WinXP Pro and Port 5678

Frank Pulsucki Jr.

First let me say I am not sure if this is the right place but if not please
advise where to ask!

I have lately noticed that the light on the front of my D-Link router for my XP
Pro machine is constantly flickering, when it used to flicker nowhere near as
much. I used Norton Firewall and activated "block connections" and it promptly
stopped flickering, so my machine must be requesting something (other computers
on the network exhibit normal flickering when requests or such are made).

I then opened a command prompt (on a freshly rebooted machine, after WinXP Pro
had fully loaded and the flickering had started, with no known internet programs
running) and typed netstat, and I see two connections: TCP machinename:2869
192.168.1.1:1026 CLOSE_WAIT, and the one I am concerned about: TCP
machinename:1607 192.168.1.1:5678 ESTABLISHED. The number after the machine
name always changes for the second one, but the 5678 does not, and checking in
Norton Firewall shows constant requests back and forth on that port.

My question is what program can do this, as it does not appear to go to the
DSL connection (the modem lamp does not flash unless I am on the WWW or mail).
I tried Spybot and Ad-Aware to search for any spyware and corrected anything
found. I do not fileshare over the net (only locally), and I tried GRC.COM with
Shields Up for any open ports. So why, or how can I find out what is causing
this, and why only this particular machine (other machines on this network have
Win98 SE)?

Thanks for any input!!

Chuck

Frank,

Port 5678 is Remote Replication Agent Connection (officially), and is selected
as a random number by unknown processes also.
<http://isc.sans.org/port_details.php?port=5678>
<http://www.iss.net/security_center/advice/Exploits/Ports/5678/>

Is this incoming or outgoing traffic?

Get Port Explorer (free) from
<http://www.diamondcs.com.au/portexplorer/index.php?page=home> to show you what
network connections your computer is actually opening, and what processes are
opening them.
And Process Explorer (free) from
<http://www.sysinternals.com/ntw2k/freeware/procexp.shtml>. Provides way more
information than Task Manager.

How current is your virus protection? Try one or more of these free online
virus scans, which should complement your current protection:
<http://www.bitdefender.com/scan/license.php>
<http://www.pandasoftware.com/activescan>
<http://www.ravantivirus.com/scan/>
<http://security.symantec.com/ssc/home.asp>
<http://housecall.trendmicro.com/housecall/start_corp.asp>

Now check for, and learn to defend against, non-viral malware. Both AdAware and
Spybot S&D are good, but they are not 100% self-sufficient.

Start by downloading each of the following additional free tools:
AdAware <http://www.lavasoftusa.com/>
HijackThis <http://www.majorgeeks.com/download.php?det=3155>
LSP-Fix <http://www.cexx.org/lspfix.htm>
WinsockXPFix <http://www.spychecker.com/program/winsockxpfix.html>
Stinger <http://us.mcafee.com/virusInfo/default.asp?id=stinger>
TrendMicro Engine <http://www.trendmicro.com/download/dcs.asp>
TrendMicro Signatures <http://www.trendmicro.com/download/pattern.asp>
TrendMicro Instructions <http://www.trendmicro.com/ftp/products/tsc/readme.txt>

Create a separate folder for HijackThis, such as C:\HijackThis - copy the
downloaded file there. Create a separate folder for the two TrendMicro files,
such as C:\TrendMicro - copy the downloaded files there (unzipped if necessary).
The other downloaded programs can be copied into, and run from, any convenient
folder.

First, run Stinger. Have it remove any problems found.

Next, close all Internet Explorer and Outlook windows, and run CWShredder. Have
it fix all problems found.

Next, disable System Restore.
<http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm>
Boot your computer into Safe Mode.
http://support.microsoft.com/?id=315222
Run C:\TrendMicro\Sysclean.com. Delete any infectors found. Reboot your
computer, and re-enable System Restore.

Next, run AdAware again. First update it, configure for full scan
(<http://forums.spywareinfo.com/index.php?showtopic=11150>), then scan. When
scanning finishes, remove all Critical Objects found.

Next, run Spybot S&D again. First update it, then run a scan. Trust Spybot,
and delete everything ("Fix Problems") that is displayed in Red.

Then, run HijackThis ("Scan"). Do NOT make any changes immediately. Save the
HJT Log.
<http://forums.spywareinfo.com/index.php?showtopic=227>
<http://forums.spywareinfo.com/index.php?showtopic=11150>

Finally, have your HJT log interpreted by experts at one or more of the
following security forums (and please post a link to your forum posts, here):
Aumha: <http://forum.aumha.org/index.php>
Net-Integration: <http://forums.net-integration.net/>
Spyware Info: <http://forums.spywareinfo.com/>
Spyware Warrior: <http://spywarewarrior.com/index.php>
Tom Coyote: <http://forums.tomcoyote.org/>

If removal of any spyware affects your ability to access the internet (some
spyware builds itself into the network software, and its removal may damage your
network), run LSP-Fix and / or WinsockXPFix.

Finally, improve your chances for the future.

Harden your browser. There are various websites which will check for
vulnerabilities, here are three which I use.
http://www.jasons-toolbox.com/BrowserSecurity/
http://bcheck.scanit.be/bcheck/
https://testzone.secunia.com/browser_checker/

Block Internet Explorer ActiveX scripting from hostile websites (Restricted
Zone).
<https://netfiles.uiuc.edu/ehowes/www/main.htm> (IE-SpyAd)

Block known dangerous scripts from running.
<http://www.javacoolsoftware.com/spywareblaster.html>

Block known spyware from installing.
<http://www.javacoolsoftware.com/spywareguard.html>

Make sure that the spyware detection / protection products that you use are
reliable:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Harden your operating system. Check at least monthly for security updates.
http://windowsupdate.microsoft.com/

Block possibly dangerous websites with a Hosts file. Three Hosts file sources I
use:
http://www.accs-net.com/hosts/get_hosts.html
http://www.mvps.org/winhelp2002/hosts.htm
(The third is included, and updated, with Spybot (see above)).

Maintain your Hosts file (merge / eliminate duplicate entries) with:
eDexter <http://www.accs-net.com/hosts/get_hosts.html>
Hostess <http://accs-net.com/hostess/>

Secure your operating system, and applications. Don't use, or leave activated,
any accounts with names or passwords with trivial (guessable) values. Don't use
an account with administrative authority, except when you're intentionally doing
administrative tasks.

Use common sense. Yours. Don't install software based upon advice from unknown
sources. Don't install free software, without researching it carefully. Don't
open email unless you know who it's from, and how and why it was sent.

Educate yourself. Know what the risks are. Stay informed. Read Usenet, and
various web pages that discuss security problems. Check the logs from the
security products that you use regularly, look for things that don't belong, and
take action when necessary.

--
Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
My email is AT DOT
actual address pchuck sonic net.
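As an added, worked example (not part of the thread, and not Frank's or Chuck's code): Port Explorer and Process Explorer do the connection-to-process mapping with a GUI, but XP Pro already ships the two commands needed to answer "which process owns the connection to 192.168.1.1:5678". `netstat -ano` prints the owning PID next to every socket, and `tasklist /svc` maps that PID to an image name and, for svchost.exe, to the services hosted inside it. The script below parses the saved output of both commands and lists every connection to a given remote port with its owner. The netstat and tasklist text embedded in it is constructed sample data modelled on Frank's two connections; the PIDs, image name and service names in it are made up for the illustration, and the real answer comes only from running the commands on the affected machine. (One hint to look for in the real output: local port 2869 in Frank's first connection is the port the XP UPnP Device Host listens on, so the 5678 connection may turn out to belong to the same svchost.exe; the script shows whether it does.)

```python
"""Map `netstat -ano` connections to owning processes via `tasklist /svc`.

Added example for this thread; not code from the original posts. The sample
command output below is constructed, not captured from Frank's machine, and
the PIDs, image names and service names in it are made up for illustration.
"""
import re
import sys

# Constructed sample of `netstat -ano` output (Windows XP Pro format).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.100:139      0.0.0.0:0              LISTENING       4
  TCP    192.168.1.100:2869     192.168.1.1:1026       CLOSE_WAIT      1044
  TCP    192.168.1.100:1607     192.168.1.1:5678       ESTABLISHED     1044
  UDP    192.168.1.100:1900     *:*                                    1044
"""

# Constructed sample of `tasklist /svc` output (PID/service mapping made up).
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                   1044 SSDPSRV, upnphost
explorer.exe                  1500 N/A
"""


def split_addr(addr):
    """Split 'host:port' into (host, port); port is None for '*' (UDP)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse `netstat -ano` rows into dicts. UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        if parts[0] == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        lhost, lport = split_addr(parts[1])
        rhost, rport = split_addr(parts[2])
        rows.append({"proto": parts[0], "local_host": lhost, "local_port": lport,
                     "remote_host": rhost, "remote_port": rport,
                     "state": state, "pid": pid})
    return rows


# image name, whitespace, PID, whitespace, service list. Continuation lines of
# long service lists start with spaces and deliberately do not match.
_TASKLIST_ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>\S.*)$")


def parse_tasklist(text):
    """Map PID -> (image name, [hosted services]) from `tasklist /svc` output."""
    procs = {}
    for line in text.splitlines():
        m = _TASKLIST_ROW.match(line)
        if not m:
            continue  # header, separator, blank or continuation line
        svc_text = m.group("services")
        services = [] if svc_text == "N/A" else [s.strip() for s in svc_text.split(",")]
        procs[int(m.group("pid"))] = (m.group("image"), services)
    return procs


def connections_to(netstat_text, tasklist_text, remote_port, remote_host=None):
    """Return every connection to remote_port (optionally only to remote_host),
    annotated with the owning process image and the services it hosts."""
    procs = parse_tasklist(tasklist_text)
    hits = []
    for row in parse_netstat(netstat_text):
        if row["remote_port"] != remote_port:
            continue
        if remote_host is not None and row["remote_host"] != remote_host:
            continue
        image, services = procs.get(row["pid"], ("<unknown>", []))
        hits.append(dict(row, image=image, services=services))
    return hits


if __name__ == "__main__":
    # Usage: netstat.py [netstat.txt tasklist.txt]; with no files, the
    # constructed samples above are used.
    if len(sys.argv) == 3:
        netstat_text = open(sys.argv[1]).read()
        tasklist_text = open(sys.argv[2]).read()
    else:
        netstat_text, tasklist_text = NETSTAT_SAMPLE, TASKLIST_SAMPLE
    for c in connections_to(netstat_text, tasklist_text, 5678, "192.168.1.1"):
        print("%s %s:%s -> %s:%s %s pid=%d %s [%s]" % (
            c["proto"], c["local_host"], c["local_port"], c["remote_host"],
            c["remote_port"], c["state"], c["pid"], c["image"],
            ", ".join(c["services"])))
```

On the XP box, capture the two command outputs while the light is flickering (`netstat -ano > C:\netstat.txt` and `tasklist /svc > C:\tasklist.txt`), then run the script with those two file names. XP SP2 also accepts `netstat -b`, which prints the executable name directly, but it needs an administrator account and is slow; the PID route above works on any XP Pro build. If the owning process is svchost.exe, the service list is the part that matters, since one svchost instance hosts several services.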