NTL connections in netstat
 

My parents are on Virgin Media cable broadband. They connect directly to the network using a standard Virgin Media modem, no router involved.

In netstat I've been seeing what appear to be private internet addresses, the kind allocated to users.

Here's a sample with the numbers starred out:

TCP ----:epmap cpc2-oldh6-0-0cust***.manc.cable.ntl.com:1818
TIME_WAIT
TCP ----:epmap cpc1-mfld6-0-0cust***.nott.cable.ntl.com:15253
TIME_WAIT
TCP ----:epmap cpc1-mfld6-0-0cust***.nott.cable.ntl.com:48271
ESTABLISHED
TCP ----:epmap cpc3-grnk3-0-0cust***.renf.cable.ntl.com:1025
TIME_WAIT
TCP ----:epmap cpc3-grnk3-0-0cust***.renf.cable.ntl.com:4894
TIME_WAIT

Ordinarily I would think this was some kind of Trojan activity or P2P program / Worm running. However the addresses are *always* NTL and no other network. So I though it might be normal for the network. I plan to put them behind a router later this week and probably reinstall windows. The latest scan with ESET and the Port probe at hackerwatch.org show all clear.

Just wondered if anyone could shed any light on the netstat entries. Thanks Matt.

Re: NTL connections in netstat
 

Do you use Live Messenger? If you do its just the reverse DNS addresses of the people you are talking to.

Re: NTL connections in netstat
 

Thanks for the reply:

It's not MSN, my parents don't use any chat programs :)

I thought it might be some kind of redirection by the DHCP server at Virgin. I always connect via a router myself and I have checked netstat every day for over a year and never seen these entries.

Re: NTL connections in netstat
 

I think netstat -b tells you which program is using the connection.

Re: NTL connections in netstat
 

The remote hosts are probably virus infected, and trying to infect your parent's machine in turn by scanning the network.

epmap (port 135) is the RPC port on Windows - don't allow anything you don't trust to connect to it - always have a NATting router or some other form of firewall between you and the internet.