Peculiar Netstat Output (Microsoft fighting back?)

Discussion in 'Windows 7' started by topdnbass, Oct 26, 2009.

  1. topdnbass

    topdnbass MDL Novice

    Sep 28, 2009
    10
    0
    0
  2. kukubau

    kukubau MDL Addicted

    Dec 15, 2008
    694
    48
    30
    "activate"? That's all that says? Another server address would come in handy.
     
  3. sam3971

    sam3971 MDL Guru

    Nov 14, 2008
    2,235
    311
    90
    Notice that all the IPs are 127.0.0.1? That specific IP is used for local stuff only. For example, if you want to block a site using Hosts, then type 127.0.0.1 and then the site you want. This works by loopbacking a packet from your computer back to your computer, so I would not worry about it, dude. If you can get another IP or something, then you can block them individually using your firewall.
     
  4. myexige

    myexige MDL Novice

    Jul 30, 2009
    17
    0
    0
    You are probably running a cracked version of an Adobe product!!!
     
  5. Phazor

    Phazor MDL Expert

    Sep 1, 2009
    1,144
    518
    60
    netstat always only shows the word before the first dot, so that would probably be activate.microsoft.com
     
  6. sam3971

    sam3971 MDL Guru

    Nov 14, 2008
    2,235
    311
    90
    Yeah, lol, this will also happen if you have any entry in your Hosts file like Adobe cracks or System Mechanic cracks.
     
  7. W0lfdale

    W0lfdale MDL Junior Member

    Aug 28, 2009
    80
    0
    0
    #7 W0lfdale, Oct 26, 2009
    Last edited by a moderator: Apr 20, 2017
    Rerun it again using the following command:
    Code:
    netstat -bf
     
  8. kukubau

    kukubau MDL Addicted

    Dec 15, 2008
    694
    48
    30
    127.0.0.1 activate.microsoft.com

    100% he has that line added in the HOSTS file.

    Nothing to worry about, dude. Au contraire, that line is for your own benefit. It blocks MS from snooping into your PC.
     
  9. Phazor

    Phazor MDL Expert

    Sep 1, 2009
    1,144
    518
    60
    I just noticed something VERY odd!

    Because I was curious I just ran a netstat -bfo and found that there are 4 connections to mpa.microsoft.com via Firefox! (Actually I have that address in my hosts file, so normally it should be routed to the loopback.) Anyhow, I thought how odd, and exited Firefox and opened Opera instead. No connections to mpa. Then I got even more curious and opened Thunderbird, just to see what happens. And indeed the same thing happened: 4 connections to mpa via Thunderbird!

    So unless I am totally misinterpreting this now, something in 7 seems to be hijacking the executables of the standard email and browser programs in order to communicate right through the firewall with the mpa server. Obviously I will have to do more investigating here, but perhaps you could check if you experience something similar.

    Command line: netstat -bfo
     
  10. topdnbass

    topdnbass MDL Novice

    Sep 28, 2009
    10
    0
    0
    Thanks for the responses guys.

    I'm quite aware of the etc/hosts file and the localhost loopback "phenomenon".
    The thing that worried me is how come it says state established instead of state closed?
    Just making sure that the address in hosts is preventing access.

    Adding the -bf tag made me see it was indeed Adobe :D
    So nothing to worry about yet, fellas.

    @Phazor I'm not getting anything like that, but we should investigate.
     
  11. Phazor

    Phazor MDL Expert

    Sep 1, 2009
    1,144
    518
    60
    Well, I can say that much: it is 100% reproducible here.

    FF and TB off: No conns to mpa.

    FF and TB on: 4 conns to mpa via FF and 4 more via TB.

    FF and TB off: No conns to mpa.

    I can repeat that endlessly...
     
  12. Dolorous Edd

    Dolorous Edd MDL Expert

    Aug 31, 2009
    1,054
    217
    60
    #12 Dolorous Edd, Oct 26, 2009
    Last edited: Oct 26, 2009
  13. Phazor

    Phazor MDL Expert

    Sep 1, 2009
    1,144
    518
    60
    I have only 3 plugins in FF, namely AcrobatReader, MozillaDefault and ShockWave.
     
  14. Phazor

    Phazor MDL Expert

    Sep 1, 2009
    1,144
    518
    60
  15. Phazor

    Phazor MDL Expert

    Sep 1, 2009
    1,144
    518
    60

    Attached Files:

  16. oneextraid

    oneextraid MDL Member

    Jul 29, 2009
    181
    19
    10
    I too have this same thing happening. However, I see it with Avast and uTorrent if FF is not running.
     
  17. Dolorous Edd

    Dolorous Edd MDL Expert

    Aug 31, 2009
    1,054
    217
    60
    I have a genuine retail key and I do not see this behavior. Been running cports for a while and nothing. No callbacks to Microsoft at all.
     
  18. oneextraid

    oneextraid MDL Member

    Jul 29, 2009
    181
    19
    10
    Just rebooted to Vista, which has a loader as well, and get the very same thing. I see it with AppleMobileDevice from iTunes.
     
  19. Lich King

    Lich King MDL Addicted

    Sep 24, 2009
    500
    24
    30
    Same here.. on retail keys..
     
  20. 3sidedcube

    3sidedcube MDL Member

    Oct 1, 2009
    166
    24
    10
    Guys,
    Firstly, 127.0.0.1 is the internal loopback IP address for your machine, and yes, you will get a connection established, but only to your machine and not the said site. Also, if you have a host list blocking Microsoft MPA and Office then you will get the same result. Panic when it doesn't say 127.0.0.1 :D:D:D

    You can also check out the Sysinternals site for tools to monitor connections and all sorts of monitoring tools, all free...

    I can assure you that everything is OK with what you are getting on netstat. If you are not sure, try tracert to 127.0.0.1 and you will just get one hop to 127.0.0.1 :)

    Let me know how you get on :) TA!
     
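The point made in the last post, that an ESTABLISHED row whose foreign name is mapped to 127.0.0.1 in the hosts file is a connection to your own machine, can be checked mechanically by comparing netstat rows against the hosts file. This is an added example, not code from anyone in the thread; the hosts entries, netstat rows, process names and function names are constructed for illustration, and the short-name match (netstat without -f, as described in post 5) is a heuristic.

```python
import ipaddress
import re

# Constructed sample input (not from the thread): a hosts file and rows
# laid out like `netstat -bfo` output, the last one without a full name.
HOSTS = """\
# blocklist entries
127.0.0.1  localhost
127.0.0.1  activate.microsoft.com mpa.microsoft.com
"""
NETSTAT = """\
  Proto  Local Address      Foreign Address           State        PID
  TCP    127.0.0.1:49170    mpa.microsoft.com:49171   ESTABLISHED  2360
 [firefox.exe]
  TCP    192.168.1.20:49300 files.example.net:443     ESTABLISHED  2360
 [firefox.exe]
  TCP    127.0.0.1:49200    activate:49201            ESTABLISHED  1880
 [example.exe]
"""
ROW = re.compile(r"\s*TCP\s+\S+\s+(\S+):\d+\s+\S+\s+\d+")

def is_loopback(text):
    """True if text is a literal loopback IP address (127.0.0.0/8 or ::1)."""
    try:
        return ipaddress.ip_address(text.strip("[]")).is_loopback
    except ValueError:
        return False

def loopback_aliases(hosts_text):
    """Names that the hosts file maps to a loopback address."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) >= 2 and is_loopback(fields[0]):
            names.update(name.lower() for name in fields[1:])
    return names

def classify(netstat_text, aliases):
    """Return (owning process, foreign host, verdict) for each TCP row."""
    short = {a.split(".")[0] for a in aliases}  # first label only
    rows, out = netstat_text.splitlines(), []
    for i, row in enumerate(rows):
        m = ROW.match(row)
        if not m:
            continue
        host = m.group(1).lower()
        nxt = rows[i + 1].strip() if i + 1 < len(rows) else ""
        owner = nxt.strip("[]") if nxt.startswith("[") else "unknown"
        if is_loopback(host) or host in aliases:
            verdict = "loopback"
        elif host in short:
            verdict = "loopback (short name of a hosts alias)"
        else:
            verdict = "remote"
        out.append((owner, host, verdict))
    return out
```

Only rows classified as remote leave the machine; for those, the owning process and destination are what to review in the firewall.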