[Dshield] Transient Netstat Output

Jeffrey Pike jpike at gpl.org
Tue Apr 20 22:12:41 GMT 2004


I'm seeing entries like this from "netstat -an" on a Windows NT 4.0 Server
machine with IIS 4.0. They come and go. I checked the first foreign IP at
RIPE. It belongs to a service provider in the Netherlands. My system runs at
a public library in Massachusetts.

I ran the 1628x port series through Google and Symantec Security Response
and didn't find anything. Neither my NT event viewer or W3SVC logs show
anything unusual. I'm patched, running URLScan, and up to date on virus
defs.

What do these mean?

Thank-you.
Jeffrey Pike
--------------------------------------------------
TCP    192.168.x.x:80         213.84.8.90:16284      TIME_WAIT
TCP    192.168.x.x:80         213.84.8.90:16285      ESTABLISHED
TCP    192.168.x.x:80         213.84.8.90:16286      ESTABLISHED

TCP    192.168.x.x:80         68.184.43.214:25256    TIME_WAIT

TCP    192.168.x.x:4112       209.225.11.243:80      TIME_WAIT

TCP    192.168.x.x:80         68.184.43.159:3442     ESTABLISHED
TCP    192.168.x.x:80         68.184.43.159:3444     TIME_WAIT
TCP    192.168.x.x:80         68.184.43.159:3445     TIME_WAIT




More information about the list mailing list