Generally speaking...this looks safe, although looks can be deceiving.
These connections are all outbound connections. Something is sending mail, or at least
attempting to look like it is. A quick look at the service your computer is connecting
to reveals this:
telnet smtp2.oneintranet.com.ph 1069
Connecting To smtp2.oneintranet.com.ph...Could not open a connection to host on port 1069 : Connect failed
telnet smtp2.oneintranet.com.ph 1115
Connecting To smtp2.oneintranet.com.ph...Could not open a connection to host on port 1115 : Connect failed
Using a browser to connect to 216.33.199.96 on port 80 gives this:
216.33.199.96 - /
--------------------------------------------------------------------------------
6/15/00 6:07 PM <dir> Ads
Looks like an ad server of some kind.
Finally, a quick connection to 216.35.217.189 on port 17027 reveals:
telnet 216.35.217.189:17027
Connecting To 216.35.217.189:17027...Could not open a connection to host: Connect failed
This leads me to believe that your computer is getting what it's asking for.
And it is allowed access to these host/port combinations; mine isn't. Here is the
registration info on the IP addresses:
Exodus Commnications Inc. (NETBLK-ECI-7)
1605 Wyatt Dr. Santa Clara, CA
95054US
US
Netname: ECI-7
Netblock: 216.32.0.0 - 216.35.255.255
Maintainer: ECI
Coordinator:
Center, Network Control (NOC44-ARIN) [EMAIL PROTECTED]
1.888.2.Exodus (FAX) 1.888.2.Exodus
Domain System inverse mapping provided by:
NS.EXODUS.NET 206.79.230.10
NS2.EXODUS.NET 207.82.198.150
* Rwhois reassignment information for this block is available at:
* rwhois.exodus.net 4321
ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Record last updated on 09-Mar-2000.
Database last updated on 16-Jun-2000 06:49:10 EDT.
Is this your ISP???
smtp2.oneintranet.com.ph
I dunno about this one...I can't resolve that hostname to an IP. That is usually a bad
sign for a home user. If you can resolve it but no one else can, you have something
strange going on there...check for a file named "hosts" using the search function. If
there is one, open it in Notepad and see if there are any entries referring to that
hostname.
I don't want to give you cause for alarm. This is probably something your ISP is
doing. I'd check with them just to be sure...sometimes looks can be deceiving. Better
safe than sorry.
Be sure to check us out at http://infosec.20m.com
_________________________________________________
On Fri, 16 June 2000, Ronneil Camara wrote:
>
> Hi. I'm really wondering about my win95 at home. I feel that it has been
> installed by a malicious freeware. After I connect to my ISP, I can see my
> modem send packets. I'm really wondering why because I don't have any
> programs running in the taskbar. I don't even run any web browser. As in, my
> desktop is clean. So I did a netstat.
>
> I'm a bit curious of the 216.x.x.x process shown below. Do you have any
> idea?
>
> C:\W95>netstat
>
> Active Connections
>
> Proto Local Address Foreign Address State
> TCP a:1033 smtp2.oneintranet.com.ph:nbsession
> ESTABLISHED
> TCP a:1054 smtp2.oneintranet.com.ph:1069 ESTABLISHED
> TCP a:1058 smtp2.oneintranet.com.ph:1115 ESTABLISHED
> TCP a:1067 smtp2.oneintranet.com.ph:1069 ESTABLISHED
> TCP a:1071 smtp2.oneintranet.com.ph:1115 ESTABLISHED
> TCP a:1148 216.33.199.96:80 FIN_WAIT_2
> TCP a:1219 216.35.217.189:17027 LAST_ACK
> TCP a:1228 216.35.217.189:17027 LAST_ACK
> TCP a:1230 216.35.217.189:17027 SYN_SENT
>
>
> Ronneil
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
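
The triage described in the reply above (group the netstat rows by remote endpoint, then look in the hosts file for a local override of the name nobody else can resolve), as an added example that is not part of either message. The hosts file contents and the 192.0.2.10 address are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the netstat rows from the quoted post (first row's State wraps).
NETSTAT = """\
TCP a:1033 smtp2.oneintranet.com.ph:nbsession
ESTABLISHED
TCP a:1054 smtp2.oneintranet.com.ph:1069 ESTABLISHED
TCP a:1058 smtp2.oneintranet.com.ph:1115 ESTABLISHED
TCP a:1067 smtp2.oneintranet.com.ph:1069 ESTABLISHED
TCP a:1071 smtp2.oneintranet.com.ph:1115 ESTABLISHED
TCP a:1148 216.33.199.96:80 FIN_WAIT_2
TCP a:1219 216.35.217.189:17027 LAST_ACK
TCP a:1228 216.35.217.189:17027 LAST_ACK
TCP a:1230 216.35.217.189:17027 SYN_SENT
"""
# Constructed hosts file; 192.0.2.10 is a documentation address, not from the thread.
HOSTS = """\
127.0.0.1 localhost
192.0.2.10 smtp2.oneintranet.com.ph  # hypothetical override
"""

ROW = re.compile(r"\b(TCP|UDP)\s+\S+:\S+\s+(\S+):(\S+)\s+([A-Z][A-Z_0-9]+)")

def summarize(netstat_text):
    """Map (remote host, remote port) -> list of connection states."""
    text = re.sub(r"(?m)^[> ]+", "", netstat_text)  # tolerate pasted "> " quoting
    groups = defaultdict(list)
    for _proto, host, port, state in ROW.findall(text):  # \s+ spans a wrapped State
        groups[(host.lower(), port)].append(state)
    return dict(groups)

def high_port_endpoints(groups):
    """Remote endpoints on numeric ports >= 1024 (not a well-known service port)."""
    return sorted(k for k in groups if k[1].isdigit() and int(k[1]) >= 1024)

def hosts_overrides(hosts_text, hostname):
    """Return the addresses a hosts file pins for hostname (empty list if none)."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 2 and hostname.lower() in (n.lower() for n in fields[1:]):
            hits.append(fields[0])
    return hits

if __name__ == "__main__":
    for endpoint, states in sorted(summarize(NETSTAT).items()):
        print(endpoint, states)
    print(hosts_overrides(HOSTS, "smtp2.oneintranet.com.ph"))
```

A non-empty result from `hosts_overrides` means the name is being answered locally rather than by DNS, which is the case the reply asks the poster to rule out.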