Intruders?

Discussion in 'Port Explorer' started by Wayne B, Dec 31, 2003.

Thread Status:
Not open for further replies.
  1. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    I have mentioned how web sites may draw on other servers for some of their content. There are many things in web pages that, as part of how they function, will cause connections to other servers or sites. This is all quite normal and usually nothing to be worried about - at least on reputable sites.

    A simple test you could do to see some of these extra connections based on content/links in a web page is to view the first page of this post while monitoring connections. You will see the initial connection to wilderssecurity.com followed by connections to web.icq.com, opi.yahoo.com and status.icq.com because of active links in the page.

    Code:
    08/01/2004  08:04:12:521
    
    Action:              Permitted Outbound TCP connection
    Local IP, Port:      192.168.1.5, 1332
    Remote IP, Port:   http://64.91.255.104 (www.wilderssecurity.com), 80 (http)
    
    08/01/2004  08:05:12:317
    
    Action:              Permitted Outbound TCP connection
    Local IP, Port:      192.168.1.5, 1336
    Remote IP, Port:   http://64.12.164.249 (web.icq.com), 80 (http)
    
    08/01/2004  08:05:12:377
    
    Action:              Permitted Outbound TCP connection
    Local IP, Port:      192.168.1.5, 1338
    Remote IP, Port:   http://216.155.194.208 (opi.yahoo.com), 80 (http)
    
    08/01/2004  08:05:19:697
    
    Action:              Permitted Outbound TCP connection
    Local IP, Port:      192.168.1.5, 1340
    Remote IP, Port:   http://205.188.253.25 (status.icq.com), 80 (http)
    Regards,

    CrazyM
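
The check described in the post above can be run over a saved log. This is an added example, not part of the original thread or of Port Explorer: it parses entries in the log format shown in the post and lists the remote hosts that fall outside the visited site's domain. The function names and the suffix-match rule for "first party" are assumptions of this example.

```python
import re

# Sample input: the four entries from the post above, blank lines removed.
SAMPLE_LOG = """\
08/01/2004  08:04:12:521
Action:              Permitted Outbound TCP connection
Local IP, Port:      192.168.1.5, 1332
Remote IP, Port:   http://64.91.255.104 (www.wilderssecurity.com), 80 (http)
08/01/2004  08:05:12:317
Action:              Permitted Outbound TCP connection
Local IP, Port:      192.168.1.5, 1336
Remote IP, Port:   http://64.12.164.249 (web.icq.com), 80 (http)
08/01/2004  08:05:12:377
Action:              Permitted Outbound TCP connection
Local IP, Port:      192.168.1.5, 1338
Remote IP, Port:   http://216.155.194.208 (opi.yahoo.com), 80 (http)
08/01/2004  08:05:19:697
Action:              Permitted Outbound TCP connection
Local IP, Port:      192.168.1.5, 1340
Remote IP, Port:   http://205.188.253.25 (status.icq.com), 80 (http)
"""

ENTRY_RE = re.compile(
    r"(?P<ts>\d\d/\d\d/\d{4}\s+[\d:]+)\s+"
    r"Action:\s+(?P<action>[^\n]+?)\s*\n\s*"
    r"Local IP, Port:\s+(?P<lip>[\d.]+),\s*(?P<lport>\d+)\s*\n\s*"
    r"Remote IP, Port:\s+(?:http://)?(?P<rip>[\d.]+)(?:\s+\((?P<host>[^)]*)\))?,\s*(?P<rport>\d+)"
)

def parse_entries(text):
    """Return one dict per log entry; tolerates blank lines and indentation."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]

def is_first_party(host, site_domain):
    """True if host is the visited site's domain or a subdomain of it."""
    host, site_domain = host.lower().rstrip("."), site_domain.lower()
    return host == site_domain or host.endswith("." + site_domain)

def third_party_summary(text, site_domain):
    """Map each remote host outside site_domain to its IP, port and hit count."""
    summary = {}
    for e in parse_entries(text):
        host = e["host"] or e["rip"]  # entries without a resolved name keep the IP
        if is_first_party(host, site_domain):
            continue
        rec = summary.setdefault(host, {"ip": e["rip"], "port": int(e["rport"]), "count": 0})
        rec["count"] += 1
    return summary
```

Calling `third_party_summary(SAMPLE_LOG, "wilderssecurity.com")` returns the three hosts the post names as coming from active links in the page, in the order they were contacted.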
     
  2. Wayne B

    Wayne B Registered Member

    Joined:
    Jan 4, 2004
    Posts:
    48
    Can Port Explorer currently show these servers that are drawn upon? If not, do you think this capability might be added in the future?

    I have blocked the IP above and the one I mentioned earlier. I haven't been able to tell if these were used as drawn upon servers or not. The site above did not have a corresponding site with as much time on it. I would think a corresponding parent server would have as much or more time associated with it in my log.

    Also, how can I determine if a site is reputable or not?
     
  3. lolos

    lolos Guest

    I have multiple svchost entries running that I can see with PE; their local ports are: 3136, 1900, 5000, etc. None of them on 53 or 123.
    Is this suspicious?
    Thanks
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Right-click on them to see which application exactly is using them: svchost can be many different things, like an av/at scanner, live update, a multimedia tool accessing internet, anything.
    All depends on if you know the process or not, what they are associated with, what you might see in their packets, etc.
    It can be your DHCS talking with your ADSL (modem?) to verify your IP (then I guess you'll see port 53), you will see lots going on there:
    you might like to enable logging file and window to look deeper, as it's all going so fast!
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi lolos, If they are showing as Listening - Remote Address = localhost or *.*.*.* then that is your own machine.
    If they are established what are the remote addresses?
     
  6. Wayne B

    Wayne B Registered Member

    Joined:
    Jan 4, 2004
    Posts:
    48
    No answers to my questions from yesterday?
     
  7. Wayne B

    Wayne B Registered Member

    Joined:
    Jan 4, 2004
    Posts:
    48
    Paul sent me an email with some information. I appreciate that. I think everyone else has given up on me. My Port Explorer still doesn't work and I paid for it in December.
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    As far as my information reaches, Gavin personally has sent you for the third time a new keyfile and has given for the third time a new unlock code which belongs only to this keyfile.
    The other two keyfiles and the unlock codes with those you can just ignore; only the last combination will work.

    If there are any specific error messages other than "insert keyfile" or "insert unlock code" it would be very helpful to know about it.

    You did try the LSPfix if that was an issue,
    you did reboot,
    you disabled every av/at and most of all any resident protection,
    registry protection,
    wormguard protection,
    so after windows startup the only program running should be the PE installer to have it installed properly.
    The older or demo install should be gone,
    check for the file dcsws2.dll to be gone after your uninstall and reboot before installing the full version
    put in the latest keyfile
    reboot
    start PE and type in the unlock code: look carefully, if it is given in CAPITALS you do use CAPITALS as well, if there are small characters you use small characters, etc, exactly as in your own members area. Look well for possible O (character capital o) or 0 (zero) differences in the code.

    Promise if it still doesn't work you post a screenshot so we can see the exact error.
    If there is anything specific Jason might want you to run a specific testfile, depending on your next results.

    BTW: did you, after installing PE, reboot in safe mode and try to add the unlock code in that way, then reboot to normal mode and try to run PE again?

    Either you put in/type in a wrong combination, or something is blocking your system in the most irritating way (a registry protection? disable it please till PE is unlocked properly!!)
     
  9. Wayne B

    Wayne B Registered Member

    Joined:
    Jan 4, 2004
    Posts:
    48
    I have not seen a third email. I have only received two emails with port.pkf files. The initial one and another from Gavin a while ago.

    I will try some of these things you have suggested tonight. Thanks for your ideas on this.
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Fingers crossed!
    Am thinking, you are on XP, aren't you? Are you installing as an Admin and trying to unlock from there too etc, which I guess should be the way?
    After that you should be able to run PE from any user level too, where you will see in the console it is using some Admin rights to do its job properly.
    You might like to print the ideas out and write down your results per step.
    I might have misunderstood Gavin as intending to send you a third couple if it would still be problematic, but maybe waiting for your results with this first.
    Make very sure you don't confuse the first key with the second unlock code or the first code with the second keyfile, as that will not work.
    So before deleting anything at all please try those suggestions!
     