stealthy connections
yinyinwang
2nd January 2005, 11:16 PM
I find some stealthy connections with my computer, and I want to find out what program is doing this on my computer, what shall I do?
The firewall does not work, because the outgoing IP automatically changes to several new IPs, and they seem to have plenty of available IPs for that.
I must find out the source.
SezMe
2nd January 2005, 11:23 PM
You're going to have to use clearer, more precise English before I have any idea what you are asking.
evildave
3rd January 2005, 01:27 AM
I think he's saying there are incoming connections and he wants to track down their source. Still no clue: are they UDP, TCP, and what ports are they hitting?
yinyinwang
3rd January 2005, 04:29 AM
Originally posted by evildave
I think he's saying there are incoming connections and he wants to track down their source. Still no clue: are they UDP, TCP, and what ports are they hitting?
TCP
Port 80
The IP range varies from 219.*.*.* to 61.*.*.* or 193.*.*.*, etc.
I use cmd/netstat to find the connections.
yinyinwang
3rd January 2005, 04:33 AM
Originally posted by SezMe
You're going to have to use clearer, more precise English before I have any idea what you are asking.
I just want to know who is using what connection and if it is harmful.
evildave
3rd January 2005, 12:24 PM
Do a google search for "whois" and that will give you some reverse DNS lookups after a few false starts. This will tell you if there is a domain registered to the IP (and there usually is).
You can try "netstat -o", and tell the task manager to show the PID in the process tab. That will at least tell you what process has it open. That can be very revealing for spyware.
I generally block unwanted things like 'doubleclick.net' with my C:\WINDOWS\system32\drivers\etc\hosts file, but doing so will cause certain things to appear to be more sinister, as the loopback address you use will tend to show the earliest alphabetic entry, such as 'ad.doubleclick.net', so add an 'AAAloopback' to flag loopback connections a little better.
Some of the 'stealth' connections are actually opened by your own computer to external agents, such as your name server. Mine says 'ppp.gsta.net' for that.
Be sure and check your own computer's address with ipconfig. If the first three numbers (or however many match with the '255' in the subnet mask) in the IP address match up with your own, it's generally on your LAN with you.
scribble
3rd January 2005, 12:40 PM
Originally posted by yinyinwang
TCP
Port 80
I use cmd/netstat to find the connections.
If you don't mean to be running a webserver on port 80, then for goodness sake, disable (or uninstall or completely remove) the webserver!!!!!!!
If you ARE running a webserver on port 80, then what's the big deal? That's how people connect to your website.
It's that simple. If you don't want people to connect to port 80, STOP TAKING REQUESTS ON PORT 80!
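An added example, not code from any poster in this thread, that puts evildave's advice (netstat -o plus the PID column in Task Manager, the hosts-file loopback trick, and the ipconfig subnet-mask comparison) and scribble's port-80 distinction into one script. It parses a constructed sample of Windows "netstat -ano" output, maps each PID to a process name via a constructed PID table, and labels each connection: listening socket, loopback, LAN peer, inbound client hitting a local web server on port 80, or an outbound request this machine opened to a remote port 80. The own address and mask, the process names and every row of netstat output are made-up sample data.

```python
import ipaddress
import re

# Constructed sample of Windows "netstat -ano" output (TCP rows only); not
# output from the thread. The -o switch adds the PID column evildave mentions.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1204
  TCP    192.168.1.10:1045      203.0.113.5:80         ESTABLISHED     2332
  TCP    192.168.1.10:1046      192.168.1.1:53         ESTABLISHED     1020
  TCP    192.168.1.10:1047      127.0.0.1:80           ESTABLISHED     2332
  TCP    192.168.1.10:80        198.51.100.9:3412      ESTABLISHED     1204
"""

# Constructed PID -> image name table, the kind of mapping Task Manager (with
# the PID column enabled) or "tasklist" gives you. Process names are hypothetical.
PROCESS_BY_PID = {1204: "httpd.exe", 2332: "iexplore.exe", 1020: "svchost.exe"}

# Own address and subnet mask as ipconfig would report them (constructed).
OWN_IP = "192.168.1.10"
OWN_MASK = "255.255.255.0"

TCP_ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); rpartition keeps any IPv6 colons."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_netstat(text):
    """Return one dict per TCP row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if not m:
            continue
        local, foreign, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"lhost": lhost, "lport": lport, "fhost": fhost,
                     "fport": fport, "state": state, "pid": int(pid)})
    return rows


def classify(row, own_ip=OWN_IP, own_mask=OWN_MASK):
    """Label a row the way the thread suggests reading it."""
    if row["state"] == "LISTENING":
        # A listener on local port 80 means this machine is serving web requests.
        return "listening" + (" (web server on port 80)" if row["lport"] == 80 else "")
    remote = ipaddress.ip_address(row["fhost"])
    # ipconfig's mask applied to our own address gives the LAN we sit on.
    lan = ipaddress.ip_network(f"{own_ip}/{own_mask}", strict=False)
    if remote.is_loopback:
        # Hosts-file blocks resolve ad domains to 127.0.0.1, so these look local.
        return "loopback (hosts-file redirect or local service)"
    if remote in lan:
        return "LAN peer"
    if row["lport"] == 80:
        return "inbound client to local web server"
    if row["fport"] == 80:
        return "outbound web request opened by this machine"
    return "other external"


def annotate(text, process_by_pid=PROCESS_BY_PID):
    """Join each netstat row to its owning process name and a label."""
    return [(process_by_pid.get(r["pid"], f"pid {r['pid']}"), r["fhost"], classify(r))
            for r in parse_netstat(text)]


if __name__ == "__main__":
    for proc, fhost, label in annotate(NETSTAT_SAMPLE):
        print(f"{proc:14} {fhost:16} {label}")
```

On a real machine you would feed it the output of `netstat -ano` and the PID-to-name table from `tasklist`, and substitute the address and mask ipconfig reports; the point of the labels is that a row with a remote port of 80 is usually a browser or updater this machine opened, while a row with a local port of 80 is someone reaching a web server you are running.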
yinyinwang
3rd January 2005, 07:59 PM
Originally posted by evildave
Do a google search for "whois" and that will give you some reverse DNS lookups after a few false starts. This will tell you if there is a domain registered to the IP (and there usually is).
You can try "netstat -o", and tell the task manager to show the PID in the process tab. That will at least tell you what process has it open. That can be very revealing for spyware.
I generally block unwanted things like 'doubleclick.net' with my C:\WINDOWS\system32\drivers\etc\hosts file, but doing so will cause certain things to appear to be more sinister, as the loopback address you use will tend to show the earliest alphabetic entry, such as 'ad.doubleclick.net', so add an 'AAAloopback' to flag loopback connections a little better.
Some of the 'stealth' connections are actually opened by your own computer to external agents, such as your name server. Mine says 'ppp.gsta.net' for that.
Be sure and check your own computer's address with ipconfig. If the first three numbers (or however many match with the '255' in the subnet mask) in the IP address match up with your own, it's generally on your LAN with you.
What does PID stand for? Thanks.
evildave
4th January 2005, 11:55 PM
Process Identifier.
© 2001-2009, James Randi Educational Foundation. All Rights Reserved.