[Donegal]

Part of me thinks that both my Computers are (or have been) taken over by hackers: The crunch of my questions is -- how does a non-techie (like me) know when looking at my Firewall "Active Connections" of my Fairpoint Security Suite as to which are are true and good (and "needed") connections and which ones (if any)might be "hacker" connections. Below are what shows (today) for Active Connections in both of these Computers. CAN ANYONE HELP ONE WHO DOES NOT KNOW ANYTHING TECHNICAL????

Older Dell Dimension Computer w/ XP Operating System
Firewall Active Connections:
Generic Host Process for Win32 Services
Windows Operating System
Fairpoint Security Suite
Spooler Sub System
Radialpoint 9.0



Laptop HP G60-235DX Notebook w/ Vista Operating System
Firewall Active Connections:
Local Security Authority Process
Host Processing for Windows Services
Windows Startup Application
Windows Operating System
Service and Controller App
Avg IDS Application
Fairpoint Security Suite


MANY - MANY THANKS TO WHOEVER CAN HELP

[Advertisements]

Close all browsers then:

Start, All Programs, Accessories, (Vista must: right click on Command Prompt and Run as Administrator, XP just choose Command Prompt), (Vista: Continue.) Type with an Enter after the line:

netstat  -n  >  \junk.txt
notepad  \junk.txt

This will bring up a list of TCP connections in notepad. Something like this:


Active Connections

Proto Local Address Foreign Address State
TCP 127.0.0.1:49352 127.0.0.1:49353 ESTABLISHED
TCP 127.0.0.1:49353 127.0.0.1:49352 ESTABLISHED
TCP 192.168.11.47:49157 77.234.41.51:80 ESTABLISHED
TCP 192.168.11.47:49349 213.199.179.149:40002 ESTABLISHED
TCP 192.168.11.47:49350 193.120.199.15:12350 ESTABLISHED
TCP 192.168.11.47:49351 65.55.71.46:443 ESTABLISHED
TCP 192.168.11.47:51700 67.228.86.176:80 CLOSE_WAIT
TCP 192.168.11.47:51701 67.228.86.176:80 CLOSE_WAIT
TCP 192.168.11.47:51702 23.34.78.13:80 CLOSE_WAIT
TCP 192.168.11.47:51703 23.34.78.13:80 CLOSE_WAIT
TCP 192.168.11.47:51704 173.194.33.40:80 CLOSE_WAIT
TCP 192.168.11.47:51705 23.34.78.13:80 CLOSE_WAIT
TCP 192.168.11.47:51706 23.34.78.13:80 CLOSE_WAIT
TCP 192.168.11.47:52071 157.238.74.194:80 LAST_ACK
TCP 192.168.11.47:52078 74.125.129.147:443 ESTABLISHED
TCP 192.168.11.47:52079 173.194.33.34:443 ESTABLISHED
TCP 192.168.11.47:52080 173.194.33.47:443 ESTABLISHED
TCP 192.168.11.47:52081 173.194.33.41:443 ESTABLISHED
TCP 192.168.11.47:52082 173.194.33.39:443 TIME_WAIT
TCP 192.168.11.47:52083 173.194.33.40:443 ESTABLISHED

You can ignore (or delete since you are in notepad) the ones that have 127.0.0.1:something in the Foreign Address column. Those are just local connections. Using a Browser go to:

http://www.findip-address.com/

and input in the first non-local IP address from the Foreign Address column that says ESTABLISHED in the State column and then hit Find IP-Address. (Ignore the stuff after the : )
In my case it's 77.234.41.51

which gives a result of:

IP address 77.234.41.51
Hostname r-051-041-234-077.avast.com
City
State/Province
Country Czech Republic
ISP AVAST Software a.s.
Organisation AVAST cloud

Since I have the free Avast Anti-virus on my PC this is a valid connection.

Continue with each connection. You may find some multiple connections to the same location - sometimes with different numbers after the : but that is normal. As long as the IP address goes to a destination you recognize it's OK. If you don't recognize it and especially if it is not in the US that is a suspicious connection. Come back here and ask me about them.

