
Thread: Help me understand all those open connections...

  1. #1
    Member kinkymaster's Avatar
    Join Date
    Jan 2006
    Location
    Between the legs !
    Posts
    72

    Help me understand all those open connections...

    if u like to have a curious disguse about internet, in this site....... plz......... stop hacking my pc.......... i can tell everything i know.......... and all staff i really know, is in my mind and not in my pc. what r u trying to manage doing that foolishness. r u 15 years old all u here?

    Who can really tell me about?
    So STOP doing my pc and my e-mail accounts a mess.

  2. #2
    ♫♪ ♫♪ ♫♪ ♫♪ downhill's Avatar
    Join Date
    Jan 2000
    Location
    My Own Private Idaho
    Posts
    34,796
    Quote Originally Posted by kinkymaster
    if u like to have a curious disguse about internet, in this site....... plz......... stop hacking my pc.......... i can tell everything i know.......... and all staff i really know, is in my mind and not in my pc. what r u trying to manage doing that foolishness. r u 15 years old all u here?

    Who can really tell me about?
    So STOP doing my pc and my e-mail accounts a mess.
    I can assure you there isn't anyone here doing anything like that. It's not possible for the general membership and the staff has better things to do than to waste time trying to hassle you.


    Locked.

  3. #3
    Administrator Philip's Avatar
    Join Date
    May 1999
    Location
    Jacksonville, Florida, United States
    Posts
    10,530
    Blog Entries
    6
    Please do not cross-post.

    As I stated in the other thread:

    The only possible simulated "attack" from our server is a security scan, that is user generated, and has a clear disclaimer:
    http://www.speedguide.net/scan.php

    If not, I don't know what you're talking about. Your attempts to troll against the site, the TCP Optimizer and the staff will not be tolerated, unless you can produce evidence to back them up. We respect people's privacy, and we do not "hack" anyone's PCs.

  4. #4
    Member kinkymaster's Avatar
    Join Date
    Jan 2006
    Location
    Between the legs !
    Posts
    72

    who is the hacker here? !!!

    ok guys......... listen my story now.

    Since the time i got access in your site, my beautiful (3) scanners " alerts " me, a scanfit listening, from unknown ip address.
    that is happening (up till now), every time i connect to the internet ( and NOT necessary in your site). So i decided to let this ip passing through.
    The result was the mess that configured to my pc. E-mail addresses, tweaked internet registry values (suspicious..... dont u think?), prefetch folder, internet access (stolen my account), start up services and some other that i dont remember now....... what a mess !!!
    after that, i decided to find who is, hiding my information from u and waiting 4 you to answer. All that stuff are known to me 3 weeks now.

    P.S. : No pro...... i found and remove all entries easily

    So, now im posting the bad scan fit ip address that is attempting (up till now) to be established
    IP = 127.0.0.1 / 63.217.30.70


    Resolve/Reverse Lookup: 127.0.0.1 resolved to speedguide.net DNS Query Results: speedguide.net.
    2388 IN A 63.217.30.70

    Domain Name: SPEEDGUIDE.NET
    Registrar: DOTSTER, INC.
    Whois Server: whois.dotster.com
    Referral URL: http://www.dotster.com
    Name Server: NS1.NAMERESOLVE.COM
    Name Server: NS2.NAMERESOLVE.COM
    Name Server: NS3.NAMERESOLVE.COM
    Name Server: NS4.NAMERESOLVE.COM
    Status: ACTIVE
    Updated Date: 16-jun-2004
    Creation Date: 05-may-1999
    Expiration Date: 19-oct-2007

    OrgName: Internet Assigned Numbers Authority
    OrgID: IANA
    Address: 4676 Admiralty Way, Suite 330
    City: Marina del Rey
    StateProv: CA
    PostalCode: 90292-6695
    Country: US

    NetRange: 127.0.0.0 - 127.255.255.255
    CIDR: 127.0.0.0/8
    NetName: LOOPBACK
    NetHandle: NET-127-0-0-0-1
    Parent:
    NetType: IANA Special Use
    Comment: Please see RFC 3330 for additional information.
    RegDate:
    Updated: 2002-10-14

    OrgAbuseHandle: IANA-IP-ARIN
    OrgAbuseName: Internet Corporation for Assigned Names and Number
    OrgAbusePhone: +1-310-301-5820
    OrgAbuseEmail: abuse@iana.org

    OrgTechHandle: IANA-IP-ARIN
    OrgTechName: Internet Corporation for Assigned Names and Number
    OrgTechPhone: +1-310-301-5820
    OrgTechEmail: abuse@iana.org


    GOODNIGHT.......... AND SEARCH FOR SOME OTHER BEGINNERS TO PLAY WITH !!!
    Last edited by kinkymaster; 01-31-06 at 11:08 AM. Reason: changing uncomfortable title !

  5. #5
    SG Enthusiast koldchillah's Avatar
    Join Date
    Apr 2002
    Location
    Orlando, FL
    Posts
    4,611
    OMG!!! HACKERS HERE AT SPEEDGUIDE!! OMGIDKWTD!!!!! AAAAHHHH!!!!! QUICK! Unplug teh Intarwebs!!

    <<clears throat>>

    I take it you've never heard of "IP spoofing"?

    The only thing your post proves is that your box was most likely infected with malware before coming to this site. When you finally allowed the IP to pass through to your computer, the malware ran its course (stealing your info etc), using the IP address of the last visited website or random site from your history as its source and therefore infecting your host file's loopback entry making it apparent to you (and your 3 beautiful scanners) that the SG web server was targeting you meanwhile that was hardly the case. If there was a true "hacker" getting into your PC, he is probably laughing his a$$ off at the fact that you would actually "re-visit" the same site you suspect to have hacked you in the first place. DOH!

    Here, you definitely need to study this link before posting another dubious claim about Speedguide admins (or any other legit tech-site) hacking your computer : http://www.securityfocus.com/infocus/1674

    Have a good day.
    "Nobody's invincible, no plan is foolproof, We all must meet our moment of truth." - Guru

  6. #6
    Administrator Philip's Avatar
    Join Date
    May 1999
    Location
    Jacksonville, Florida, United States
    Posts
    10,530
    Blog Entries
    6
    As koldchillah already stated, it could easily be anyone out there. I assure you we're much more interested in securing our users' PCs than hacking them.

    From all the info you posted, there is very little useful information that one can get to help clear or resolve this issue.

    What 3 scanners are you using?
    Why would you get infected if you are using 3 of them in the first place?
    What did you get infected with?
    What did they report that is coming from our domain/IP addresses (other than cookies used for you to remain logged in to the site)?

    Believe me, it doesn't make any sense hacking your PC from our webserver's IP address, that would be just silly.

    P.S. I've merged both threads on the same topic from the same user

  7. #7
    Member kinkymaster's Avatar
    Join Date
    Jan 2006
    Location
    Between the legs !
    Posts
    72

    read this plz

    ok........ lets say that i believe u and i need some help........ so try to explain that to me. This is a scan analysis report 5 minutes ago. Of course before entering to your site. Try to help me plz.

    + Created on: 5:20:22 μμ, 31/1/2006
    + Report-Checksum: CCD39AF2

    TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:1028 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:1033 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:44334 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:44501 0.0.0.0:0 LISTENING
    TCP **.***.**.***:139 0.0.0.0:0 LISTENING
    TCP **.***.**.***:1073 **.**.**.***:1863 ESTABLISHED
    TCP **.***.**.***:1090 **.**.**.***:5222 ESTABLISHED
    TCP **.***.**.***:1480 **.**.**.***:80 TIME_WAIT
    TCP **.***.**.***:1482 **.**.**.***:80 TIME_WAIT
    TCP **.***.**.***:1491 **.**.**.***:80 TIME_WAIT
    TCP **.***.**.***:1492 **.**.**.***:80 TIME_WAIT
    TCP **.***.**.***:1554 **.**.**.***:80 TIME_WAIT
    TCP **.***.**.***:1616 **.**.**.***:80 TIME_WAIT
    TCP **.***.**.***:1620 **.**.**.***:80 TIME_WAIT
    TCP **.***.**.***:1624 **.**.**.***:80 TIME_WAIT
    TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:1025 127.0.0.1:1072 ESTABLISHED
    TCP 127.0.0.1:1025 127.0.0.1:1589 TIME_WAIT
    TCP 127.0.0.1:1025 127.0.0.1:1613 TIME_WAIT
    TCP 127.0.0.1:1026 127.0.0.1:44334 ESTABLISHED
    TCP 127.0.0.1:1028 127.0.0.1:1030 ESTABLISHED
    TCP 127.0.0.1:1030 127.0.0.1:1028 ESTABLISHED
    TCP 127.0.0.1:1031 127.0.0.1:44334 ESTABLISHED
    TCP 127.0.0.1:1033 127.0.0.1:1035 ESTABLISHED
    TCP 127.0.0.1:1035 127.0.0.1:1033 ESTABLISHED
    TCP 127.0.0.1:1036 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:1049 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:1072 127.0.0.1:1025 ESTABLISHED
    TCP 127.0.0.1:1093 127.0.0.1:1025 CLOSE_WAIT
    TCP 127.0.0.1:1095 127.0.0.1:1025 CLOSE_WAIT
    TCP 127.0.0.1:1097 127.0.0.1:1025 CLOSE_WAIT
    TCP 127.0.0.1:1099 127.0.0.1:1025 CLOSE_WAIT
    TCP 127.0.0.1:1447 127.0.0.1:1025 CLOSE_WAIT
    TCP 127.0.0.1:1615 127.0.0.1:1025 TIME_WAIT
    TCP 127.0.0.1:1623 127.0.0.1:1025 TIME_WAIT
    TCP 127.0.0.1:44334 127.0.0.1:1026 ESTABLISHED
    TCP 127.0.0.1:44334 127.0.0.1:1031 ESTABLISHED
    UDP 0.0.0.0:445
    UDP 0.0.0.0:500
    UDP 0.0.0.0:1027
    UDP 0.0.0.0:1029
    UDP 0.0.0.0:1032
    UDP 0.0.0.0:1034
    UDP 0.0.0.0:1069
    UDP 0.0.0.0:1166
    UDP 0.0.0.0:4500
    UDP 0.0.0.0:44334
    UDP 127.0.0.1:123
    UDP 127.0.0.1:1074
    UDP 127.0.0.1:1157
    UDP 127.0.0.1:1900


    Plz if u say that u dont doing that. try to understand that i believe u and i need your help to find out what is going on. I dont want to troll this site i dont need that. Im looking for " why your ip is attempting or establish " since i get log in to network.

  8. #8
    SG Enthusiast koldchillah's Avatar
    Join Date
    Apr 2002
    Location
    Orlando, FL
    Posts
    4,611
    You definitely need to run some scans but before you do so, it would be a good idea to disable the "system restore" feature if you are using Windows XP. To disable system restore, right click "My Computer" and choose properties, then on the System Restore tab you can check the box that says "Turn off System Restore on all drives".

    Is your antivirus software up to date with the latest virus definitions? That would be the first thing to take care of. Then immediately scan your entire system once you have validated that your antivirus software no longer needs any updates.

    Next, I'd install and scan with both of these tools:

    Microsoft Antispyware Tool:

    http://www.microsoft.com/downloads/d...displaylang=en

    Ad Aware:

    http://www.lavasoftusa.com/software/adaware/

    Finally, check if your system is clean with a utility known as HijackThis!, found on this page:

    http://www.spywareinfo.com/~merijn/downloads.html

    Be careful what you choose to repair with hijackthis. If you feel uncertain about what to delete, post your hijackthis log here for us to look at and we'll try to help.
    "Nobody's invincible, no plan is foolproof, We all must meet our moment of truth." - Guru

  9. #9
    Member kinkymaster's Avatar
    Join Date
    Jan 2006
    Location
    Between the legs !
    Posts
    72
    im infected clean.... i just want somehow, i dont know how, with your cooperation to stop your ip attempting. Its probably a third person with your traceout, what can i do? Any suggestion?

    Philip i need your help here. I know that both of us (i mean all speedguide team) have the skills to do everything in pcs. But i dont program anymore. Dont ask me about my security soft. Just believe me and try let us try to solve this problem. Oo.... i dont think that is one of u. When attempting stop, ill inform u about and Ill post a "Huge" sorry if u think that my comments have bad feelings, but also, get to my place, i have to defend myself !!!

    Try to find out who is hero 7595 that answered to my post in general DSL forum about " test it " thread. I think that this is the guy ( May be i am hero.... who knows ). Because he got a member the exact day that i let your ip passed and thread just one post to me. Then he disappeared. do not run or better delete his mail he wrote about. It is probably a script.

    Respects

  10. #10
    IATL

  11. #11
    Administrator Philip's Avatar
    Join Date
    May 1999
    Location
    Jacksonville, Florida, United States
    Posts
    10,530
    Blog Entries
    6
    I'd be happy to get to the bottom of this as well, and I can understand your frustration.

    For the record, our webserver's IP address is 63.217.30.70

    127.0.0.1 is a loopback network connection. This means that if you try to connect to 127.0.0.1, you are immediately looped back to your own machine. If you telnet, ftp, etc... to 127.0.0.1, you are connected to your own machine.

    In other words, 127.0.0.1 is you. Just Google "loopback address" and look up the definition. You can even get a T-Shirt, "There is no place like 127.0.0.1" (home) at ThinkGeek.

    Note in your own Resolve/Reverse Lookups, that our IP is reported as 63.217.20.70, and 127.0.0.1 is reported as "IANA Special Use, see RFC 3330"... Special use meaning loopback IP.


    With that out of the way, I don't see any connections to 63.217.30.70, or speedguide.net in your netstat report.




    From what I see in your netstat...

    TCP 0.0.0.0:44334 0.0.0.0:0 LISTENING
    You're running either Tiny Personal Firewall, or Kerio Personal Firewall - they open port 44334 for administration, here's a possible exploit: http://www.securiteam.com/exploits/5HP0A2AA1Y.html

    TCP 0.0.0.0:44501 0.0.0.0:0 LISTENING
    Port used by Kerio Personal Firewall pop-up blocking for sending information about blocked pages ?

    TCP **.***.**.***:1073 **.**.**.***:1863 ESTABLISHED
    I believe port 1863 is used by MSN Messenger...

    TCP **.***.**.***:1090 **.**.**.***:5222 ESTABLISHED
    port usually used by Jabber instant messaging...

    TCP 0.0.0.0:1028 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:1033 0.0.0.0:0 LISTENING
    and any other ports in the 1024-1033 range: dynamic ports, could be anything. Some trojans also use them.

    Ports 135, 139 and 445... Normal Windows ports that should be blocked by a firewall.

    Etc. etc. etc.

    As koldchillah said, you might want to update your virus scan, and anti-spyware and check for possible intrusions.


    I hope this helps
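
The triage walked through in the post above, as an added example that is not part of the original post: it parses `netstat -an` style rows, separates loopback-only rows from listeners reachable from the network, and checks whether a given address (here the web server IP stated in the post) appears as a remote peer. The sample rows are constructed, with the masked addresses replaced by documentation ranges; the names `triage` and `to_ip` are illustrative.

```python
import ipaddress
import re

# Constructed sample in `netstat -an` layout. Listener and loopback rows mirror
# the report posted in this thread; masked addresses are replaced with
# documentation ranges, and one row is left masked to exercise that path.
SAMPLE = """\
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:44334 0.0.0.0:0 LISTENING
TCP 192.0.2.10:139 0.0.0.0:0 LISTENING
TCP 192.0.2.10:1073 198.51.100.20:1863 ESTABLISHED
TCP 192.0.2.10:1480 198.51.100.30:80 TIME_WAIT
TCP **.***.**.***:1090 **.**.**.***:5222 ESTABLISHED
TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1026 127.0.0.1:44334 ESTABLISHED
TCP 127.0.0.1:44334 127.0.0.1:1026 ESTABLISHED
UDP 0.0.0.0:500
UDP 127.0.0.1:1900
"""

# proto, local addr:port, then (TCP only) remote addr:port and state
ROW = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)(?:\s+(\S+):(\d+)\s+(\S+))?$")


def to_ip(text):
    """Return an ip_address, or None for a masked or missing address."""
    try:
        return ipaddress.ip_address(text)
    except (ValueError, TypeError):
        return None


def triage(report, watch_ip):
    """Split rows into loopback traffic, exposed listeners and remote peers."""
    watch = ipaddress.ip_address(watch_ip)
    out = {"loopback_rows": 0, "masked_rows": 0, "exposed": set(),
           "peers": set(), "watch_hit": False}
    for line in report.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        proto, laddr, lport, raddr, _rport, state = m.groups()
        local, remote = to_ip(laddr), to_ip(raddr)
        if local is None:
            out["masked_rows"] += 1        # redacted row: cannot classify
        elif local.is_loopback:
            out["loopback_rows"] += 1      # 127.0.0.0/8 never leaves the host
        elif proto == "UDP" or state == "LISTENING":
            out["exposed"].add((proto, int(lport)))  # bound to a network interface
        elif remote is not None:
            out["peers"].add(str(remote))  # actual remote endpoint
            out["watch_hit"] |= remote == watch
    return out


if __name__ == "__main__":
    for key, value in triage(SAMPLE, "63.217.30.70").items():
        print(key, value)
```
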

  12. #12
    Elite Member Lobo's Avatar
    Join Date
    Nov 2000
    Location
    Panama City, FL and a FAN of Dale Earnhardt Jr. Bud Chevy & NASCAR , and the Atlanta Braves
    Posts
    17,660
    It's G.W. Bush doing it, he's tapping our phones too, lol

  13. #13
    Member kinkymaster's Avatar
    Join Date
    Jan 2006
    Location
    Between the legs !
    Posts
    72
    thnx for answering guys,

    First i believe that the word disappointed vs frustration is likely to myself, because i think that your site, is one of the favorites.

    Izzo, i think that u completely crazy guy. I got nothing

    Lobo, i think u r crazy too, u must be friends with izzo
    take it,

    MTU = 1500
    MTU is fully optimized for broadband.
    MSS = 1460
    Maximum useful data in each packet = 1460, which equals MSS.

    Default Receive Window (RWIN) = 256960
    RWIN Scaling (RFC1323) = 2 bits (scale factor of 4)
    Unscaled Receive Window = 64240

    RWIN is a multiple of MSS
    Other values for RWIN that might work well with your current MTU/MSS:
    513920 (MSS x 44 * scale factor of 8)
    128480 (MSS x 44 * scale factor of 2)
    64240 (MSS x 44)
    bandwidth * delay product (Note this is not a speed test):

    Your RcvWindow limits you to: 10278.4 kbps (1284.8 KBytes/s) @ 200ms
    Your RcvWindow limits you to: 4111.36 kbps (513.92 KBytes/s) @ 500ms
    MTU Discovery (RFC1191) = ON
    Time to live left = 52 hops

    TTL value is ok.
    Timestamps (RFC1323) = OFF
    Selective Acknowledgements (RFC2018) = ON
    IP type of service field (RFC1349) = 00000000 (0)

  14. #14
    x-guest
    Guest

    Thumbs down

    Dude there is absolutely positively without-a-doubt nothing going on. You screwed up your own f'ing computer because you're a paranoid knuckleheaded noobster. Start using your brain to make judgements on whats going on in that noob-toy infested machine of yours instead of relying on like a fukillion av & security programs running one on top of the other on teh yu0r l337 b0xorz.


  15. #15
    Member kinkymaster's Avatar
    Join Date
    Jan 2006
    Location
    Between the legs !
    Posts
    72
    wait and dont force to answer, characterizing myself,

    i agree with philip, that now, only the loopback address is running and repeat to myself. but that is happening now. not yesterday. Also now, the firewall stops logging and alert me the port scanning by the loopback. it see it only like loopback but it doesnt let me remove it. My pc was not in that situation. it just happened. As u saw above the "who is" had the speedguides ip under and not mine. im lookin for, how to close that thing. i cant do the exploit. something more flexible. if there is something.

    PS : is anybody tried to find out what is going on with the hero7595 that answer in "test it" thread at general dsl forum? i dont know why, but i think that this is the guy we are looking for. Anybody who run to his mail?

    PS : Im trying man......... the hijack that passed, when i said permit the pass to the ip, put an .exe in the prefetch, was running in start up, changed enough registry settings, stole my emails, stole my logon account, changed all security settings in explorer, put his own password account, put and permits some .exe in firewall, disable the second firewall, disable all security soft updates and im still searching. I make some breaks......... for lunch.......sometimes . I dont think that the pc is ok right now but the scanners (fixed them), are now updated, but finds nothing. the only viewing problem i can see now, is deleting the fault ip. i believe ill find the other probs by the time, if something exists. no matter, this is a test pc anyway
    Last edited by kinkymaster; 02-01-06 at 10:18 AM.

  16. #16
    Member kinkymaster's Avatar
    Join Date
    Jan 2006
    Location
    Between the legs !
    Posts
    72
    Join Date: Sep 2002
    Location: Athens, Greece
    Posts: 65


    Hey man......... help the situation out a bit, you who are swearing too......... a spy got in through their IP.

  17. #17
    damn that Philip is a clever guy... and that is no joke..

    i am in the process of going through a MCSE qualification.. well i have about another year to go ... damn man clever **** lol

  18. #18
    Member kinkymaster's Avatar
    Join Date
    Jan 2006
    Location
    Between the legs !
    Posts
    72

    philip.... check this out plz !

    i caught this log just before. check it.

    [01/Feb/2006 12:45:24] "Ids" action = 'detected', raddr = '63.217.30.65', msg = 'PortScan', url = '', direc = 'in', class = 'network-scan', priority = portscan

    Thnx god that im not crazy and damn

  19. #19
    Administrator Philip's Avatar
    Join Date
    May 1999
    Location
    Jacksonville, Florida, United States
    Posts
    10,530
    Blog Entries
    6
    63.217.30.65 to 63.217.30.93 are all our IPs. If you got scanned from 63.217.30.65, it was probably initiated by you, running our web security audit (portscan) here: http://www.speedguide.net/scan.php
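
Attributing the logged source address, as an added example that is not part of the original posts: it parses the IDS line quoted earlier in the thread and checks `raddr` against the address range the administrator gives above, flagging loopback separately. The function names are illustrative, and the CIDR list is derived from that stated range.

```python
import ipaddress
import re

# IDS entry as posted in this thread.
LOG_LINE = ("[01/Feb/2006 12:45:24] \"Ids\" action = 'detected', "
            "raddr = '63.217.30.65', msg = 'PortScan', url = '', "
            "direc = 'in', class = 'network-scan', priority = portscan")

# Address range the administrator states belongs to the site.
SITE_FIRST = ipaddress.ip_address("63.217.30.65")
SITE_LAST = ipaddress.ip_address("63.217.30.93")

STAMP = re.compile(r"^\[([^\]]+)\]")
# key = 'quoted value'  or  key = bare_value
FIELD = re.compile(r"(\w+)\s*=\s*(?:'([^']*)'|([^\s,]+))")


def parse_ids_line(line):
    """Return the timestamp and key/value fields of one IDS log line."""
    stamp = STAMP.match(line)
    fields = {"time": stamp.group(1) if stamp else None}
    for key, quoted, bare in FIELD.findall(line):
        fields[key] = quoted or bare   # empty quoted values stay ""
    return fields


def site_cidrs():
    """The stated range as CIDR blocks, e.g. for a firewall or IDS rule."""
    nets = ipaddress.summarize_address_range(SITE_FIRST, SITE_LAST)
    return [str(n) for n in nets]


def classify_source(fields):
    """Say where the logged remote address belongs."""
    try:
        addr = ipaddress.ip_address(fields.get("raddr", ""))
    except ValueError:
        return "unparsable"
    if addr.is_loopback:
        return "loopback (this host)"
    if addr.version == 4 and SITE_FIRST <= addr <= SITE_LAST:
        return "site range"
    return "other"


if __name__ == "__main__":
    entry = parse_ids_line(LOG_LINE)
    print(entry["time"], entry["raddr"], entry["msg"], classify_source(entry))
    print(site_cidrs())
```
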

  20. #20
    Member kinkymaster's Avatar
    Join Date
    Jan 2006
    Location
    Between the legs !
    Posts
    72
    u r right........... i tested it now
    Last edited by kinkymaster; 02-01-06 at 05:06 PM.
