Comments on: Help me find out if someone is spying on my computer

Question: Help me find out if someone is spying on my computer

RustyBrooks — Thu, 04 Jan 2007 10:08:23 -0800

Can you help me diagnose if someone is spying on my computer?

I think there is some kind of spyware installed on my computer, and I somewhat suspect that there is an actual person using it to spy on my (as opposed to generic spyware that is sort of a bot sending info about me somewhere).

(Note, my computer is a Win XP machine)

I first noticed that sometimes my cursor would jump around kind of suspiciously, jumping often to the start menu location or maybe one of the other corners of the screen. There are a few other symptoms but no point in going into it here. I started poking around, starting first with the normal standard tools. HijackThis, AdAware, Spybot Search and Destroy, etc. Not much is coming up.

I do an nmap from a trusted computer on the computer I think is being spied upon. I do a TCP and UDP scan and here are some select entries:

1664/udp open|filtered netview-aix-4
1666/tcp open netview-aix-6

A quick google search shows that this is usually some kind of network monitoring program. Note that this doesn't necessarily mean that's what is running on that port... I telnet to that port and I get:

TTxfiles5server3server220revver5nocasefunprotocol

No idea what this is supposed to be.

Of course, my network is fairly locked down so I don't think anyone can GET to this port from outside, but I think it might indicate that something nefarious is running, and that nefarious thing might connect from my network to some other computer somewhere.

There is also something running at port 8080. 8080 is usually a web proxy port but I don't think I have anything running which would qualify as a web proxy.

I have a lot of experience with computers and a decent amount of experience with computer security. I'm hoping someone can help me find out what might be running on my computer (if anything), how to get rid of it, and, to my mind, how to find out who or what it is.

As sort of a caveat/afterthought... I play poker to supplement my income (it amounts to about 1/4 to 1/3 of my total income) so if someone is watching me, this would be very, very bad, and honestly, I've had some reason to believe that someone might be watching me, in this regard.

I've started doing ethernet packet capturing both on the affected machine and on the network as a whole, and I hope to find something in that. There's an awful lot of data to go through, though.

By: RustyBrooks

RustyBrooks — Thu, 04 Jan 2007 10:12:46 -0800

As a side note, is there a reliable way in windows to find out what programs are listening to a given port?

By: b1tr0t

b1tr0t — Thu, 04 Jan 2007 10:24:21 -0800

I first noticed that sometimes my cursor would jump around kind of suspiciously, jumping often to the start menu location or maybe one of the other corners of the screen.

Try a diferent mouse. Some poorly built optical mice will exhibit eratic behavior like this from time to time. The Microsoft "S+ark" mouse exhibits this behavior with a period of 15-20 minutes.

Windows XP has enough inherently eratic behavior that it would probably be easy for a skilled hacker or spy to hide among all the noise.

By: friedrice

friedrice — Thu, 04 Jan 2007 10:24:46 -0800

Might not be much help, but when my mouse starting jumping around like that it was because my downstairs neighbor was using the same brand of wireless mouse.

By: Pastabagel

Pastabagel — Thu, 04 Jan 2007 10:29:55 -0800

I have a wired/usb optical mouse, and it jumps or moves around on its own as well. Cleaning the desk under the mouse seems to help (I don't use a mouse pad).

By: poppo

poppo — Thu, 04 Jan 2007 10:35:23 -0800

Like others say, the mouse may not be related, but I might be worried about finding that banner waiting for me.

Do a Google search for "funprotocol" and you'll find that it is spyware, according to them. There may be a funprotocol.dll file you can remove. Have a look at a few of those results.

By: cerebus19

cerebus19 — Thu, 04 Jan 2007 10:37:07 -0800

is there a reliable way in windows to find out what programs are listening to a given port?

At a command prompt, type:

netstat -a -b

It can take a few minutes to generate the list, but that should do it.

By: poppo

poppo — Thu, 04 Jan 2007 10:38:32 -0800

Active Ports will tell you the names of the processes that are running on ports 1664 and 1666.

By: RustyBrooks

RustyBrooks — Thu, 04 Jan 2007 10:38:46 -0800

I did searches on variations of that string from the server but apparently not just plain "funprotocol". That did return a few hits, I'll see if I can get anything from that.

Regarding the mouse, maybe it's not related. But I've had and used this particular mouse for at least 2 years and the behaviour I've described has been happening only over the last few months. It's definitely strange enough to have caught my attention.