Ron

[RKinner]

Close all browsers then:

Start, All Programs, Accessories, (Vista must: right click on Command Prompt and Run as Administrator, XP just choose Command Prompt), (Vista: Continue.) Type with an Enter after the line:

netstat  -n  >  \junk.txt
notepad  \junk.txt

This will bring up a list of TCP connections in notepad. Something like this:


Active Connections

Proto Local Address Foreign Address State
TCP 127.0.0.1:49352 127.0.0.1:49353 ESTABLISHED
TCP 127.0.0.1:49353 127.0.0.1:49352 ESTABLISHED
TCP 192.168.11.47:49157 77.234.41.51:80 ESTABLISHED
TCP 192.168.11.47:49349 213.199.179.149:40002 ESTABLISHED
TCP 192.168.11.47:49350 193.120.199.15:12350 ESTABLISHED
TCP 192.168.11.47:49351 65.55.71.46:443 ESTABLISHED
TCP 192.168.11.47:51700 67.228.86.176:80 CLOSE_WAIT
TCP 192.168.11.47:51701 67.228.86.176:80 CLOSE_WAIT
TCP 192.168.11.47:51702 23.34.78.13:80 CLOSE_WAIT
TCP 192.168.11.47:51703 23.34.78.13:80 CLOSE_WAIT
TCP 192.168.11.47:51704 173.194.33.40:80 CLOSE_WAIT
TCP 192.168.11.47:51705 23.34.78.13:80 CLOSE_WAIT
TCP 192.168.11.47:51706 23.34.78.13:80 CLOSE_WAIT
TCP 192.168.11.47:52071 157.238.74.194:80 LAST_ACK
TCP 192.168.11.47:52078 74.125.129.147:443 ESTABLISHED
TCP 192.168.11.47:52079 173.194.33.34:443 ESTABLISHED
TCP 192.168.11.47:52080 173.194.33.47:443 ESTABLISHED
TCP 192.168.11.47:52081 173.194.33.41:443 ESTABLISHED
TCP 192.168.11.47:52082 173.194.33.39:443 TIME_WAIT
TCP 192.168.11.47:52083 173.194.33.40:443 ESTABLISHED

You can ignore (or delete since you are in notepad) the ones that have 127.0.0.1:something in the Foreign Address column. Those are just local connections. Using a Browser go to:

http://www.findip-address.com/

and input in the first non-local IP address from the Foreign Address column that says ESTABLISHED in the State column and then hit Find IP-Address. (Ignore the stuff after the : )
In my case it's 77.234.41.51

which gives a result of:

IP address 77.234.41.51
Hostname r-051-041-234-077.avast.com
City
State/Province
Country Czech Republic
ISP AVAST Software a.s.
Organisation AVAST cloud

Since I have the free Avast Anti-virus on my PC this is a valid connection.

Continue with each connection. You may find some multiple connections to the same location - sometimes with different numbers after the : but that is normal. As long as the IP address goes to a destination you recognize it's OK. If you don't recognize it and especially if it is not in the US that is a suspicious connection. Come back here and ask me about them.

Ron

[Donegal]

RKinner -- MANY THANKS -- I did (or at least started) just what you mentioned. And how great that you gave that website that looks up the address. Two of them I didn't know but they stil turned out to be ligit -- they were Realnetworks in Seattle and Radialpoint in Canada that a google says is connected with Verizon? Just TWO REFINING QUESTIONS:
1) Can one do just as you mentioned when you ARE connected with the Internet with a Browser Open and would this see if anyone was hacking after you open your Browser???
2) If in doubt on any Firewall connection -- is it too hard to say if one were to block this connection could you then screw-up (high techie term) your internet connection in a way you don't know how to fix????
MANY, MANY THANKS RKINNER -- your help is GREAT

[RKinner]

You can do it with a browser open. I just thought it would have fewer entries without the browsers. I would suggest running either Firefox or Chrome with the AdBlock Plus add-on (and with Java Uninstalled). That will cut down on the number of stray connections. (Ads on a website are served from a totally different IP address.)

You can probably screw up some software so it can't work but you usually know you blocked something that caused it. Usually Firewalls have a way of resetting themselves to the original condition if all else fails (tho I am not familiar with your firewall) .

You might like to run though the shields up test from Steve Gibson: You can get to it from their home page. http://www.grc.com

Just click on Shields up until you get to the actually test. Proceed. Then click on All Service Ports Wait until it finishes and see if you have all green squares. That's a sign you have a good firewall.

[Donegal]

AGAIN, Many Thanks RKinner -- I used that SHEILDS UP on one Computer -- now just need to do the other one. Thanks for GREAT HELP!!!