Router reveals port activity

Discussion in 'Computer Support' started by RAH, Aug 26, 2004.

  1. RAH

    RAH Guest

    Hi,
    I access the internet from my laptop via a Netgear wireless router. Shortly
    after a connection is made between laptop and router the dialup modem which
    is attached to the router dials up automatically without me getting as far
    as starting OE6 or IE6.

    I discovered the following entry in the router log:
    Dial on demand, XXX.XXX.XXX.X:3014 to XXX.XX.XXX.XX:53 (X's are the IP
    address of the router - i think).

    Can anyone tell me if there is anything untoward in this behaviour such as a
    trojan or virus, if it is normal for this to occur or if some background
    programme is attempting an auto-update or similar?

    I have AVG antivirus, Ad-Aware and Spybot installed.

    Thanks in advance.

    RAH


    ---
    Outgoing mail is certified Virus Free.
    Checked by AVG anti-virus system (http://www.grisoft.com).
    Version: 6.0.744 / Virus Database: 496 - Release Date: 24/08/2004
    RAH, Aug 26, 2004
    #1

  2. RAH

    Duane Arnold Guest

    RAH wrote:

    > Hi,
    > I access the internet from my laptop via a Netgear wireless router.
    > Shortly after a connection is made between laptop and router the dialup
    > modem which is attached to the router dials up automatically without me
    > getting as far as starting OE6 or IE6.
    >
    > I discovered the following entry in the router log:
    > Dial on demand, XXX.XXX.XXX.X:3014 to XXX.XX.XXX.XX:53 (X's are the IP
    > address of the router - i think).
    >
    > Can anyone tell me if there is anything untoward in this behaviour such as
    > a trojan or virus, if it is normal for this to occur or if some background
    > programme is attempting an auto-update or similar?
    >
    > I have AVG antivirus, Ad-Aware and Spybot installed.
    >
    > Thanks in advance.
    >
    > RAH


    Use the tools in the link like Active Ports and Process Explorer (free) to
    help you make your determination.

    http://www.windowsecurity.com/pages/article_p.asp?id=1122

    Duane :)

    I am an *unregistered* Linux user. Unreg# 99999999999999999
    Duane Arnold, Aug 26, 2004
    #2

  3. RAH

    why? Guest

    On Thu, 26 Aug 2004 12:31:36 +0100, RAH wrote:

    >Hi,
    >I access the internet from my laptop via a Netgear wireless router. Shortly
    >after a connection is made between laptop and router the dialup modem which
    >is attached to the router dials up automatically without me getting as far
    >as starting OE6 or IE6.
    >
    >I discovered the following entry in the router log:
    >Dial on demand, XXX.XXX.XXX.X:3014 to XXX.XX.XXX.XX:53 (X's are the IP
    >address of the router - i think).


    X's are the IP of the router in both cases?

    If your (some unknown model) Netgear router follows normal conventions
    then,

    The 53 on the 2nd entry is DNS lookup (port 53)
    http://www.iana.org/assignments/port-numbers

    >Can anyone tell me if there is anything untoward in this behaviour such as a
    >trojan or virus, if it is normal for this to occur or if some background


    Many apps I run call home checking for updates at startup and I never
    use OE6 and hardly IE6.

    >programme is attempting an auto-update or similar?


    DNS lookups happen quite often.

    >I have AVG antivirus, Ad-Aware and Spybot installed.

    <snip>

    Me
    why?, Aug 26, 2004
    #3
  4. RAH

    RAH Guest

    It seems that most of the activity is caused by svchost doing various normal
    things. Glad I checked with TCPView though. Thanks for the tip WHY.
    RAH

    "why?" <fgrirp*sgc@VAINY!Qznq.fpvragvfg.pbz> wrote in message
    news:...
    >
    > On Thu, 26 Aug 2004 12:31:36 +0100, RAH wrote:
    >
    > >Hi,
    > >I access the internet from my laptop via a Netgear wireless router. Shortly
    > >after a connection is made between laptop and router the dialup modem which
    > >is attached to the router dials up automatically without me getting as far
    > >as starting OE6 or IE6.
    > >
    > >I discovered the following entry in the router log:
    > >Dial on demand, XXX.XXX.XXX.X:3014 to XXX.XX.XXX.XX:53 (X's are the IP
    > >address of the router - i think).
    >
    > X's are the IP of the router in both cases?
    >
    > If your (some unknown model) Netgear router follows normal conventions
    > then,
    >
    > The 53 on the 2nd entry is DNS lookup (port 53)
    > http://www.iana.org/assignments/port-numbers
    >
    > >Can anyone tell me if there is anything untoward in this behaviour such as a
    > >trojan or virus, if it is normal for this to occur or if some background
    >
    > Many apps I run call home checking for updates at startup and I never
    > use OE6 and hardly IE6.
    >
    > >programme is attempting an auto-update or similar?
    >
    > DNS lookups happen quite often.
    >
    > >I have AVG antivirus, Ad-Aware and Spybot installed.
    >
    > <snip>
    >
    > Me



    RAH, Aug 27, 2004
    #4
  5. RAH

    Duane Arnold Guest

    "RAH" <> wrote in message
    news:cgnh2e$68o$...
    > It seems that most of the activity is caused by svchost doing various normal
    > things. Glad I checked with TCPView though. Thanks for the tip WHY.
    > RAH


    What makes you think that malware cannot use svchost.exe for its bidding,
    after all svchost.exe is the messenger for the O/S programs and any other
    program such as a Trojan that may want to communicate out can use it? If
    svchost.exe is not running out of the system32 directory, then it's a
    Trojan. That also includes dllhost.exe too.



    Duane :)
    Duane Arnold, Aug 27, 2004
    #5
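
The path check suggested in post #5, written out as an added example that is not part of the original thread. The function name `Test-SystemImagePath` and the sample records are constructed for illustration, and `SysWOW64` is accepted alongside `System32` as an assumption beyond the post, because 64-bit Windows keeps 32-bit copies of these binaries there.

```powershell
# Added example: classify a process image path against the expected
# Windows system directories. Names and sample paths are illustrative.
function Test-SystemImagePath {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $ExecutablePath,
        [string] $SystemRoot = $env:SystemRoot
    )
    # Without elevation, protected processes report no path; say so
    # rather than guessing.
    if ([string]::IsNullOrEmpty($ExecutablePath)) { return 'PathUnavailable' }

    $expected = @(
        (Join-Path $SystemRoot "System32\$Name"),
        (Join-Path $SystemRoot "SysWOW64\$Name")   # 32-bit copies on 64-bit Windows
    )
    $mode = [System.StringComparison]::OrdinalIgnoreCase
    foreach ($candidate in $expected) {
        if ([string]::Equals($ExecutablePath, $candidate, $mode)) { return 'Expected' }
    }
    return 'Unexpected'
}

# Constructed sample records (not taken from the thread).
$samples = @(
    @{ Name = 'svchost.exe'; Path = 'C:\Windows\System32\svchost.exe' },
    @{ Name = 'svchost.exe'; Path = 'C:\Windows\svchost.exe' },
    @{ Name = 'dllhost.exe'; Path = 'C:\Users\Public\dllhost.exe' },
    @{ Name = 'svchost.exe'; Path = $null }
)
foreach ($s in $samples) {
    $verdict = Test-SystemImagePath -Name $s.Name -ExecutablePath $s.Path -SystemRoot 'C:\Windows'
    '{0,-12} {1,-34} {2}' -f $s.Name, $s.Path, $verdict
}

# Live check on the local machine.
Get-CimInstance Win32_Process -Filter "Name='svchost.exe' OR Name='dllhost.exe'" |
    ForEach-Object {
        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Name      = $_.Name
            Path      = $_.ExecutablePath
            Verdict   = Test-SystemImagePath -Name $_.Name -ExecutablePath $_.ExecutablePath
        }
    } | Sort-Object Verdict, Name | Format-Table -AutoSize
```

An `Expected` verdict only confirms where the image was loaded from; it says nothing about which services a given svchost.exe instance is hosting, which `tasklist /svc` lists per PID.
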
  6. RAH

    RAH Guest

    All instances of svchost are running from system32 directory.

    RAH
    "Duane Arnold" <> wrote in message
    news:EzJXc.78312$mD.16109@attbi_s02...
    >
    > "RAH" <> wrote in message
    > news:cgnh2e$68o$...
    > > It seems that most of the activity is caused by svchost doing various normal
    > > things. Glad I checked with TCPView though. Thanks for the tip WHY.
    > > RAH
    >
    > What makes you think that malware cannot use svchost.exe for its bidding,
    > after all svchost.exe is the messenger for the O/S programs and any other
    > program such as a Trojan that may want to communicate out can use it? If
    > svchost.exe is not running out of the system32 directory, then it's a
    > Trojan. That also includes dllhost.exe too.
    >
    > Duane :)



    RAH, Aug 28, 2004
    #6
