Hi

I was wondering if anyone had any experience with their computers (behind a router) connecting to (or at least sending a request to) an external IP address's TCP port 31337? ex: 213.219.244.158:31337

I did some reading online, but I kept interpreting the online results as having my computer's 31337 port open, which is not the case. Instead random ports in the 1000s range are being used to connect out.

Given the port number, I assume the computer has been hacked, and I'm undergoing this site's standard steps to try to remove anything bad that is found.

I'm just curious if anyone out there has experienced or read about this particular type of hack? I'll probably be back with an HJT log later and set up shop over in the other forum. =)

Thanks

PS. I have noticed some strange behavior from my computer...for example it feels like the network connection goes loopy every once in a while as the domain names fail to resolve occasionally.

Might be this http://www.iss.net/security_center/advice/Exploits/Ports/31337/default.htm

Running this program http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx on your PCs might help you find the PC/program that's causing the problem.

Thanks for the reply tetak.

So I came across that reference to port 31337 in my online searchings, but I guess I was wondering if that meant that my computer's 31337 port was being used or if it meant the external IP's 31337 port was being used. (maybe i'm just in denial, but) I thought the latter, but wasn't sure. How do you read it?

Also, thanks for the lead to the TCP tool. Looks like it might be easier to use than netstat on DOS. Before I posted, I had done a little rummaging around with netstat to try to figure things out. I found that it was a program called RPCX1SQ234.exe. Except this program didn't show up in the active processes, so maybe it's some startup thing. I found only one reference to it in the Registry under: ../Software/Microsoft/Search Assistant/AcMru/5603.

Sorry I didn't post that earlier, but I wasn't sure I should turn this into a help me debug thread before I had gone through the whole MRP procedure (I'm just about done with that, btw), so I guess I'll be posting followups soon. At that point, I'm thinking I should make a new post in the HijackThis thread.

My original intent for this thread was just to see if anyone knew anything about this potential port hack.

Thanks!

Just as a followup, I ran through the MRP process and after using the latest Adaware, it seems the outward transmissions have stopped.

There were a couple viruses found on the machine so I'm guessing one of those was the culprit, but not positive which. Anyway...leaving this message in case anyone down the line sees something similar.