What Could This Mean?

Discussion in 'Port Explorer' started by Snook, May 19, 2004.

Thread Status:
Not open for further replies.
  1. Snook

    Snook Registered Member

    Joined:
    Jun 19, 2003
    Posts:
    182
    In Port Explorer, I just had a remote port connection something like XX.XXX.XXX.pr. Whois couldn't resolve the address. I've never seen a remote address with pr at the end of it. Does this stand for port recorder or something like that?
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Snook, not sure either, I'll hazard a guess though - pr = Private, i.e. a private IP address? Especially if Whois could not resolve it :) "Reserved" addresses possibly.
     
  3. Snook

    Snook Registered Member

    Joined:
    Jun 19, 2003
    Posts:
    182
    Thanks, makes sense.
     
  4. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    In Port Explorer you can use the Lookup utility. Choose "Domain to Country" and type in .pr. The result: Puerto Rico

    TDS-3 also has a Country Code Lookup utility in the Utilities menu.
     
  5. Snook

    Snook Registered Member

    Joined:
    Jun 19, 2003
    Posts:
    182
    Of course! pr = puerto rico (I think I was hacked). It showed up under *SYSTEM - remote port 1101 (known trojan port).

    Gotta run TDS3...!
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hacked or portscanned?
    Run TDS and Port Explorer and a good firewall and... whatever more comes to mind in the way of tools, as advised all the time in this forum!
     
  7. Snook

    Snook Registered Member

    Joined:
    Jun 19, 2003
    Posts:
    182
    Hacked! Port was status connected. I killed the port immediately and lost some of the info I had on it.

    Anybody know of a way I can block all addresses by country in my firewall?
     
  8. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    This isn't possible. First, your firewall would have to resolve every IP address it encountered, which could fail even if that IP address was in the country you wanted to block - not all addresses resolve.
     
  9. Snook

    Snook Registered Member

    Joined:
    Jun 19, 2003
    Posts:
    182
    Thanks for that info.
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You can block IP ranges though.

    It's a reason why I set my email client to not send out my packets in Port Explorer when dealing with spam mail: no calling home, no validation of my email account, etc., and no images either. Only afterwards do you have to allow sending, or you would not be able to receive and send new email yourself!

    For several firewalls there are log analysers, like VisualZone and ZoneLog for ZoneAlarm for example, which make it much easier to understand the alarm and to report it if necessary.
    In the case of your connection you could put it in the socket spy and disable your side of sending, depending on what's happening, so you can see the data and what they're up to, while in the meantime you do some things like resolving and maybe tracing them, looking at which port is used and finding out if they should be reported to their ISP.
    The next question is how could they pass your firewall, and to which application were they connected?
    If you close the connection immediately you probably should not lose too much of your data.
     
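The advice above amounts to a manual triage: look at which process owns the connection, whether the remote port is one you watch, and whether the remote address falls in a range you have decided to block. The following is an added example written for this page, not code from the thread or from DiamondCS. It parses constructed lines in the shape of Windows `netstat -ano` output (the closest command-line equivalent to the Port Explorer socket list) and flags rows matching the situation Snook describes: an ESTABLISHED connection owned by PID 4 (the System process) on remote port 1101 to an address inside a blocked range. The block list uses RFC 5737 documentation networks as stand-ins, not real Puerto Rico allocations; a real list would come from a GeoIP or RIR feed, and country blocking stays a coarse heuristic because an attacker can relay through any country.

```python
"""Triage a `netstat -ano`-style socket table (added example, not from the thread).

Sample rows and block-list ranges below are constructed; the ranges are
RFC 5737 documentation networks used as stand-ins for "a country's ranges".
"""
import ipaddress
from dataclasses import dataclass

# Constructed block list, not real allocations. A real one would be loaded
# from a GeoIP/RIR feed and kept current.
BLOCKED_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]
WATCH_PORTS = {1101}     # the remote port mentioned in the thread
WATCH_CCTLDS = {"pr"}    # checked only when netstat (without -n) printed a hostname
SYSTEM_PID = 4           # PID 4 is the Windows System process


@dataclass
class Socket:
    proto: str
    local: str
    local_port: int
    remote: str
    remote_port: int
    state: str
    pid: int


def _split_endpoint(endpoint):
    """'203.0.113.7:1101' -> ('203.0.113.7', 1101); '*:*' -> ('*', 0)."""
    host, port = endpoint.rsplit(":", 1)
    return host.strip("[]"), (0 if port == "*" else int(port))


def parse_netstat_line(line):
    """Parse one data row of `netstat -ano`; return None for header/blank rows."""
    parts = line.split()
    if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
        return None
    local, lport = _split_endpoint(parts[1])
    remote, rport = _split_endpoint(parts[2])
    if parts[0] == "UDP":            # UDP rows carry no State column
        state, pid = "", parts[3]
    else:
        state, pid = parts[3], parts[4]
    return Socket(parts[0], local, lport, remote, rport, state, int(pid))


def flag(sock):
    """Return the reasons this socket deserves a closer look (empty list if none)."""
    reasons = []
    if sock.state != "ESTABLISHED":
        return reasons               # LISTENING / TIME_WAIT rows are not live sessions
    if sock.remote_port in WATCH_PORTS:
        reasons.append(f"remote port {sock.remote_port} is on the watch list")
    try:
        ip = ipaddress.ip_address(sock.remote)
        if any(ip in net for net in BLOCKED_RANGES):
            reasons.append(f"remote {ip} is inside a blocked range")
    except ValueError:
        # Not an IP literal: netstat resolved a name, so inspect its top-level label.
        tld = sock.remote.rsplit(".", 1)[-1].lower()
        if tld in WATCH_CCTLDS:
            reasons.append(f"remote name ends in watched ccTLD .{tld}")
    if sock.pid == SYSTEM_PID:
        reasons.append("owned by PID 4 (System), not a visible user application")
    return reasons


def triage(lines):
    """Return [(Socket, reasons)] for every row that has at least one reason."""
    hits = []
    for line in lines:
        sock = parse_netstat_line(line)
        if sock is None:
            continue
        reasons = flag(sock)
        if reasons:
            hits.append((sock, reasons))
    return hits


# Constructed sample in the shape of `netstat -ano` on Windows XP.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    127.0.0.1:1921         127.0.0.1:1921         LISTENING       1540
  TCP    192.168.1.5:3265       203.0.113.7:1101       ESTABLISHED     4
  TCP    192.168.1.5:3270       198.51.100.200:80      ESTABLISHED     2212
  UDP    0.0.0.0:137            *:*                                    4
"""

if __name__ == "__main__":
    for sock, reasons in triage(SAMPLE.splitlines()):
        print(f"{sock.proto} {sock.local}:{sock.local_port} -> "
              f"{sock.remote}:{sock.remote_port} pid={sock.pid}")
        for reason in reasons:
            print("   -", reason)
```

On the sample, only the 203.0.113.7:1101 row is reported, with three reasons; the 198.51.100.200:80 row is an ordinary web session from a user process and 198.51.100.200 sits outside the /25, so it passes. Run it with `netstat -ano` piped in instead of `SAMPLE` to use it for real.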
  11. Snook

    Snook Registered Member

    Joined:
    Jun 19, 2003
    Posts:
    182
    Thanks for your insight and suggestions. The application they were connected to was just a generic *SYSTEM with a process number 4.
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    In many cases you'll see those sockets in pairs:
    UDP 137 and TCP 137 for instance, or an application on a socket with its icon and a *SYSTEM socket with the same number, etc.
    An example:
    at this moment I see an application
    msimn.exe UDP localhost 1921 remote localhost 1921 LISTENING (so the loopback or something like that) and lots of send/receive data packets
    *SYSTEM TCP localhost 1921 remote localhost 0 LISTENING
    If you have TDS up with sockets configured, you'll see those values with the TDS icon and another series of the same port numbers in the *SYSTEM area, etc.
    Not always with everything, or maybe there should be and I'm overlooking some; anyway, so you can see more.
    If your connection is always there, it's certainly good to look deeper into it; if it's a certain application, then why doesn't it show up in the applications part with its icon, etc.? But if you know it's OK, then you know for future times that it just belongs there.
     