Strange tcp connection

Discussion in 'NZ Computing' started by Mike_P, Jul 31, 2004.

  1. Mike_P

    Mike_P Guest

    Doing a netstat -a shows the following connection...

    TCP a1700:1043 68-189-115-59.ca.charter.com:60409
    ESTABLISHED

    does anybody know what this is ?
     
    Mike_P, Jul 31, 2004
    #1

  2. Mike_P

    Collector Guest

    Mike_P said the following on 31/07/2004 18:58:

    > Doing a netstat -a shows the following connection...
    >
    > TCP a1700:1043 68-189-115-59.ca.charter.com:60409
    > ESTABLISHED
    >
    > does anybody know what this is ?
    >
    >

    You are either running a P2p client or you has been owned.

    The connection is to a dsl or cable connection owned by a user of
    charter.com.
     
    Collector, Jul 31, 2004
    #2

  3. Mike_P

    ~misfit~ Guest

    Collector wrote:

    > You are either running a P2p client or you has been owned.


    LOL. Reminds me of something I read in a different group:

    Our Father, who 0wnz h34V3n, j00 r0ck!
    May all 0ur base someday be belong to you!
    May j00 0wn earth just like j00 0wn h34V3n.
    Give us this day our warez, mp3z, and pr0n through a phat pipe.
    And cut us some slack when we act like n00b lamerz, just as we teach n00bz
    when they act lame on us.
    Please don't give us root access on some poor d00d'z box when we're too
    pissed off to think about what's right and wrong, and if you could keep the
    fbi off our backs, we'd appreciate it.
    For j00 0wn r00t on all our b0x3s 4ever and ever.

    4m3n.
    --
    ~misfit~
     
    ~misfit~, Jul 31, 2004
    #3
  4. On Sat, 31 Jul 2004 22:01:56 +1200, "~misfit~"
    <> wrote:

    >Collector wrote:
    >
    >> You are either running a P2p client or you has been owned.

    >
    >LOL. Reminds me of something I read in a different group:
    >
    >Our Father, who 0wnz h34V3n, j00 r0ck!
    >May all 0ur base someday be belong to you!
    >May j00 0wn earth just like j00 0wn h34V3n.
    >Give us this day our warez, mp3z, and pr0n through a phat pipe.
    >And cut us some slack when we act like n00b lamerz, just as we teach n00bz
    >when they act lame on us.
    >Please don't give us root access on some poor d00d'z box when we're too
    >pissed off to think about what's right and wrong, and if you could keep the
    >fbi off our backs, we'd appreciate it.
    >For j00 0wn r00t on all our b0x3s 4ever and ever.
    >
    >4m3n.


    Reminds me of this one. Unsure of source, found it quite some time ago
    and saved it to a text file.

    Our ISP, who art in Auckland, hallo'd be thy bandwidth.
    Thy downloads come, thy uploads done, 2 speeds as it is uneven.
    Give us this day our daily broadband,
    and forgive us our leeching,
    as we forgive those who leech against us,
    and lead us not into full hard drives,
    but deliver us from lagging,
    for thine is the ping-time,
    the password and the Carrier Sense Multiple Access / Collision
    Detection,
    for exabytes and exabytes,
    ADSL


    --
    Kristofer Clayton (KJClayton)
    Gisborne, New Zealand
     
    Kristofer Clayton, Jul 31, 2004
    #4
  5. Mike_P

    Mike_P Guest

    "Collector" <> wrote in message
    news:...
    > Mike_P said the following on 31/07/2004 18:58:
    >
    >> Doing a netstat -a shows the following connection...
    >>
    >> TCP a1700:1043 68-189-115-59.ca.charter.com:60409
    >> ESTABLISHED
    >>
    >> does anybody know what this is ?

    > You are either running a P2p client or you has been owned.
    >
    > The connection is to a dsl or cable connection owned by a user of
    > charter.com.
    >


    Yeah that's what I figured but Adaware and AVG have found nothing.
     
    Mike_P, Jul 31, 2004
    #5
  6. Mike_P

    Collector Guest

    Mike_P said the following on 1/08/2004 09:17:
    > "Collector" <> wrote in message
    > news:...
    >
    >>Mike_P said the following on 31/07/2004 18:58:
    >>
    >>
    >>>Doing a netstat -a shows the following connection...
    >>>
    >>>TCP a1700:1043 68-189-115-59.ca.charter.com:60409
    >>>ESTABLISHED
    >>>
    >>>does anybody know what this is ?

    >>
    >>You are either running a P2p client or you has been owned.
    >>
    >>The connection is to a dsl or cable connection owned by a user of
    >>charter.com.
    >>

    >
    >
    > Yeah that's what I figured but Adaware and AVG have found nothing.
    >
    >
    >

    Okay well serious now.

    Disconnect, reboot and connect, do a netstat and check what is connected

    It is possible you had just visited a site run by a lamer on a dsl
    connection, with a java/active x on the page. In which case so long as
    your security settings are okay (and you don't run IE) you're okay.

    I assume a1700 is the name of your machine so the port was 1043 on your
    machine connected to port 60409 on the destination.
     
    Collector, Jul 31, 2004
    #6
  7. Mike_P

    ~misfit~ Guest

    Kristofer Clayton wrote:
    > On Sat, 31 Jul 2004 22:01:56 +1200, "~misfit~"
    > <> wrote:
    >
    >> Collector wrote:
    >>
    >>> You are either running a P2p client or you has been owned.

    >>
    >> LOL. Reminds me of something I read in a different group:
    >>
    >> Our Father, who 0wnz h34V3n, j00 r0ck!
    >> May all 0ur base someday be belong to you!
    >> May j00 0wn earth just like j00 0wn h34V3n.
    >> Give us this day our warez, mp3z, and pr0n through a phat pipe.
    >> And cut us some slack when we act like n00b lamerz, just as we teach
    >> n00bz when they act lame on us.
    >> Please don't give us root access on some poor d00d'z box when we're
    >> too pissed off to think about what's right and wrong, and if you
    >> could keep the fbi off our backs, we'd appreciate it.
    >> For j00 0wn r00t on all our b0x3s 4ever and ever.
    >>
    >> 4m3n.

    >
    > Reminds me of this one. Unsure of source, found it quite some time ago
    > and saved it to a text file.
    >
    > Our ISP, who art in Auckland, hallo'd be thy bandwidth.
    > Thy downloads come, thy uploads done, 2 speeds as it is uneven.
    > Give us this day our daily broadband,
    > and forgive us our leeching,
    > as we forgive those who leech against us,
    > and lead us not into full hard drives,
    > but deliver us from lagging,
    > for thine is the ping-time,
    > the password and the Carrier Sense Multiple Access / Collision
    > Detection,
    > for exabytes and exabytes,
    > ADSL


    LOL. I like it.
    --
    ~misfit~
     
    ~misfit~, Jul 31, 2004
    #7
  8. Mike_P

    Mike_P Guest

    >>
    > Okay well serious now.
    >
    > Disconnect, reboot and connect, do a netstat and check what is connected
    >
    > It is possible you had just visited a site run by a lamer on a dsl
    > connection, with a java/active x on the page. In which case so long as
    > your security settings are okay (and you don't run IE) you're okay.
    >
    > I assume a1700 is the name of your machine so the port was 1043 on your
    > machine connected to port 60409 on the destination.


    Yes A1700 is this machine so port 1043 is connecting to 60409.
    Have rebooted and done a netstat... last connection has gone but been
    replaced by:
    TCP a1700:1043 69-171-36-105.clvdoh.adelphia.net:57029
    ESTABLISHED
    Time for some serious investigation !
     
    Mike_P, Aug 1, 2004
    #8
  9. Mike_P

    Collector Guest

    Mike_P said the following on 1/08/2004 11:02:

    >>Okay well serious now.
    >>
    >>Disconnect, reboot and connect, do a netstat and check what is connected
    >>
    >>It is possible you had just visited a site run by a lamer on a dsl
    >>connection, with a java/active x on the page. In which case so long as
    >>your security settings are okay (and you don't run IE) you're okay.
    >>
    >>I assume a1700 is the name of your machine so the port was 1043 on your
    >>machine connected to port 60409 on the destination.

    >
    >
    > Yes A1700 is this machine so port 1043 is connecting to 60409.
    > Have rebooted and done a netstat... last connection has gone but been
    > replaced by:
    > TCP a1700:1043 69-171-36-105.clvdoh.adelphia.net:57029
    > ESTABLISHED
    > Time for some serious investigation !
    >
    >

    Yep All of your base us belong

    Do a google on port 1043, you have one of the trojans that use this port.
     
    Collector, Aug 1, 2004
    #9
  10. Mike_P

    Mike_P Guest

    "Mike_P" <> wrote in message
    news:410b4aae$...
    > Doing a netstat -a shows the following connection...
    >
    > TCP a1700:1043 68-189-115-59.ca.charter.com:60409
    > ESTABLISHED
    >
    > does anybody know what this is ?
    >


    Well I disabled Skype using msconfig and that has fixed/solved the problem.
    Now I just have to figure out whether this was harmless or not.

    Mike_p
     
    Mike_P, Aug 1, 2004
    #10
  11. Mike_P

    thing Guest

    Collector wrote:
    > Mike_P said the following on 1/08/2004 11:02:
    >
    >>> Okay well serious now.
    >>>
    >>> Disconnect, reboot and connect, do a netstat and check what is connected
    >>>
    >>> It is possible you had just visited a site run by a lamer on a dsl
    >>> connection, with a java/active x on the page. In which case so long
    >>> as your security settings are okay (and you don't run IE) you're okay.
    >>>
    >>> I assume a1700 is the name of your machine so the port was 1043 on
    >>> your machine connected to port 60409 on the destination.

    >>
    >>
    >>
    >> Yes A1700 is this machine so port 1043 is connecting to 60409.
    >> Have rebooted and done a netstat... last connection has gone but been
    >> replaced by:
    >> TCP a1700:1043
    >> 69-171-36-105.clvdoh.adelphia.net:57029 ESTABLISHED
    >> Time for some serious investigation !
    >>
    >>

    > Yep All of your base us belong
    >
    > Do a google on port 1043, you have one of the trojans that use this port.


    Dosh
    Name: Dosh
    Aliases: Backdoor.Dosh,
    Ports: 113, 1026, 1028, 1032, 1033, 1035, 1037, 1039, 1041, 1043
    Files: Windpd.bqi - Winpc.exe -
    Created:
    Requires:
    Actions: Remote Access
    Registers: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_ROOT\.bqi
    HKEY_CURRENT_ROOT\dpndfile
    HKEY_CURRENT_ROOT\dpndfile\DefaultIcon
    HKEY_CURRENT_ROOT\dpndfile\shell
    HKEY_CURRENT_ROOT\dpndfile\shell\open
    HKEY_CURRENT_ROOT\dpndfile\shell\open\command
    Notes: Works on Windows.
    Country:
    Program:

    ouch....

    regards

    Thing
     
    thing, Aug 1, 2004
    #11
  12. On Sun, 1 Aug 2004 11:02:00 +1200, "Mike_P"
    <> wrote:

    >>>

    >> Okay well serious now.
    >>
    >> Disconnect, reboot and connect, do a netstat and check what is connected
    >>
    >> It is possible you had just visited a site run by a lamer on a dsl
    >> connection, with a java/active x on the page. In which case so long as
    >> your security settings are okay (and you don't run IE) you're okay.
    >>
    >> I assume a1700 is the name of your machine so the port was 1043 on your
    >> machine connected to port 60409 on the destination.

    >
    >Yes A1700 is this machine so port 1043 is connecting to 60409.
    >Have rebooted and done a netstat... last connection has gone but been
    >replaced by:
    > TCP a1700:1043 69-171-36-105.clvdoh.adelphia.net:57029
    >ESTABLISHED
    >Time for some serious investigation !
    >


    try netstat -o to get the PID and use task manager or similar to find
    out what is connecting.
     
    Steve Sinclair, Aug 1, 2004
    #12
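
Added example, not part of any post in this thread: the `netstat -o` step suggested in post #12, carried through on saved command output. It assumes `netstat -ano` and `tasklist /fo csv /nh` output has been captured to text; the sample text, addresses, process list and function names below are constructed for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample of `netstat -ano` output; not taken from the thread.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    127.0.0.1:1030         127.0.0.1:1031         ESTABLISHED     1820
  TCP    192.168.1.10:1043      203.0.113.59:60409     ESTABLISHED     1820
  TCP    192.168.1.10:1051      198.51.100.7:80        TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    676
"""

# Constructed sample of `tasklist /fo csv /nh` output.
TASKLIST_SAMPLE = '''\
"lsass.exe","676","Console","0","1,204 K"
"svchost.exe","884","Console","0","3,120 K"
"Skype.exe","1820","Console","0","18,432 K"
'''

def split_endpoint(endpoint):
    """Split 'host:port' or '[v6%zone]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]").split("%")[0], port

def parse_tasklist(text):
    """Map PID -> image name from CSV-formatted tasklist output."""
    rows = csv.reader(io.StringIO(text))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2}

def established_remote(netstat_text, tasklist_text):
    """List (process, pid, local_port, remote_host, remote_port) per live peer."""
    names = parse_tasklist(tasklist_text)
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have 5 fields; headers and UDP rows (no State) are skipped.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue
        rhost, rport = split_endpoint(fields[2])
        if ipaddress.ip_address(rhost).is_loopback:
            continue  # local inter-process chatter, not a remote peer
        pid = int(fields[4])
        lport = split_endpoint(fields[1])[1]
        found.append((names.get(pid, "<unknown>"), pid, int(lport), rhost, int(rport)))
    return found
```

A PID that maps to `<unknown>` means the process exited or was not visible between the two captures, so take both snapshots back to back.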
  13. Mike_P

    Collector Guest

    Steve Sinclair said the following on 1/08/2004 13:45:

    > On Sun, 1 Aug 2004 11:02:00 +1200, "Mike_P"
    > <> wrote:
    >
    >
    >>>Okay well serious now.
    >>>
    >>>Disconnect, reboot and connect, do a netstat and check what is connected
    >>>
    >>>It is possible you had just visited a site run by a lamer on a dsl
    >>>connection, with a java/active x on the page. In which case so long as
    >>>your security settings are okay (and you don't run IE) you're okay.
    >>>
    >>>I assume a1700 is the name of your machine so the port was 1043 on your
    >>>machine connected to port 60409 on the destination.

    >>
    >>Yes A1700 is this machine so port 1043 is connecting to 60409.
    >>Have rebooted and done a netstat... last connection has gone but been
    >>replaced by:
    >> TCP a1700:1043 69-171-36-105.clvdoh.adelphia.net:57029
    >>ESTABLISHED
    >>Time for some serious investigation !
    >>

    >
    >
    > try netstat -o to get the PID and use task manager or similar to find
    > out what is connecting.


    Netstat -o is not available in my w2k netstat. What are you using?
     
    Collector, Aug 1, 2004
    #13
  14. Mike_P

    Richard Guest

    >
    > Netstat -o is not available in my w2k netstat. What are you using?


    Is present on XP and 2003 server netstats.

    Drop me an email and I can try sending you the later netstat
     
    Richard, Aug 1, 2004
    #14
  15. Mike_P

    Richard Guest

    Mike_P wrote:

    > Well I disabled Skype using msconfig and that has fixed/solved the problem.
    > Now I just have to figure out whether this was harmless or not.


    Well if you installed a piece of P2P software, it's perfectly reasonable for it
    to be connecting to others. Non-issue solved
     
    Richard, Aug 1, 2004
    #15
  16. Mike_P

    Collector Guest

    Richard said the following on 1/08/2004 15:00:

    >>
    >> Netstat -o is not available in my w2k netstat. What are you using?

    >
    >
    > Is present on XP and 2003 server netstats.
    >
    > Drop me an email and I can try sending you the later netstat
    >

    Thanks use
     
    Collector, Aug 1, 2004
    #16
  17. Steve Sinclair wrote:
    > try netstat -o to get the PID and use task manager or similar to find
    > out what is connecting.


    on which os?
    2k SP4 it doesn't work.

    --
    Dave Hall
    http://www.dave.net.nz
     
    Dave - Dave.net.nz, Aug 1, 2004
    #17