Help me find out if someone is spying on my computer
January 4, 2007 10:08 AM Subscribe
Can you help me diagnose if someone is spying on my computer?
I think there is some kind of spyware installed on my computer, and I somewhat suspect that there is an actual person using it to spy on me (as opposed to generic spyware that is sort of a bot sending info about me somewhere).
(Note, my computer is a Win XP machine)
I first noticed that sometimes my cursor would jump around kind of suspiciously, jumping often to the start menu location or maybe one of the other corners of the screen. There are a few other symptoms but no point in going into it here. I started poking around, starting first with the normal standard tools. HijackThis, AdAware, Spybot Search and Destroy, etc. Not much is coming up.
I do an nmap from a trusted computer on the computer I think is being spied upon. I do a TCP and UDP scan and here are some select entries:
1664/udp open|filtered netview-aix-4
1666/tcp open netview-aix-6
A quick google search shows that this is usually some kind of network monitoring program. Note that this doesn't necessarily mean that's what is running on that port... I telnet to that port and I get:
TTxfiles5server3server220revver5nocasefunprotocol
No idea what this is supposed to be.
Of course, my network is fairly locked down so I don't think anyone can GET to this port from outside, but I think it might indicate that something nefarious is running, and that nefarious thing might connect from my network to some other computer somewhere.
There is also something running at port 8080. 8080 is usually a web proxy port but I don't think I have anything running which would qualify as a web proxy.
I have a lot of experience with computers and a decent amount of experience with computer security. I'm hoping someone can help me find out what might be running on my computer (if anything), how to get rid of it, and, to my mind, how to find out who or what it is.
As sort of a caveat/afterthought... I play poker to supplement my income (it amounts to about 1/4 to 1/3 of my total income) so if someone is watching me, this would be very, very bad, and honestly, I've had some reason to believe that someone might be watching me, in this regard.
I've started doing ethernet packet capturing both on the affected machine and on the network as a whole, and I hope to find something in that. There's an awful lot of data to go through, though.
Might not be much help, but when my mouse starting jumping around like that it was because my downstairs neighbor was using the same brand of wireless mouse.
posted by friedrice at 10:24 AM on January 4, 2007
I have a wired/usb optical mouse, and it jumps or moves around on its own as well. Cleaning the desk under the mouse seems to help (I don't use a mouse pad).
posted by Pastabagel at 10:29 AM on January 4, 2007
Like others say, the mouse may not be related, but I might be worried about finding that banner waiting for me.
Do a Google search for "funprotocol" and you'll find that it is spyware, according to them. There may be a funprotocol.dll file you can remove. Have a look at a few of those results.
posted by poppo at 10:35 AM on January 4, 2007
Is there a reliable way in Windows to find out what programs are listening on a given port?
At a command prompt, type:
netstat -a -b
It can take a few minutes to generate the list, but that should do it.
posted by cerebus19 at 10:37 AM on January 4, 2007
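The netstat answer above maps a listening port to its owning executable. Here is an added example (not from the thread or from any of its posters) that parses output in the shape of `netstat -a -n -o -b` and cross-checks it against the ports a scanner saw from another machine, which is the sanity check later replies ask for: a port nmap reports open that the host itself does not list is worth the rootkit-style suspicion raised further down, and a port netstat cannot attribute to a process needs a second tool such as TCPView or Active Ports. The sample text, executable names, PIDs and the extra ports 5500 and 12345 are constructed for the example; only 1664, 1666 and 8080 come from the thread.

```python
import re

# Constructed sample in the shape of `netstat -a -n -o -b` output on Windows XP
# (the thread suggests `netstat -a -b`; -n and -o add numeric addresses and the
# PID). Executable names, PIDs and ports 5500/12345 are hypothetical stand-ins.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1666           0.0.0.0:0              LISTENING       1120
  [p4d.exe]
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1188
  [p4web.exe]
  TCP    192.168.0.16:3456      10.20.30.40:6667       ESTABLISHED     2044
  [unknown.exe]
  TCP    0.0.0.0:5500           0.0.0.0:0              LISTENING       2100
  Can not obtain ownership information
  UDP    0.0.0.0:1664           *:*                                    1732
  [Steam.exe]
"""

# One socket per line; the state column is absent for UDP, so it is optional.
SOCKET_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)
# The owning executable follows on its own line, in square brackets.
OWNER_RE = re.compile(r"^\s*\[(?P<exe>[^\]]+)\]\s*$")


def parse_netstat(text):
    """Return one dict per socket line, attaching the owner line that follows it."""
    entries = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            host, _, port = m.group("local").rpartition(":")
            entries.append({
                "proto": m.group("proto"),
                "local_host": host,
                "local_port": int(port),
                "remote": m.group("remote"),
                "state": m.group("state") or "",
                "pid": int(m.group("pid")),
                "exe": None,
            })
            continue
        if entries and entries[-1]["exe"] is None:
            o = OWNER_RE.match(line)
            if o:
                entries[-1]["exe"] = o.group("exe")
            elif line.strip().startswith("Can not obtain"):
                entries[-1]["exe"] = "<unknown>"   # netstat could not attribute it
    return entries


def listening_ports(entries):
    """Map (proto, port) -> owning executable for sockets that accept traffic."""
    result = {}
    for e in entries:
        if e["proto"] == "UDP" or e["state"] == "LISTENING":
            result[(e["proto"], e["local_port"])] = e["exe"]
    return result


def cross_check_scan(entries, scanned):
    """Compare what a scanner on another host saw open with what the host
    itself reports. 'scanner_only' ports are invisible to the local netstat
    and deserve a rootkit check; 'unowned' ports need a second tool to
    identify the process before any conclusion is drawn."""
    local = listening_ports(entries)
    scanner_only = sorted(p for p in scanned if p not in local)
    unowned = sorted(k for k, exe in local.items() if exe in (None, "<unknown>"))
    return {"scanner_only": scanner_only, "unowned": unowned}


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE_NETSTAT)
    for key, exe in sorted(listening_ports(parsed).items()):
        print(f"{key[0]}/{key[1]:<6} {exe}")
    # Constructed scanner view: the thread's three ports plus one netstat never lists.
    print(cross_check_scan(parsed, {("UDP", 1664), ("TCP", 1666), ("TCP", 8080), ("TCP", 12345)}))
```

Run it on real output by piping `netstat -a -n -o -b` to a file on the affected machine and feeding that file to `parse_netstat`; the scanner set is whatever nmap reported from the trusted host.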
Active Ports will tell you the names of the processes that are running on ports 1664 and 1666.
posted by poppo at 10:38 AM on January 4, 2007
Response by poster: I did searches on variations of that string from the server but apparently not just plain "funprotocol". That did return a few hits, I'll see if I can get anything from that.
Regarding the mouse, maybe it's not related. But I've had and used this particular mouse for at least 2 years and the behaviour I've described has been happening only over the last few months. It's definitely strange enough to have caught my attention.
posted by RustyBrooks at 10:38 AM on January 4, 2007
Response by poster: I'm not sure that I trust netstat to give me the proper results, but I'll try that also. And I'll definitely try Active Ports.
posted by RustyBrooks at 10:39 AM on January 4, 2007
Give us a list of all of the poker programs that you've installed. Perhaps the culprit is there. Have you ever run ad-aware or even the microsoft anti-spyware app?
Another option is perhaps to get a second computer, do all of the poker playing from that machine and nothing else. Don't install IM apps or anything. Lock it down as tight as you can, disallow any unnecessary outbound traffic, and run everything as a non-privileged user. If you're making decent cash, it might be worth thinking about.
posted by drstein at 11:12 AM on January 4, 2007
Why don't you simply disconnect your computer from the internet/network, and then see if the mouse problems persist, and run all the tests you describe above again.
posted by eustacescrubb at 11:20 AM on January 4, 2007
The two ports you listed seem "legit" in general -- Google seems to show that they're opened by some sort of database server.
If you don't have anything that could be running a SOCKS server or web proxy, port 8080 is rather suspect.
Have you tried running a free spyware program like AdAware and/or SpyBot?
posted by NucleophilicAttack at 11:40 AM on January 4, 2007
Response by poster: See original post: I've run a lot of spyware detectors.
The "legit" ports seem tied to funprotocol.dll (given the string returned when I attach to those ports).
I'm currently playing poker via a virtual machine on another computer with nothing on it.
posted by RustyBrooks at 11:42 AM on January 4, 2007
Best answer: It wouldn't hurt to try Rootkit Revealer from Sysinternals. It's designed to find files that try to hide from the Windows API.
But I also second the idea of unplugging your NIC for a few days and seeing if the behavior persists.
posted by molybdenum at 12:11 PM on January 4, 2007
Response by poster: For some reason I forgot to mention that I attached to port 8080 also. I tried 2 requests, one to / and one to /poo (just to see what I got). Here are the results:
telnet 192.168.0.16 8080
Trying 192.168.0.16...
Connected to 192.168.0.16.
Escape character is '^]'.
GET /
HTTP/1.0 301 OK
Content-Length: 0
location: http://valve:8080/@md=d&cd=//&c=1Xp@//?ac=83
---------------------------------------------------
telnet 192.168.0.16 8080
Trying 192.168.0.16...
Connected to 192.168.0.16.
Escape character is '^]'.
GET /poo
HTTP/1.0 200 OK
Content-Type: text/html
<tr>
<td>
<img src="/clearpixelIcon?ac=20" height="5" width="0" border="0" alt="" title=""></td>
</tr>
<tr>
<td colspan="6" nowrap>
<Font color="red">
//poo - must refer to client 'guest'.
</Font>
</td>
</tr>
<tr>
<td>
<img src="/clearpixelIcon?ac=20" height="5" width="0" border="0" alt="" title=""></td>
</tr>
posted by RustyBrooks at 12:22 PM on January 4, 2007
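The telnet sessions above are banner grabbing by hand: connect, send a minimal request, read whatever comes back, then decide what the listener is from the text. This added example (not code from the thread or from any poster) automates that loop and runs it against throw-away loopback listeners that replay the two replies quoted in the thread, so it runs offline. The signature table holds only the strings this thread tied to particular software (the Perforce "must refer to client" page and the P4Web `@md=d&cd=` connect-string format, and the "funprotocol" string from port 1666); the labels are this example's hints and, as the thread itself found, a hint from a banner is only settled by checking which process owns the port.

```python
import socket
import threading

# Constructed replies modelled on what the thread's author saw over telnet.
# They are served from local throw-away sockets, not fetched from any real host.
FAKE_8080_REPLY = (
    b"HTTP/1.0 301 OK\r\n"
    b"Content-Length: 0\r\n"
    b"location: http://valve:8080/@md=d&cd=//&c=1Xp@//?ac=83\r\n\r\n"
)
FAKE_1666_REPLY = b"TTxfiles5server3server220revver5nocasefunprotocol"

# Marker strings the thread associated with specific software. The labels are
# this example's own hints, to be confirmed against the process owning the port.
SIGNATURES = [
    ("must refer to client", "Perforce P4Web error page"),
    ("@md=d&cd=", "Perforce P4Web connect-string format"),
    ("funprotocol", "string the thread linked to funprotocol.dll"),
]


def _serve_once(srv, reply, wait_for_request):
    """Answer one connection: optionally wait for the probe, reply, then close cleanly."""
    conn, _ = srv.accept()
    srv.close()
    with conn:
        conn.settimeout(2.0)
        if wait_for_request:
            conn.recv(4096)          # consume the probe, as an HTTP server would
        conn.sendall(reply)
        conn.shutdown(socket.SHUT_WR)  # send FIN so the client sees EOF, not a reset
        try:
            while conn.recv(4096):   # drain anything the client still sends
                pass
        except OSError:
            pass


def start_fake_listener(reply, wait_for_request=True):
    """Bind an ephemeral loopback port and serve exactly one connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=_serve_once, args=(srv, reply, wait_for_request),
                     daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(host, port, probe=b"GET / HTTP/1.0\r\n\r\n", timeout=3.0):
    """Connect, send a probe (none if empty), read until the peer closes or goes quiet."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        while True:
            try:
                data = s.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


def fingerprint(banner):
    """Return the hints whose marker appears in the banner (case-insensitive)."""
    low = banner.lower()
    return [label for marker, label in SIGNATURES if marker.lower() in low]


def demo():
    """Grab both constructed banners and classify them."""
    p8080 = start_fake_listener(FAKE_8080_REPLY)                      # HTTP-style, waits for GET
    p1666 = start_fake_listener(FAKE_1666_REPLY, wait_for_request=False)  # talks first, like 1666
    return {
        "8080": fingerprint(grab_banner("127.0.0.1", p8080)),
        "1666": fingerprint(grab_banner("127.0.0.1", p1666, probe=b"")),
    }


if __name__ == "__main__":
    print(demo())
```

Against a real host, call `grab_banner(host, port)` for an HTTP-style listener and `grab_banner(host, port, probe=b"")` for one that speaks first; an empty result means the service expects a protocol-specific handshake rather than that nothing is there.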
What happens when you telnet to port 8080? Have you tried issuing a GET / HTTP/1.0 ? 8080 is often used by a number of webserver type applications, but could also be a fairly easy place to disguise another malicious app.
I'll second Rootkit Revealer.
Also, try using TCPView from Sysinternals for viewing network activity. See what process is attaching to ports 1664,1666,& 8080.
You can also use Wireshark (new name for Ethereal) to capture packets. Try capturing anything on ports 1664,1666, and 8080.
Lots of malicious programs like to phone home to an IRC channel to get instructions on how to proceed, so you may look for suspicious IRC traffic on those ports.
posted by stovenator at 12:31 PM on January 4, 2007
Also, be sure to check your HOSTS file, to see if there's anything suspicious in there.
Is the name of your machine "valve" ? Try opening http://valve:8080 in your browser.
posted by stovenator at 12:33 PM on January 4, 2007
The top google hits on "must refer to client" seem to indicate that this is a perforce server. Perforce, if you're not familiar with it, is for source code control.
posted by cotterpin at 12:36 PM on January 4, 2007
Cotterpin is correct. It looks like this is the perforce web server. The format of the request (@md=d&cd=//&c=1Xp@//?ac=83) even matches how P4Web formats its connect strings too.
posted by stovenator at 12:40 PM on January 4, 2007
Response by poster: Yes, my machine is valve. Opening valve:8080 just returns a blank page, but I think cotterpin is right about 8080.
I am running perforce, so that is probably what the 8080 is. I'll be able to tell better when I get home (right now I'm connecting to all of these ports from a linux machine in my home network, don't have direct access to the affected machine)
posted by RustyBrooks at 12:42 PM on January 4, 2007
Since you seem to have a Linux/Unix box handy, you might try having it "masquerade" your network connection.
Valve --- linux --- Internet
Make it network properly, and then you can use the linux box to snoop the bits on the wire.
posted by cmiller at 1:35 PM on January 4, 2007
Response by poster: I'm using a plain hub (i.e. not a switch) to attach the linux box and the windows box over ethernet. Doing this, I can use the linux box to snoop on the data. I've had it capturing today, I'll look at the results when I get home.
posted by RustyBrooks at 2:05 PM on January 4, 2007
So safely assuming 8080 is the perforce web server, that still leaves the other two. If it IS indeed funprotocol spyware isn't it odd that none of your anti-spyware scans picked up on it? Did you search the drive for "funprotocol"? What are your netstat/active ports/hijack this results?
If the process isn't funprotocol, you could try submitting whatever you find to virustotal and have it scanned, or post it to rapidshare and see if someone here can identify it.
If it isn't listed in netstat or active ports, I second the recommendation of root kit revealer. You have to be careful interpreting the results though.
Barring that, I third the recommendation of disconnecting and seeing what happens.
posted by crypticgeek at 3:00 PM on January 4, 2007
Response by poster: Disconnecting would be tough. This is the machine I do the bulk of my day-to-day work on. Maybe this weekend I can try that.
I haven't had a chance to try any of the diag methods mentioned in this post yet because the machine is at home and I'm not (will be soon though)
Thanks for all the suggestions and I will definitely post back here if I find anything else out.
There is a non-zero chance that these ports (the funprotocol ones) are *also* a side effect of something I'm not thinking of (like 8080 was) but "funprotocol" showing up when you telnet to the port seems to make that unlikely.
No idea why the spyware apps did not find this, if I find where it's coming from I may have some info to provide them.
posted by RustyBrooks at 3:13 PM on January 4, 2007
"As sort of a caveat/afterthought... I play poker to supplement my income (it amounts to about 1/4 to 1/3 of my total income) so if someone is watching me, this would be very, very bad, and honestly, I've had some reason to believe that someone might be watching me, in this regard."
I wouldn't advertise that. If you're playing online, that's now illegal where you live. If you simply meant you play it and that you have a computer which is acting up, that's cool. Otherwise, don't talk about your illegal activities :-P
posted by jesirose at 5:06 PM on January 4, 2007
Response by poster: "I wouldn't advertise that. If you're playing online, that's now illegal where you live. If you simply meant you play it and that you have a computer which is acting up, that's cool. Otherwise, don't talk about your illegal activities"
Frankly, I don't think you know what you're talking about.
posted by RustyBrooks at 7:47 PM on January 4, 2007
Off topic, but RustyBrooks is probably right. Unless there is a Texas statute I am aware of, his online gambling is perfectly legal. The recent federal law you are probably basing your view on did not make online gambling illegal; it made it illegal to fund online gambling and wagering from credit cards, wire transfers, checks, etc. This doesn't stop one from transferring money to a non-US financial institution and then playing from there.
posted by crypticgeek at 8:03 PM on January 4, 2007
Response by poster: For reference, 1666 was also perforce, and 1664 was for Steam (a game delivery service). So no go there. Between my paranoia and maybe a shitty mouse, perhaps there's nothing wrong with my system.
posted by RustyBrooks at 8:55 PM on January 4, 2007
Interesting.
It's a little amusing actually. Considering perforce is used for source control at Valve, your machine is named valve, and the suspicious port was Steam.
posted by crypticgeek at 4:39 PM on January 5, 2007
This thread is closed to new comments.
posted by RustyBrooks at 10:12 AM on January 4, 2007