Re: Netstat command - remote attachments

From: Doug Holtz NOSPAM in adress (dholtzNOSPAM_at_wi.rr.com)
Date: 01/14/05 

Date: Fri, 14 Jan 2005 04:15:47 GMT

"Jem Berkes" <jb@users.pc9.org> wrote in message
news:Xns95DCD87A95670jbuserspc9org@130.179.16.24...
>> When I run netstat I see connections to remote users all over the
>> globe: usually universities in tw, se, pl, it, and ru.
>>
>> I realize this should cause me to reformat my machine, but I want to
>> learn from this first. My niece used this machine before me at
>> college.
>>
>> What do I look for on my hard drive as a running program? It is a
>> windose XP machine.
>
> Heh, I've seen this before. Those kids are probably trading movies, games,
> or other illegal content through your internet connection. You'll probably
> find some pretty neat stuff on your hard drive. But yeah, your computer is
> toast. You will have to reinstall everything, starting from scratch.
>
> I'm sorry to say that there are a zillion ways that computer could have
> become compromised. These are probably the most likely ways:
>
> - Windows XP was not kept up to date with Windows Update patches
> - There was no firewall, making exploit of vulnerable windows easier
> - The user was probably always logged in as Administrator (dangerous)
> - And the user was probably careless when installing new software
>
> I don't know what program you should be looking for. I doubt there's much
> to gain from doing that anyway. You should focus on preventing this from
> happening the next time you install.
>
> --
> Jem Berkes
> Windows, UNIX software and system design
> http://www.pc-tools.net/

Thanks Jem;

The machine originally was my brother's. It's ThinkPad laptop. It had W2K
on it. Then my niece got it for school. When I got it, I upgraded to XP
without reformatting so I could retain my brother's setting in case his IT
department wanted it back (there is a "restore procedure" built into the
startup of the machine so it can be "corporate".) Seeing he works for a
large bank, I contacted him about the connections. Spyware found some stuff
in his directories last night. At any rate, I will be re-formatting in the
near future. I did a regedit to find URL's, and didn't. Something is going
on, though.

Doug

Relevant Pages

  • Re: windows xp home edition taking ages to boot up
    ... access the net on the laptop my pc popped up with a windows message ... internet as well as giving network access to your daughter. ... that in network connections you have 1 local area connection is that ... You can access Event Viewer by selecting Start, ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: Event ID: 1006 and multiple login screens
    ... > This means that from the Windows point of view, ... > server is making multiple RDP connections from the same IP ... > number of simultaneous username/password login screens. ... > using per-device licenses, the other is using per-user licenses. ...
    (microsoft.public.windows.terminal_services)
  • RE: Network Path Lost
    ... Windows Update web page. ... By Default windows XP limits Max. TCP connections to 10 at one time. ... SynAttackProtect is set to 1, ensure that this value is lower than the AFD ...
    (microsoft.public.windowsxp.network_web)
  • Re: winsock error 10060
    ... How to determine and to recover from Winsock2 corruption in Windows ... third-party add-ons hooking up on your beowser and causing the timing out! ... Connections>> Double click Internet Options, ... Click on General Tab and you will see a Button ...
    (microsoft.public.windowsxp.general)
  • Event ID: 1006 and multiple login screens
    ... architecture is that the thin clients are just dumb graphics and I/O ... Windows point of view, the Sun Ray server is making multiple RDP ... "The terminal server received large number of incomplete connections. ... simultaneous username/password login screens. ...
    (microsoft.public.windows.terminal_services)