
unknown connections showing in netstat

09-15-2010, 08:49 PM   #1
joe7dust (Registered Member, OS: xp sp3)

I ran 'netstat -n' directly following a clean reboot (msconfig to clear all startup processes, etc.) and found 6 connections, 4 of which begin with 127.0.0.1, so I'm going to assume these are safe since that is localhost as far as I know, regardless of port #. (It was still strange to see that I can be connected to 'myself'; can someone explain why?)

I was also connected to 2 foreign IPs, one of which appears to belong to Google. Both of these were on port 80. I have all software and extra processes disabled, so why would I still have a connection to Google, even with TIME_WAIT as its state? My web browser was not open at the time.

And lastly, the most important question I have involves an IP that I was unable to identify via Google: 67.23.114.18 on port 80.

Putting this in a web browser took me to someone's website, I think? It is a very common format for simply hosting files; I don't know what to call it but.... It says 'Index of /' at the top and then shows a list of files/folders. The applications included things like Mozilla, not a particularly stunning website... So why on earth do I have a connection in the ESTABLISHED state to 67.23.114.18 after a clean reboot with no programs running at all?

edit: Also, I was unaware that websites could connect you to other websites without your permission. For example, I now have an ESTABLISHED connection to 66.220.153.11, which is Facebook, but I never use fb! I'm assuming it's 'cause there is an ad for following TSF on Facebook in the lower right...

09-16-2010, 01:51 PM   #2
joe7dust (Registered Member, OS: xp sp3)

Anyone have any idea what 67.23.114.18 is? Or my lesser questions?

09-17-2010, 07:06 AM   #3
johnwill (Microsoft MVP)

Looks like it might be some sort of ad site:

Quote:
Location: United States [City: Reston, Virginia]


Using 28 day old cached answer (or, you can get fresh results).
Hiding E-mail address (you can get results with the E-mail address).

#
# Query terms are ambiguous. The query is assumed to be:
# "n 67.23.114.18"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=67...showARIN=false
#

NetRange: 67.23.96.0 - 67.23.127.255
CIDR: 67.23.96.0/19
OriginAS: AS40015
NetName: RST-RX-YELLOWFIBER-NET
NetHandle: NET-67-23-96-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.YELLOWFIBER.NET
NameServer: NS2.YELLOWFIBER.NET
Comment: All Address Space is STATICLY ASSIGNED
RegDate: 2009-02-18
Updated: 2009-04-03
Ref: http://whois.arin.net/rest/net/NET-67-23-96-0-1


OrgName: Yellow Fiber Networks
OrgId: MOVEC
Address: 12100 Sunrisey valley dr
Address: Suite 290-3
City: Reston
StateProv: VA
PostalCode: 20191
Country: US
RegDate: 2006-05-15
Updated: 2009-03-30
Ref: http://whois.arin.net/rest/org/MOVEC

ReferralServer: rwhois://rwhois.moveclicks.com:4321

OrgNOCHandle: YFSUP-ARIN
OrgNOCName: YF Support
OrgNOCPhone: +1-800-424-0269
OrgNOCEmail: *******@yellowfiber.net
OrgNOCRef: http://whois.arin.net/rest/poc/YFSUP-ARIN

OrgTechHandle: ZAT-ARIN
OrgTechName: Thompson, Zachary Alan
OrgTechPhone: +1-703-209-5706
OrgTechEmail: ***@yellowfiber.net
OrgTechRef: http://whois.arin.net/rest/poc/ZAT-ARIN

OrgAbuseHandle: YFABU-ARIN
OrgAbuseName: YF Abuse
OrgAbusePhone: +1-800-424-0269
OrgAbuseEmail: *****@yellowfiber.net
OrgAbuseRef: http://whois.arin.net/rest/poc/YFABU-ARIN

RAbuseHandle: YFABU-ARIN
RAbuseName: YF Abuse
RAbusePhone: +1-800-424-0269
RAbuseEmail: *****@yellowfiber.net
RAbuseRef: http://whois.arin.net/rest/poc/YFABU-ARIN

RTechHandle: YFSUP-ARIN
RTechName: YF Support
RTechPhone: +1-800-424-0269
RTechEmail: *******@yellowfiber.net
RTechRef: http://whois.arin.net/rest/poc/YFSUP-ARIN

RNOCHandle: ZAT-ARIN
RNOCName: Thompson, Zachary Alan
RNOCPhone: +1-703-209-5706
RNOCEmail: ***@yellowfiber.net
RNOCRef: http://whois.arin.net/rest/poc/ZAT-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
09-17-2010, 03:06 PM   #4
joe7dust (Registered Member, OS: xp sp3)

Thanks for the info. I found something very similar to that via Google, but I couldn't decipher it (and still can't). Where do you see that it may be an ad server?

And most importantly, why would I have an established connection to it after a minimal reboot and verification that I have only 9 processes running? Sounds like malware/adware... but MBAM and SAS didn't find anything.
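An added example, not code from any poster in this thread: a Python triage of `netstat -ano` output (`-a` and `-o` are real netstat switches that add listening sockets and the owning PID) that drops loopback and non-live rows and tags each remaining peer with a netblock owner. The sample output, local addresses and PIDs are constructed; the two remote IPs and the 67.23.96.0/19 record come from the posts above.

```python
import ipaddress
import re

# Constructed sample of `netstat -ano` output (Windows layout). Only the two
# public remote addresses come from the thread; the rest is made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    127.0.0.1:1029         127.0.0.1:1030         ESTABLISHED     1480
  TCP    127.0.0.1:1030         127.0.0.1:1029         ESTABLISHED     1480
  TCP    192.168.1.10:1041      67.23.114.18:80        ESTABLISHED     1480
  TCP    192.168.1.10:1043      66.220.153.11:80       ESTABLISHED     2212
  TCP    192.168.1.10:1038      192.0.2.55:80          TIME_WAIT       0
"""

# Netblock owner taken from the ARIN record quoted in the thread.
KNOWN_NETS = {ipaddress.ip_network("67.23.96.0/19"): "Yellow Fiber Networks"}

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse(text):
    """Yield one dict per TCP row of `netstat -ano` output."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            _local, _lport, remote, rport, state, pid = m.groups()
            yield {"remote": remote.strip("[]"), "rport": int(rport),
                   "state": state, "pid": int(pid)}

def triage(text):
    """Return live connections to non-loopback peers, with owning PID."""
    findings = []
    for c in parse(text):
        peer = ipaddress.ip_address(c["remote"])
        # Loopback pairs are two local programs talking to each other;
        # LISTENING rows have no peer; TIME_WAIT is a connection already
        # closed locally that the TCP stack holds briefly (listed as PID 0).
        if peer.is_loopback or c["state"] != "ESTABLISHED":
            continue
        owner = next((n for net, n in KNOWN_NETS.items() if peer in net), "unknown")
        findings.append((c["remote"], c["rport"], c["pid"], owner))
    return findings

if __name__ == "__main__":
    for remote, port, pid, owner in triage(SAMPLE):
        print(f"{remote}:{port} pid={pid} netblock={owner}")
```

The PID on each remaining row can then be matched to a process name in Task Manager (PID column) or with `tasklist`.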
09-17-2010, 03:08 PM   #5
joe7dust (Registered Member, OS: xp sp3)

Oh and also, I use a special hosts file with 10,000+ blocked ips, etc. This alone makes the ad server idea a little less likely imo. It would be the first ad connection I'm aware of not being blacklisted on my system already.
09-20-2010, 10:21 AM   #6
joe7dust (Registered Member, OS: xp sp3)

Well at any rate the unsolicited connection to facebook seems to be helping you guys out. # of people that like TSF has gone up like 50% in the last 2 weeks.
09-20-2010, 02:30 PM   #7
johnwill (Microsoft MVP)

Actually, the number of active users changed because the board software changed the way it logs them.
09-21-2010, 01:37 AM   #8
joe7dust (Registered Member, OS: xp sp3)

Not the board software, I was referring to the facebook friend/like request ad in the lower left. It is not here today but has been all week. It is either because I just upgraded to windows 7 64bit from xp32 or the ad isn't running anymore.

All times are GMT -7.