Re: bytes sent seems to high?

From: shaunb (shaunb_at_discussions.microsoft.com)
Date: 07/08/04


Date: Thu, 8 Jul 2004 01:03:01 -0700

this is a copy of my tcp view, might be difficult to view clearly as can't reduce the font, but is there anything abnormal going on?

cheers
shaun

[System Process]:0 TCP shaun.mshome.net:11832 shaun.mshome.net:2869 TIME_WAIT
alg.exe:128 TCP Shaun:3002 Shaun:0 LISTENING
DialBTCAnytime.exe:3584 UDP Shaun:3014 *:*
explorer.exe:1836 TCP Shaun:1024 Shaun:0 LISTENING
explorer.exe:1836 TCP Shaun:1024 localhost:3001 ESTABLISHED
fxssvc.exe:1800 TCP Shaun:3001 Shaun:0 LISTENING
fxssvc.exe:1800 TCP Shaun:3001 localhost:1024 ESTABLISHED
iexplore.exe:2900 UDP Shaun:3022 *:*
Lexpps.exe:1916 TCP Shaun:1026 Shaun:0 LISTENING
lsass.exe:980 UDP Shaun:isakmp *:*
msmsgs.exe:3220 TCP shaun:15522 Shaun:0 LISTENING
msmsgs.exe:3220 TCP shaun.mshome.net:11974 Shaun:0 LISTENING
msmsgs.exe:3220 UDP Shaun:3024 *:*
msmsgs.exe:3220 UDP shaun:16590 *:*
msmsgs.exe:3220 UDP shaun:49038 *:*
msmsgs.exe:3220 UDP shaun.mshome.net:11754 *:*
msmsgs.exe:3220 UDP shaun.mshome.net:20171 *:*
NAVAPW32.EXE:368 TCP Shaun:1027 Shaun:0 LISTENING
OUTLOOK.EXE:3716 TCP Shaun:3066 Shaun:0 LISTENING
OUTLOOK.EXE:3716 TCP shaun:3066 194.129.49.214:imap ESTABLISHED
OUTLOOK.EXE:3716 UDP Shaun:3047 *:*
svchost.exe:1148 TCP Shaun:epmap Shaun:0 LISTENING
svchost.exe:1292 TCP Shaun:1025 Shaun:0 LISTENING
svchost.exe:1292 TCP Shaun:3003 Shaun:0 LISTENING
svchost.exe:1292 TCP Shaun:3004 Shaun:0 LISTENING
svchost.exe:1292 UDP Shaun:3010 *:*
svchost.exe:1292 UDP shaun:ntp *:*
svchost.exe:1292 UDP Shaun:ntp *:*
svchost.exe:1292 UDP Shaun:3011 *:*
svchost.exe:1292 UDP Shaun:3012 *:*
svchost.exe:1292 UDP shaun.mshome.net:domain *:*
svchost.exe:1292 UDP shaun.mshome.net:bootps *:*
svchost.exe:1292 UDP shaun.mshome.net:bootpc *:*
svchost.exe:1292 UDP shaun.mshome.net:ntp *:*
svchost.exe:1476 UDP Shaun:3019 *:*
svchost.exe:1476 UDP Shaun:3027 *:*
svchost.exe:1556 TCP Shaun:2869 Shaun:0 LISTENING
svchost.exe:1556 TCP Shaun:5000 Shaun:0 LISTENING
svchost.exe:1556 UDP shaun:1900 *:*
svchost.exe:1556 UDP Shaun:1900 *:*
svchost.exe:1556 UDP shaun.mshome.net:1900 *:*
System:4 TCP Shaun:microsoft-ds Shaun:0 LISTENING
System:4 TCP Shaun:1028 Shaun:0 LISTENING
System:4 TCP shaun.mshome.net:netbios-ssn Shaun:0 LISTENING
System:4 UDP Shaun:microsoft-ds *:*
System:4 UDP shaun.mshome.net:netbios-ns *:*
System:4 UDP shaun.mshome.net:netbios-dgm *:*

"N. Miller" wrote:

> In article <F6CD01B8-A47E-45BC-8A6A-750D704600BA@microsoft.com>, shaunb says...
>
> > for some reason my bytes sent is very active, even when not doing
> > anything. Have firewall enabled, have updated my norton virus definitions
> > and have run a full system scan, also scanned system with spy sweeper, but
> > everything comes back as ok????
>
> > this problem only started a few days ago and i'm concerned i might have
> > picked up something but not sure how else to diagnose it.
>
> > any ideas or suggestions? please
>
> Run netstat -an, and post the results here. It should look something like
> this:
>
> > Active Connections
> >
> > Proto Local Address Foreign Address State
> > TCP 0.0.0.0:25 0.0.0.0:0 LISTENING
> > TCP 0.0.0.0:44334 0.0.0.0:0 LISTENING
> > TCP 0.0.0.0:110 0.0.0.0:0 LISTENING
> > TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING
> > TCP 0.0.0.0:143 0.0.0.0:0 LISTENING
> > TCP 0.0.0.0:1268 0.0.0.0:0 LISTENING
> > TCP 127.0.0.1:1034 0.0.0.0:0 LISTENING
> > TCP 172.29.61.1:139 0.0.0.0:0 LISTENING
> > TCP 192.168.102.100:139 0.0.0.0:0 LISTENING
> > TCP 192.168.102.100:1268 204.1.226.226:119 ESTABLISHED
> > UDP 0.0.0.0:514 *:*
> > UDP 0.0.0.0:44334 *:*
> > UDP 0.0.0.0:162 *:*
> > UDP 127.0.0.1:1031 *:*
> > UDP 172.29.61.1:1900 *:*
> > UDP 172.29.61.1:137 *:*
> > UDP 172.29.61.1:138 *:*
> > UDP 192.168.102.100:1900 *:*
> > UDP 192.168.102.100:137 *:*
> > UDP 192.168.102.100:138 *:*
>
> It won't be identical to mine; the result is dependent on a lot of variables
> between different computer setups. But I can identify every entry in my list,
> and even tell you which ones are visible to the Internet; most are not.
>
> You might want to check your process viewer from time to time, as well. Post
> the results of a process view check, too.
>
> It may be something ordinary, but it may be a spammer's hijack, as well. The
> latest trick for spammers is to sneak a proxy onto a residential customer's
> high speed Internet connected computer through which to send spam to port 25
> on MTAs, such as mine. Because you posted on the web site, with the CDO
> HTTP-to-NNTP process, I can't tell who your ISP is. But here is a sample
> from my mail server logs, showing a Comcast customer infection:
>
> > T 20040705 043839 40e8a7a7 Connection from 67.173.113.83
> > T 20040705 043840 40e8a7a7 HELO c-67-173-113-83.client.comcast.net
> > T 20040705 043840 40e8a7a7 MAIL FROM: <ptribs@hotmail.com>
> > E 20040705 043840 40e8a7a7 Host 67.173.113.83 blocked by Spamhaus - message rejected.
> > T 20040705 043841 40e8a7a7 QUIT
> > T 20040705 043841 40e8a7a7 Connection closed with 67.173.113.83, 2 sec. elapsed.
>
> In this case, 'c-67-173-113-83.client.comcast.net' is a residential gateway,
> and it should not be sending email directly to my MTA. My MTA sent a '5xx'
> error back to the sending computer, but the owner never saw it; the proxy
> probably either dumped it, or returned it to the spamming software on
> another remote computer beyond the proxy.
>
> Again, you may not be so infected, but you do want to run some checks to be
> sure. If everybody with a high speed Internet connection would check their
> computers periodically, a lot of spam could be choked off.
>
> --
> Norman
> ~Win dain a lotica, En vai tu ri, Si lo ta
> ~Fin dein a loluca, En dragu a sei lain
> ~Vi fa-ru les shutai am, En riga-lint
>
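
An added example, not part of the original posts: one way to triage a TCPView text dump like the one above, separating bound listeners and same-machine traffic from connections to outside hosts, and marking outbound SMTP, the pattern the quoted reply describes for a spam proxy. The set of local host names and the last sample row are assumptions made for the illustration.

```python
import re
from collections import Counter

# TCPView text row: process:pid proto local remote [state]
ROW = re.compile(r"^(?P<proc>.+?):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
                 r"(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>\S+))?$")
SMTP_PORTS = {"25", "smtp"}  # TCPView prints service names when it knows them

def classify(line, local_names):
    """Return (process, pid, remote, kind) for one row, or None if unparseable."""
    m = ROW.match(line.strip())
    if not m:
        return None
    host, _, port = m["remote"].rpartition(":")
    if m["proto"] == "UDP" or m["state"] == "LISTENING":
        kind = "listener"          # bound socket, no peer recorded
    elif host.lower() in local_names:
        kind = "local"             # loopback / same-machine traffic
    elif port.lower() in SMTP_PORTS:
        kind = "remote-smtp"       # outbound SMTP: expected only from a mail client
    else:
        kind = "remote"
    return m["proc"], int(m["pid"]), m["remote"], kind

def triage(dump, local_names):
    """Count rows per kind and list every connection that leaves the machine."""
    rows = [r for r in (classify(l, local_names) for l in dump.splitlines()) if r]
    counts = Counter(kind for *_, kind in rows)
    remote = [r for r in rows if r[3].startswith("remote")]
    return counts, remote

# Rows copied from the post, plus one constructed row (last) to show the SMTP flag.
SAMPLE = """\
[System Process]:0 TCP shaun.mshome.net:11832 shaun.mshome.net:2869 TIME_WAIT
explorer.exe:1836 TCP Shaun:1024 localhost:3001 ESTABLISHED
fxssvc.exe:1800 TCP Shaun:3001 localhost:1024 ESTABLISHED
msmsgs.exe:3220 UDP shaun:16590 *:*
OUTLOOK.EXE:3716 TCP Shaun:3066 Shaun:0 LISTENING
OUTLOOK.EXE:3716 TCP shaun:3066 194.129.49.214:imap ESTABLISHED
svchost.exe:1556 TCP Shaun:5000 Shaun:0 LISTENING
System:4 UDP shaun.mshome.net:netbios-ns *:*
unknown.exe:4242 TCP shaun:3100 192.0.2.25:smtp ESTABLISHED
"""
LOCAL = {"shaun", "shaun.mshome.net", "localhost"}  # assumed names of this PC

if __name__ == "__main__":
    counts, remote = triage(SAMPLE, LOCAL)
    print(dict(counts))
    for proc, pid, peer, kind in remote:
        print(f"{kind:12} {proc} (pid {pid}) -> {peer}")
```

A "remote-smtp" row from the mail client itself is normal; the same row from any other process is the one to investigate.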


