Solved

netstat enquiry

Posted on 2006-10-25
Last Modified: 2008-01-09
Hi,

When I run netstat, I have lots of these on my server (2000 server):

TCP My-Server:2944     202.160.215.123: nebios-ssn     SYN_SENT
TCP My-Server:2945     202.160.215.123: epmap     SYN_SENT
TCP My-Server:2846     202.160.215.123: mirosoft_ds     SYN_SENT
and lots more with the identical foreign address and running port numbers on the local address.

Q1. What do all these foreign addresses mean? netbios-ssn, epmap, microsoft_ds

Please help me.

Question by:mysticaljoey
13 Comments
 

Author Comment

by:mysticaljoey
ID: 17810251
How can I block ports 127, 138, 139 and 445 in Windows 2000 Server itself?

0
 
LVL 6

Expert Comment

by:Booda2us
ID: 17815887
Hello mysticaljoey, to block ports manually, right click on 'My Network Places', and select 'Properties' to open the 'Network Connections' folder. Right click on the connection you want and choose 'Properties'. Highlight the 'Internet Protocol (TCP/IP)' listing and choose 'Properties'. In the 'General' tab, click the 'Advanced' button. In the 'Advanced TCP/IP Settings' dialogue box that appears, choose 'Options', highlight 'TCP/IP filtering', and choose 'Properties'. The 'TCP/IP filtering' dialogue box appears. To block TCP, UDP, and IP ports, choose the 'Permit Only' option for each. Since you don't want to block all your ports, you need to add the ports you want to allow access. For a complete list of ports, go to: http://www.iana.org/assignments/port-numbers
Remember there are hundreds of ports used for internet, email, etc. Have you tried running 'netstat' with the "-r" switch? Might give you more info... I hope this helps... Booda2us
0
 

Author Comment

by:mysticaljoey
ID: 17817218

I have tried what you mentioned but it did not work, but I found another way to solve it using methods that experts here have mentioned before.
0

 

Author Comment

by:mysticaljoey
ID: 17817224
But I still don't understand what these are doing in my computer?
TCP My-Server:2944     202.160.215.123: nebios-ssn     SYN_SENT
TCP My-Server:2945     202.160.215.123: epmap     SYN_SENT
TCP My-Server:2846     202.160.215.123: mirosoft_ds     SYN_SENT

Please advise.
0
 
LVL 6

Expert Comment

by:Booda2us
ID: 17827142
Ping them... do a tracert and identify the source. Do a Google search on the entries individually and see what results you get.
0
 
LVL 2

Expert Comment

by:Jeffesmi
ID: 17827787
If 202.160.215.123 is the real IP address your netstat is listing, here is the http://www.arin.net/whois/ information:

OrgName:    Asia Pacific Network Information Centre
OrgID:      APNIC
Address:    PO Box 2131
City:       Milton
StateProv:  QLD
PostalCode: 4064
Country:    AU

ReferralServer: whois://whois.apnic.net

NetRange:   202.0.0.0 - 203.255.255.255
CIDR:       202.0.0.0/7
NetName:    APNIC-CIDR-BLK
NetHandle:  NET-202-0-0-0-1
Parent:    
NetType:    Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS-SEC.RIPE.NET
NameServer: DNS1.TELSTRA.NET
Comment:    This IP address range is not registered in the ARIN database.
Comment:    For details, refer to the APNIC Whois Database via
Comment:    WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment:    ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment:    for the Asia Pacific region. APNIC does not operate networks
Comment:    using this IP address range and is not able to investigate
Comment:    spam or abuse reports relating to these addresses. For more
Comment:    help, refer to http://www.apnic.net/info/faq/abuse
Comment:    
RegDate:    1994-04-05
Updated:    2005-05-20

OrgTechHandle: AWC12-ARIN
OrgTechName:   APNIC Whois Contact
OrgTechPhone:  +61 7 3858 3100
OrgTechEmail:  search-apnic-not-arin@apnic.net

# ARIN WHOIS database, last updated 2006-10-28 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Going to Singapore?!?!  Looks like problems.  Initially, I'd think that if they are email servers, that it's some type of DNS lookup, but:

I'm assuming that nebios-ssn is netbios-ssn and mirosoft_ds is microsoft_ds.

netbios-ssn (139): http://www.experts-exchange.com/Operating_Systems/Q_21003902.html
epmap (593): http://www.dslreports.com/forum/remark,8092073
microsoft_ds (445): http://episteme.arstechnica.com/eve/forums/a/tpc/f/99609816/m/4900916855

Most of the ports you've mentioned have some type of security issue.  The origination address is suspicious... unless you deal with Singapore. I'd be worried, and start taking a hard look at my servers.  If nothing else, make sure that the ports you've listed are blocked at your Internet router... unless you have multiple office connections via the Internet and run full virus and spyware scans on your servers.

Best Wishes,

Jeffery Smith
0
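As an added example (not part of any post in this thread): rows in SYN_SENT are connections the local machine itself opened and that have not been answered yet, so a run of them toward one foreign address on epmap, netbios-ssn and microsoft-ds is worth tallying. The Python below parses constructed `netstat` output (documentation-range addresses, hypothetical function names) and lists remote hosts that have several such unanswered attempts; it maps epmap to 135, as the Windows services file does.

```python
import re
from collections import defaultdict

# Names netstat shows without -n (Windows services file), mapped to TCP ports.
SERVICE_PORTS = {"epmap": 135, "netbios-ssn": 139, "microsoft-ds": 445}
WATCHED = set(SERVICE_PORTS.values())

ROW = re.compile(
    r"^\s*TCP\s+\S+:\d+\s+(?P<remote>\S+):(?P<rport>[\w-]+)\s+(?P<state>[A-Z_0-9]+)\s*$"
)

# Constructed sample output; addresses are from documentation ranges.
SAMPLE = """\
  Proto  Local Address      Foreign Address            State
  TCP    My-Server:80       198.51.100.7:51234         ESTABLISHED
  TCP    My-Server:2944     203.0.113.10:netbios-ssn   SYN_SENT
  TCP    My-Server:2945     203.0.113.10:epmap         SYN_SENT
  TCP    My-Server:2946     203.0.113.10:microsoft_ds  SYN_SENT
  TCP    My-Server:2950     203.0.113.10:445           SYN_SENT
  TCP    My-Server:3001     192.0.2.5:microsoft-ds     ESTABLISHED
  TCP    My-Server:3002     192.0.2.9:http             SYN_SENT
"""

def parse_netstat(text):
    """Yield (remote_host, remote_port_or_None, state) for each TCP row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, UDP rows, blank lines
        name = m.group("rport").lower().replace("_", "-")  # tolerate retyped names
        port = int(name) if name.isdigit() else SERVICE_PORTS.get(name)
        yield m.group("remote"), port, m.group("state")

def half_open_to_windows_ports(text, threshold=3):
    """Map remote host -> sorted watched ports it is being sent SYNs on,
    keeping only hosts with at least `threshold` SYN_SENT rows."""
    hits = defaultdict(list)
    for remote, port, state in parse_netstat(text):
        if state == "SYN_SENT" and port in WATCHED:
            hits[remote].append(port)
    return {r: sorted(p) for r, p in hits.items() if len(p) >= threshold}

if __name__ == "__main__":
    for remote, ports in half_open_to_windows_ports(SAMPLE).items():
        print(f"{remote}: {len(ports)} unanswered outbound attempts, ports {ports}")
```

Running `netstat -ano` on systems that support the `-o` switch adds the owning process ID to each row, which is the next thing to check for any host this reports.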
 
LVL 1

Expert Comment

by:BJHarris
ID: 17897293
Put a firewall before the network/computers in question and set up strict rules.
0
 

Author Comment

by:mysticaljoey
ID: 18091243
Hi,

How do I block null sessions on my W2K server?
0
 

Author Comment

by:mysticaljoey
ID: 18099622
Hi,

Yup, I have managed to block them using notes from rpcfg and ipsecpol plus changing restrictanonymous port to 2.

Regards
0
 
LVL 2

Expert Comment

by:Jeffesmi
ID: 18117856
Sorry,
 
For some reason, I never got an email ping on your question about blocking a null session.  Glad you got it fixed.

Best Wishes,

Jeffery Smith
0
 
LVL 6

Expert Comment

by:Booda2us
ID: 18343624
I'm glad I could help... Booda
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 19518855
PAQed with points refunded (500)

Computer101
EE Admin
0


Question has a verified solution.
