Netstat Cmd shows something fishy...

Post by Sl1ck_x on Wed Feb 06, 2013 3:31 pm

Hey, it's been a while since I've gone on this site. I used to come here religiously for months, but then school got in the way. Ultimately, I ended up not taking care of my computer properly when downloading or viewing sites and had a kind of carefree attitude for a while. Well, bottom line is I think I fucked up my computer somewhere along the way, and that I might have trojans or viruses or RATs...

Here is a copy of my netstat -ano command, which I used to watch what was connecting where and to whom...
*SideNote* I changed my IP address to the 111.111.1.111 that you see below AND I had literally just restarted my computer, let it boot up and then ran the netstat cmd without opening any programs!

C:\Users\victor>netstat -ano

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 860
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 560
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 960
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 656
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 1020
TCP 0.0.0.0:49159 0.0.0.0:0 LISTENING 624
TCP 0.0.0.0:49160 0.0.0.0:0 LISTENING 2896
TCP 127.0.0.1:5354 0.0.0.0:0 LISTENING 2052
TCP 127.0.0.1:5354 127.0.0.1:49158 ESTABLISHED 2052
TCP 127.0.0.1:8888 0.0.0.0:0 LISTENING 3888
TCP 127.0.0.1:27015 0.0.0.0:0 LISTENING 2012
TCP 127.0.0.1:27015 127.0.0.1:49191 ESTABLISHED 2012
TCP 127.0.0.1:49158 127.0.0.1:5354 ESTABLISHED 2012
TCP 127.0.0.1:49191 127.0.0.1:27015 ESTABLISHED 3432
TCP 111.111.1.111:139 0.0.0.0:0 LISTENING 4
TCP 111.111.1.111:49163 23.62.97.67:80 TIME_WAIT 0
TCP 111.111.1.111:49164 23.62.97.67:80 TIME_WAIT 0
TCP 111.111.1.111:49165 23.62.97.67:80 TIME_WAIT 0
TCP 111.111.1.111:49166 23.62.97.67:80 TIME_WAIT 0
TCP 111.111.1.111:49167 96.17.77.35:80 TIME_WAIT 0
TCP 111.111.1.111:49168 96.17.77.35:80 TIME_WAIT 0
TCP 111.111.1.111:49169 96.17.77.35:80 TIME_WAIT 0
TCP 111.111.1.111:49170 96.17.77.35:80 TIME_WAIT 0
TCP 111.111.1.111:49171 96.17.77.35:80 TIME_WAIT 0
TCP 111.111.1.111:49172 96.17.77.35:80 TIME_WAIT 0
TCP 111.111.1.111:49173 96.17.77.35:80 TIME_WAIT 0
TCP 111.111.1.111:49174 96.17.77.35:80 TIME_WAIT 0
TCP 111.111.1.111:49175 96.17.77.35:80 TIME_WAIT 0
TCP 111.111.1.111:49176 96.17.77.35:80 TIME_WAIT 0
TCP 111.111.1.111:49177 96.17.77.35:80 TIME_WAIT 0
TCP 111.111.1.111:49178 96.17.77.35:80 TIME_WAIT 0
TCP 111.111.1.111:49179 96.17.77.64:80 TIME_WAIT 0
TCP 111.111.1.111:49182 23.62.97.112:80 TIME_WAIT 0
TCP 111.111.1.111:49185 23.62.97.112:80 TIME_WAIT 0
TCP 111.111.1.111:49186 23.62.97.112:80 TIME_WAIT 0
TCP 111.111.1.111:49187 23.62.97.112:80 TIME_WAIT 0
TCP 111.111.1.111:49198 209.87.211.146:443 TIME_WAIT 0
TCP 111.111.1.111:49199 96.17.77.178:80 TIME_WAIT 0
TCP 111.111.1.111:49200 96.17.77.178:80 TIME_WAIT 0
TCP 111.111.1.111:49201 96.17.77.178:80 TIME_WAIT 0
TCP 111.111.1.111:49202 96.17.77.178:80 TIME_WAIT 0
TCP 111.111.1.111:49203 96.17.77.178:80 TIME_WAIT 0
TCP 111.111.1.111:49206 23.62.97.67:80 TIME_WAIT 0
TCP 111.111.1.111:49207 96.17.77.64:80 TIME_WAIT 0
TCP 111.111.1.111:49209 96.17.77.64:80 TIME_WAIT 0
TCP 111.111.1.111:49210 96.17.77.64:80 TIME_WAIT 0
TCP [::]:135 [::]:0 LISTENING 860
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:49152 [::]:0 LISTENING 560
TCP [::]:49153 [::]:0 LISTENING 960
TCP [::]:49154 [::]:0 LISTENING 656
TCP [::]:49155 [::]:0 LISTENING 1020
TCP [::]:49159 [::]:0 LISTENING 624
TCP [::]:49160 [::]:0 LISTENING 2896
UDP 0.0.0.0:500 *:* 1020
UDP 0.0.0.0:3702 *:* 1944
UDP 0.0.0.0:3702 *:* 1944
UDP 0.0.0.0:4500 *:* 1020
UDP 0.0.0.0:5355 *:* 1080
UDP 0.0.0.0:57868 *:* 2052
UDP 0.0.0.0:61606 *:* 1944
UDP 127.0.0.1:1900 *:* 2116
UDP 127.0.0.1:57866 *:* 2012
UDP 127.0.0.1:57867 *:* 2012
UDP 127.0.0.1:58673 *:* 2116
UDP 127.0.0.1:58674 *:* 3432
UDP 127.0.0.1:58675 *:* 3432
UDP 111.111.1.111:137 *:* 4
UDP 111.111.1.111:138 *:* 4
UDP 111.111.1.111:1900 *:* 2116
UDP 111.111.1.111:5353 *:* 2052
UDP 111.111.1.111:58672 *:* 2116
UDP [::]:500 *:* 1020
UDP [::]:4500 *:* 1020
UDP [::]:5355 *:* 1080
UDP [::]:57869 *:* 2052


Now PIDs 2052 and 2012 are not located in my task manager, and although 3432 was located (harmless), what does it mean when I can't find the PID? Also, I noticed a lot of the ports that were being LISTENED to are 49000 or greater; does that indicate that a trojan has infected my computer?

I've been running McAfee and ZoneAlarm but they never find anything... Can you guys help me decode that netstat cmd and help figure out what's going on? My general impression of it is that someone is spoofing their IP address to fit mine... Thoughts on any of this?

*Sorry it's all close together*


Re: Netstat Cmd shows something fishy...

Post by WallShadow on Wed Feb 06, 2013 5:59 pm

Here are a few things you can do:

Run a command prompt as the administrator and run the command 'netstat -abno'; that should tell you the name of the process using the port.

Task Manager doesn't normally show all of your programs unless you hit 'Show processes from all users'.

To view the process which is doing this using the PID, use the command ' tasklist /FI "PID eq YOURPIDHERE" ' or ' tasklist /FI "PID eq YOURPIDHERE" /SVC ' to see what services are running in that process. Honestly, a quick Google search tells me that it's not always malicious.

Now, your theory on someone spoofing their IP to fit yours seems pretty wrong to me. To spoof your IP, you don't really need to actually root someone else's computer. Although it is simple that way, there are better ways to approach this problem.
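The triage WallShadow describes (netstat output cross-referenced with tasklist) can be scripted once the two outputs have been saved to files. The following is an added example, not code posted in this thread: it parses text in the layout of `netstat -ano`, joins it with `tasklist /FO CSV` output, and reports the things worth looking at first: sockets bound to a non-loopback address (reachable from the network), remote peers, and PIDs that hold sockets but do not appear in the process list, which is what the original poster saw for 2052 and 2012 (a process list taken as a non-administrator can miss processes of other users). The sample rows below are constructed from the listing in the first post and deliberately leave 2052 and 2012 out of the tasklist snapshot. Two facts the script encodes: Windows Vista and later hand out dynamic ports from 49152 upward, so services listening there is the normal case rather than an indicator on its own, and TIME_WAIT entries show PID 0 because the connection has already been closed and no process owns it any more.

```python
import csv
import io
import re
from ipaddress import ip_address

# Default dynamic (ephemeral) port range on Windows Vista and later: 49152-65535
EPHEMERAL_START = 49152

# Constructed sample in the layout of `netstat -ano` (excerpt of the thread's listing)
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       860
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       560
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       2052
  TCP    127.0.0.1:27015        127.0.0.1:49191        ESTABLISHED     2012
  TCP    111.111.1.111:49163    23.62.97.67:80         TIME_WAIT       0
  TCP    111.111.1.111:49198    209.87.211.146:443     TIME_WAIT       0
  TCP    [::]:135               [::]:0                 LISTENING       860
  UDP    0.0.0.0:5355           *:*                                    1080
  UDP    111.111.1.111:5353     *:*                                    2052
"""

# Constructed sample in the layout of `tasklist /FO CSV`; PIDs 2052 and 2012 are
# intentionally missing to mimic a process list that did not show every process.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,234 K"
"svchost.exe","860","Services","0","5,678 K"
"wininit.exe","560","Services","0","3,210 K"
"svchost.exe","1080","Services","0","4,321 K"
"""

# One netstat row: proto, local, foreign, optional state (UDP rows have none), PID
_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); handles IPv6 '[::]:135' and the UDP wildcard '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per socket row; banner, blank and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        lhost, lport = split_endpoint(m["local"])
        fhost, fport = split_endpoint(m["foreign"])
        rows.append({"proto": m["proto"], "local_host": lhost, "local_port": lport,
                     "foreign_host": fhost, "foreign_port": fport,
                     "state": m["state"] or "", "pid": int(m["pid"])})
    return rows


def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /FO CSV` output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def is_loopback(host):
    return host not in ("*", "") and ip_address(host).is_loopback


def is_real_peer(host):
    """A foreign host worth looking up: not a wildcard, not loopback, not 0.0.0.0 / ::."""
    if host in ("*", ""):
        return False
    addr = ip_address(host)
    return not (addr.is_loopback or addr.is_unspecified)


def triage(netstat_text, tasklist_text):
    rows, procs = parse_netstat(netstat_text), parse_tasklist_csv(tasklist_text)
    report = {"reachable_listeners": [],  # bound to a non-loopback address: exposed to the network
              "ephemeral_listeners": [],  # TCP listeners in the dynamic range (normal for services)
              "remote_peers": set(),      # foreign hosts to look up (whois / reverse DNS)
              "orphan_pids": set(),       # PIDs with sockets but no tasklist entry
              "time_wait": 0}             # closed connections still timing out; PID 0
    for r in rows:
        if r["state"] == "TIME_WAIT":
            report["time_wait"] += 1
        if r["pid"] != 0 and r["pid"] not in procs:
            report["orphan_pids"].add(r["pid"])
        entry = (r["proto"], r["local_port"], r["pid"], procs.get(r["pid"], "?"))
        if (r["state"] == "LISTENING" or r["proto"] == "UDP") and not is_loopback(r["local_host"]):
            report["reachable_listeners"].append(entry)
        if r["state"] == "LISTENING" and r["local_port"] >= EPHEMERAL_START:
            report["ephemeral_listeners"].append(entry)
        if is_real_peer(r["foreign_host"]):
            report["remote_peers"].add(r["foreign_host"])
    return report


if __name__ == "__main__":
    for key, value in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items():
        print(f"{key}: {value}")
```

To run it against a real machine, save `netstat -ano` and `tasklist /FO CSV` output from an elevated prompt to two files and pass their contents to `triage`; the orphan list should then be empty, and any PID that still has no image name is the one to inspect with `tasklist /FI "PID eq <pid>" /SVC`.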


Re: Netstat Cmd shows something fishy...

Post by Sl1ck_x on Thu Feb 07, 2013 12:35 am

I was using the netstat -b command, but I never knew I could combine it with -ano to view the processes and their PIDs. I seemed to find only programs like iTunes Helper or the web browser, along with maybe a Windows program like mDNSResponder, nothing out of the ordinary. But occasionally I would find processes that say "Cannot obtain ownership information". So I would try and do a tracert on their IP address or hostname (if it was visible but not identifiable), and sometimes I would find out it was just Akamai Technologies or some other benign program. However, I tried the tracert earlier today and the route showed about 11 'jumps' before slowing down, and then started repeating "Request timed out" for each additional jump, which would take even longer than the one before it...

I'm probably just being paranoid about the situation, but I don't understand why I have such a long list for a netstat command. I was looking at examples of other people who have documented their findings online, and they have less than half of what I have, while I'm not even running anything on my desktop and they are.

Just seems fishy to me ... Even if the ports are only "LISTENING".