
Unsolicited Connection to Ports


9 replies to this topic

#1 Joequine


Posted 12 October 2009 - 03:48 PM

I have recently had my computer hacked into and since have bought a router and set it up between my DSL modem and computer. I have also bought and downloaded McAfee Security and an anti-spyware. I think the hacker is being kept out now. On my security log I keep getting this message that a computer at home.domain.actdsltmp has attempted an unsolicited connection to different ports. There is an IP associated with this. Is this someone trying to hack in or is it some website I am going to?
I am suspicious that someone is still trying to access my computer. The person doing this is known to me but I don't know how to stop it.



#2 Animal


Posted 12 October 2009 - 04:38 PM

Does the IP associated with home.domain.actdsltmp happen to be close to 192.168.0.? I have left off the last portion as it varies.

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)



#3 Joequine


Posted 12 October 2009 - 05:23 PM

Yes that is the IP. The port number is different for each attempt though.

#4 Animal


Posted 12 October 2009 - 07:04 PM

That IP is your computer behind the router. What's happening is application/s on your computer are attempting to access the web, such as MS updates, AV updates and web browsing.

Use the following port list to see if the right applications are accessing their assigned ports. http://www.iana.org/assignments/port-numbers


#5 Joequine


Posted 12 October 2009 - 07:49 PM

Ok so I checked that and understood some of it. I then looked up port knocking and found this. # Dynamic/Private Ports Ranging from 49152 to 65535, these things are rarely used except with certain programs, and even then not very often. This is indeed the usual range of the Trojan, so if you find any of these open, be very suspicious. So, just to recap
I am posting some of my inbound events log. Attempted unsolicited connection to UDP port 56192 or port 57419, 64935 etc... all high numbers except the ones that say commonly used by icslap etc.

Also there is one log that says. A computer at 192.168.1.1 has pinged your computer. The source IP is "non-routable" IP

Thanks for the help

#6 Stang777


Posted 12 October 2009 - 09:23 PM

I would scan your computer with Malwarebytes and SuperAntiSpyware to see if you have any trojans on your system.

#7 Joequine


Posted 13 October 2009 - 12:47 PM

I scanned my computer with SuperAntiSpyware and my McAfee antivirus and found nothing but ad cookies. This morning a window popped up that says "Generic Host Process for Win32 Services". It is an error report stating it has encountered a program and needs to close, and says the following files will be included in this error report:
C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\WER201a.dir00\svchost.exe.mdmp
C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\WER201a.dir00\appcompat.txt


So I went to that directory to see what it is and couldn't find anything, even when I made it so I could see hidden files. Also when I try to open the Owner folder I get this message: "Owner is not accessible. Access is denied"

Am I just being paranoid or could there be something on my computer I can't find? How much does a router, antivirus and firewall provide? I am pretty sure who is cracking my email account and hacked my computer, and they have left some traces. My brother called them kiddie scripters. Not sure what that means. I do have some IPs and email addresses but don't know if I can use that info to prove anything.

#8 Joequine


Posted 13 October 2009 - 06:33 PM

Well my computer shut itself down with an error that there was a missing sys32 file and wouldn't restart and the only thing I could do was a recovery. Luckily I had already moved all my files to an external hard drive when I was hacked the first time so didn't lose much but still very annoying. Can anyone tell me what could have caused this to happen?

#9 Joequine


Posted 16 October 2009 - 01:52 PM

I have McAfee antivirus, Malwarebytes and SuperAntiSpyware on my computer. In the McAfee log this morning there was this UDP port scan entry. It says my computer at 192.168.0.1 home.domain.actdsltmp has attempted to scan your system by sending a large amount of various UDP packets. The source IP is a non-routable IP.

Does this mean I have a virus or something on my computer that is not being detected? Also when that happened I had 7 pages of logs on McAfee and now I have 17 and it is all attempted access by 192.168.0.1 to different ports and all the ports are high numbers such as 51460, 64010 etc...

I am also having trouble connecting to websites.

What do I do about this? Please help if you can.

Thanks

Edited by The weatherman, 16 October 2009 - 05:51 PM.
Merged topic.~Tw


#10 tos226


Posted 16 October 2009 - 10:38 PM

What do you use for your DNS servers? The router or a service such as OpenDNS? The reason I ask is that a delayed response from a DNS server might be seen by a firewall as a port attack.

In the old days the communication was by UDP over local port 53 and remote (DNS server) port 53. That has changed. Currently remote is always 53, but random local high port numbers are where the replies come into your box.

So you need to provide the complete information of source IP, source port, remote IP and remote port and UDP or TCP protocol and direction and what application is involved. Perhaps then people can stop guessing.

I don't know whether if the router is a DNS server the high ports are involved, but suspect they are, because it was a change Microsoft made to our systems.

Take a look at your ipconfig - Start, Run, type cmd, then type ipconfig /all and check what your DNS servers are. While you're there, confirm that your computer really is 192.168.0.1 since it sounds to me more like a typical router address and likely your PC is 192.168.0.2 or .100 or some other number. Then again the modem might be in the picture. I hope the modem's address and router's are different and that you don't have two DHCP servers conflicting.

Edited by tos226, 16 October 2009 - 10:42 PM.
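
The triage the last reply asks for, as an added example that is not part of any post in this thread: once each firewall entry carries protocol, direction, source IP and port, and destination IP and port, inbound UDP from port 53 to a high local port can be separated from other LAN traffic and from routable sources. The log format, the sample lines and all function names are assumptions constructed for illustration, not McAfee's actual log layout.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample entries (NOT McAfee's real log format). Fields are the
# ones requested in the thread: protocol, direction, source IP:port, dest IP:port.
SAMPLE_LOG = """\
UDP IN 192.168.0.1:53 -> 192.168.0.2:56192
UDP IN 192.168.0.1:53 -> 192.168.0.2:57419
UDP IN 192.168.0.1:1900 -> 192.168.0.2:64935
TCP IN 203.0.113.7:41822 -> 192.168.0.2:445
ICMP IN 192.168.1.1:0 -> 192.168.0.2:0
"""

# RFC 1918 ranges: what the firewall log calls "non-routable" addresses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DYNAMIC_PORTS = range(49152, 65536)  # IANA dynamic/private port range


@dataclass
class Event:
    proto: str
    direction: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_line(line):
    proto, direction, src, _arrow, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Event(proto, direction, src_ip, int(src_port), dst_ip, int(dst_port))


def classify(ev):
    # UDP arriving from port 53 at a high local port is the shape of a DNS answer.
    if (ev.proto, ev.direction, ev.src_port) == ("UDP", "IN", 53) \
            and ev.dst_port in DYNAMIC_PORTS:
        return "probable-dns-reply"
    if any(ipaddress.ip_address(ev.src_ip) in net for net in RFC1918):
        return "lan-device"  # router or another machine on the home network
    return "internet-unsolicited"  # routable source: worth a closer look


def triage(text):
    return [(ln, classify(parse_line(ln))) for ln in text.splitlines() if ln.strip()]
```

Calling `triage(SAMPLE_LOG)` returns each line paired with its label; only the entry from a routable source address ends up as `internet-unsolicited`.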




