Where do you find your lost car keys? You find them in the same place every time and the answer is easy.
You find them the last place you look.
When it came to XP I never got past netstat to find out who’s invading my privacy because it wasn’t necessary. Now there are some interesting things about DOS that I forgot, but since analyzing Vista is a whole new ballgame, I thought I had better refresh myself. The command of the day was netstat -ano with a few modifiers to give me a hand. After all, this is still a computer and it should be able to follow a few simple commands. Check the following:
C:\>netstat -ano 10 >> fred.txt
Now this command is fairly straightforward when you learn DOS. The netstat -ano gives a listing of the protocol, the local address and port, the foreign IP and port, the state and the Process ID. The 10 means the listing is repeated every 10 seconds, and since you really can’t do much with DOS output and the retained DOS data is finite, the >> fred.txt part sends it to a text file named fred.txt and appends the new information being generated every 10 seconds to the bottom of the file.
Because of the slow speed of Vista and all the Simon Says rules, I set up DOS with the above command the night before and a second DOS window with “notepad fred.txt”. Since they were set up the night before, all I have to do when the machine comes out of hibernation is to press enter on the netstat command and about 2 minutes later press enter on the other DOS window to see what I have captured in notepad.
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 748
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 432
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 948
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 1148
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 516
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 988
TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING 500
TCP 12.197.60.34:139 0.0.0.0:0 LISTENING 4
TCP 12.197.60.34:53044 72.14.203.101:80 CLOSE_WAIT 1028
TCP 12.197.60.34:53045 209.85.163.125:5222 ESTABLISHED 1028
TCP 12.197.60.34:53046 64.233.163.189:80 TIME_WAIT 0
TCP 12.197.60.34:53047 207.46.235.29:443 ESTABLISHED 2060
TCP 12.197.60.34:53049 8.12.213.124:80 ESTABLISHED 2060
TCP 12.197.60.34:53050 8.12.213.124:80 ESTABLISHED 988
The first three external IPs belong to Google Talk. The third Google connection drops out after 2 minutes and the first 2 stay connected all day. The fourth IP is Microsoft and the last IP, used by two different processes, belongs to Level 3.
Now Level 3 is an untrusted, uninvited guest, but the connection only lasts for less than a minute. By the time I check the task manager and get through “Simon Says” and “processes from all users”, it’s too late to find out who is doing what to me, and I have yet to discover a meaningful list of subprocesses for each PID that I might block to shut out the intruder. Blocking the IP is a waste of time because there are billions and the task of invading my privacy can be shifted to another server. The only permanent way is to identify and kill the process.
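The two problems described above, reading the netstat -ano log that fred.txt accumulates and tying each PID back to a process name before the connection disappears, can both be handled by a small script instead of by racing Task Manager. The following is an added example written for this post, not code from the original author: it parses netstat -ano output, maps PIDs to image names using the CSV listing that `tasklist /FO CSV /NH` produces on Windows (the single-PID form `tasklist /FI "PID eq 988"` is the one-off equivalent), and then compares successive 10-second snapshots to find peers that appeared only briefly. The first snapshot is the author's own capture copied from the post; the second snapshot and the tasklist rows (image names included) are constructed sample data, so the process names are placeholders and not what the author's machine reported.

```python
import csv
import io
from collections import defaultdict

# Snapshot 1: the author's netstat -ano capture from the post (one interval).
SNAPSHOT_1 = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       748
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       432
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       1148
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       516
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING       988
  TCP    0.0.0.0:49157          0.0.0.0:0              LISTENING       500
  TCP    12.197.60.34:139       0.0.0.0:0              LISTENING       4
  TCP    12.197.60.34:53044     72.14.203.101:80       CLOSE_WAIT      1028
  TCP    12.197.60.34:53045     209.85.163.125:5222    ESTABLISHED     1028
  TCP    12.197.60.34:53046     64.233.163.189:80      TIME_WAIT       0
  TCP    12.197.60.34:53047     207.46.235.29:443      ESTABLISHED     2060
  TCP    12.197.60.34:53049     8.12.213.124:80        ESTABLISHED     2060
  TCP    12.197.60.34:53050     8.12.213.124:80        ESTABLISHED     988
"""

# Snapshot 2: CONSTRUCTED follow-up interval in which the short-lived
# connections (the TIME_WAIT one and the two to 8.12.213.124) are gone.
SNAPSHOT_2 = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       748
  TCP    12.197.60.34:53044     72.14.203.101:80       CLOSE_WAIT      1028
  TCP    12.197.60.34:53045     209.85.163.125:5222    ESTABLISHED     1028
  TCP    12.197.60.34:53047     207.46.235.29:443      ESTABLISHED     2060
"""

# CONSTRUCTED sample of `tasklist /FO CSV /NH` output: columns are
# Image Name, PID, Session Name, Session#, Mem Usage. Names are placeholders.
SAMPLE_TASKLIST = '''"svchost.exe","988","Services","0","12,345 K"
"googletalk.exe","1028","Console","1","23,456 K"
"iexplore.exe","2060","Console","1","45,678 K"
"System","4","Services","0","1,234 K"
'''

LOCAL_HOSTS = {"0.0.0.0", "127.0.0.1", "*", "[::]", "[::1]"}


def parse_netstat(text):
    """Turn netstat -ano lines into dicts. TCP rows have a State column,
    UDP rows do not, so the field count tells the two apart."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or "Active Connections"
        if fields[0] == "TCP" and len(fields) == 5:
            proto, local, foreign, state, pid = fields
        elif fields[0] == "UDP" and len(fields) == 4:
            proto, local, foreign, pid = fields
            state = ""
        else:
            continue  # malformed line; skip rather than guess
        records.append({"proto": proto, "local": local, "foreign": foreign,
                        "state": state, "pid": int(pid)})
    return records


def parse_tasklist_csv(text):
    """Map PID -> image name from tasklist /FO CSV output."""
    names = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names


def split_addr(addr):
    """'host:port' -> (host, port); rpartition keeps IPv6 brackets intact."""
    host, _, port = addr.rpartition(":")
    return host, port


def is_remote(rec):
    """True for sockets talking to a real peer, not LISTENING placeholders."""
    return split_addr(rec["foreign"])[0] not in LOCAL_HOSTS


def remote_connections_by_process(netstat_text, tasklist_text):
    """Group remote peers under the owning image name. PID 0 on a TIME_WAIT
    socket means the owner already exited, which is why it has no name."""
    names = parse_tasklist_csv(tasklist_text)
    grouped = defaultdict(set)
    for rec in parse_netstat(netstat_text):
        if is_remote(rec):
            name = names.get(rec["pid"], f"PID {rec['pid']} (not in tasklist)")
            grouped[name].add((rec["foreign"], rec["state"]))
    return {name: sorted(peers) for name, peers in grouped.items()}


def transient_peers(snapshots, max_intervals=1):
    """(foreign host, pid) pairs seen in at most max_intervals snapshots:
    the sub-minute connections a human watching Task Manager misses."""
    seen = defaultdict(int)
    for snap in snapshots:
        pairs = {(split_addr(r["foreign"])[0], r["pid"])
                 for r in parse_netstat(snap) if is_remote(r)}
        for pair in pairs:
            seen[pair] += 1
    return sorted(pair for pair, n in seen.items() if n <= max_intervals)


if __name__ == "__main__":
    for name, peers in remote_connections_by_process(SNAPSHOT_1, SAMPLE_TASKLIST).items():
        print(name, peers)
    print("seen in one interval only:", transient_peers([SNAPSHOT_1, SNAPSHOT_2]))
```

On a real machine the two inputs come from the same moment: append `tasklist /FO CSV /NH` output to its own file on the same 10-second cadence as the netstat loop, because a PID that is recycled after the process exits would otherwise be matched to the wrong name. The grouping by image name answers the question the post is asking (which process owns the Level 3 connection), and the transient-peer comparison is what makes a sub-minute connection visible after the fact without having to catch it live.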
Tomorrow, I’ll discuss a new DOS command; at least it’s new to me and does not exist in Windows XP DOS.
But the only thing for sure right now is that I have an uninvited intruder invading my privacy which has made it past Windows Defender, and I don’t have a clue how to stop it.