By: RustyBrooks

RustyBrooks — Thu, 04 Jan 2007 10:39:42 -0800

I'm not sure that I trust netstat to give me the proper results, but I'll try that also. And I'll definitely try Active Ports.

By: drstein

drstein — Thu, 04 Jan 2007 11:12:13 -0800

Give us a list of all of the poker programs that you've installed. Perhaps the culprit is there. Have you ever run ad-aware or even the microsoft anti-spyware app?

Another option is perhaps to get a second computer, do all of the poker playing from that machine and nothing else. Don't install IM apps or anything. Lock it down as tight as you can, disallow any unnecessary outbound traffic, and run everything as a non-privileged user. If you're making decent cash, it might be worth thinking about.

By: eustacescrubb

eustacescrubb — Thu, 04 Jan 2007 11:20:23 -0800

Why don't you simply disconnect your computer from the internet/network, and then see if the mouse problems persist, and run all the tests you describe above again.

By: NucleophilicAttack

NucleophilicAttack — Thu, 04 Jan 2007 11:40:42 -0800

The two ports you listed seem "legit" in general -- Google seems to show that they're opened by some sort of database server.

If you don't have anything that could be running a SOCKS server or web proxy, port 8080 is rather suspect.

Have you tried running a free spyware program like AdAware and/or SpyBot?

By: RustyBrooks

RustyBrooks — Thu, 04 Jan 2007 11:42:13 -0800

See original post: I've run a lot of spyware detectors.

The "legit" ports seem tied to funprotocol.dll (given the string returned when I attach to those ports).

I'm currently playing poker via a virtual machine on another computer with nothing on it.

By: molybdenum

molybdenum — Thu, 04 Jan 2007 12:11:17 -0800

It wouldn't hurt to try Rootkit Revealer from Sysinternals. It's designed to find files that try to hide from the Windows API.

But I also second the idea of unplugging your NIC for a few days and seeing if the behavior persists.

By: RustyBrooks

RustyBrooks — Thu, 04 Jan 2007 12:22:15 -0800

For some reason I forgot to mention that I attached to port 8080 also. I tried 2 requests, one to / and one to /poo (just to see what I got). Here are the results:

telnet 192.168.0.16 8080
Trying 192.168.0.16...
Connected to 192.168.0.16.
Escape character is '^]'.
GET /

HTTP/1.0 301 OK
Content-Length: 0
location: http://valve:8080/@md=d&cd=//&c=1Xp@//?ac=83

---------------------------------------------------

telnet 192.168.0.16 8080
Trying 192.168.0.16...
Connected to 192.168.0.16.
Escape character is '^]'.
GET /poo

HTTP/1.0 200 OK
Content-Type: text/html

<tr>
<td>
<img src="/clearpixelIcon?ac=20" height="5" width="0" border="0" alt="" title=""></td>
</tr>
<tr>
<td colspan="6" nowrap>
<Font color="red">
//poo - must refer to client 'guest'.

</Font>
</td>
</tr>
<tr>
<td>
<img src="/clearpixelIcon?ac=20" height="5" width="0" border="0" alt="" title=""></td>
</tr>

By: stovenator

stovenator — Thu, 04 Jan 2007 12:31:46 -0800

What happens when you telnet to port 8080? Have you tried issuing a GET / HTTP/1.0 ? 8080 is often used by a number of webserver type applications, but could also be a firly easy place to disguise another malicious app.

I'll second Rootkit Revealer.

Also, try using TCPView from Sysinternals for viewing network activity. See what process is attaching to ports 1664,1666,& 8080.

You can also use Wireshark (new name for Ethereal) to capture packets. Try capturing anything on ports 1664,1666, and 8080.

Lots of malicious programs like to phone home to an IRC channel to get instructions on how to proceed, so you may look for suspicious IRC traffic on those ports.

By: stovenator

stovenator — Thu, 04 Jan 2007 12:33:56 -0800

Also, be sure to check your HOSTS file, to see if there's anything suspicious in there.

Is the name of your machine "valve" ? Try opening http://valve:8080 in your browser.

By: cotterpin

cotterpin — Thu, 04 Jan 2007 12:36:06 -0800

The top google hits on "must refer to client" seem to indicate that this is a perforce server. Perforce, if you're not familiar with it, is for source code control.

By: stovenator

stovenator — Thu, 04 Jan 2007 12:40:12 -0800

Cotterpin is correct. It looks like this is the perforce web server. The format of the request (@md=d&cd=//&c=1Xp@//?ac=83) even matches how P4Web formats it's connect strings too.

