#1
17-August-2004, 17:39
shred
Help please. Netstat.

Ran netstat and got the following results.


Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\>netstat

Active Connections

Proto Local Address Foreign Address State
TCP g-p10y3drit3eft:1026 10.0.229.197:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:1027 10.0.164.84:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:1028 10.0.75.0:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:1029 10.0.234.186:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:1030 10.0.226.231:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:1031 10.0.35.42:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:1032 10.0.5.128:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:1033 10.0.139.44:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:1034 10.0.222.89:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:1035 10.0.149.65:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:1036 10.0.248.225:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:1037 10.0.146.27:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:1038 10.0.178.47:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:1039 10.0.35.51:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:1040 10.0.76.244:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:1041 10.0.197.11:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:1042 10.0.211.74:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:1043 10.0.7.193:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:1044 10.0.186.221:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:1045 10.0.123.97:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:1046 10.0.204.240:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:1047 10.0.221.102:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:1048 10.0.120.163:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:1049 10.0.51.144:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:1050 10.0.193.180:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:1051 10.0.96.46:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:1052 10.0.133.100:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:1053 10.0.153.54:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:2112 ds80-237-205-33.dedicated.hosteurope.de:4661 ESTABLISHED
TCP g-p10y3drit3eft:4557 66.102.11.104:http ESTABLISHED
TCP g-p10y3drit3eft:4558 66.102.9.104:http ESTABLISHED
TCP g-p10y3drit3eft:4960 10.0.131.100:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4961 10.0.254.174:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4962 10.0.35.215:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4963 10.0.92.117:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4964 10.0.248.198:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4965 10.0.126.163:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4966 10.0.171.243:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4967 10.0.163.0:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4968 10.0.150.13:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4969 10.0.134.148:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4970 10.0.20.188:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4971 10.0.127.73:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4972 10.0.146.144:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4973 10.0.212.64:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4974 10.0.95.30:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4975 10.0.219.133:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4976 10.0.249.156:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4977 10.0.42.177:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4978 10.0.225.168:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4979 10.0.155.200:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4980 10.0.23.183:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4981 10.0.115.113:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4982 10.0.196.73:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4983 10.0.13.115:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4984 10.0.192.138:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4985 10.0.182.15:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4986 10.0.2.27:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4987 10.0.195.218:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4988 10.0.39.249:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4989 10.0.216.247:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4990 10.0.12.245:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4991 10.0.19.190:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4992 10.0.134.64:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4993 10.0.168.175:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4994 10.0.190.224:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4995 10.0.104.232:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4996 10.0.255.218:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4997 10.0.75.14:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4998 10.0.19.28:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:4999 10.0.203.166:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:5000 10.0.0.112:microsoft-ds SYN_SENT

I notice that if I block spools.exe via the software firewall, this goes away.

Ran virus/trojan and spy checks. Online scans at RAV, Panda and Symantec including security checks. All report a clean and secure system.

I'm behind a NAT router, so is the spools.exe just trying to find anything else on the 10.x.x.x network?

Any advice gratefully accepted.

shred.
#2
17-August-2004, 18:29
Zer02004

All the entries are internal to your network except the following (Do a lookup if you're not certain what these are):
TCP g-p10y3drit3eft:2112 ds80-237-205-33.dedicated.hosteurope.de:4661 ESTABLISHED
TCP g-p10y3drit3eft:4557 66.102.11.104:http ESTABLISHED
TCP g-p10y3drit3eft:4558 66.102.9.104:http ESTABLISHED

SYN_SENT means that an application has issued a request for a TCP session, but has not received the return SYN+ACK packet.
This could point to a problem with your network.
What was actually running at this time?

Try setting the spooler service to manual rather than automatic via the services management console. It should then only run when requested to do so.
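The SYN_SENT pattern discussed above, turned into a small triage script. This is an added example in Python, not from the thread: the sample dump is a constructed excerpt mirroring the posted output, and the peer threshold is an assumption. It flags the tell-tale fan-out of half-open connections to one service port across many hosts, and separates out the established sessions to external peers that are worth a lookup.

```python
import ipaddress
import re
from collections import defaultdict

# One netstat connection line: Proto, Local, Foreign, State (State is empty for UDP).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)\s*(\S*)\s*$")

# Constructed excerpt in the shape of the dump posted in the thread.
SAMPLE = """Active Connections

Proto Local Address Foreign Address State
TCP g-p10y3drit3eft:1026 10.0.229.197:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:1027 10.0.164.84:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:1028 10.0.75.0:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:1029 10.0.234.186:microsoft-ds SYN_SENT
TCP g-p10y3drit3eft:2112 ds80-237-205-33.dedicated.hosteurope.de:4661 ESTABLISHED
TCP g-p10y3drit3eft:4557 66.102.11.104:http ESTABLISHED
TCP g-p10y3drit3eft:4558 66.102.9.104:http ESTABLISHED
"""

def parse_netstat(text):
    """Return [(foreign_host, foreign_port, state)] for every TCP line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) == "TCP":
            _proto, _lhost, _lport, fhost, fport, state = m.groups()
            rows.append((fhost, fport, state))
    return rows

def syn_fanout(rows, min_peers=3):
    """Service port -> sorted peers when half-open SYN_SENT connections (no SYN+ACK
    back yet) fan out to min_peers or more distinct hosts: a worm's SMB sweep."""
    peers = defaultdict(set)
    for fhost, fport, state in rows:
        if state == "SYN_SENT":
            peers[fport].add(fhost)
    return {p: sorted(h) for p, h in peers.items() if len(h) >= min_peers}

def is_private(host):
    """True for RFC 1918/loopback addresses; a bare hostname is treated as external."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False

def external_sessions(rows):
    """ESTABLISHED sessions to non-private peers: the entries worth a whois lookup."""
    return sorted({(h, p) for h, p, s in rows if s == "ESTABLISHED" and not is_private(h)})
```

Feed it the full output of `netstat` and a single port with dozens of SYN_SENT peers stands out immediately, while legitimate browsing shows up only under the external sessions.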
#3
17-August-2004, 21:01
shred

Thanks for the info ZerO.

Stopping the spools.exe resulted in:

TCP g-p10y3drit3eft:2112 ds80-237-205-33.dedicated.hosteurope.de:4661 SYN_SENT

This entry was always there on a netstat run.

Checked in msconfig>startup and noticed two entries for spools.exe, but only spools.exe, not the usual C:\windows\etc. Disabled both of these entries and hey presto, a clean netstat.

I think either:

a) the "malware" was trying to infect other PCs on my network, of which there are none (just one PC connected),

or

b) the "malware" was trying a DoS attack.

Any thoughts? And can I follow the registry location, shown in msconfig>startup, to delete it from the reg?

Thanks again,

shred.
#4
17-August-2004, 22:07
Zer02004

Results of lookup:

% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-serv...copyright.html

inetnum: 80.237.205.0 - 80.237.205.127
remarks: INFRA-AW
netname: HE-DEDIC-CGN-205
descr: Hosteurope GmbH
descr: koeln@hosteurope.de
country: DE
admin-c: HER4-RIPE
tech-c: HER12-RIPE
status: ASSIGNED PA
notify: notify@hosteurope.de
mnt-by: ONE2ONE-MNT
changed: hostmaster@hosteurope.de 20040721
source: RIPE

route: 80.237.128.0/17
descr: DE-HEC-80-237-128
origin: AS20773
notify: notify@one-2-one.net
mnt-by: ONE2ONE-MNT
changed: hostmaster@hosteurope.de 20011114
source: RIPE

role: Host Europe Ripehandle
address: Hansestr. 109
address: 51149 Koeln
phone: +49 2203 1045 0
e-mail: hostmaster@hosteurope.de
trouble: hostmaster@hosteurope.de
admin-c: DART
admin-c: FLX
admin-c: WIRR
tech-c: DART
tech-c: FLX
tech-c: WIRR
nic-hdl: HER12-RIPE
notify: hostmaster@hosteurope.de
mnt-by: ONE2ONE-MNT
changed: hostmaster@hosteurope.de 20010720
changed: hostmaster@hosteurope.de 20020617
changed: hostmaster@hosteurope.de 20021115
changed: hostmaster@hosteurope.de 20031029
changed: fs@hosteurope.de 20040521
changed: fs@hosteurope.de 20040524
source: RIPE

person: Uwe Braun
address: Hansestr. 109
address: 51149 Koeln
phone: +49 2203 1045 7000
e-mail: uwe.braun@hosteurope.de
nic-hdl: HER4-RIPE
changed: hostmaster@hosteurope.de 20011123
changed: hostmaster@hosteurope.de 20031029
source: RIPE
mnt-by: ONE2ONE-MNT

Grab yourself a copy of TDS 3 and run a complete scan. This software is fully functional, except that it has to be manually updated and it's a time-limited trial.
#5
17-August-2004, 22:27
shred

Great call, ZerO.

Scan Control Dumped @ 22:24:56 17-08-04
RegVal Trace: Suspicious please submit: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\RunServices [Print Spooler=spools.exe]

That's without installing the update. BTW, how do you install the update? :D

shred.

Last edited by shred; 17-August-2004 at 23:11.
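The TDS-3 hit above is an autorun value whose name borrows a real service ("Print Spooler") while its data is a bare lookalike filename (spools.exe, one letter away from the genuine spoolsv.exe). As an added example, not from the thread or from TDS-3, this Python snippet applies those two checks to a constructed list of autorun entries; the first entry mirrors the reported key, and the other entries and the system-binary list are assumptions.

```python
import ntpath

# Common Windows system binaries that malware names itself after
# (illustrative list, an assumption of this example).
SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "explorer.exe", "services.exe"}

# Constructed autorun entries as (key, value name, value data). The first
# mirrors the TDS-3 hit from the thread; the other two are made up.
ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices", "Print Spooler", "spools.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "svchost", "svch0st.exe"),
]

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def command_basename(data):
    """Executable name from the value data: first token, directory stripped, lower-cased."""
    token = data.strip().strip('"').split()[0] if data.strip() else ""
    return ntpath.basename(token).lower()

def triage(entries):
    """Return [(value name, data, reasons)] for entries that deserve a closer look."""
    findings = []
    for _key, name, data in entries:
        reasons = []
        exe = command_basename(data)
        if "\\" not in data and "/" not in data:
            reasons.append("bare filename, no directory given")
        if exe not in SYSTEM_BINARIES:
            near = sorted(s for s in SYSTEM_BINARIES if edit_distance(exe, s) <= 2)
            if near:
                reasons.append("lookalike of " + ", ".join(near))
        if reasons:
            findings.append((name, data, reasons))
    return findings
```

On a live system the entries would come from exporting the Run and RunServices keys; the properly pathed ctfmon entry passes both checks, while the two bare lookalikes are reported with their reasons.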
#6
17-August-2004, 22:47
shred

Sorted: replace the td3 file.

Thanks again,

shred.
#7
17-August-2004, 23:17
Zer02004

As you have discovered, TDS-3 is a very powerful piece of software. It's probably the best anti-trojan suite on the market.
#8
05-March-2009, 06:53
john_in_problem
Re: Help please. Netstat.

Hey Zero... I had the same problem. I installed TDS3; however, it did not find anything, but I cannot see any more SYN packets sent over the microsoft-ds port.
I doubt the problem is going to hit again. Do you have any idea of any such free software like TDS3, or if you have the crack for TDS 3 and related Diamond software...

Please let me know.

Thanks.

Regards
Copyright 1999-2014 The Scream!