In PortExplorer, I just had a remote port connection, something like XX.XXX.XXX.pr. Whois couldn't resolve the address. I've never seen a remote address with pr at the end of it. Does this stand for port recorder or something like this?
Hi Snook, not sure either; I'll hazard a guess though: pr = Private, i.e. a private IP address? Especially if Whois could not resolve it, "Reserved" addresses possibly.
In Port Explorer you can use the Lookup utility. Choose "Domain to Country" and type in .pr. The result: Puerto Rico. TDS-3 also has a Country Code Lookup utility in the Utilities menu.
Of course! pr = Puerto Rico (I think I was hacked). It showed up under *SYSTEM, remote port 1101 (known trojan port). Gotta run TDS3...!
Hacked or port scanned? Run TDS and Port Explorer and a good firewall and... whatever more comes to mind on tools, as advised all the time in this forum!
Hacked! Port status was connected. I killed the port immediately and lost some of the info I had on it. Anybody know of a way I can block all addresses by country in my firewall?
This isn't possible. First, your firewall would have to resolve every IP address it encountered, which could fail even if that IP address were in the country you wanted to block; not all addresses resolve.
You can block IP ranges though. It's one reason why I set my email client to not send out my packets in Port Explorer when dealing with spam mail: no calling home, no validation of my email account, no images, etc. Only afterwards do you have to allow sending again, or you would not be able to receive and send new email yourself! For several firewalls there are log analysers, like VisualZone and ZoneLog for ZoneAlarm for example, which make it much easier to understand the alarms and to report them if necessary. In the case of your connection you could put it in the Socket Spy and disable your side of sending, depending on what's happening, so you can see the data and what they're up to, while in the meantime you do some stuff like resolving and maybe tracing them, looking at which port is used, and finding out if they should be reported to their ISP. The next question is how they could pass your firewall, and to which application were they connected? If you close the connection immediately you probably should not lose too much of your data.
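The range-based blocking the replies above describe (match the remote address against a list of prefixes instead of trying to resolve every peer) as an added example; this is not code from the original thread, from Port Explorer or from TDS. The prefixes in `COUNTRY_RANGES` are constructed RFC 5737 documentation ranges, not Puerto Rico's real allocations; a real list would come from the regional registries' delegation files or a GeoIP database. The `iptables` and `netsh advfirewall` rule renderers assume a Linux host and a Vista-or-later Windows Firewall respectively.

```python
import ipaddress

# Constructed sample data: these are RFC 5737 documentation prefixes, NOT the
# real allocations for any country. A real list comes from the regional
# registries' delegation files or a GeoIP database; the "split" /25 pair shows
# how adjacent prefixes are merged before they become firewall rules.
COUNTRY_RANGES = {
    "PR": ["203.0.113.0/24", "198.51.100.0/25", "198.51.100.128/25"],
    "XX": ["192.0.2.0/24"],
}


def build_blocklist(countries, ranges=COUNTRY_RANGES):
    """Return the merged, sorted list of networks for the given country codes."""
    nets = [ipaddress.ip_network(cidr) for cc in countries for cidr in ranges[cc]]
    # collapse_addresses merges adjacent/overlapping prefixes, so the two /25s
    # become a single /24 and the firewall has fewer rules to evaluate.
    return list(ipaddress.collapse_addresses(nets))


def matching_prefix(ip, blocklist):
    """Return the blocklist prefix containing ip, or None if it is not blocked.

    This is a containment check on the address itself: no reverse DNS or
    whois lookup is involved, which is why it also works for addresses that
    do not resolve.
    """
    addr = ipaddress.ip_address(ip)
    hits = [net for net in blocklist if addr in net]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def is_blocked(ip, blocklist):
    return matching_prefix(ip, blocklist) is not None


def iptables_rules(blocklist, chain="INPUT"):
    """Render one iptables DROP rule per merged prefix (Linux host or router)."""
    return [f"iptables -A {chain} -s {net} -j DROP" for net in blocklist]


def netsh_rule(blocklist, name="Block-by-country"):
    """Render one Windows Firewall inbound block rule covering all prefixes.

    Assumes the netsh advfirewall syntax of Vista and later, where remoteip
    takes a comma-separated list of subnets.
    """
    subnets = ",".join(str(net) for net in blocklist)
    return (f'netsh advfirewall firewall add rule name="{name}" '
            f"dir=in action=block remoteip={subnets}")


if __name__ == "__main__":
    blocklist = build_blocklist(["PR"])
    for ip in ("203.0.113.9", "198.51.100.200", "192.0.2.1"):
        print(ip, "->", matching_prefix(ip, blocklist))
    print("\n".join(iptables_rules(blocklist)))
    print(netsh_rule(blocklist))
```

Swap the constructed dictionary for a registry- or GeoIP-derived list and the same three functions work unchanged; the merge step matters on real data, where a country's allocations are hundreds of fragmented prefixes.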
Thanks for your insight and suggestions. The application they were connected to was just a generic *SYSTEM with a process number 4.
In many cases you'll see those sockets in pairs: UDP 137 and TCP 137 for instance, or an application on a socket with its icon and a *SYSTEM socket with the same number, etc. An example: at this moment I see an application msimn.exe UDP localhost 1921 remote localhost 1921 LISTENING (so the loopback or something like that) and lots of send/receive data packets, and *SYSTEM TCP localhost 1921 remote localhost 0 LISTENING. If you have TDS up with sockets configured, you'll see those values with the TDS icon and another series of the same port numbers in the *SYSTEM area, etc. Not always with everything, or maybe there should be and I'm overlooking some; anyway, so you can see more. If your connection is there always, it's certainly good to look deeper into it; if it's a certain application then why doesn't it show up in the applications part with its icon etc.? But if you know it's OK, then you know for future times it just belongs there.
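The pairing the post above describes (a TCP and UDP socket on the same port, an application's socket beside a *SYSTEM socket with the same number, and a *SYSTEM entry with a live remote peer like the port 1101 case earlier in the thread) as an added example that is not from the original thread or from Port Explorer/TDS. It parses a constructed `netstat -ano` style listing; the addresses, ports and PIDs in `SAMPLE` are made up, and only their shapes mirror the situations discussed.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout of Windows "netstat -ano". The
# addresses, ports and PIDs are invented for this example; the shapes (a
# TCP/UDP pair on one port, a PID 4 socket sharing an application's port, a
# PID 4 socket with a connected remote peer) mirror what the thread describes.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:137            0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:137            *:*                                    4
  UDP    127.0.0.1:1921         *:*                                    1234
  TCP    127.0.0.1:1921         0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1101       203.0.113.7:4444       ESTABLISHED     4
  TCP    192.168.1.5:3210       198.51.100.2:110       ESTABLISHED     1234
"""

# State is blank for UDP rows, hence the optional group before the PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
SYSTEM_PID = 4  # the kernel "System" process on Windows, shown as *SYSTEM in Port Explorer


def parse_netstat(text):
    """Turn netstat -ano style lines into dicts; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        host, port = local.rsplit(":", 1)
        entries.append({
            "proto": proto, "local_host": host, "local_port": int(port),
            "foreign": foreign, "state": state or "", "pid": int(pid),
        })
    return entries


def sockets_by_port(entries):
    """Group (proto, pid) by local port to expose the TCP/UDP and app/*SYSTEM pairs."""
    groups = defaultdict(set)
    for e in entries:
        groups[e["local_port"]].add((e["proto"], e["pid"]))
    return dict(groups)


def shared_ports(entries):
    """Ports where a *SYSTEM socket sits beside an application's socket."""
    return sorted(port for port, owners in sockets_by_port(entries).items()
                  if len({pid for _, pid in owners}) > 1)


def established_under_system(entries):
    """Connected sockets owned by PID 4 rather than by a visible application.

    A listener under System is routine; a connected peer under System is
    either a kernel-mode service (SMB, http.sys) or something that does not
    appear in the application list, and deserves the deeper look the post
    recommends.
    """
    return [e for e in entries
            if e["pid"] == SYSTEM_PID and e["state"] == "ESTABLISHED"]


if __name__ == "__main__":
    entries = parse_netstat(SAMPLE)
    print("ports shared between an application and *SYSTEM:", shared_ports(entries))
    for e in established_under_system(entries):
        print(f"check: {e['proto']} local port {e['local_port']} <-> {e['foreign']}")
```

Feed it the real output of `netstat -ano` and the two report functions give the same "is this pair normal?" view the post describes, without relying on the icon column of a particular tool.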