What is my secret computer doing? Zombie comp?

provoko

Gawd
Joined
Aug 6, 2004
Messages
656
Hi, I'm in a strange situation. I have to let another computer access my internet, and I notice they're connecting to all kinds of strange IPs and ports. For the most part they're sending out information from all ports up to 65535. The IP addresses look like these:

87.15.248.197 - RIPE network
218.212.206.17 - APNIC Asia Pacific

I wanna know if they're running some bittorrent program, a SKYPE program, an MMO, or if someone's made their computer a zombie?

What I've done is just block all ports from 11000 to 65535 because at times my connection gets throttled by their uploading to all these random IPs and ports.
 
On my forums most of my spam comes from RIPE and Asia, they might have some malware or spyware sending out info for advertising and stuff.

Should I block more ports? I do notice 6881 6000 113 used a lot.

Here's a screenshot of the ports being used after I've blocked everything above 11k. The two WWW IPs visited were google and hulu.

strangecomp.png
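As an added illustration, not posted by anyone in this thread: a small Python triage script that tallies the kind of connection list described above (destination IP, destination port, protocol, bytes sent) per port and per peer, labels the ports mentioned (6881, 6000, 113) by their commonly assigned use, and measures how much of the outbound volume the described 11000 to 65535 block would have covered, assuming that rule matches destination ports. Every record in the sample is constructed; apart from the two addresses quoted in the post, the IPs are documentation-range placeholders and the byte counts are made up.

```python
from collections import Counter, defaultdict

# Constructed sample: outbound connection records as a router's connection
# table or a netstat dump might show them. Fields: destination IP, destination
# port, protocol, bytes sent. Not real traffic; 192.0.2.x, 198.51.100.x and
# 203.0.113.x are documentation-range placeholders.
SAMPLE_CONNECTIONS = [
    ("87.15.248.197", 6881, "tcp", 120000),
    ("87.15.248.197", 51413, "tcp", 80000),
    ("218.212.206.17", 6881, "tcp", 95000),
    ("218.212.206.17", 43210, "udp", 4000),
    ("203.0.113.9", 113, "tcp", 60),
    ("198.51.100.23", 6000, "tcp", 500),
    ("192.0.2.44", 33001, "tcp", 30000),
    ("192.0.2.44", 33002, "tcp", 30000),
    ("192.0.2.44", 33003, "tcp", 30000),
    ("203.0.113.77", 80, "tcp", 2000),   # stands in for the "WWW" traffic
    ("203.0.113.77", 443, "tcp", 3000),
]

# Commonly assigned uses of the ports the thread mentions. A port number alone
# never proves which program is behind it; treat these as hints to verify.
KNOWN_PORTS = {
    6881: "BitTorrent default listening port",
    113: "ident (auth) lookup, often triggered by IRC or P2P peers",
    6000: "X11 display server",
    80: "HTTP",
    443: "HTTPS",
}


def classify_port(port):
    """Label a destination port by its commonly assigned service, if any."""
    return KNOWN_PORTS.get(port, "unassigned/ephemeral (no fixed service)")


def summarize(records):
    """Per-port connection counts and the distinct peer IPs seen on each port."""
    by_port = Counter()
    peers_by_port = defaultdict(set)
    for dst_ip, dst_port, _proto, _nbytes in records:
        by_port[dst_port] += 1
        peers_by_port[dst_port].add(dst_ip)
    return by_port, {p: sorted(s) for p, s in peers_by_port.items()}


def spread(records):
    """Count distinct destination ports, distinct peers and high (>1024) ports."""
    ports = {r[1] for r in records}
    peers = {r[0] for r in records}
    return {
        "distinct_ports": len(ports),
        "distinct_peers": len(peers),
        "high_ports": len({p for p in ports if p > 1024}),
    }


def shape_hint(records):
    """Heuristic only: many peers on many high ports is the shape a P2P swarm
    produces; a few fixed ports hit repeatedly by the same peers looks more
    like scheduled beaconing and deserves a closer look at timing and peers."""
    s = spread(records)
    if s["high_ports"] >= 5 and s["distinct_peers"] >= 4:
        return "many peers on many high ports: consistent with P2P swarming"
    return "few peers/ports hit repeatedly: check beacon timing and peer reputation"


def blocked_share(records, low=11000, high=65535):
    """Fraction of outbound bytes a rule dropping destination ports low..high
    would have stopped (the block described in the post, assumed to match
    destination ports)."""
    total = sum(r[3] for r in records)
    blocked = sum(r[3] for r in records if low <= r[1] <= high)
    return blocked / total if total else 0.0


if __name__ == "__main__":
    by_port, peers = summarize(SAMPLE_CONNECTIONS)
    for port, n in by_port.most_common():
        print(f"port {port:>5}  conns={n}  peers={len(peers[port])}  {classify_port(port)}")
    print(spread(SAMPLE_CONNECTIONS))
    print(shape_hint(SAMPLE_CONNECTIONS))
    print(f"share of bytes the 11000-65535 block covers: {blocked_share(SAMPLE_CONNECTIONS):.1%}")
```

The point of the spread and share figures is to separate two very different explanations that look alike in a port list: a torrent client talks to many peers on many high ports and its volume survives a partial port block, while a beaconing host tends to reuse a few ports and peers on a schedule. Feeding real connection-table rows into `SAMPLE_CONNECTIONS` makes the same functions answer that question for the machine in the post.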


How about scanning the computer using your internet to see if it's spyware, and you don't have to block anything. Wouldn't that be more reasonable?
 
Yeah, this seems like a technical approach vs. an easier method to find out what's going on. Run Malwarebytes on the machine you think is infected. Good place to start.

Check the sticky at the top. You're headed in the right direction though ;)

Absolutely not, that's not an option. I mentioned I can't get to the computer, but it has to use my internet connection. It's really a strange situation.

Hmmm... "Has to use MY connection"... you have every right to suspect a problem with that computer based on evidence you already have. You should be aware of an infected computer spreading malware across the local subnet (your LAN) to your own computer(s), thus you should disconnect that computer and have the owner allow you to clean it.

An analogy... if someone had 50 pounds of mud and dogshit on their shoes, would you let them walk around your house smearing crap all over your floors and carpet? No, you'd probably make them either leave their shoes outside, or at the very least clean them off before coming inside.

You're right.
 
Put your machine on a hub (not a switch) with the other "secret comp" and sniff the traffic with Wireshark. You'll know exactly what it's doing then.
 
I've always been surprised at the amount of traffic I see my Cisco 3725 discard coming from APNIC. It's usually from some Thailand Telecomms or some crap, and I often wonder whether it's just me (or my router) or if they spam everyone else with all those packets too.

APNIC spam aside, I'd agree with the above and try to take a peek at what's going on. But first I'd probably configure a firewall on your own PC to block all traffic coming from that computer; don't let it get into your machine.
 