
I really think someone is accessing my PC illegally, and I've read on many sites that netstat can help me trace it.

I'm really not into networking, so it's hard for me to interpret these outputs. How could I tell from the output of `netstat -sp TCP` whether someone is illegally connecting to my PC?

JkAlombro
  • You need to read up and learn this tool if you want to be good at it and so you know. Do more reading and digging into it and look over `netstat /?` from the command line. No better way to learn than to start playing with it, reading about it, and doing it more and more and more and more and more and more, and so forth – Vomit IT - Chunky Mess Style Aug 03 '17 at 03:00
  • @McDonald's I'm not really trying to be a networking professional or something like that. I just wanna troubleshoot this problem. I did read about netstat in so many sources, but it is still confusing, especially when you're not really into networking and datacom; that's why I'm asking here, hoping to find someone who could explain it in the most understandable way possible. – JkAlombro Aug 03 '17 at 03:36
  • Okay, well here's something I wrote for someone about [The meaning of netstat output](https://superuser.com/questions/1101420/meaning-of-netstat-output/1101431#1101431) in case it helps you understand maybe even that small portion of it. Just learning a little can go a long way, sometimes more than you may think. If you're going to use a tool for troubleshooting, you might as well learn it well at least. – Vomit IT - Chunky Mess Style Aug 03 '17 at 03:40
  • No problem, I think what you are asking for is a breakdown of each of the protocol's statistics (per-protocol statistics) and what those mean for the output of the command when you use the `-sp`—obviously right, I know. I'd sure like to know what is best to read on this subject, as there are many stats, so interpreting the output in a meaningful manner would mean you'd need to understand what these mean. I'd like to see a simple explanation and breakdown myself, but it seems way too broad for the wording of your question as-is. Tag me back if you find anything great or get such an answer posted. – Vomit IT - Chunky Mess Style Aug 03 '17 at 04:29

1 Answer


You can start by copying the IPs (numbers in the form x.x.x.x) into a web browser or a bulk lookup like this one:

https://www.infobyip.com/ipbulklookup.php

Those IPs are tied to websites like Google or Microsoft. If one of them is located near you (just like a home address), it could be a nosy neighbor.

There are typical ports (the number after the IP, x.x.x.x:#####) that are used for malicious activity; those are here:

http://www.dummies.com/programming/networking/commonly-hacked-ports/

Check your Programs and Features for unwanted installations too (Start > Control Panel > Programs and Features). Look for keyloggers, cameras, and file transfer or management programs. If you're not sure what a program is, Google it before uninstalling.

Lastly, you can log on to your router to see if there are any unusual changes to settings. Your ISP can help you there.

  • Are those IP locators, which mostly aren't running on HTTPS, even safe? – JkAlombro Aug 03 '17 at 03:32
  • Yeah, but you can just type each into your browser if you don't want to use anything but the tools at hand. Typing an IP into your browser is the same as typing facebook.com; it's just another way to express a website or location, like your house. If you Google "whatsmyip" and then type your own IP into Google, you get your own physical address, or at least the region you live in. – Kevin G Aug 03 '17 at 03:39
  • I looked at my active connections and noticed that there are lots of established processes with PID 8904 and 19152. I tried to find those processes in my Task Manager, but I can't find those PIDs. – JkAlombro Aug 03 '17 at 03:39
  • Established just means that something was sent and received over a connection. When you go to facebook.com you establish a connection in the same way. That is why you would need to investigate each of them further and where they are from. – Kevin G Aug 03 '17 at 03:43
  • Now I guess this is the part where it gets confusing again. I'll try to explain what happened first. I downloaded and installed an app (Nox Android emu); days after that, our server connections messed up a bit, so I assumed that was the cause and I uninstalled it. Just in case that app really was the medium of the attack, can the attacker still access my network even though I already uninstalled it? – JkAlombro Aug 03 '17 at 03:53
  • You're still in the right place. If it was malicious and the program installed some sort of trojan or backdoor, you'd still have a port open. Check the list I sent you for IPs with those ports. If you find them, go from there about blocking them, or consider a virus removal service. – Kevin G Aug 03 '17 at 03:57
  • I checked the connections and it seems like nothing suspicious is connecting to those ports. I already scanned my whole PC 2 times with Smadav and Sophos as well, and they didn't find anything. Yet there are still times where server connections really mess up. P.S. I'm not an admin of our network, I'm just one of the users. – JkAlombro Aug 03 '17 at 05:16
  • The more likely cause is a bad switch or cable :) Sounds like you're clean though! Or at least I hope you've gained a better understanding of netstat. – Kevin G Aug 04 '17 at 11:49
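As an added example (not part of the question or answer), here is a small Python script that performs the checks the answer describes on the per-connection listing that `netstat -ano` prints on Windows (the listing with PIDs that the comments discuss, rather than the `-sp TCP` statistics): it separates LAN addresses from Internet addresses, flags ports from a watch list, and groups the findings by PID so each can be matched to a process in Task Manager. The sample rows and the watch list are assumptions constructed for the demo, not data from the page.

```python
import ipaddress

# Constructed sample of `netstat -ano` output (Windows); addresses, PIDs and ports are made up.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:49712     198.51.100.17:443      ESTABLISHED     8904
  TCP    192.168.1.20:49713     192.168.1.7:445        ESTABLISHED     4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       19152
  TCP    192.168.1.20:49800     203.0.113.9:6667       ESTABLISHED     19152
  UDP    0.0.0.0:5353           *:*                                    1320
"""
# Example watch list (an assumption for this demo); swap in the port list the answer links to.
WATCH_PORTS = {23: "telnet", 4444: "remote-access malware", 6667: "IRC botnet control"}
# Address blocks that mean "this machine or my LAN" rather than the Internet.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "::/128", "::1/128", "fe80::/10", "fc00::/7")]

def split_endpoint(endpoint):  # 'host:port' -> (host, port); handles '[::1]:80' and '*:*'
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)

def is_outside_lan(host):  # True unless the address is this machine or a private range
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # '*' or an empty host field
        return False
    return not any(addr in net for net in LOCAL_NETS)

def parse_netstat(text):  # netstat -ano text -> connection dicts (UDP rows have no state)
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header and blank lines
        fhost, fport = split_endpoint(parts[2])
        state = parts[3] if parts[0] == "TCP" else None
        records.append({"pid": int(parts[-1]), "lport": split_endpoint(parts[1])[1],
                        "fhost": fhost, "fport": fport, "state": state})
    return records

def review(text, watch_ports=WATCH_PORTS):  # findings grouped by PID for a Task Manager lookup
    findings = {}
    for r in parse_netstat(text):
        if r["state"] == "ESTABLISHED" and is_outside_lan(r["fhost"]):
            note = watch_ports.get(r["fport"], "look this address up")
            findings.setdefault(r["pid"], []).append(f"talks to {r['fhost']}:{r['fport']} ({note})")
        if r["state"] == "LISTENING" and r["lport"] in watch_ports:
            findings.setdefault(r["pid"], []).append(f"listens on port {r['lport']} ({watch_ports[r['lport']]})")
    return findings
```

On a real machine, save the output of `netstat -ano` to a file and pass its contents to `review()`; an ESTABLISHED connection to a LAN or loopback address produces no finding, so only traffic leaving the network and listeners on watched ports are reported.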