[Dshield] Netstat output from XP machine

Portz, Jon jportz at kforce.com
Wed Feb 4 19:21:45 GMT 2004


Try a "netstat -ano" and cross-reference the PIDs with those listed in
the Task Manager process list. Also, if the PID is not listed in taskman,
try fport from foundstone
(http://www.foundstone.com/resources/freetools/fport.zip); it will map
port usage to applications. If the PID doesn't show up in the process
list, I would consider that as a definitive heads-up. Processes that try
to hide in that manner are, IMHO, dangerously written. Is it possible he
is running P2P software of some kind? TCP 9420 does not sound too
familiar...

Heh, if it were me I'd throw a snort box on it...

Jon Portz

KTS Network Services
Kforce Professional Staffing

Look Smarter. http://www.kforce.com

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
Behalf Of Dustin Plank
Sent: Wednesday, February 04, 2004 12:28 PM
To: "General DShield Discussion List"
Subject: [Dshield] Netstat output from XP machine

I have a question that hopefully the people of the list can help me
with.

The following was pulled from a friend's computer. His computer is
running updated Norton AV, he scans regularly with Ad-Aware, he is
behind a Linksys router and runs Seagate Personal Firewall. He is
running on a cable modem for his internet connection as well.

The network connection was going bonkers and this is what I found.
Can anyone decipher what this may be? His machine seems to be clear
of viruses, no spyware found, updated to the fullest from Windows
Update.

Thanks for the help in advance. It is much appreciated.

Thanks,

Dustin


Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    inet-wkst1:1754        thereserve-sc-142-106.dmisinetworks.com:9420  CLOSE_WAIT
  TCP    inet-wkst1:1755        cpc1-hem11-3-0-cust139.lutn.cable.ntl.com:9420  CLOSE_WAIT
  TCP    inet-wkst1:1756        prtc-dsl-480229.mis.net:9420  CLOSE_WAIT
  TCP    inet-wkst1:1757        12-222-201-216.client.insightBB.com:9420  CLOSE_WAIT
  TCP    inet-wkst1:1758        ip68-8-212-101.sd.sd.cox.net:9420  CLOSE_WAIT
  TCP    inet-wkst1:1759        ool-182fa533.dyn.optonline.net:9420  CLOSE_WAIT
  TCP    inet-wkst1:1760        modemcable005.210-203-24.mc.videotron.ca:9420  CLOSE_WAIT
  TCP    inet-wkst1:1761        ma-northadams2a-36.bur.adelphia.net:9420  CLOSE_WAIT
  TCP    inet-wkst1:1762        cp209-202-78-173.cp.telus.net:9420  CLOSE_WAIT
  TCP    inet-wkst1:1763        68-233-86-83.pittpa.adelphia.net:9420  CLOSE_WAIT
  TCP    inet-wkst1:1764        Toronto-HSE-ppp3884730.sympatico.ca:9420  CLOSE_WAIT
  TCP    inet-wkst1:1765        ool-43563a71.dyn.optonline.net:9420  CLOSE_WAIT
  TCP    inet-wkst1:1766        tow29dhcp10.towson01.md.comcast.net:9420  CLOSE_WAIT
  TCP    inet-wkst1:1767        pcp01184645pcs.strl301.mi.comcast.net:9420  CLOSE_WAIT
  TCP    inet-wkst1:1768        pcp07845441pcs.wilmsc01.tn.comcast.net:9420  CLOSE_WAIT
  TCP    inet-wkst1:1769        199.172.211.12:9420    CLOSE_WAIT
  TCP    inet-wkst1:1770        cpe-024-211-195-201.ec.rr.com:9420  CLOSE_WAIT
  TCP    inet-wkst1:1771        ca-fontana3a-138.snbrca.adelphia.net:9420  CLOSE_WAIT
  TCP    inet-wkst1:1772        cdm-66-233-104-15.bssr.cox-internet.com:9420  CLOSE_WAIT
  TCP    inet-wkst1:1773        ip68-2-201-228.ph.ph.cox.net:9420  CLOSE_WAIT
  TCP    inet-wkst1:1780        thereserve-sc-142-106.dmisinetworks.com:9420  CLOSE_WAIT
  TCP    inet-wkst1:1782        cpc1-hem11-3-0-cust139.lutn.cable.ntl.com:9420  CLOSE_WAIT
  TCP    inet-wkst1:1784        prtc-dsl-480229.mis.net:9420  CLOSE_WAIT
  TCP    inet-wkst1:1785        ool-182fa533.dyn.optonline.net:9420  CLOSE_WAIT
  TCP    inet-wkst1:1787        24-119-33-15.cpe.cableone.net:9420  CLOSE_WAIT
  TCP    inet-wkst1:1788        ma-northadams2a-36.bur.adelphia.net:9420  CLOSE_WAIT
  TCP    inet-wkst1:1789        modemcable005.210-203-24.mc.videotron.ca:9420  CLOSE_WAIT
  TCP    inet-wkst1:1791        ip68-8-212-101.sd.sd.cox.net:9420  CLOSE_WAIT
  TCP    inet-wkst1:1792        cp209-202-78-173.cp.telus.net:9420  CLOSE_WAIT
  TCP    inet-wkst1:1793        68-233-86-83.pittpa.adelphia.net:9420  CLOSE_WAIT
  TCP    inet-wkst1:1795        Toronto-HSE-ppp3884730.sympatico.ca:9420  CLOSE_WAIT
  TCP    inet-wkst1:1797        ool-43563a71.dyn.optonline.net:9420  CLOSE_WAIT
  TCP    inet-wkst1:1799        tow29dhcp10.towson01.md.comcast.net:9420  CLOSE_WAIT
  TCP    inet-wkst1:1800        pcp07845441pcs.wilmsc01.tn.comcast.net:9420  CLOSE_WAIT
  TCP    inet-wkst1:1801        pcp01184645pcs.strl301.mi.comcast.net:9420  CLOSE_WAIT
  TCP    inet-wkst1:1802        cpe-024-211-195-201.ec.rr.com:9420  CLOSE_WAIT
  TCP    inet-wkst1:1803        ca-fontana3a-138.snbrca.adelphia.net:9420  CLOSE_WAIT
  TCP    inet-wkst1:1804        199.172.211.12:9420    CLOSE_WAIT
  TCP    inet-wkst1:1805        modemcable035.75-130-66.mc.videotron.ca:9420  CLOSE_WAIT
  TCP    inet-wkst1:1806        cdm-66-233-104-15.bssr.cox-internet.com:9420  CLOSE_WAIT
  TCP    inet-wkst1:2807        69.28.154.21:http      ESTABLISHED
  TCP    inet-wkst1:2808        69.28.154.21:http      ESTABLISHED
  TCP    inet-wkst1:4131        unknown.Level3.net:http  CLOSE_WAIT
  TCP    inet-wkst1:4446        216.52.240.10:14298    ESTABLISHED
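The two checks this thread turns on, Jon's "netstat -ano, then match the PIDs against the process list" step and the pattern in Dustin's listing (one workstation holding connections to some twenty different peers on the same unfamiliar port), can be automated once both command outputs are captured. The script below is an added example written for this archive page; it is not code from either poster, from DShield or from Foundstone's fport. The `netstat -ano` and `tasklist /FO CSV` samples are constructed, with hypothetical PIDs and RFC 5737 documentation addresses; note that Dustin's own listing was taken without `-o`, so it carries no PID column, which is exactly why the reply asks for `-ano`.

```python
"""Cross-reference `netstat -ano` output with `tasklist /FO CSV` output:
flag connections whose owning PID is missing from the process list, and
report remote ports that this host is talking to on many distinct peers."""
import csv
import io
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not from the original post).
# PIDs and addresses are hypothetical; PID 4 is the Windows System process.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1754      203.0.113.7:9420       CLOSE_WAIT      1632
  TCP    192.168.1.10:1755      198.51.100.22:9420     CLOSE_WAIT      1632
  TCP    192.168.1.10:1756      203.0.113.90:9420      CLOSE_WAIT      1632
  TCP    192.168.1.10:1757      198.51.100.5:9420      CLOSE_WAIT      1632
  TCP    192.168.1.10:2807      192.0.2.44:80          ESTABLISHED     1204
  TCP    192.168.1.10:2808      192.0.2.44:80          ESTABLISHED     1204
  TCP    192.168.1.10:2810      192.0.2.44:80          TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /FO CSV` output. PID 1632, which owns
# the port-9420 connections above, is deliberately absent from it.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"iexplore.exe","1204","Console","0","18,432 K"
"explorer.exe","1388","Console","0","21,100 K"
"""


def split_endpoint(endpoint):
    """Split 'host:port' on the last colon; works for resolved names,
    dotted quads and the '*:*' wildcard that UDP entries show."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one dict per connection line of `netstat -ano` output."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # blank line, 'Active Connections', or column header
        if fields[0] == "TCP":
            proto, local, remote, state, pid = fields[:5]
        else:
            proto, local, remote, pid = fields[:4]  # UDP has no State column
            state = ""
        rhost, rport = split_endpoint(remote)
        conns.append({"proto": proto, "local": local, "remote_host": rhost,
                      "remote_port": rport, "state": state, "pid": int(pid)})
    return conns


def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /FO CSV` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def orphan_connections(conns, procs):
    """Connections whose PID is not in the process list: the 'definitive
    heads-up' case from the reply. PID 0 is skipped, since Windows reports
    it for TIME_WAIT sockets that no longer belong to any process."""
    return [c for c in conns if c["pid"] != 0 and c["pid"] not in procs]


def remote_port_fanout(conns, min_hosts=3):
    """Remote ports reached on at least `min_hosts` distinct peers. One
    process contacting many different hosts on the same odd port is the
    shape of the listing under discussion (port 9420 on ~20 peers)."""
    peers = defaultdict(set)
    for c in conns:
        if c["remote_host"] not in ("*", ""):
            peers[c["remote_port"]].add(c["remote_host"])
    return {port: sorted(hosts) for port, hosts in peers.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_SAMPLE)
    procs = parse_tasklist_csv(TASKLIST_SAMPLE)
    for c in orphan_connections(conns, procs):
        print("no process for PID %d: %s %s -> %s:%s %s" % (
            c["pid"], c["proto"], c["local"], c["remote_host"],
            c["remote_port"], c["state"]))
    for port, hosts in remote_port_fanout(conns).items():
        print("remote port %s reached on %d distinct hosts" % (port, len(hosts)))
```

On a live machine the two samples would be replaced by the saved output of `netstat -ano` and `tasklist /FO CSV` run back to back; a PID that netstat reports but tasklist does not list is the condition the reply singles out, and the fan-out report reproduces, from a plain listing like Dustin's, the observation that every one of those connections goes to a different peer on the same port.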
