
IP Detection?


3 replies to this topic

#1 PandaBear20202


Posted 10 December 2009 - 12:08 PM

Hey y'all,

I'm having some problems with the Conficker worm. I have cleaned it from my computer and several other PCs, and have Symantec Endpoint installed on them.
But I'm having an issue when I log in to the PCs: Symantec says there were detections while I was logged out. When I check the logs it says it was Conficker. Is there any program I can use to detect where these infections are coming from? It looks like Symantec is blocking it, but it's getting sent from some PC on my network, and I do not know which one.

Any help would be appreciated.

Thanks!

---Panda

PS: Sorry if this is the wrong section for this type of post.



#2 quietman7


Posted 10 December 2009 - 03:06 PM

Hackers use "port scanning" to search for vulnerable computers with open ports using IP addresses or a group of random IP address ranges so they can break in and install malicious programs (viruses, Trojans). Botnets and Zombie computers scour the net, randomly scanning a block of IP addresses, searching for vulnerable ports - commonly probed ports and make repeated attempts to access them. If your computer is sending out large amounts of data, this usually indicates that your system may have a virus or a Trojan horse.

If your firewall provides an alert which indicates it has blocked access to a port that does not necessarily mean your system has been compromised. The alerts allow the firewall to notify you in various ways about possible penetration and intrusion attempts on your computer. It is not unusual for a firewall to provide numerous alerts regarding such attempted access. However, not all unrequested traffic is malevolent. Even your ISP will send out regular checks to see if your computer is still there, so you may need to investigate an attempted intrusion.

You can use netstat, a command-line tool that displays incoming and outgoing network connections, from a command prompt to obtain Local/Foreign Addresses, PID and listening state.
  • netstat /? lists all available parameters that can be used.
  • netstat -a lists all active TCP connections and the TCP and UDP ports on which the computer is listening.
  • netstat -b lists all active TCP connections, Foreign Address, State and process ID (PID) for each connection.
  • netstat -n lists active TCP connections. Addresses and port numbers are expressed numerically and no attempt is made to determine names.
  • netstat -o lists active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p (example: netstat -ano).
-- If the port in question is listed as "Listening" there is a possibility that it is in use by a Trojan server but your firewall, if properly configured, should have blocked any attempt to access it.

You can use Process Monitor, an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity or various network traffic monitoring tools for troubleshooting and malware investigation.

There are third party utilities that will allow you to manage, block, and view detailed listings of all TCP and UDP endpoints on your system, including local/remote addresses, state of TCP connections and the process that opened the port:

Caution: If you're going to start blocking ports, be careful which ones you block or you may lose Internet connectivity. For a list of TCP/UDP ports and notes about them, please refer to:

You can investigate IP addresses and gather additional information at:
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
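
An added example, not part of the posts above: one way to turn a saved `netstat -ano` capture (for instance `netstat -ano > capture.txt`) into a tally of which remote hosts are connecting to ports this machine listens on, which is the question the topic starter asked. The sample capture, its addresses and PIDs, and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed `netstat -ano` capture; every address and PID here is made up.
SAMPLE = """\
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:445       192.168.1.37:1189      ESTABLISHED     4
  TCP    192.168.1.10:445       192.168.1.37:1190      TIME_WAIT       0
  TCP    192.168.1.10:445       192.168.1.37:1191      ESTABLISHED     4
  TCP    192.168.1.10:445       192.168.1.52:2044      ESTABLISHED     4
  TCP    192.168.1.10:49201     203.0.113.20:80        ESTABLISHED     2316
  UDP    0.0.0.0:500            *:*                                    612
"""

def split_endpoint(endpoint):
    """Split 'addr:port' (IPv4 or bracketed IPv6) into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), port

def parse_netstat(text):
    """Return one dict per TCP/UDP row; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue
        # UDP rows have no State column, so they carry four fields, not five.
        state = f[3] if len(f) == 5 else ""
        rows.append({"proto": f[0], "local_port": split_endpoint(f[1])[1],
                     "remote": split_endpoint(f[2])[0],
                     "state": state, "pid": f[-1]})
    return rows

def listening_ports(rows):
    """Map each listening TCP port to the PID that owns it."""
    return {r["local_port"]: r["pid"] for r in rows if r["state"] == "LISTENING"}

def inbound_sources(rows):
    """Count (remote address, local port) pairs that target a listening port."""
    listening = listening_ports(rows)
    hits = Counter()
    for r in rows:
        # A connection whose local port is one we listen on was opened by the peer.
        if r["proto"] == "TCP" and r["state"] != "LISTENING" and r["local_port"] in listening:
            hits[(r["remote"], r["local_port"])] += 1
    return hits

print(inbound_sources(parse_netstat(SAMPLE)).most_common())
```

`netstat` shows only the connections that exist at the moment it runs, so take several captures (`netstat -ano 5` repeats the listing every 5 seconds) before drawing conclusions from the tally.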


#3 PandaBear20202


Posted 11 December 2009 - 11:24 AM

Thanks for your help, this is exactly what I need.

#4 quietman7


Posted 11 December 2009 - 03:40 PM

You're welcome.