Thread: Have you done a NETSTAT -A -B lately?

  1. #1
    Senior Member LaoziSailor
    Join Date
    May 2004
    Location
    Toronto, Canada
    Posts
    1,601

    Have you done a NETSTAT -A -B lately?

    Anyone done a NETSTAT -A -B on their machine lately?

    I did and I think I'm starting to freak out!


    ---- RIGHT AFTER BOOT ----


    C:\Documents and Settings\han>date
    The current date is: Mon 12/03/2007
    Enter the new date: (mm-dd-yy)

    C:\Documents and Settings\han>time
    The current time is: 22:31:42.17
    Enter the new time:

    C:\Documents and Settings\han>netstat -a -b

    Active Connections

    Proto Local Address Foreign Address State PID
    TCP mymachine:microsoft-ds mymachine:0 LISTENING 4
    [System]

    TCP mymachine:netbios-ssn mymachine:0 LISTENING 4
    [System]

    TCP mymachine:1046 ads.datingyes.com:1110 TIME_WAIT 0
    TCP mymachine:1048 ads.datingyes.com:1110 TIME_WAIT 0
    TCP mymachine:1050 ads.datingyes.com:1110 TIME_WAIT 0
    TCP mymachine:1052 ads.datingyes.com:1110 TIME_WAIT 0
    TCP mymachine:1054 ads.datingyes.com:1110 TIME_WAIT 0
    TCP mymachine:1056 ads.datingyes.com:1110 TIME_WAIT 0
    TCP mymachine:1058 ads.datingyes.com:1110 TIME_WAIT 0
    TCP mymachine:1060 ads.datingyes.com:1110 TIME_WAIT 0
    TCP mymachine:1062 ads.datingyes.com:1110 TIME_WAIT 0
    TCP mymachine:1064 ads.datingyes.com:1110 TIME_WAIT 0
    TCP mymachine:1047 209.170.118.56:http TIME_WAIT 0
    TCP mymachine:1049 209.170.118.11:http TIME_WAIT 0
    TCP mymachine:1051 209.170.118.11:http TIME_WAIT 0
    TCP mymachine:1053 209.170.118.11:http TIME_WAIT 0
    TCP mymachine:1055 209.170.118.11:http TIME_WAIT 0
    TCP mymachine:1057 209.170.118.11:http TIME_WAIT 0
    TCP mymachine:1059 64.212.198.11:http TIME_WAIT 0
    TCP mymachine:1061 209.170.118.11:http TIME_WAIT 0
    TCP mymachine:1063 209.170.118.11:http TIME_WAIT 0
    TCP mymachine:1065 209.170.118.11:http TIME_WAIT 0
    UDP mymachine:ms-sql-m *:* 1708
    [sqlservr.exe]

    UDP mymachine:isakmp *:* 1120
    [lsass.exe]

    UDP mymachine:4500 *:* 1120
    [lsass.exe]

    UDP mymachine:1041 *:* 1640
    C:\WINDOWS\system32\mswsock.dll
    c:\windows\system32\WS2_32.dll
    c:\windows\system32\DNSAPI.dll
    c:\windows\system32\dnsrslvr.dll
    C:\WINDOWS\system32\RPCRT4.dll
    [svchost.exe]

    UDP mymachine:microsoft-ds *:* 4
    [System]

    UDP mymachine:1032 *:* 1640
    C:\WINDOWS\system32\mswsock.dll
    c:\windows\system32\WS2_32.dll
    c:\windows\system32\DNSAPI.dll
    c:\windows\system32\dnsrslvr.dll
    C:\WINDOWS\system32\RPCRT4.dll
    [svchost.exe]

    UDP mymachine:1900 *:* 1788
    [svchost.exe]

    UDP mymachine:ntp *:* 1532
    c:\windows\system32\WS2_32.dll
    c:\windows\system32\w32time.dll
    ntdll.dll
    -- unknown component(s) --
    [svchost.exe]

    UDP mymachine:491 *:* 3084
    [vsmon.exe]

    UDP mymachine:netbios-dgm *:* 4
    [System]

    UDP mymachine:netbios-ns *:* 4
    [System]

    UDP mymachine:1900 *:* 1788
    [svchost.exe]

    UDP mymachine:ntp *:* 1532
    c:\windows\system32\WS2_32.dll
    c:\windows\system32\w32time.dll
    ntdll.dll
    C:\WINDOWS\system32\kernel32.dll
    [svchost.exe]


    C:\Documents and Settings\han>time
    The current time is: 22:35:52.71
    Enter the new time:

    C:\Documents and Settings\han>

    I did this before and added "datingyes.com" to my block list in ZoneAlarm Pro and figured OK, that'll take care of it. Well it didn't, so I'm thinking ROOTKIT -- and I have Greatis, so what gives?

    Anyone know the TCP startup sequence and where it might be picking these up?
    I'm currently doing checks on the IPs sitting there too.

    Cheers!
    Han Tacoma

    ~ Artificial Intelligence is better than none! ~

  2. #2
    Senior Member Patonb
    Join Date
    May 2004
    Location
    Ottawa, Cdn.....eh
    Posts
    3,268
    I believe the 209 & 64 address is MS

  3. #3
    Senior Member LaoziSailor
    Join Date
    May 2004
    Location
    Toronto, Canada
    Posts
    1,601
    Quote Originally Posted by Patonb
    I believe the 209 & 64 address is MS
    uhhmm, I did a lookup with (useful tool) http://centralops.net/co/DomainDossier.aspx


    Address lookup
    lookup failed 209.170.118.56
    Could not find a domain name corresponding to this IP address.
    Domain Whois record

    Don't have a domain name for which to get a record
    Network Whois record

    Queried whois.arin.net with "!NET-209-170-64-0-1"...

    OrgName: Telia Network Services
    OrgID: TENS
    Address: Marbackagatan 11
    City: Farsta
    StateProv:
    PostalCode: 123 86
    Country: SE

    NetRange: 209.170.64.0 - 209.170.127.255
    CIDR: 209.170.64.0/18
    NetName: TELIANET-2BLK
    NetHandle: NET-209-170-64-0-1
    Parent: NET-209-0-0-0-0
    NetType: Direct Allocation
    NameServer: DNS1.TELIA.COM
    NameServer: DNS2.TELIA.COM
    Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    RegDate: 1999-03-30
    Updated: 2001-06-27

    RTechHandle: AA2292-ARIN
    RTechName: Andersson, Amar
    RTechPhone: +46-8-456 89 68
    RTechEmail: amar@telia.net

    OrgTechHandle: TR-ORG-ARIN
    OrgTechName: Telia Registry
    OrgTechPhone: +46 8 7135466
    OrgTechEmail: registry@telia.net


    Address lookup
    lookup failed 64.212.198.11
    Could not find a domain name corresponding to this IP address.
    Domain Whois record

    Don't have a domain name for which to get a record
    Network Whois record

    Queried whois.arin.net with "64.212.198.11"...

    OrgName: Global Crossing
    OrgID: GBLX
    Address: 14605 South 50th Street
    City: Phoenix
    StateProv: AZ
    PostalCode: 85044-6471
    Country: US

    ReferralServer: rwhois://rwhois.gblx.net:4321

    NetRange: 64.212.0.0 - 64.215.255.255
    CIDR: 64.212.0.0/14
    NetName: GBLX-11D
    NetHandle: NET-64-212-0-0-1
    Parent: NET-64-0-0-0-0
    NetType: Direct Allocation
    NameServer: NAME.ROC.GBLX.NET
    NameServer: NAME.PHX.GBLX.NET
    NameServer: NAME.SNV.GBLX.NET
    NameServer: NAME.JFK1.GBLX.NET
    Comment: rwhois.gblx.net:4321 - THESE ADDRESSES ARE
    Comment: NON-PORTABLE
    RegDate: 2000-03-15
    Updated: 2007-08-29

    RTechHandle: IA12-ORG-ARIN
    RTechName: GBLX-IPADMIN
    RTechPhone: +1-800-404-7714
    RTechEmail: ipadmin@gblx.net

    Although I don't have AdsGone running right now, their "removals.ini" shows:


    [Domains]
    D0=adlink.deh.nl
    D1=advert.stealth.nl
    D2=www.banneroverdrive.com
    D3=ads.datingyes.com
    D4=adserver2.mediainsight.de
    D5=adserver3.eudora.com
    D6=adserver4.eudora.com
    [DomainCount]
    N=7
    and their "adgonehosts.ini" has "[Domainount] N=2704", a bit too long to list here.

    Han Tacoma

    ~ Artificial Intelligence is better than none! ~
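A triage helper for exactly the question raised in posts #1 and #3: which remote hosts show up in "netstat -a -b" output, which of them hit an AdsGone-style "[Domains]" blocklist, and which rows netstat cannot attribute to a process. This is an added example, not code from the thread or from any of the tools named in it. The netstat text and the removals.ini content are constructed samples modelled on what the poster quoted (same hostnames and addresses, cut down), not a live capture. One caveat the parser makes visible: a TIME_WAIT row with PID 0 belongs to a connection the local side already closed, so "-b" has no owning process to name; to learn which program opened such connections you have to sample while they are still ESTABLISHED.

```python
import re
from collections import Counter

# Constructed sample modelled on the netstat -a -b output quoted in post #1
# (hostnames/addresses from the thread, trimmed; not a live capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    mymachine:microsoft-ds mymachine:0            LISTENING       4
  [System]

  TCP    mymachine:1046         ads.datingyes.com:1110 TIME_WAIT       0
  TCP    mymachine:1047         209.170.118.56:http    TIME_WAIT       0
  TCP    mymachine:1049         209.170.118.11:http    TIME_WAIT       0
  TCP    mymachine:1059         64.212.198.11:http     TIME_WAIT       0
  UDP    mymachine:ms-sql-m     *:*                                    1708
  [sqlservr.exe]

  UDP    mymachine:1041         *:*                                    1640
  C:\\WINDOWS\\system32\\mswsock.dll
  [svchost.exe]
"""

# Constructed blocklist in the removals.ini layout quoted in post #3.
SAMPLE_REMOVALS_INI = """
[Domains]
D0=adlink.deh.nl
D3=ads.datingyes.com
[DomainCount]
N=2
"""

# One socket row: proto, local, foreign, optional TCP state, PID.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Turn netstat -a -b text into dicts. A '[name.exe]' line attaches to the
    preceding socket row; the DLL lines netstat prints in between are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "foreign": foreign,
                         "state": state or "", "pid": int(pid), "owner": None})
        elif line.strip().startswith("[") and line.strip().endswith("]") and rows:
            rows[-1]["owner"] = line.strip()[1:-1]
    return rows


def host_of(endpoint):
    """'ads.datingyes.com:1110' -> 'ads.datingyes.com'; '*:*' -> '*'."""
    return endpoint.rsplit(":", 1)[0]


def foreign_hosts(rows):
    """Count remote hosts of TCP rows that are not listeners."""
    return Counter(host_of(r["foreign"]) for r in rows
                   if r["proto"] == "TCP" and r["state"] != "LISTENING")


def unattributed(rows):
    """Rows with PID 0: no process owns the socket any more (typically
    TIME_WAIT), so -b cannot say which program made the connection."""
    return [r for r in rows if r["pid"] == 0]


def load_blocklist(ini_text):
    """Read the [Domains] section of a removals.ini-style file."""
    domains, section = set(), None
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Domains" and "=" in line:
            domains.add(line.split("=", 1)[1].strip().lower())
    return domains


def matches_blocklist(host, blocklist):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in blocklist)


def triage(netstat_text, ini_text):
    """Summarise a netstat dump against a domain blocklist."""
    rows = parse_netstat(netstat_text)
    blocked = load_blocklist(ini_text)
    return {
        "foreign": foreign_hosts(rows),
        "blocked_hits": sorted({host_of(r["foreign"]) for r in rows
                                if matches_blocklist(host_of(r["foreign"]), blocked)}),
        "unattributed": len(unattributed(rows)),
        "listeners": {r["local"]: r["owner"] for r in rows if r["state"] == "LISTENING"},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_NETSTAT, SAMPLE_REMOVALS_INI).items():
        print(key, value)
```

Run it a few times at intervals after boot and diff the "foreign" counters: a host that keeps reappearing in ESTABLISHED state with a PID is something you can attribute; a host that only ever shows up as TIME_WAIT/PID 0 tells you the traffic happened before you looked. Because matches_blocklist treats subdomains as hits, a list entry of "datingyes.com" would also cover "ads.datingyes.com", which is how a domain-level block differs from an exact-host one.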

  4. #4
    Senior Member LaoziSailor
    Join Date
    May 2004
    Location
    Toronto, Canada
    Posts
    1,601
    unset.domain.tld is a domain that didn't get listed on my previous posts.
    "domain.tld" is bogus so I did a Google search on it and found (strange stuff):
    robtex swiss army knife internet tool - http://www.robtex.com/cnet/85.17.40.html

    pastebin - collaborative debugging tool - http://pastebin.com/m3814b2ed

    Statistika pro www.bohunovice.info - October 2006 - Sites - http://www.bohunovice.info/stat/site_200610.html
    This stuff could be weirdly useful too.
    Han Tacoma

    ~ Artificial Intelligence is better than none! ~
