
Thread: What the..?

  1. #1
    Drop it like it's hot Howard's Avatar

    What the..?

    Ok can someone take a look at the below code (command prompt/netstat) and tell me why I have all these weird connections?? I have thoroughly scanned my PC for viruses and spyware/adware etc and can notice no suspect processes running. I just upgraded from the XP firewall to ZoneAlarm Pro and it's blocked about 860 connection attempts and rapidly rising - it mainly says ICMP under the protocol tab..

    Any ideas what the hell is happening?

    Code:
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.
    
    C:\Documents and Settings\Howard Canning>netstat
    
    Active Connections
    
      Proto  Local Address          Foreign Address        State
      TCP    howard:epmap           public1-ledn1-3-cust244.leed.broadband.ntl.com:2839  ESTABLISHED
      TCP    howard:epmap           public1-york2-3-cust85.leed.broadband.ntl.com:4693  ESTABLISHED
      TCP    howard:epmap           public2-epso1-6-cust176.hers.broadband.ntl.com:3256  ESTABLISHED
      TCP    howard:epmap           public2-port2-3-cust58.cosh.broadband.ntl.com:3071  ESTABLISHED
      TCP    howard:epmap           public1-walt4-3-cust8.walt.broadband.ntl.com:3528  ESTABLISHED
      TCP    howard:epmap           public2-bagu5-3-cust89.bagu.broadband.ntl.com:2934  ESTABLISHED
      TCP    howard:epmap           public2-bolt4-4-cust83.oldh.broadband.ntl.com:3329  ESTABLISHED
      TCP    howard:epmap           public2-cosh2-4-cust32.cosh.broadband.ntl.com:4137  ESTABLISHED
      TCP    howard:3017            api.ebay.com:https     CLOSE_WAIT
      TCP    howard:4580            baym-cs80.msgr.hotmail.com:1863  ESTABLISHED
      TCP    howard:4719            upload.ntlworld.com:ftp  ESTABLISHED
      TCP    howard:4721            upload.ntlworld.com:ftp  ESTABLISHED
      TCP    howard:4730            upload.ntlworld.com:ftp  ESTABLISHED
      TCP    howard:4732            upload.ntlworld.com:ftp  ESTABLISHED
      TCP    howard:3001            howard:4719            ESTABLISHED
      TCP    howard:3001            howard:4730            ESTABLISHED


  2. #2
    Senior Member
    ICMP = Internet Control Message Protocol or something like that. It's the protocol that programs like PING and TRACER[ou]T[e] use, so it's not something to worry about.

    The four upload.ntlworld.com:ftp entries are, obviously, for an FTP server that you were connected to.

    api.ebay.com:https is also harmless (You were on ebay earlier and closed the browser, correct?)

    baym-cs80.msgr.hotmail.com would be that evil MSN Messenger, I do believe.

    The two howard: ones are local services running on your machine, usually something to do with Windows' internal workings.

    EPMAP I do not recognize. Google tells me it's port 135. This is cause for concern, because this is a port related to the MSBlaster worm that is still doing the rounds. It seems you are infected with it, and it's odd that your antivirus didn't pick it up. Either way, follow the removal instructions just to be safe: http://securityresponse.symantec.com...ster.worm.html
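
A way to triage output like the netstat listing in post #1 for the pattern post #2 flags (remote hosts connected to the local epmap port, 135), as an added example that is not part of any post in this thread. The sample rows and `.example` hostnames are constructed, and the parser assumes the 80-column console wrap falls inside the remote port, as it does in the listing above.

```python
import re

# Constructed sample in the shape of the netstat output in post #1, including
# the console wrap that splits the remote port across two lines.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    howard:epmap           public1-cust244.leed.broadband.isp.example:2
839  ESTABLISHED
  TCP    howard:epmap           public2-cust176.hers.broadband.isp.example:3
256  ESTABLISHED
  TCP    howard:3017            api.shop.example:https     CLOSE_WAIT
  TCP    howard:4719            upload.isp.example:ftp  ESTABLISHED
  TCP    howard:3001            howard:4719            ESTABLISHED
"""

# proto, local host:port, remote host:port, state (UDP rows have no state
# column and are skipped by this pattern).
ROW = re.compile(r"^(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(\S+)$")

# netstat prints the service name unless run with -n, so accept both forms.
RPC_PORTS = {"epmap", "135"}


def parse_netstat(text):
    """Return (proto, lhost, lport, rhost, rport, state) tuples, rejoining wrapped rows."""
    rows = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(("Proto", "Active")):
            continue                      # blank line or header
        if s.startswith(("TCP", "UDP")):
            rows.append(s)                # start of a new connection row
        elif rows:
            rows[-1] += s                 # wrapped tail of the previous row
    return [m.groups() for m in map(ROW.match, rows) if m]


def inbound_rpc_peers(text):
    """Remote hosts holding a connection to the local RPC endpoint mapper.

    A row whose *local* port is 135/epmap was opened by the remote side,
    which is the part of the listing worth investigating first.
    """
    return [(rhost, rport, state)
            for _, lhost, lport, rhost, rport, state in parse_netstat(text)
            if lport.lower() in RPC_PORTS and rhost.lower() != lhost.lower()]


if __name__ == "__main__":
    for host, port, state in inbound_rpc_peers(SAMPLE):
        print(f"inbound to epmap from {host}:{port} ({state})")
```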

  3. #3
    Goat Boy
    api.ebay.com:https is also harmless (You were on ebay earlier and closed the browser, correct?)
    Ah yes, Internet Explorer maintaining zombie connections. Good old Microsoft
    "All our beliefs are being challenged now, and rightfully so, they're stupid." - Bill Hicks

  4. #4
    Cable Guy Jonny M's Avatar
    IMHO ditch ZoneAlarm and use Sygate Personal Firewall - http://soho.sygate.com . I find it a lot better as a firewall, and it's free for personal use.

  5. #5
    Senior Member
    Originally posted by DaBeeeenster
    Ah yes, Internet Explorer maintaining zombie connections. Good old microsoft
    Gozilla 4[.11] also has this problem under Win9x, though it's more fatal. It's not so much Gozilla's fault as it is Microsoft's Winsock 2, which contains a nice little bug.

    This bug basically results in sockets not getting closed correctly, leaving them in the CLOSE_WAIT state. Seeing as Gozilla is the intelligent "multiple pieces at once" downloader that it is, it's continually opening new sockets, which, when "closed," remain open in the CLOSE_WAIT state until you exit Gozilla. Now, under 9x, at least, sockets are not an infinite commodity - my 98SE capped out at around 60 sockets. When you get to the point that all available sockets are used (or, in this case, stuck in CLOSE_WAIT), it gives the illusion that your ISP's DNS servers are down. Nothing works. It took me several hours of bugging my ISP's tech support, reinstalling TCP/IP, etc., etc. to finally sort the problem.

    Of course, I did report this to Aureate (I think the makers of Gozilla are called), giving exact links to Microsoft's KB articles where they describe the problem as well as work-arounds. Last I checked, Aureate had done absolutely nothing about it. So I no longer use Gozilla.

  6. #6
    Goat Boy
    Originally posted by Caged
    IMHO ditch ZoneAlarm and use Sygate Personal Firewall - http://soho.sygate.com . I find it a lot better as a firewall, and it's free for personal use.
    I agree SPF is good. Not as good as Linux for a firewall, but it's the best Windows one I've used...
