Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: How to find process behing TCP connection ?

From: Danux <danuxx () gmail com>
Date: Wed, 27 Sep 2006 21:55:50 -0600
The closer lsoft implementation on Windows is called F-Port from
FoundStone but it doesnt work well on Windows 2003.

You should wait for a new F-port  version.

Cheers!!!

On 9/27/06, Buozis, Martynas <martynas () ti com> wrote:

Thanks for reply.

Maybe I was not clear. Windows Server 2003 is acting as client and
initiates connection to service on port 139 too many workstations.
Actually it tries to logon as Administrator to many computers. And
process, that initiates connection, is "System 4". There are no reasons
why this server should connect to any of these workstations. Per
configuration attempt to logon as Admin is denied.

I set up open system and expect server will try to connect to it, so
maybe I will understand better what is behind activity, but I am also
sure, that more people got same problem for different reasons and they
are willing to share their experience.

So easy under Unix with LSOF and not possible under Windows ?... Can't
believe!


With best regards
Martynas


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Colin Copley
Sent: Wednesday, September 27, 2006 8:55 PM
To: Buozis, Martynas
Cc: security-basics () securityfocus com
Subject: Re: How to find process behing TCP connection ?

Maybe this is some help?

http://forum.sysinternals.com/forum_posts.asp?TID=3432

If not, perhaps you could attempt to telnet or putty into the port, and
see
if it returns an error message which might give some more info.
Another idea - try ethereal to capture the packet data and see what it
contains.
Also I believe nmap can attempt to establish what's listening on a
certain
port.  It might give you more info than just system 4.
Regards
Colin


----- Original Message -----
From: "Buozis, Martynas" <martynas () ti com>
Hello

I need an advice. I have Windows 2003 server. It occasionally show
strange and suspicious network behavior. I used command "netstat -abov"
and Process explorer tool from Sysinternals to find process behind
connections. I found that it is "System 4" and got stuck. How I can
identify what is behind this "System 4"?

I thought it may be hidden process, but RootkitReveal from Systinternals
did not show anything.

I will be grateful for any ideas how to identify what is behind these
TCP connections from server to many computers!

Thank you in advance.

With best regards
Martynas



------------------------------------------------------------------------
---
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic
Excellence
in Information Security. Our program offers unparalleled Infosec
management
education and the case study affords you unmatched consulting
experience.
Using interactive e-Learning technology, you can earn this esteemed
degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------





--
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: