Someone trying to hack me?

spluff · 9 Nov 2011 at 14:20

Hi all,

I noticed this in my netstat earlier - reading somewhere it is something to do with remote desktop connection....

The port number keeps incrememnting by 1....

Is someone trying to hack me or port scan me?

Proto Local Address Foreign Address State
TCP 192.168.1.64:50697 api:2555 TIME_WAIT
TCP 192.168.1.64:50698 api:2555 TIME_WAIT
TCP 192.168.1.64:50699 api:2555 TIME_WAIT
TCP 192.168.1.64:50700 api:2555 TIME_WAIT
TCP 192.168.1.64:50701 api:2555 TIME_WAIT
TCP 192.168.1.64:50702 api:2555 TIME_WAIT
TCP 192.168.1.64:50703 api:2555 TIME_WAIT
TCP 192.168.1.64:50704 api:2555 TIME_WAIT
TCP 192.168.1.64:50705 api:2555 TIME_WAIT
TCP 192.168.1.64:50706 api:2555 TIME_WAIT
TCP 192.168.1.64:50707 api:2555 TIME_WAIT
TCP 192.168.1.64:50708 api:2555 TIME_WAIT
TCP 192.168.1.64:50709 api:2555 TIME_WAIT
TCP 192.168.1.64:50710 api:2555 TIME_WAIT
TCP 192.168.1.64:50711 api:2555 TIME_WAIT
TCP 192.168.1.64:50712 api:2555 TIME_WAIT
TCP 192.168.1.64:50713 api:2555 TIME_WAIT
TCP 192.168.1.64:50714 api:2555 TIME_WAIT
TCP 192.168.1.64:50715 api:2555 TIME_WAIT
TCP 192.168.1.64:50716 api:2555 TIME_WAIT
TCP 192.168.1.64:50717 api:2555 TIME_WAIT
TCP 192.168.1.64:50718 api:2555 TIME_WAIT
TCP 192.168.1.64:50719 api:2555 TIME_WAIT
TCP 192.168.1.64:50720 api:2555 TIME_WAIT
CryptSvc

PistolPete · 9 Nov 2011 at 14:46

You need to find out what API resolves to.

As you are running in a private address range (192.168.x.x) then it's less likely to be someone from outside trying to get in through your router as I'm guessing you are running NAT, so it's something either on your machine or on your network.

What makes you think it's something to do with RDC? The destination port is changing each time, and the source port gives little clue.

spluff · 9 Nov 2011 at 15:03

I have a rule set up on my router which forwards RDC traffic to my PC - the cryptsvc which is mentioned at the bottom of the list is to do with RDC...

My internal private network is 192.168.x.x

192.168.1.64 is the internal address of the PC

In my router firewall log I also have loads of entries saying....

Port forwarding rule added via UPnP. protocol: UDP, external ports: any->59619, internal ports: 59619, internal client: 192.168.1.64 ...... any ideas if this is connected or what it is?

NOTE: I have removed my actual connected entry to RDC.

PistolPete · 9 Nov 2011 at 18:30

So it looks like your PC is actually trying to communication out to whatever host "API" is on TCP port 2555, failing and retrying.

Might be an idea to use TCPView to show you what process is doing this:
http://technet.microsoft.com/en-us/sysinternals/bb897437

spluff · 10 Nov 2011 at 08:06

it says api.home and the local port constantly increases by 1 all day - in chunks of about 10. The process says [System Process] - It wont give me the system process that it is.

Any ideas?

PistolPete · 10 Nov 2011 at 11:21

If it says System Process:0 with a status of time wait, then the process has already discarded the connection.

You'll need to watch the screen and look at which process is creating the new connections (they turn green so should be easy to spot)

DragonQ · 10 Nov 2011 at 11:50

Isn't "api.home" the thing that lets you access your BT Home Hub config page by typing "homehub.home" or something?

spluff · 10 Nov 2011 at 13:10

reading from a different post - yes
But how is that on my local PC and repeatidly opening ports and closing....?

thanks for all replies

StonedPenguin · 10 Nov 2011 at 13:11

paradigm · 10 Nov 2011 at 14:49

Packet sniff it with Wireshark and actually look at some of the raw data held within, might give you a clue.