
MacBoobsPro

Original poster
Hopefully with that title I will get an educated response.

My internet speeds have slowed to a crawl recently and after many an hour on the phone to Virgin Media I have given up and will be cancelling my subscription after 5 years of being a loyal customer. Anyhoo... that's another story.

I managed to get something out of them after they told me they don't support 10.4 (for them to fix my problem I would have to downgrade to 10.3). They said open Terminal and type 'netstat -a', "this will check for spyware" they said. I was confident there would be none but ran it anyway. The results came up 'listen' on many of the listings. But they couldn't help me any further because "we don't support 10.4".

So does this mean I have Spyware blocking my bandwidth or what? I fecking hope not, but just in case, what's the best way to remove said stuff, i.e. which program, and is this the first known case of spyware on OSX?

Please help ASAP. If I don't have Spyware I will be cancelling my subscription with Virgin because they are again trying to fob me off with idiotic information.

Thanks guys.

EDIT: I have turned on Firewall Logging to see what's happening and have

'Mar 19 17:49:15 G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.2:49876 from 195.173.72.67:80' this listed again and again. Is some bastard trying to hack my mac and has somehow got spyware on my machine?
 
Did you check what was listening and on what port? I got ssh, netinfo, and Apple Remote Desktop.

It's all a bit alien to me but this is part of what I got:

Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 *.* *.* CLOSED
tcp4 0 0 *.* *.* CLOSED
tcp4 0 0 *.* *.* CLOSED
tcp4 0 0 *.svrloc *.* LISTEN
tcp4 0 0 *.* *.* CLOSED
tcp4 0 0 *.afpovertcp *.* LISTEN
tcp46 0 0 *.afpovertcp *.* LISTEN
tcp4 0 0 *.ipp *.* LISTEN
tcp4 0 0 localhost.netinfo-loca localhost.1017 ESTABLISHED
tcp4 0 0 localhost.1017 localhost.netinfo-loca ESTABLISHED
tcp4 0 0 localhost.netinfo-loca localhost.1021 ESTABLISHED
tcp4 0 0 localhost.1021 localhost.netinfo-loca ESTABLISHED
tcp4 0 0 localhost.netinfo-loca *.* LISTEN
tcp4 0 0 *.printer *.* LISTEN
tcp6 0 0 *.515 *.* LISTEN
udp4 0 0 *.* *.*
 
afpovertcp = Apple File Protocol over TCP
ipp = Internet Printing Protocol
printer = Probably Line Printer Daemon
svrloc = Service Location Protocol (Sounds like Bonjour)
netinfo = Netinfo
 
So you are not sure about .515? :(
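
An added example, not part of any post in the thread: a small parser for `netstat -a` output in the format shown above that keeps only LISTEN sockets, folds numeric ports and service names together, and records whether a listener is bound to loopback only. The port table holds the IANA numbers for the names in the output; the sample rows are constructed from the listing posted earlier.

```python
# Constructed sample: rows in the format posted in the thread (Mac OS X `netstat -a`).
SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 *.* *.* CLOSED
tcp4 0 0 *.svrloc *.* LISTEN
tcp4 0 0 *.afpovertcp *.* LISTEN
tcp46 0 0 *.afpovertcp *.* LISTEN
tcp4 0 0 *.ipp *.* LISTEN
tcp4 0 0 localhost.netinfo-loca localhost.1017 ESTABLISHED
tcp4 0 0 localhost.netinfo-loca *.* LISTEN
tcp4 0 0 *.printer *.* LISTEN
tcp6 0 0 *.515 *.* LISTEN
udp4 0 0 *.* *.*
"""

# IANA well-known ports for the names netstat printed above.
# "netinfo-loca" is left out: netstat truncated that name in the output.
PORT_OF = {"svrloc": 427, "afpovertcp": 548, "ipp": 631, "printer": 515}
NAME_OF = {port: name for name, port in PORT_OF.items()}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def listeners(netstat_text):
    """Return {service: {"port", "protos", "loopback_only"}} for LISTEN sockets."""
    found = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        # The header row has 8 tokens and UDP rows have no state column: both are skipped.
        if len(fields) != 6 or fields[5] != "LISTEN":
            continue
        proto, local = fields[0], fields[3]
        host, _, svc = local.rpartition(".")   # BSD netstat prints address.port
        if svc.isdigit():                      # numeric port: map it back to a name
            port = int(svc)
            name = NAME_OF.get(port, svc)
        else:
            name, port = svc, PORT_OF.get(svc)
        entry = found.setdefault(
            name, {"port": port, "protos": set(), "loopback_only": True})
        entry["protos"].add(proto)
        if host not in LOOPBACK:               # "*" or a routable address
            entry["loopback_only"] = False
    return found
```

On the sample, `*.515` on tcp6 folds into the same entry as `*.printer` on tcp4, and the NetInfo listener is the only one bound to loopback.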
 
And what's all this crap in my firewall log?

I have stealthmode on.


Mar 19 19:16:19 G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.2:50892 from 80.67.87.6:80
Mar 19 19:16:57 G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.2:50892 from 80.67.87.6:80
Mar 19 19:18:38 G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.2:50976 from 66.98.218.12:80
Mar 19 19:18:38 G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.2:50977 from 66.98.218.12:80
Mar 19 19:18:41 G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.2:50976 from 66.9
 
External connection attempts from outside and the IP addresses that they came from via port 80.
 
Ok thanks for your kind help. Have 100s and 100s of these attempts popping up every minute. Could this be what's slowing down my connection and how can I attempt to put a stop to it?
 
Sticking behind your firewall and/or router is the best you can do for that. The internet is crawling with background noise (a.k.a. internet background radiation) from zombie computers and machines trying to make connections. Those connections to your machine are being denied a reply since you're in stealth mode.

The only real option is not to connect at all if you don't want the random noise.
 
There's nothing you can do about those... every computer connected to the internet is being hammered constantly by worms, hackers, etc.. It's just stupid :(
 
Yes but I'm paying £30 a month for 4mb broadband and only getting speeds of 20kbs.
 
Are you using a cable connection? If yes, check your power level, signal-to-noise ratio, etc. To do so, you have to connect to your modem. Usually, the modem will be running on one of these addresses: 192.168.100.1, 192.168.1.1 or 192.168.0.1

then compare the signal values with those in here
 
> And what's all this crap in my firewall log?
>
> I have stealthmode on.

Nothing to worry about. Stealth mode doesn't produce these messages, this is a different thing. One of those IPs belongs to interfacelift.com, the other one I couldn't find. But sporadic messages like this are pretty common. Nothing to worry about if they are each spaced out a few seconds or so.
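
An added example, not part of any post in the thread: a summary of the `ipfw` Stealth Mode log lines quoted earlier, grouped by remote endpoint, with the shortest gap between entries (the spacing the reply above mentions) and a flag for entries that come from a web-server port to a client-side ephemeral port. The flag is a heuristic; the ephemeral range start of 49152 and the placeholder year are assumptions stated in the code.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines as posted in the thread; the last one is cut off there and gets skipped.
SAMPLE = """\
Mar 19 17:49:15 G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.2:49876 from 195.173.72.67:80
Mar 19 19:16:19 G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.2:50892 from 80.67.87.6:80
Mar 19 19:16:57 G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.2:50892 from 80.67.87.6:80
Mar 19 19:18:38 G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.2:50976 from 66.98.218.12:80
Mar 19 19:18:38 G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.2:50977 from 66.98.218.12:80
Mar 19 19:18:41 G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.2:50976 from 66.9
"""

LINE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ ipfw: Stealth Mode connection attempt "
    r"to (TCP|UDP) [\d.]+:(\d+) from ([\d.]+):(\d+)$")
EPHEMERAL_MIN = 49152  # assumed start of the default Mac OS X ephemeral port range


def summarize(log_text, year=2000):
    """Per remote endpoint: hit count, shortest gap in seconds, reply-shaped flag.

    syslog lines carry no year; `year` is an arbitrary placeholder (assumption).
    """
    seen = defaultdict(lambda: {"times": [], "lports": set()})
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                      # truncated or unrelated line
        stamp, _proto, lport, rip, rport = m.groups()
        rec = seen[(rip, int(rport))]
        rec["times"].append(
            datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"))
        rec["lports"].add(int(lport))
    report = {}
    for key, rec in seen.items():
        times = sorted(rec["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[key] = {
            "hits": len(times),
            "min_gap_s": min(gaps) if gaps else None,
            # Heuristic: a web-server source port aimed at a client-side ephemeral
            # port is the shape of return traffic, not of a probe for a service.
            "reply_shaped": key[1] in (80, 443)
            and all(p >= EPHEMERAL_MIN for p in rec["lports"]),
        }
    return report
```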
 
Which one is related to InterfaceLIFT?
 
Can you borrow a friend's laptop? Or install 10.3 onto a spare hard drive? Or just switch ISPs?

I remembered I could use my MB to check too and get the same slow net speeds. Using both wireless and wired connections so it's defo something to do with ISP.

I've had to stop now because I'm too busy, so I am going to have to carry on with this crap on Friday as Thursday is a crazy ass 14 hour print deadline day for me.

:mad: I'm very pissed off right now!

Thanks for the help and input guys. I may return with an update depending on what bullsh*t they feed me.
 