Security Basics mailing list archives

RE: How to find process behind TCP connection ?


From: "Buozis, Martynas" <martynas () ti com>
Date: Thu, 28 Sep 2006 19:47:13 +0200

I am not sure that server behavior is normal when the server is connecting
to many clients (NOT clients TO server) as the Admin user. I suppose normal
is when many clients are connecting to the server, not the other way round.

I will try the tools others suggested.

Thanks everyone for the ideas! If there are more, please let me know. I
will also report back if I succeed in finding the right tool or method for
my task.

With best regards
Martynas 


-----Original Message-----
From: Robert D. Holtz - Lists [mailto:robert.d.holtz () gmail com] 
Sent: Thursday, September 28, 2006 6:11 PM
To: Buozis, Martynas; security-basics () securityfocus com
Subject: RE: How to find process behind TCP connection ?

The behavior that you're seeing could be completely normal.  Windows does
all kinds of things via port TCP/UDP 139.  You would need to attach a
sniffer to dig deeper into the packet payloads in order to determine
what's up.

Here's a list of some of the services that use port 139:

Function                    Static ports
--------                    ------------
Directory Replication       UDP:138 TCP:139
Event Viewer                TCP:139
File Sharing                TCP:139
Logon Sequence              UDP:137,138 TCP:139
Pass Through Validation     UDP:137,138 TCP:139
Performance Monitor         TCP:139
Printing                    UDP:137,138 TCP:139
Registry Editor             TCP:139
Server Manager              TCP:139
Trusts                      UDP:137,138 TCP:139
User Manager                TCP:139
WinNT Diagnostics           TCP:139
WinNT Secure Channel        UDP:137,138 TCP:139


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Buozis, Martynas
Sent: Tuesday, September 26, 2006 3:35 PM
To: security-basics () securityfocus com
Subject: How to find process behind TCP connection ?

Hello

I need some advice. I have a Windows 2003 server. It occasionally shows
strange and suspicious network behavior. I used the command "netstat -abov"
and the Process Explorer tool from Sysinternals to find the process behind
the connections. I found that it is "System 4" and got stuck. How can I
identify what is behind this "System 4"?

I thought it may be a hidden process, but RootkitRevealer from Sysinternals
did not show anything.

I will be grateful for any ideas on how to identify what is behind these
TCP connections from the server to many computers!

Thank you in advance.

With best regards
Martynas
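Added example (not from the thread or any of its participants): a Python triage script that parses "netstat -ano" style output, keeps only connections owned by PID 4 (the Windows "System" process, which hosts kernel-mode components such as the SMB server and redirector, so netstat cannot name a user-mode image for it), and separates inbound from outbound sessions so the server-connects-to-many-clients pattern in the question stands out. The netstat sample, addresses and port numbers below are constructed.

```python
import re
from collections import defaultdict
SYSTEM_PID = "4"  # PID 4 is the Windows "System" process: kernel-mode code, no user-mode image

# Constructed sample of "netstat -ano" output (not from the thread); addresses are made up.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1045      192.168.1.21:139       ESTABLISHED     4
  TCP    192.168.1.10:1046      192.168.1.22:139       ESTABLISHED     4
  TCP    192.168.1.10:1047      192.168.1.23:139       ESTABLISHED     4
  TCP    192.168.1.10:139       192.168.1.50:1501      ESTABLISHED     4
  TCP    192.168.1.10:3389      192.168.1.60:1622      ESTABLISHED     1234
  UDP    0.0.0.0:137            *:*                                    4
"""
# proto, local addr:port, foreign addr:port, optional state (UDP rows have none), PID
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Turn netstat -ano text into connection dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, laddr, lport, raddr, rport, state, pid = m.groups()
            rows.append({"proto": proto, "local": laddr, "lport": lport, "remote": raddr,
                         "rport": rport, "state": state or "", "pid": pid})
    return rows

def summarize_system_connections(rows, pid=SYSTEM_PID):
    """Group ESTABLISHED TCP connections of `pid` into {(direction, service_port): {peers}}.
    Heuristic: a local port this PID LISTENs on means the peer connected to us (inbound);
    any other local port is ephemeral, so we initiated the connection (outbound)."""
    listening = {r["lport"] for r in rows
                 if r["pid"] == pid and r["proto"] == "TCP" and r["state"] == "LISTENING"}
    summary = defaultdict(set)
    for r in rows:
        if r["pid"] != pid or r["proto"] != "TCP" or r["state"] != "ESTABLISHED":
            continue
        if r["lport"] in listening:
            summary[("inbound", r["lport"])].add(r["remote"])
        else:
            summary[("outbound", r["rport"])].add(r["remote"])
    return dict(summary)

def outbound_fan_out(summary, min_hosts=2):
    """[(remote_port, peer_count)] for outbound groups reaching >= min_hosts machines:
    the server-connects-to-many-clients pattern the original question describes."""
    return sorted((port, len(peers)) for (direction, port), peers in summary.items()
                  if direction == "outbound" and len(peers) >= min_hosts)
```

Run it against saved "netstat -ano" output from the server; an outbound group on port 139 or 445 fanning out to many peers tells you which sessions to capture with a sniffer, as the reply above suggests.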

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------