Netstat

on 15.01.2007 08:32:13 by Drafted1970number54SPAM

I'm trying to learn about all this but need some help. So I hope this question is a good place to start.
What does the following mean?
I opened cmd and typed netstat.
If there are things wrong what am I supposed to do?
Active Connections

Proto Local Address Foreign Address State
TCP :1025 localhost:1137 ESTABLISHED
TCP :1137 localhost:1025 ESTABLISHED
TCP :3189 comcast.dca.giganews.com:nntp ESTABLISHED
TCP :3192 po-in-f104.google.com:http ESTABLISHED
TCP :3198 wwwbaytest2.microsoft.com:http ESTABLISHED
TCP :3199 wwwbaytest2.microsoft.com:http ESTABLISHED
TCP :3200 wwwbaytest2.microsoft.com:http ESTABLISHED
TCP :3202 63.236.1.139:http ESTABLISHED
TCP :3203 wwwbaytest2.microsoft.com:http ESTABLISHED
TCP :3204 wwwbaytest2.microsoft.com:http ESTABLISHED
TCP :3205 wwwbaytest2.microsoft.com:http ESTABLISHED
TCP :3206 wwwbaytest2.microsoft.com:http ESTABLISHED
TCP :3207 wwwbaytest2.microsoft.com:http ESTABLISHED

Thanks


--
Lew/+Silat

Re: Netstat

on 15.01.2007 08:57:21 by Bit Twister

On Sun, 14 Jan 2007 23:32:13 -0800, Lew/+Silat wrote:
> I'm trying to learn about all this but need some help. So I hope this question is a good place to start.
> What does the following mean?

It shows what ports are connected to what IP addresses.

Want to know what a port connection MIGHT mean? You can use these two sites:

http://isc.sans.org/port.html?port= <== put port # of interest here
http://www.dshield.org/port_report.html?port=

> I opened cmd and typed netstat.
> If there are things wrong what am I supposed to do?

Get rid of the offending software opening the port. :(

> Active Connections
>
>
> TCP :1025 localhost:1137 ESTABLISHED
> TCP :1137 localhost:1025 ESTABLISHED

http://isc.sans.org/port.html?port=1025
Check the write up and see if you have any of the indicated services running.

>
> TCP :3189 comcast.dca.giganews.com:nntp ESTABLISHED

That is your Usenet connection where you posted this message.


> TCP :3198 wwwbaytest2.microsoft.com:http ESTABLISHED

Guessing you have a browser open and connected to Micro$oft or its
Micro$oft code calling home :(

> TCP :3192 po-in-f104.google.com:http ESTABLISHED

Looks like a google search page connection. Maybe something in the
task bar.

> TCP :3202 63.236.1.139:http ESTABLISHED

On my Linux OS, that ip addy lookup shows
$ whois 63.236.1.139
Qwest Communications Corporation QWEST-INET-9 (NET-63-236-0-0-1)
63.236.0.0 - 63.239.255.255
Qwest Cybercenters QWEST-CYBERCENTER (NET-63-236-0-0-2)
63.236.0.0 - 63.236.127.255
Akamai Technologies, Inc. QWEST-BUC-AKAMAI (NET-63-236-1-128-1)
63.236.1.128 - 63.236.1.255

So I'll guess one of the Micro$oft connections has a connection into
Akamai Tech. Why you ask, because I know Micro$not uses them to host
some of their servers. Linux server boxes as I misunderstand it. :-)


You can look up IP addresses or net block owners somewhere like
http://samspade.org/
http://www.webyield.net/domainquery.html
http://www.geektools.com/whois.php

Re: Netstat

on 15.01.2007 16:02:09 by Ansgar -59cobalt- Wiechers

Bit Twister wrote:
> On Sun, 14 Jan 2007 23:32:13 -0800, Lew/+Silat wrote:
>> I'm trying to learn about all this but need some help. So I hope this
>> question is a good place to start.
>> What does the following mean?
>
> It shows what ports are connected to what IP addresses.
>
> Want to know what a port connection MIGHT mean? You can use these two
> sites:
>
> http://isc.sans.org/port.html?port= <== put port # of interest here
> http://www.dshield.org/port_report.html?port=

As an addendum: ports are just administrative numbers. There's no
guarantee that a specific service is listening on a specific port on any
given host. However, there are several services that *usually* are
configured to listen on specific ports (e.g. SSH on port 22, SMTP on
port 25, HTTP on port 80, ...).

>> I opened cmd and typed netstat.

"netstat" alone will give you only the established connections. You may
want to try "netstat -a" (or "netstat -aob" if you have XP) to get all
connections. Also I suggest adding the option "-n" to prevent name
resolution.

>> If there are things wrong what am I supposed to do?
>
> Get rid of the offending software opening the port. :(

Most definitely. However, to do that you need to identify the offending
software first. "netstat -anob" will help with that on Windows XP. On
versions prior to that I'd suggest using TCPView [1] instead (run as
admin user to get information about the processes).

[1] http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

OT: Re: Netstat

on 15.01.2007 17:07:04 by unknown

Post removed (X-No-Archive: yes)

Re: Re: Netstat

on 15.01.2007 21:11:34 by Drafted1970number54SPAM

Thank you for the lesson :)
Everything looks legitimate using "a noob" but I have a lot to learn.
Using just plain netstat shows 1025 and 1026 as being used.
But the commands you recommended don't show them used at all.
Using google I came to the conclusion that 1025 and 1026 might be the clock/calendar in the taskbar.


Lew/+Silat

Re: OT: Re: Netstat

on 15.01.2007 22:39:55 by Ansgar -59cobalt- Wiechers

Sebastian Gottschalk wrote:
> Ansgar -59cobalt- Wiechers wrote:
>> Most definitely. However, to do that you need to identify the
>> offending software first. "netstat -anob" will help with that on
>> Windows XP. On versions prior to that I'd suggest using TCPView [1]
>> instead (run as admin user to get information about the processes).
>
> TCPView works fine as a restricted user. Especially since it doesn't
> share netstat's LUA bug "Can not obtain ownership information".

Only that on versions PRIOR TO XP (like e.g. Windows 2000) it DOES NOT
show information about the associated processes when run by restricted
users. Go figure.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Re: Netstat

on 15.01.2007 23:48:41 by Drafted1970number54SPAM

Lew/+Silat wrote:
> Thank you for the lesson :)
> Everything looks legitimate using "a noob" but I have a lot to learn.
> Using just plain netstat shows 1025 and 1026 as being used.
> But the commands you recommended don't show them used at all.
> Using google I came to the conclusion that 1025 and 1026 might be the clock/calendar in the taskbar.
>
>
> Lew/+Silat

correction: 1025/1026 are isafe. Zone Alarm


--
Lew/+Silat

Re: Netstat

on 16.01.2007 21:12:53 by kingthorin

Lew/+Silat wrote:
> Thank you for the lesson :)
> Everything looks legitimate using "a noob" but I have a lot to learn.
> Using just plain netstat shows 1025 and 1026 as being used.
> But the commands you recommended don't show them used at all.
> Using google I came to the conclusion that 1025 and 1026 might be the clock/calendar in the taskbar.
>
>
> Lew/+Silat

I notice in your first post 1026 isn't showing. However checking 1025
and 1026 on my system I notice they're listed as UDP. Also notice the
destination is *.* so I'm sending out traffic on 1025/1026 to anyone
who will listen (and hopefully respond).

C:\Documents and Settings\ITS0846>netstat -a|find "102"
UDP WL-5200:1025 *:*
UDP WL-5200:1026 *:*

Further, if I include the -o flag in XP:

C:\Documents and Settings\ITS0846>netstat -a|find "102"
UDP WL-5200:1025 *:* 1276
UDP WL-5200:1026 *:* 1276

Note 1276 is the process id of whatever application or service is
maintaining that connection.

If you fire up task manager you'll see this is one of Microsoft's
svchost.exe processes. If you fire up ProcessExplorer
(www.sysinternals.com....recently bought by MS) you get more info:
this particular svchost.exe process (1276 in my case) is "DNS Client"
if you hover over the process name.

As I'm writing this I also notice a random local TCP port connected to
1026 of a remote machine which happens to be our Exchange email server.

Anyway I've babbled long enough, hopefully that gives you some insight
into how to track these things down.
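As an added example (not code from any poster in this thread), the following Python parses "netstat -ano"-style output like the listings above, groups sockets by owning PID the way the -o flag lets you do by hand, and separates loopback pairs, open UDP sockets and listening ports from real connections to other hosts. The sample listing is constructed; the hosts, ports and PIDs in it are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the "netstat -ano" layout (Proto, Local, Foreign, State, PID).
# UDP rows carry no State column, as in kingthorin's listing; the PID is last.
SAMPLE = """
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1025         127.0.0.1:1137         ESTABLISHED     1276
  TCP    127.0.0.1:1137         127.0.0.1:1025         ESTABLISHED     1276
  TCP    192.168.1.10:3189      203.0.113.5:119        ESTABLISHED     2044
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  UDP    192.168.1.10:1025      *:*                                    1276
  UDP    192.168.1.10:1026      *:*                                    1276
"""

# State is optional so one pattern matches both TCP and UDP rows.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per socket row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line)
        if not match:
            continue
        proto, local, foreign, state, pid = match.groups()
        lhost, _, lport = local.rpartition(":")    # rpartition keeps IPv6 hosts intact
        fhost, _, fport = foreign.rpartition(":")
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport,
                     "state": state or "", "pid": int(pid)})
    return rows


def classify(row):
    # Loopback pairs (like 1025<->1137 above) are local IPC between two of
    # your own programs; UDP *:* and LISTENING are ports open to the network;
    # anything else is a live connection to another host worth looking up.
    if row["fhost"] in ("localhost", "::1") or row["fhost"].startswith("127."):
        return "local"
    if row["proto"] == "UDP" and row["fhost"] == "*":
        return "open-udp"
    if row["state"] == "LISTENING":
        return "listening"
    return "remote"


def by_pid(rows):
    """Group (proto, local port, class) by owning PID, for matching against Task Manager."""
    groups = defaultdict(list)
    for row in rows:
        groups[row["pid"]].append((row["proto"], row["lport"], classify(row)))
    return dict(groups)
```

On a live box, feed it the output of netstat -ano instead of SAMPLE and check each PID in Task Manager or Process Explorer as described above.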

Re: Netstat

on 16.01.2007 21:17:50 by Drafted1970number54SPAM

kingthorin@gmail.com wrote:
> Lew/+Silat wrote:
>> Thank you for the lesson :)
>> Everything looks legitimate using "a noob" but I have a lot to learn.
>> Using just plain netstat shows 1025 and 1026 as being used.
>> But the commands you recommended don't show them used at all.
>> Using google I came to the conclusion that 1025 and 1026 might be the clock/calendar in the taskbar.
>>
>>
>> Lew/+Silat
>
> I notice in your first post 1026 isn't showing. However checking 1025
> and 1026 on my system I notice they're listed as UDP. Also notice the
> destination is *.* so I'm sending out traffic on 1025/1026 to anyone
> who will listen (and hopefully respond).
>
> C:\Documents and Settings\ITS0846>netstat -a|find "102"
> UDP WL-5200:1025 *:*
> UDP WL-5200:1026 *:*
>
> Further, if I include the -o flag in XP:
>
> C:\Documents and Settings\ITS0846>netstat -a|find "102"
> UDP WL-5200:1025 *:* 1276
> UDP WL-5200:1026 *:* 1276
>
> Note 1276 is the process id of whatever application or service is
> maintaining that connection.
>
> If you fire up task manager you'll see this is one of Microsoft's
> svchost.exe processes. If you fire up ProcessExplorer
> (www.sysinternals.com....recently bought by MS) you get more info:
> this particular svchost.exe process (1276 in my case) is "DNS Client"
> if you hover over the process name.
>
> As I'm writing this I also notice a random local TCP port connected to
> 1026 of a remote machine which happens to be our Exchange email server.
>
> Anyway I've babbled long enough, hopefully that gives you some insight
> into how to track these things down.


Thanks for your babbling. I really appreciate it :)


--
Lew/+Silat