What is this See the .reverse. connect

pupa

Banned
Joined
Dec 5, 2003
Messages
3,890
Reaction score
12
What is this See the .reverse. connection on port 4342. I do not deal with this site at all.

C:\Documents and Settings\chris.CHRISTOFFEL>netstat

Active Connections


.....TCP christoffel:4342 125.70-86-99.reverse.theplanet.com:http CLOSE_WAIT
 
its not on port 4342, its going from your machine (port 4342) to thier machine on HTTP (port 80) reverse.theplanet.com and 125.70-86-99.reverse.theplanet.com do not resolve for me so either my ISP had a DNS problem or thats spoofed/old.

hard to say what it is seeing that it doesnt appear to be up any longer.. theplanet.com is a huge datacenter and alot of hosts buy servers from them so you might have dealt with a site like example.com and example.com could have had a slave server on theplanet and thats why you dont recognise the address

when did you do that netstat
 
Can this be becuase of the IP change remnant. As I checked the site... Never been there . It keeps on showing at times when I do netstat...since the last hour
 
ok dont download a thing, disconnect completely, make sure no app needing the net is open, then connect and wait 30 seconds and netstat... if it shows up soon after you connect like that you can assume its a zombie/drone bot and that you're infected, then ctrl + alt + delete and try track down the proccess/app name if you cant see anything obvious use netlimiter which will show you app names of apps using the connection.

Do you sometimes get a prompt popping out of nowhere asking ytou to connect if you're not connected to the net?
 
the planet as i said is a datacenter so sometimes people buy servers to set up IRCDs with high connection limits, then they compile thier own special zombie/drone bot they have the source for and those will go out infecting people by exploiting popular bugs in windows. Once connected the apps (ussually a dirivative of SDbot, RXBot etc) will copy themselves twice in the system directory (/winnt or /windows/system32) and then add start up registry entries. Then it connects to the persons IRCD on thier server and the "bot master" will ussually use that to steal data from you (they use it like a trojan, they steal cached password/CD Keys/CC numbers), Perform DDoS attacks (they sometime sdemand random or DDoS companies) or the most popular use is installing spyware which pays 50c per install or 10c if its a chinese box. So I think it makes sense its a zombie bot because your pc is still trying to connect to a dead server (the bot master has either lost a carded server, been caught or got a life).

Check the list of programs starting up by typing msconfig in Start -> Run and track down the bot that way, once you have found it (by the way search for all exe's that are less than a week old in Start -> Find) boot into safe mode and delete the sucker.

By the way anti virus apps are useless with these bots because these bots are distributed to bot masters with the source code and they each mod it a little so the anti virus only picks up the very ooooold variants which are about 2 years old and the new custom version on your box wont show up into any antivirus definitions untill its infected enough people to be noticed (bot nets dont get noticed till they're over 15 000 bots)

You should try sort it ASAP for your own security and others, remember the bot is trying to infect IPs in your range right now.
 
Last edited:
I would have to agree, chances are your machine is calling back to this location for some reason, perhaps for advert/spyware things or worse.

125.70-86-99.reverse.theplanet.com = 70.86.99.125
There only appears to be reverse lookup info in the DNS, which is why you cant forward resolve it.
 
Thanx. I think I will restore to a week ago when I started using these broadband tweakers and crap to see registry values they are tweaking and tested the individual effects. Maybe I got infected by one or other. If netstat still shows it persists I will search further. Want to get My PC back to before ADSL anyway to only implement what I learned is best recently.
 
Oh Good Signature is gone on all of them

Is there a program I can run to monitor this all the time?? I thought this PC is as clean as baby butt
 
use netstat and netlimiter to see what uses the connection, unfortunatly theres no completely automated way to stay safe from everything. Just keep watching its
 
Probably one of the best apps for viewing connections is TCPView from sysinternals.com

It will show you what process is listening on what port. Very nifty.
 
i just noticed this thread has like 3 people from east rand, word homies
 
More Rogues

Also from East Rand. Can we set up our own infrastructure????? with huge pipe ??

While watching with netstat I found more unwanted TCP traffic
Why does Netstat interval not work ?????
TCP christoffel:4476 125.70-86-99.reverse.theplanet.com:http ESTABLISHED 1188


TCP christoffel:3250 196.2.63.230:http ESTABLISHED 1328
TCP christoffel:3277 banner.coza.com:http ESTABLISHED 1328
TCP christoffel:4130 christoffel.mshome.net:49152 CLOSE_WAIT 1348
TCP christoffel:3566 125.70-86-99.reverse.theplanet.com:http TIME_WAIT 0
TCP christoffel:3569 www.users.uswest.net:http FIN_WAIT_1 1188
TCP christoffel:3571 adsl-208-188-62-156.greenbriar.com:http FIN_WAIT_1 1188
TCP christoffel:3573 wolverine.foxhome.com:http ESTABLISHED 1188

I tracked with "Who is Active and send Abuse E-mail reports. Wait and see what happens.
Two I traced
Banner.coza.com is hosted by Mweb ?????????
wolverine.foxhome.com is actually FOX Home entertainment. Doing spying??Who can You trust The fnuckers
 
Top
Sign up to the MyBroadband newsletter
X