By: RustyBrooks

RustyBrooks — Thu, 04 Jan 2007 12:42:07 -0800

Yes, my machine is valve. Opening valve:8080 just returns a blank page, but I think cotterpin is right about 8080.

I am running perforce, so that is probably what the 8080 is. I'll be able to tell better when I get home (right now I'm connecting to all of these ports from a linux machine in my home network, don't have direct access to the affected machine)

By: cmiller

cmiller — Thu, 04 Jan 2007 13:35:17 -0800

Since you seem to have a Linux/Unix box handy, you might try having it "masquerade" your network connection.

Valve --- linux --- Internet

Make it network properly, and then you can use the linux box to snoop the bits on the wire.

By: RustyBrooks

RustyBrooks — Thu, 04 Jan 2007 14:05:04 -0800

I'm using a plain hub (i.e. not a switch) to attach the linux box and the windows box over ethernet. Doing this, I can use the linux box to snoop on the data. I've had it capturing today, I'll look at the results when I get home.

By: crypticgeek

crypticgeek — Thu, 04 Jan 2007 15:00:55 -0800

So safely assuming 8080 is the perforce web server, that still leaves the other two. If it IS indeed funprotocol spyware isn't it odd that none of your anti-spyware scans picked up on it? Did you search the drive for "funprotocol"? What are your netstat/active ports/hijack this results?

If the process isn't funprotocol, you could try submitting whatever you find to virustotal and have it scanned, or post it to rapidshare and see if someone here can identify it.

If it isn't listed in netstat or active ports, I second the recommendation of root kit revealer. You have to be careful interpreting the results though.

Barring that, I third the recommendation of disconnecting and seeing what happens.

By: RustyBrooks

RustyBrooks — Thu, 04 Jan 2007 15:13:48 -0800

Disconnecting would be tough. This is the machine I do the bulk of my day-to-day work on. Maybe this weekend I can try that.

I haven't had a chance to try any of the diag methods mentioned in this post yet because the machine is at home and I'm not (will be soon though)

Thanks for all the suggestions and I will definitely post back here if I find anything else out.

There is a non-zero chance that these ports (the funprotocol ones) are *also* a side effect of something I'm not thinking of (like 8080 was) but "funprotocol" showing up when you telnet to the port seems to make that unlikely.

No idea why the spyware apps did not find this, if I find where it's coming from I may have some info to provide them.

By: theora55

theora55 — Thu, 04 Jan 2007 15:30:52 -0800

Firefox made my mouse really erratic.

By: jesirose

jesirose — Thu, 04 Jan 2007 17:06:59 -0800

"As sort of a caveat/afterthought... I play poker to supplement my income (it amounts to about 1/4 to 1/3 of my total income) so if someone is watching me, this would be very, very bad, and honestly, I've had some reason to believe that someone might be watching me, in this regard."

I wouldn't advertise that. If you're playing online, that's now illegal where you live. If you simply meant you play it and that you have a computer which is acting up, that's cool. Otherwise, don't talk about your illegal activities :-P

By: RustyBrooks

RustyBrooks — Thu, 04 Jan 2007 19:47:07 -0800

I wouldn't advertise that. If you're playing online, that's now illegal where you live. If you simply meant you play it and that you have a computer which is acting up, that's cool. Otherwise, don't talk about your illegal activities

Frankly, I don't think you know what you're talking about.

By: crypticgeek

crypticgeek — Thu, 04 Jan 2007 20:03:04 -0800

Off topic, but RustyBrooks is probably right. Unless there is a Texas statute I am aware of, his online gambling is perfectly legal. The recent federal law you are probably basing your view on did not making online gambling illegal, it make it illegal to fund from credit card, wire transfer, check, etc online gambling and wagering. This doesn't stop one from transferring money to a non-us financial institution, and then playing to play from there.

By: RustyBrooks

RustyBrooks — Thu, 04 Jan 2007 20:55:07 -0800

For reference, 1666 was also perforce, and 1664 was for Steam (a game delivery service). So no go there. Between my paranoia and maybe a shitty mouse, perhaps there's nothing wrong with my system.

By: crypticgeek

crypticgeek — Fri, 05 Jan 2007 16:39:34 -0800

Interesting.

It's a little amusing actually. Considering perforce is used for source control at Valve, your machine is named valve, and the suspicious port was Steam.