
Unexpected SYN_SENT's to port 445

Former Member Posts: 1,876,323 The Mix Honorary Guru
I just ran the netstat -n command and there's loads of "SYN_SENT" messages that are being sent to port 445 to 81.157.xxx.xxx. Does anyone know what this could be?

Comments

  • Former Member Posts: 1,876,323 The Mix Honorary Guru
    Secure internet network traffic... Does it happen all the time, or just when you are on a particular site?
  • Former Member Posts: 1,876,323 The Mix Honorary Guru
    Sorry if this sounds very daft, but how do you run the netstat -n command?
  • Former Member Posts: 1,876,323 The Mix Honorary Guru
    Google what netstat is before you use it.

    Go to Start>>Run>>Type cmd

    then type netstat -a or -n; check out Google for its other commands.
  • Former Member Posts: 1,876,323 The Mix Honorary Guru
    ok cheers
  • Former Member Posts: 1,876,323 The Mix Honorary Guru
    445?

    common port used by trojans in conjunction with security holes
  • Former Member Posts: 1,876,323 The Mix Honorary Guru
    Here's a snippet from netstat -a:
    TCP home-khbik4tf3l:1031 192.168.35.186:microsoft-ds SYN_SENT
    TCP home-khbik4tf3l:1032 192.168.24.76:microsoft-ds SYN_SENT
    TCP home-khbik4tf3l:1033 192.168.208.198:microsoft-ds SYN_SENT
    TCP home-khbik4tf3l:1034 192.168.244.138:microsoft-ds SYN_SENT
    TCP home-khbik4tf3l:1035 192.168.104.131:microsoft-ds SYN_SENT
    TCP home-khbik4tf3l:1036 192.168.195.146:microsoft-ds SYN_SENT
    TCP home-khbik4tf3l:1037 192.168.247.76:microsoft-ds SYN_SENT
    TCP home-khbik4tf3l:1038 192.168.94.183:microsoft-ds SYN_SENT
    TCP home-khbik4tf3l:1039 192.168.205.190:microsoft-ds SYN_SENT
    TCP home-khbik4tf3l:1040 192.168.91.193:microsoft-ds SYN_SENT
    TCP home-khbik4tf3l:1041 192.168.254.202:microsoft-ds SYN_SENT
    TCP home-khbik4tf3l:1042 192.168.11.38:microsoft-ds SYN_SENT
    TCP home-khbik4tf3l:1043 192.168.212.27:microsoft-ds SYN_SENT
    TCP home-khbik4tf3l:1044 192.168.154.105:microsoft-ds SYN_SENT
    TCP home-khbik4tf3l:1045 192.168.33.76:microsoft-ds SYN_SENT
    TCP home-khbik4tf3l:1046 192.168.94.133:microsoft-ds SYN_SENT
    TCP home-khbik4tf3l:1047 192.168.81.102:microsoft-ds SYN_SENT

    A snippet from netstat -n:
    TCP 192.168.2.2:4306 192.168.56.175:445 SYN_SENT
    TCP 192.168.2.2:4307 192.168.66.180:445 SYN_SENT
    TCP 192.168.2.2:4308 192.168.202.11:445 SYN_SENT
    TCP 192.168.2.2:4309 192.168.165.1:445 SYN_SENT
    TCP 192.168.2.2:4310 192.168.133.61:445 SYN_SENT
    TCP 192.168.2.2:4311 192.168.129.242:445 SYN_SENT
    TCP 192.168.2.2:4312 192.168.224.90:445 SYN_SENT
    TCP 192.168.2.2:4313 192.168.38.98:445 SYN_SENT
    TCP 192.168.2.2:4314 192.168.189.222:445 SYN_SENT
    TCP 192.168.2.2:4315 192.168.66.122:445 SYN_SENT
    TCP 192.168.2.2:4316 192.168.125.179:445 SYN_SENT
    TCP 192.168.2.2:4317 192.168.175.86:445 SYN_SENT
    TCP 192.168.2.2:4318 192.168.228.42:445 SYN_SENT
    TCP 192.168.2.2:4319 192.168.228.91:445 SYN_SENT
    TCP 192.168.2.2:4320 192.168.196.96:445 SYN_SENT
    TCP 192.168.2.2:4321 192.168.35.5:445 SYN_SENT

    I'm not sure, what do you think? Also, I always seem to be connected to warrick.ac.uk, not sure what that's about.
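    The netstat output quoted in this post has a recognisable shape: one process opening sockets in a tight loop (consecutive local ports 4306, 4307, 4308, ...) toward many different hosts on the same destination port, none of which ever answer, so every entry sits in SYN_SENT. A single ESTABLISHED connection to port 445 is just a file share; the signal is the number of distinct half-open destinations. As an added example that is not part of the original thread, here is a small Python parser and check for that pattern. The sample netstat lines, the hostname home-pc and the service-name table are constructed for this example.

```python
"""Detect worm-style scanning in Windows netstat output.

Added example (not from the original thread). Parses lines of the form
"TCP <local>:<port> <remote>:<port-or-service> <STATE>" as printed by both
"netstat -a" (names) and "netstat -n" (numbers), then flags destination
ports with many half-open (SYN_SENT) connections to many distinct hosts.
"""
import re
from collections import defaultdict

# Service names "netstat -a" prints instead of numbers. Assumed mapping for
# this example; the real table lives in the system's services file.
SERVICE_PORTS = {"microsoft-ds": 445, "netbios-ssn": 139, "epmap": 135}

LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>\S+):(?P<lport>\S+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\S+)"
    r"(?:\s+(?P<state>\S+))?\s*$"
)

# Constructed sample modelled on the thread: one normal web connection, one
# "netstat -a" style line, ten sequential half-open SMB attempts, one listener.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address              State
  TCP    192.168.2.2:1029       192.168.2.1:80               ESTABLISHED
  TCP    home-pc:1031           192.168.35.186:microsoft-ds  SYN_SENT
  TCP    192.168.2.2:4306       192.168.56.175:445           SYN_SENT
  TCP    192.168.2.2:4307       192.168.66.180:445           SYN_SENT
  TCP    192.168.2.2:4308       192.168.202.11:445           SYN_SENT
  TCP    192.168.2.2:4309       192.168.165.1:445            SYN_SENT
  TCP    192.168.2.2:4310       192.168.133.61:445           SYN_SENT
  TCP    192.168.2.2:4311       192.168.129.242:445          SYN_SENT
  TCP    192.168.2.2:4312       192.168.224.90:445           SYN_SENT
  TCP    192.168.2.2:4313       192.168.38.98:445            SYN_SENT
  TCP    192.168.2.2:4314       192.168.189.222:445          SYN_SENT
  TCP    192.168.2.2:4315       192.168.66.122:445           SYN_SENT
  TCP    0.0.0.0:445            0.0.0.0:0                    LISTENING
"""


def port_number(token):
    """Turn a numeric port or a known service name into an int (else None)."""
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS.get(token.lower())


def parse_netstat(text):
    """Return one dict per connection line; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rows.append({
            "proto": m["proto"],
            "laddr": m["laddr"], "lport": port_number(m["lport"]),
            "raddr": m["raddr"], "rport": port_number(m["rport"]),
            "state": m["state"] or "",
        })
    return rows


def half_open_by_port(rows):
    """Map destination port -> set of distinct hosts we are SYN_SENT towards."""
    hosts = defaultdict(set)
    for r in rows:
        if r["state"] == "SYN_SENT" and r["rport"] is not None:
            hosts[r["rport"]].add(r["raddr"])
    return hosts


def longest_consecutive_run(rows, rport):
    """Longest run of consecutive local ports used toward rport while SYN_SENT.
    A long run means one process is opening sockets in a loop."""
    ports = sorted({r["lport"] for r in rows
                    if r["state"] == "SYN_SENT" and r["rport"] == rport
                    and r["lport"] is not None})
    best = run = 1 if ports else 0
    for a, b in zip(ports, ports[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def report(text, min_hosts=8):
    """Suspicious destination ports as {port: {"hosts": n, "longest_run": k}}."""
    rows = parse_netstat(text)
    return {
        port: {"hosts": len(hosts), "longest_run": longest_consecutive_run(rows, port)}
        for port, hosts in half_open_by_port(rows).items()
        if len(hosts) >= min_hosts
    }


if __name__ == "__main__":
    for port, info in report(SAMPLE).items():
        print(f"port {port}: SYN_SENT to {info['hosts']} distinct hosts, "
              f"{info['longest_run']} consecutive source ports")
```

    Run on the sample it reports only port 445: eleven distinct hosts with a run of ten consecutive source ports. The normal web connection and the local SMB listener are parsed but never counted, because the check keys on the SYN_SENT state rather than on the port number. Paste a real netstat dump in place of SAMPLE and lower min_hosts if the capture is short.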
  • Former Member Posts: 1,876,323 The Mix Honorary Guru
    I would be scared, because if that domain isn't misspelled then it doesn't actually exist.

    Though if you have made an error with the spelling, it's a university site.
  • Former Member Posts: 1,876,323 The Mix Honorary Guru
    Would a DDoS attack use SYN flooding to attack a server? I notice that a program called dveldr.exe is trying to connect to 137.205.110.13 on TCP port 7001. That address is something to do with the University of Warwick. I also know that the Freak 2000 trojan connects to that port and is used as a Distributed DoS tool. I'm confused; I've run a Trojan scan and virus scan but nothing has come up matching my query.
  • Former Member Posts: 1,876,323 The Mix Honorary Guru
    It's not just that trojan that connects to that port; many malicious things do.

    Are your virus definitions up to date?
  • Former Member Posts: 1,876,323 The Mix Honorary Guru
    They were updated last week. Will update them now and scan my system again.
  • Former Member Posts: 1,876,323 The Mix Honorary Guru
    http://www.rohitab.com/discuss/static/topic-3-13-10023-0.html

    would seem to imply a possible virus problem. Isn't there a specific Sasser checker you could download?
  • Former Member Posts: 1,876,323 The Mix Honorary Guru
    Ohh cheers Jim. I deleted that file along with the winxp34.exe and since then the SYN_SENT messages have gone. There were also 2 connections to irc.cubanlink.org - not sure what that is, but that's also gone as well now. I will check for a direct Sasser fix as well, just in case there are files still left on my system.

    Cheers.