# Computer under constant UDP attack



## RussW (Sep 28, 2010)

Hello-

I have a laptop that seems to be getting regular attacks from an outside source (across the internet). This started back around July 4 when I was using a wi-fi network that was unsecured but password protected. At the time there was an immediate attempt to access my files; and for some unknown reason the Windows Firewall was down (although on the Security Settings Control Panel it said the firewall was "UP"). I immediately turned the firewall on and refused a .NET connection from a user attempting to access my files.

So at this point I am still getting regular UDP port access requests from multiple IPs. I don't know if they are getting through the McAfee security; or why these port requests are getting through the Firewall on my ISP's router (AT&T U-Verse).

Is there a way to diagnose hacking like this and block it? I called AT&T and got no answer; unless I agree to pay them for technical support.

Thanks for any help you can give; I really appreciate the help I have gotten here recently from Ried on the virus problems. You guys are great!


----------



## johnwill (Sep 26, 2002)

Hold the *Windows* key and press *R*, then type *CMD* then press *Enter* to open a command prompt:

In the command prompt window that opens, type the following command:


```
NETSTAT -a
```

Right click in the command window and choose *Select All*, then hit *Enter* to copy the contents to the clipboard.
Paste the results in a message here.

If you are on a machine with no network connection, use a floppy, USB disk, or a CD-RW disk to transfer a text file with the information to allow pasting it here.


----------



## RussW (Sep 28, 2010)

I was looking at my McAfee logs again; and the amount of inbound traffic has died down, although it seems to be coming from many different IPs now but not as frequently.

The log you asked me to generate does not show any UDP traffic although there is lots of TCP traffic that is probably tracking cookies, and/or programs that report to a server (don't know; but would like to keep the "watching my computer" to a minimum).

Here are some text clips from my McAfee log (this is just the latest):

```
10/6/2010 06:37:09PM 204.246.235.218 UDP port 22561
10/5/2010 09:18:28PM 207.138.101.138 UDP port 22559
10/4/2010 04:09:18PM 207.138.101.138 UDP port 22569
10/4/2010 03:44:39PM 207.138.101.138 UDP port 22557
10/3/2010 11:42:13PM 207.138.101.138 UDP port 22575
10/2/2010 11:32:25PM 207.138.101.138 UDP port 22567
```


Here is the log of the netstat:

```
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Russ>NETSTAT -a
Active Connections
Proto Local Address Foreign Address State
TCP RUSS_SONY:epmap RUSS_SONY:0 LISTENING
TCP RUSS_SONY:microsoft-ds RUSS_SONY:0 LISTENING
TCP RUSS_SONY:6646 RUSS_SONY:0 LISTENING
TCP RUSS_SONY:1033 RUSS_SONY:0 LISTENING
TCP RUSS_SONY:1441 localhost:27015 ESTABLISHED
TCP RUSS_SONY:5152 RUSS_SONY:0 LISTENING
TCP RUSS_SONY:5152 localhost:2610 CLOSE_WAIT
TCP RUSS_SONY:5354 RUSS_SONY:0 LISTENING
TCP RUSS_SONY:27015 RUSS_SONY:0 LISTENING
TCP RUSS_SONY:27015 localhost:1441 ESTABLISHED
TCP RUSS_SONY:netbios-ssn RUSS_SONY:0 LISTENING
TCP RUSS_SONY:2592 89.149.159.115:25793 ESTABLISHED
TCP RUSS_SONY:2614 nuq04s01-in-f165.1e100.net:http ESTABLISHED
TCP RUSS_SONY:2615 nuq04s01-in-f154.1e100.net:http ESTABLISHED
TCP RUSS_SONY:2617 cdce.lax011.internap.com:http ESTABLISHED
TCP RUSS_SONY:2618 nuq04s01-in-f154.1e100.net:http ESTABLISHED
TCP RUSS_SONY:2620 www-13-02.snc5.facebook.com:http ESTABLISHED
TCP RUSS_SONY:2621 a96-16-200-74.deploy.akamaitechnologies.com:http
ESTABLISHED
TCP RUSS_SONY:2622 63.217.232.115:http ESTABLISHED
TCP RUSS_SONY:2623 65.49.92.34:http ESTABLISHED
TCP RUSS_SONY:2625 nuq04s01-in-f148.1e100.net:http ESTABLISHED
TCP RUSS_SONY:2627 nuq04s01-in-f149.1e100.net:http ESTABLISHED
TCP RUSS_SONY:2644 nuq04s01-in-f154.1e100.net:http TIME_WAIT
TCP RUSS_SONY:2647 nuq04s01-in-f96.1e100.net:http TIME_WAIT
TCP RUSS_SONY:2649 nuq04s01-in-f96.1e100.net:http TIME_WAIT
TCP RUSS_SONY:2651 nuq04s01-in-f154.1e100.net:http TIME_WAIT
TCP RUSS_SONY:2652 nuq04s01-in-f154.1e100.net:http TIME_WAIT
TCP RUSS_SONY:2661 65.49.92.34:http ESTABLISHED
TCP RUSS_SONY:2672 community.xv.dc.openx.org:http TIME_WAIT
TCP RUSS_SONY:2674 cdce.lax011.internap.com:http ESTABLISHED
TCP RUSS_SONY:2676 nuq04s01-in-f154.1e100.net:http ESTABLISHED
TCP RUSS_SONY:2678 a96-16-200-74.deploy.akamaitechnologies.com:http
ESTABLISHED
TCP RUSS_SONY:2679 nuq04s01-in-f157.1e100.net:http ESTABLISHED
TCP RUSS_SONY:2680 74.122.140.21:http ESTABLISHED
TCP RUSS_SONY:2696 nuq04s01-in-f154.1e100.net:http ESTABLISHED
TCP RUSS_SONY:2699 nuq04s01-in-f96.1e100.net:http ESTABLISHED
TCP RUSS_SONY:2702 nuq04s01-in-f154.1e100.net:http ESTABLISHED
TCP RUSS_SONY:2703 nuq04s01-in-f96.1e100.net:http ESTABLISHED
TCP RUSS_SONY:2704 nuq04s01-in-f154.1e100.net:http ESTABLISHED
TCP RUSS_SONY:2709 us.mcafee.com:http TIME_WAIT
TCP RUSS_SONY:2710 63.217.232.137:http ESTABLISHED
TCP RUSS_SONY:2711 63.217.232.137:http ESTABLISHED
TCP RUSS_SONY:2722 mpr6.ngd.vip.sp2.yahoo.com:http TIME_WAIT
TCP RUSS_SONY:2724 sm.mcafee.com:https ESTABLISHED
UDP RUSS_SONY:snmp *:*
UDP RUSS_SONY:microsoft-ds *:*
UDP RUSS_SONY:isakmp *:*
UDP RUSS_SONY:1025 *:*
UDP RUSS_SONY:1900 *:*
UDP RUSS_SONY:4500 *:*
UDP RUSS_SONY:50856 *:*
UDP RUSS_SONY:ntp *:*
UDP RUSS_SONY:1900 *:*
UDP RUSS_SONY:2593 *:*
UDP RUSS_SONY:2594 *:*
UDP RUSS_SONY:2595 *:*
UDP RUSS_SONY:2596 *:*
UDP RUSS_SONY:2600 *:*
UDP RUSS_SONY:2611 *:*
UDP RUSS_SONY:2723 *:*
UDP RUSS_SONY:ntp *:*
UDP RUSS_SONY:netbios-ns *:*
UDP RUSS_SONY:netbios-dgm *:*
UDP RUSS_SONY:1900 *:*
UDP RUSS_SONY:5353 *:*
UDP RUSS_SONY:6646 *:*
UDP RUSS_SONY:22564 *:*
UDP RUSS_SONY:22565 *:*
C:\Documents and Settings\Russ>
```
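
An added example, not part of the original posts: it cross-checks the blocked-UDP entries in the McAfee log against the UDP ports that `netstat -a` shows the laptop itself holding open, using rows copied from the post above. The function names and the 16-port `window` are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Sample rows copied from the McAfee log and `netstat -a` output posted above.
FIREWALL_LOG = """\
10/6/2010 06:37:09PM 204.246.235.218 UDP port 22561
10/5/2010 09:18:28PM 207.138.101.138 UDP port 22559
10/4/2010 04:09:18PM 207.138.101.138 UDP port 22569
10/4/2010 03:44:39PM 207.138.101.138 UDP port 22557
10/3/2010 11:42:13PM 207.138.101.138 UDP port 22575
10/2/2010 11:32:25PM 207.138.101.138 UDP port 22567
"""
NETSTAT = """\
TCP RUSS_SONY:2724 sm.mcafee.com:https ESTABLISHED
UDP RUSS_SONY:snmp *:*
UDP RUSS_SONY:1900 *:*
UDP RUSS_SONY:22564 *:*
UDP RUSS_SONY:22565 *:*
"""
LOG_RE = re.compile(r"^\S+ \S+ (\d{1,3}(?:\.\d{1,3}){3}) UDP port (\d+)$")
UDP_RE = re.compile(r"^UDP\s+\S+:(\S+)\s+\*:\*$")

def blocked_by_source(log_text):
    """Map each source IP to the sorted UDP ports it was blocked on."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            hits[m.group(1)].append(int(m.group(2)))
    return {ip: sorted(ports) for ip, ports in hits.items()}

def local_udp_ports(netstat_text):
    """Numeric local UDP ports; service names such as snmp or ntp are skipped."""
    rows = (UDP_RE.match(line.strip()) for line in netstat_text.splitlines())
    return {int(m.group(1)) for m in rows if m and m.group(1).isdigit()}

def correlate(log_text, netstat_text, window=16):
    """Per source: blocked ports, exact matches and near matches to bound local ports."""
    local = local_udp_ports(netstat_text)
    report = {}
    for ip, ports in blocked_by_source(log_text).items():
        near = [p for p in ports if any(abs(p - q) <= window for q in local)]
        report[ip] = {"ports": ports, "near_local": near,
                      "exact": sorted(set(ports) & local)}
    return report

if __name__ == "__main__":
    for ip, info in correlate(FIREWALL_LOG, NETSTAT).items():
        print(ip, info)
```

On this data every blocked port lies within a few ports of the locally bound 22564 and 22565, so the next check is which program owns those sockets; on Windows XP `netstat -ano` adds the owning PID to each row.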


----------



## johnwill (Sep 26, 2002)

Hmm... Boot in *Safe Mode with Networking* using a wired connection and see if the USB probes still occur.


----------

