
Re: This is getting worse

(THIS IS MY 4th ATTEMPT TO POST THIS FROM VARIOUS COMPUTERS AFTER BEING BLOCKED ON ANOTHER COMPUTER)

For the past few days I have suspected that something had gone wrong with my main computer (the one I do most Internet activity through).

Symptoms were:

1) ZoneAlarm stopped warning me of unexpected connections to my computer.

2) Every now and then I seemed to lose control of my mouse & keyboard, and at the same time there was traffic on my DSL modem (& ZoneAlarm was saying nothing).

3) A few days ago a small Netscape window popped up saying that there was an update to Netscape and to click to apply it. Because I had just installed Netscape 7 some weeks ago I clicked it, then almost immediately thought "that's a bit odd" & tried stopping Netscape, but I have a feeling that loaded a trojan or back-door. My wife later said she has been getting that same Netscape message almost every 4 or 5 times she starts her notebook up (it too has NS7).

Anyway, tonight what really satisfied me that someone was into my computer was that when the mouse & keyboard froze & the cable activity flashed up, a message appeared on my screen that file 'InfoSec Policies' was no longer mounted. Well, that is a file I have on a memory stick & I had removed that memory stick earlier in the night. Then another file name came up for a security file I also keep on that memory stick. These files were listed in my documents list as recently accessed files.

So after all the other funnies with posting to IWETHEY, I think I am the target of someone's security service. Being in China, my first suspicion is that it is local. I am not aware of any damage being done to any of my computers, just a constant bombardment of emails with what I have always considered viruii attached & which I avoid like the plague they are.

So maybe I will need to rebuild this computer from scratch in the hope I can clean out any back-door software, & as for ZoneAlarm, it is supposed to warn me *any* time a bit of software tries to open a port to anything. I have removed and reinstalled it. I half wonder if there is some cooperation between MS, Netscape, ZoneAlarm etc. with US security agencies who want to access people's computers. I have no proof that is what is happening here.

I am not sure what program is listening on port 49213 - looks odd. I also notice I am getting occasional flashes on my DSL modem (but I have shut down the network card).
The flashes look like what a back-door client seeking to access a backdoor server might make. What also puzzles me is the ports 192.168.0.3:137 and 192.168.0.3:138, as I have disabled sharing on that network adapter ???

Any comments on the ports in use, allowing that I have ZoneAlarm Pro active, are welcome.



Cheers

Doug Marker

PS below is my netstat. 192.10.100.x is my internal network;
192.168.0.x is my Wi-Fi network with router.

TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1028 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1030 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1032 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1031 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1031 127.0.0.1:1032 ESTABLISHED
TCP 127.0.0.1:1032 127.0.0.1:1031 ESTABLISHED
TCP 127.0.0.1:5180 0.0.0.0:0 LISTENING
TCP 127.0.0.1:49213 0.0.0.0:0 LISTENING
TCP 192.10.200.11:139 0.0.0.0:0 LISTENING
TCP 192.168.0.3:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:135 *:*
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1026 *:*
UDP 192.10.200.11:137 *:*
UDP 192.10.200.11:138 *:*
UDP 192.10.200.11:500 *:*
UDP 192.168.0.3:500 *:*




Didja ever use...
Ever use DB2 on that machine?

'Cause the "default" search server runs on that port as a service to the localhost only.

Also, the HTML help browser service for Visual Age comes to mind too... I think it was on that port for localhost only also.

Seems NetQuestion (part of UDB) also uses that port... All these products are from the SAME vendor... IBM.

greg (curley95@attbi.com) - Grand-Master Artist in IT
REMEMBER ED CURRY!!! http://www.iwethey.org/ed_curry/

Your friendly Homeland Security Officer reminds:
Hold Thumbprint to Screen for 5 seconds, we'll take the imprint, or
Just continue to type on your keyboard, and we'll just sample your DNA.
Re: Yes both - still have VA Smalltalk Installed
I thought the number seemed familiar.

Thanks - Doug


#1 - hmmm, this post didn't get blocked - the one above got blocked 4 times over 4 hrs until I dialled in to a different ISP port & it got through.

I am beginning to suspect that the entry into my computer may have been through remote login, as I had been using auto start-up for the primary user. I have stopped that now & activated requiring Ctrl-Alt-Del.

I have noticed a steady pattern of pings coming to my computers. ZoneAlarm seems to be again picking up this stuff (after I did a reinstall).

Just now though, I noticed one of my computers with an alien IP addr with ports 137 & 138 open ???

169.254.174.15

I have no idea what that IP address is.

Cheers

Doug
Edited by dmarker2 Nov. 22, 2002, 12:01:24 PM EST
Re: Yes both - still have VA Smalltalk Installed
The 169.254 address is the 'automatic' IP address Microsoft networking gives your machine when it can't find a DHCP-ish server on the network, or there's no static IP defined. Also, 192.168.x.x is a valid address range to use for an internal network; however 192.10.x.x is not. Those are public addresses.
-----
Steve
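To make the netstat listing in Doug's post and the address classes Steve describes concrete, here is an added Python example. It is not code from the thread or from any of its authors, and it uses only the standard library. It parses a Windows `netstat -an` (or `-ano`) listing, buckets each bound address as wildcard, loopback, link-local (APIPA, 169.254.0.0/16, which is what 169.254.174.15 is), RFC 1918 private, or public (which is where 192.10.x.x lands), and reports which listeners are reachable from the network versus loopback-only. The embedded sample is the listing from the post, with the truncated last row completed to `*:*`. Port descriptions are the IANA/Microsoft assignments for the ports that appear; 5180 and 49213 are deliberately left unannotated, since the only thing the thread has for them is a vendor recollection.

```python
"""Triage a Windows netstat listing: network-reachable vs. loopback-only listeners,
plus the address class of every bound IP.  Added example, standard library only."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Sample input: the `netstat -an` listing from the post above (last UDP row completed).
NETSTAT_OUTPUT = """
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1028 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1030 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1032 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1031 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1031 127.0.0.1:1032 ESTABLISHED
TCP 127.0.0.1:1032 127.0.0.1:1031 ESTABLISHED
TCP 127.0.0.1:5180 0.0.0.0:0 LISTENING
TCP 127.0.0.1:49213 0.0.0.0:0 LISTENING
TCP 192.10.200.11:139 0.0.0.0:0 LISTENING
TCP 192.168.0.3:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:135 *:*
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1026 *:*
UDP 192.10.200.11:137 *:*
UDP 192.10.200.11:138 *:*
UDP 192.10.200.11:500 *:*
UDP 192.168.0.3:500 *:*
"""

# IANA / Microsoft assignments for the ports that occur in the listing.
WELL_KNOWN = {
    135: "MS-RPC endpoint mapper",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service (SMB over NetBIOS)",
    445: "SMB directly over TCP/UDP",
    500: "ISAKMP/IKE (IPsec key exchange)",
}


@dataclass
class Socket:
    proto: str
    ip: str
    port: int
    foreign: str
    state: str            # TCP only; UDP rows have no state column
    pid: Optional[int]    # present only with `netstat -ano`


def parse_netstat(text: str) -> list[Socket]:
    """Parse the TCP/UDP rows of netstat output; header and blank lines are skipped.
    IPv6 locals such as [::]:135 are handled by stripping the brackets."""
    sockets: list[Socket] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        ip, _, port = local.rpartition(":")
        state = parts[3] if proto == "TCP" and len(parts) > 3 else ""
        pid = int(parts[-1]) if parts[-1].isdigit() else None   # trailing PID column from -o
        sockets.append(Socket(proto, ip.strip("[]"), int(port), foreign, state, pid))
    return sockets


def classify_address(ip: str) -> str:
    """Bucket a bound address.  Order matters: 0.0.0.0/8 and 169.254/16 are also inside
    ipaddress's is_private, so the narrower classes are tested first."""
    addr = ipaddress.ip_address(ip.strip("[]"))
    if addr.is_unspecified:
        return "wildcard"      # bound on every interface
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"    # IPv4 169.254/16 = APIPA: no DHCP lease, no static address
    if addr.is_private:
        return "private"       # RFC 1918 and other non-routable ranges
    return "public"            # globally routable; 192.10.x.x falls here, 192.168.x.x does not


def exposure(sock: Socket) -> str:
    """Who can reach this socket: nobody remote (loopback), or anyone on the link."""
    if sock.proto == "TCP" and sock.state != "LISTENING":
        return "connection"          # an established/closing pair, not a listener
    if classify_address(sock.ip) == "loopback":
        return "loopback-only"       # only processes on this host can connect
    return "network-reachable"       # wildcard or interface-bound: reachable over that link


def audit(text: str) -> list[dict]:
    """One row per socket with address class, exposure and a port annotation."""
    return [
        {
            "proto": s.proto, "ip": s.ip, "port": s.port, "pid": s.pid,
            "addr_class": classify_address(s.ip),
            "exposure": exposure(s),
            "service": WELL_KNOWN.get(s.port, "no well-known assignment: identify the owning process"),
        }
        for s in parse_netstat(text)
    ]


if __name__ == "__main__":
    for r in audit(NETSTAT_OUTPUT):
        if r["exposure"] != "connection":
            print(f'{r["proto"]} {r["ip"]}:{r["port"]:<6} {r["addr_class"]:<10} '
                  f'{r["exposure"]:<18} {r["service"]}')
```

Run against the posted listing, the script separates the three loopback-only listeners (1031, 5180, 49213, which nothing off the machine can talk to) from the fifteen sockets bound to the wildcard address or to the 192.10.200.11 and 192.168.0.3 interfaces, and it marks 192.10.200.11 as public and 169.254.174.15 as link-local. On Windows XP and later, `netstat -ano` adds the owning PID as a trailing column, which the parser picks up so each unexplained port can be tied to a process.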