Security Basics mailing list archives
Re: How to find process behind TCP connection ?
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Wed, 27 Sep 2006 21:15:40 +0200
On 2006-09-26 Buozis, Martynas wrote:
> I need an advice. I have Windows 2003 server. It occasionally shows strange and suspicious network behavior. I used command "netstat -abov" and Process Explorer tool from Sysinternals to find process behind connections. I found that it is "System 4" and got stuck. How can I identify what is behind this "System 4"?
System:4 is AFAIK not a real process, but basically the kernel. What do you mean by "strange and suspicious network behavior"? Unusual network traffic? Open ports? Have you tried to inspect the network traffic with a protocol analyzer? Have you run a portscan against the host?
> I thought it might be a hidden process, but RootkitRevealer from Sysinternals did not show anything.
You could try other rootkit detection tools (e.g. Blacklight [1] or Anti-Rootkit [2]), or do an offline analysis of the system.
> I will be grateful for any ideas on how to identify what is behind these TCP connections from server to many computers!
I'd start with inspecting the traffic, preferably gathered through some tap device.

[1] http://www.f-secure.com/blacklight/
[2] http://download.bitdefender.com/windows/desktop/internet_security/beta/

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq
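As an added example (not code from this thread, and not a Sysinternals tool), a small Python triage script for the situation Martynas describes: it parses `netstat -ano` output, lists which remote hosts are talking to PID 4, and flags PID-4 endpoints on local ports the kernel is not expected to own, so the traffic capture Ansgar suggests can be focused on those. The netstat text and the set of expected kernel ports are constructed assumptions.

```python
"""Triage `netstat -ano` output: which remote hosts talk to PID 4 (System, i.e.
kernel-mode code such as the SMB server), and which PID-4 endpoints sit on a
port the kernel is not expected to own and so deserve a packet capture."""
import re
from collections import defaultdict

# Constructed sample in the layout `netstat -ano` prints; not a real capture.
SAMPLE_NETSTAT = """\
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:445       192.168.1.57:3421      ESTABLISHED     4
  TCP    192.168.1.10:445       192.168.1.58:1122      ESTABLISHED     4
  TCP    192.168.1.10:2049      192.168.1.99:4444      ESTABLISHED     4
  TCP    192.168.1.10:1034      10.0.0.5:80            ESTABLISHED     1532
"""
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
SYSTEM_PID = 4
# Assumption: a Windows 2003 file server, so the kernel owns SMB/CIFS (139, 445).
# Add 80/443 when IIS is installed, since HTTP.sys also shows up under PID 4.
KERNEL_PORTS = {139, 445}

def parse_netstat(text):
    """One dict per connection row; `-b` module lines like [svchost.exe] are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, _lip, lport, remote, state, pid = m.groups()
            rows.append({"proto": proto, "lport": int(lport), "remote": remote,
                         "state": state or "", "pid": int(pid)})
    return rows

def triage_system_pid(rows):
    """Return (peers, suspicious): remote hosts per PID-4 local port, and PID-4 rows outside KERNEL_PORTS."""
    peers, suspicious = defaultdict(set), []
    for r in rows:
        if r["pid"] != SYSTEM_PID:
            continue
        if r["state"] != "LISTENING":
            peers[r["lport"]].add(r["remote"].rsplit(":", 1)[0])
        if r["lport"] not in KERNEL_PORTS:
            suspicious.append(r)
    return dict(peers), suspicious

if __name__ == "__main__":
    peers, suspicious = triage_system_pid(parse_netstat(SAMPLE_NETSTAT))
    print("Remote hosts per kernel-owned local port:", peers)
    print("PID-4 endpoints on unexpected ports, capture their traffic:", suspicious)
```

Feed it the real output with `netstat -ano > conns.txt` and read that file instead of the sample; the ports in `KERNEL_PORTS` must match what the server is actually meant to serve.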