Suspicious netstat connections. Any cause for concern?

Gary Busey

From time to time I get suspicious netstat connections listed with DNS names
containing "dialup" or "DSL" or "ADSL". The reason these DNS names sound
suspicious to me is because I am doing nothing more than browsing regular
web pages. I do not have any other programs running that would have my
computer make connections with any "dialup", "DSL", or "ADSL" DNS names -
any programs such as P2P software or AOL AIM, streaming videos, etc. I am
just using normal web browsing, yet I still get these persistent
connections from these "dialup" or "DSL" or "ADSL" DNS names. I would think
that thru regular web browsing, my computer shouldn't be making any
connections to any DNS names with "dialup", "DSL", or "ADSL" in their
names.




An example of the suspicious offenders from my netstat results:


TCP leonardo:epmap dialup-67.30.107.18.Dial1.SanJose1.Level3.net:3757 ESTABLISHED

TCP leonardo:epmap adsl-33-163-234.asm.bellsouth.net:1348 ESTABLISHED


DNS names with 'Level3.net' seem to be a frequent offender.


I am running Windows XP Pro. I've searched through the running processes in
the Task Manager, everything looks normal. I see all the usual running
processes, nothing out of the ordinary. I've looked at my startup, RUN
entries in the registry via regedit. Nothing unusual is loading. I have all
the latest patches, and virus scan done and definitions up to date.

Do these connections sound suspicious to anyone? Any cause for concern?
 
Karl Levinson [x y] mvp

Doesn't sound good to me. Get a firewall. There are even free ones,
including www.kerio.com and www.sygate.com

This could be nothing, but at this point you may also want to inspect
your computer for signs of intrusion using antivirus with the latest
updates such as www.grisoft.com which is free antivirus. Other things
you may want to consider doing are here:

http://securityadmin.info/faq.asp#hacked
http://securityadmin.info/faq.asp#re-secure
http://securityadmin.info/faq.asp#harden

These appear to be inbound RPC connections TO your computer.
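
The reply above reads the listing as inbound connections to the local RPC endpoint mapper (epmap, TCP 135). As an added illustration, not part of anyone's post in this thread, the Python sketch below parses netstat lines and flags established inbound connections to that and similar Windows services. The port table, the direction heuristic (a port below 1024 on one side and a higher port on the other) and the last two sample lines are assumptions.

```python
import re

# Service names that netstat prints when run without -n (subset).
SERVICE_PORTS = {"epmap": 135, "netbios-ssn": 139, "microsoft-ds": 445,
                 "http": 80, "https": 443}
# Windows services a desktop should not expose to Internet hosts.
EXPOSED = {135: "RPC endpoint mapper", 139: "NetBIOS session", 445: "SMB"}

LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):([\w-]+)\s+(\S+):([\w-]+)\s+([A-Z_]+)\s*$")

SAMPLE = """\
TCP leonardo:epmap dialup-67.30.107.18.Dial1.SanJose1.Level3.net:3757 ESTABLISHED
TCP leonardo:epmap adsl-33-163-234.asm.bellsouth.net:1348 ESTABLISHED
TCP leonardo:1042 www.example.com:http ESTABLISHED
TCP leonardo:epmap leonardo:0 LISTENING
"""  # first two lines are from the post; the last two are constructed

def to_port(token):
    """Return a port number for a numeric or named netstat port, else None."""
    return int(token) if token.isdigit() else SERVICE_PORTS.get(token)

def classify(line):
    """Parse one netstat line; guess direction from which side uses a service port."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _, _, lport, rhost, rport, state = m.groups()
    lp, rp = to_port(lport), to_port(rport)
    direction = "unknown"
    if lp is not None and rp is not None:
        if lp < 1024 <= rp:
            direction = "inbound"    # remote client connected to a local service
        elif rp < 1024 <= lp:
            direction = "outbound"   # local client connected to a remote service
    return {"local_port": lp, "remote_host": rhost, "remote_port": rp,
            "state": state, "direction": direction}

def inbound_exposed(text):
    """Return established inbound connections to services listed in EXPOSED."""
    hits = []
    for line in text.splitlines():
        c = classify(line)
        if c and c["state"] == "ESTABLISHED" and c["direction"] == "inbound" \
                and c["local_port"] in EXPOSED:
            hits.append({**c, "service": EXPOSED[c["local_port"]]})
    return hits
```

Calling inbound_exposed(SAMPLE) returns the two epmap entries from the post and skips the browser connection and the listening socket.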
 
Mike

Sounds like the blaster worm is in your midst.

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
 
