Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Blocking Hackers

  • Please log in to reply
4 replies to this topic

#1 Cullyinwestfork


  • Members
  • 2 posts
  • Local time:12:54 AM

Posted 08 November 2014 - 08:50 PM

I have noticed some odd things happening on my system. I did a netstat -ano and found several ESTABLISHED states, I have traced several to places in DC and Kansas. Is there a good software so I can block these connections? I have a RT-AC66R router. I am trying to figure out what is bringing in all these connections. In the past Zonealarm was a mainstream but I don't hear much about it any more.


BC AdBot (Login to Remove)


#2 shelf life

shelf life

  • Malware Response Team
  • 2,679 posts
  • Gender:Male
  • Location:@localhost
  • Local time:01:54 AM

Posted 09 November 2014 - 10:30 AM

A established tcp/ip connection in netstat dosnt mean its malware/hackers. A machine could have many legitimate established connections and states. If you want to look farther than a netstat -b or tasklist would match the PID or .exe to the process.

Assuming it was malware you wouldnt block it, you would remove the offending process from your machine with updated antivirus/antimalware apps.

A firewall could also alert you to a chatty process.


How Can I Reduce My Risk to Malware?

#3 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,716 posts
  • Gender:Male
  • Local time:07:54 AM

Posted 09 November 2014 - 04:51 PM

You can use Sysinternals' Tcpview to have the same information, with process names, in a GUI application.

Didier Stevens

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019


If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.


Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"

#4 Ezzah


  • Members
  • 438 posts
  • Gender:Male
  • Location:Australia
  • Local time:03:54 PM

Posted 15 November 2014 - 12:25 AM

As been stated above, established connections doesn't mean that you have a virus, or establishment with a botnet server or RAT. Your best way of blocking anything like that wouldn't be through your router, but rather, killing/removal of the offending malware.


Again, as above, run some AV scans (updated of course), or look for suspiciously named processes through "netstat -b" (must be run with elevation). Take note, however, if you are infected with botnet malware, they only connect to their master-server at a periodic level, not a continuous stream, so netstat may not account for it. In these cases, other sources of weird behaviour account to their existence.


However, in your case, I highly doubt that you have an issue.


#5 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,744 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:54 AM

Posted 05 December 2014 - 05:56 PM

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users