Networking Forums

Possible hacker?

 
 
Dan
Guest
Posts: n/a

 
      08-20-2007, 08:34 PM
TCP server:3389 ip-122-152-181-170.asianetcom.net:32745 SYN_RECEIVED

When I perform a netstat I get this entry, sometimes it is in there twice.
How can I find out what is going on and how can I stop it? Currently this
client just has a cheap firewall which cannot block specific IPs and we need
to get the remote desktop port open for admin purposes. Sure, we can change
the port, but that wouldn't really stop this.


 
 
 
 
 
Mathieu CHATEAU
Guest
Posts: n/a

 
      08-20-2007, 08:43 PM
Hello,

As it is not ESTABLISHED, this IP is not connected (but it contacted the tse
port). This computer may be scanning your server.

You may change the Terminal Server port to get a more discreet door.

If this IP seems really bad, you can block it the cheap way:
route add -p 122.152.181.170 MASK 255.255.255.255 127.0.0.1 on the server.



--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
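The SYN_RECEIVED versus ESTABLISHED distinction made in the reply above can be applied to a whole netstat listing at once. The following is an added example, not part of the original thread: the sample output is constructed (only 122.152.181.170 and port 3389 come from the posts), and the names `rdp_peers_by_state` and `triage` are illustrative.

```python
import re
from collections import defaultdict

RDP_PORT = 3389  # Remote Desktop port from the thread

# Constructed sample in `netstat -n` layout; only 122.152.181.170 comes from the thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:3389        122.152.181.170:32745  SYN_RECEIVED
  TCP    192.0.2.10:3389        122.152.181.170:32746  SYN_RECEIVED
  TCP    192.0.2.10:3389        198.51.100.7:50211     ESTABLISHED
  TCP    192.0.2.10:445         198.51.100.7:50300     ESTABLISHED
  TCP    192.0.2.10:49160       203.0.113.5:3389       ESTABLISHED
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:500            *:*
"""

TCP_LINE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+([A-Z_0-9]+)\s*$")

def split_endpoint(endpoint):
    """Split 'host:port' on the last colon so names and bracketed IPv6 both work."""
    host, _, port = endpoint.rpartition(":")
    return host, port

def rdp_peers_by_state(netstat_text, port=RDP_PORT):
    """Return {remote_host: {state: count}} for inbound connections to `port`."""
    peers = defaultdict(lambda: defaultdict(int))
    for line in netstat_text.splitlines():
        match = TCP_LINE.match(line)
        if not match:
            continue
        local, remote, state = match.groups()
        # Skip the listener itself and outbound sessions (local port is not RDP).
        if state == "LISTENING" or split_endpoint(local)[1] != str(port):
            continue
        peers[split_endpoint(remote)[0]][state] += 1
    return {host: dict(states) for host, states in peers.items()}

def triage(netstat_text, port=RDP_PORT):
    """Return (handshake_completed, half_open_only) lists of remote hosts."""
    completed, half_open = [], []
    for host, states in rdp_peers_by_state(netstat_text, port).items():
        if "ESTABLISHED" in states:
            completed.append(host)  # TCP session exists; says nothing about logon
        elif "SYN_RECEIVED" in states:
            half_open.append(host)  # SYN seen, handshake never finished
    return sorted(completed), sorted(half_open)
```

A host in the first list has only completed the TCP handshake; whether anyone actually logged on has to be confirmed from the server's logon records.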
 
Dan
Guest
Posts: n/a

 
      08-20-2007, 08:56 PM
Blocking it the cheap way sounds good, considering we are having other issues
and it continues to return whenever we reboot.

Thanks.
 
Mathieu CHATEAU
Guest
Posts: n/a

 
      08-20-2007, 09:10 PM
If you think it was really connected (meaning logged), you are in a big issue.
Is your administrator password strong?

You may also rename the administrator account to protect it more.


--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
 
Mathieu CHATEAU
Guest
Posts: n/a

 
      08-20-2007, 09:24 PM
And change the admin password in case.
Also check that there isn't any new administrator account, and no
netbot/spyware.

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
 
Dan
Guest
Posts: n/a

 
      08-20-2007, 10:00 PM
Thanks for the info. I changed the Admin password and checked all the admin
groups to ensure no one was added to it. There doesn't seem to be any
suspicious applications running, but in my experience with spyware/bots they
are good at hiding.