for all access to the site is 127.0.0.1. Works well, although I had to block outbound DNS from any system other than my server, they found google's DNS at 8.8.8.8, GRRR!.

    Along the same lines, I modified my hosts file to include:

    ## fix those pesky bastards
    127.0.0.1 doubleclick.net
    127.0.0.1 googlesyndication.com
    127.0.0.1 adnxs.com
    127.0.0.1 serving-sys.com
    127.0.0.1 realmedia.com
    127.0.0.1 adsafeproteced.com

    Works like a charm! So good that I forgot about it. If I were in your situation, I would capture the information from your netstat, reboot with no internet connected, edit the hosts file on your system and point all the spies at 127.0.0.1 as I did. Then get out the big guns and scan, clean, and delouse your system. Run netstat /b (under windows) to find any offending binaries, and seriously: consider using the BFWG method of mapping them to 127.0.0.1.

    Live Long And Grow Fat!


    BFWG.
    Last edited: Mar 23, 2014
    BigFatWhiteGuy, Mar 23, 2014
    #10