
Determining legitimate TCP connections


3 replies to this topic

#1 fullerdav

Posted 10 March 2014 - 06:46 PM

I was hacked a few months ago mainly due to my own carelessness. Since then I've been pretty vigilant about computer security. I'm using Emsisoft Online Armor firewall and repeatedly see TCP port 80 connections to numeric IP addresses with no DNS entries. I reported one of these as a phishing site because it had a complete Google search mockup in place and Netcraft confirmed it was a phishing site. Since then I see more of these numeric IPs but usually they return "invalid URL" error when I try to open them. I submitted a few more of these IPs to Netcraft but they responded they were not phishing sites.

 

Why does my PC have connections on port 80 to sites with no web server or DNS? Should I assume it is malicious? Is opening the IP in my browser dangerous? Am I screwed? Or is it just that whacky open internet thing?

 

Any insight is appreciated.


#2 quietman7


Posted 11 March 2014 - 05:46 AM

On a Web server or Hypertext Transfer Protocol daemon, port 80 is the port that the server "listens to" or expects to receive from a Web client, assuming that the default was taken when the server was configured or set up. A port can be specified in the range from 0-65536 on the NCSA server. However, the server administrator configures the server so that only one port number can be recognized. By default, the port number for a Web server is 80.

What is Port 80
How Web Servers Work

"Invalid URL" messages are not uncommon and there are various reasons for receiving them. In many cases they can be resolved by clearing your browser cache and cookies, then opening an elevated Command Prompt and typing: ipconfig /flushdns

You can use netstat, a command-line tool that displays incoming and outgoing network connections to check whether or not a port is open on your system, to obtain Local/Foreign Addresses, PID and listening state.
  • netstat /? lists all available parameters that can be used.
  • netstat -a lists all active TCP connections and the TCP and UDP ports on which the computer is listening.
  • netstat -b lists all active TCP connections, Foreign Address, State and process ID (PID) for each connection.
  • netstat -n lists active TCP connections. Addresses and port numbers are expressed numerically; no attempt is made to determine names.
  • netstat -o lists active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with parameters -a, -n, and -p as shown below:
    • netstat -an
    • netstat -ano
* Understanding the Netstat Command?
* How to Detect hackers with netstat
* Secrets of netstat usage
* How to Investigate a port in Windows and Linux

-- If the port in question is listed as "Listening" there is a possibility that it is in use by a Trojan server, but your firewall, if properly configured, should have blocked any attempt to access it. A "listening" state is when a program on a computer listens and waits on an open port to accept (establish) a connection with a remote computer on another port. See What is the Difference between Established/Listening Ports?

By default, Windows Task Manager will not show the PID of a process. You have to enable it from the View menu. To view the PID in Task Manager:
1. Open Task Manager and click the Processes tab.
2. Click View in the top menu and choose Select Columns...
3. Place a check mark in the box next to PID (Process identifier)
4. Click OK.

There are online port scanning services which can be used to check for open and vulnerable ports:
* Shields Up will alert users of any ports that have been opened through firewalls or NAT routers.
* Online Port Scan allows you to scan individual TCP ports to determine if the device is listening on that port.
* Subnet Online Port Scanner allows you to scan a host or IP for an open or closed TCP port.
* MxToolbox Port Scan allows you to check what services are running and open.
* Open Port Check Tool allows you to check your external IP address and detect open ports on your connection.
* AuditMyPc Firewall Test will check your computer for ports that are commonly left open and could allow your computer to be compromised.

There are third party utilities that will allow you to manage, block, and view detailed listings of all TCP and UDP endpoints on your system, including local/remote IP addresses, state of TCP connections and the process that opened the port:

You can investigate IP addresses and gather additional information at:

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
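The manual check described in the reply above (run netstat -ano, then match each PID to a process in Task Manager) can be scripted so that only established TCP connections to remote port 80 are listed, grouped by owning process. This is an added example, not code from the thread; the netstat and tasklist output it parses is constructed sample text, and the process names in it are hypothetical.

```python
"""Added example: group ESTABLISHED TCP port-80 connections from `netstat -ano`
by owning process, using `tasklist /fo csv` to map PID -> image name."""
import csv
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (Windows layout: Proto, Local, Foreign, State, PID).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.10:49712     203.0.113.5:80         ESTABLISHED     4321
  TCP    192.168.1.10:49713     203.0.113.5:80         ESTABLISHED     4321
  TCP    192.168.1.10:49720     198.51.100.7:443       ESTABLISHED     4321
  TCP    192.168.1.10:49731     203.0.113.99:80        CLOSE_WAIT      2210
  TCP    192.168.1.10:49740     192.0.2.44:80          ESTABLISHED     7788
"""

# Constructed sample of `tasklist /fo csv` output (process names are hypothetical).
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","912","Services","0","10,000 K"
"chrome.exe","4321","Console","1","150,000 K"
"firefox.exe","2210","Console","1","120,000 K"
"updater.exe","7788","Console","1","2,000 K"
'''

# One netstat TCP row: local address, foreign address, state, PID.
NETSTAT_ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_tasklist(text):
    """Return {pid: image name} from tasklist /fo csv output."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(text.splitlines())}


def port80_by_process(netstat_text, tasklist_text, port=80):
    """Return {image name: sorted remote IPs} for ESTABLISHED connections to remote `port`.
    LISTENING and CLOSE_WAIT rows are skipped: only live outbound sessions are of interest."""
    names = parse_tasklist(tasklist_text)
    found = defaultdict(set)
    for line in netstat_text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue  # header, blank and UDP lines
        _local, remote, state, pid = m.groups()
        host, _, rport = remote.rpartition(":")  # rpartition keeps IPv6 text intact
        if state != "ESTABLISHED" or rport != str(port):
            continue
        found[names.get(int(pid), f"PID {pid} (not in tasklist)")].add(host)
    return {proc: sorted(ips) for proc, ips in found.items()}
```

On a real machine, feed it the output of `netstat -ano` and `tasklist /fo csv`; a port-80 connection owned by an unfamiliar image name is the case worth investigating further, while ones owned by the browser match what the topic starter describes.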

#3 fullerdav


Posted 11 March 2014 - 08:35 AM

Thanks for your detailed response. I will need to do some digging and try to find out what is going on.

 

I understand that a properly configured firewall should block malicious activity, but these appear to be TCP connections opened by my own browser, and my firewall will accept responses from requests initiated by me. There seem to be a lot more of these when I use Chrome as opposed to Firefox. I open Chrome, go to a few well known sites and I have 3 or 4 of these "zombie" connections.

 

I'll read up and begin using the tools you mentioned.



#4 quietman7


Posted 11 March 2014 - 04:57 PM

You're welcome and good luck.