Solved

how can I find out what is using port 443?

Posted on 2007-12-05
21
Medium Priority
2,518 Views
Last Modified: 2013-12-05
I have a Windows 2000 server that had IIS and Tomcat web server running on it. We don't think that either one of them is using port 443, yet when we telnet into port 443 on it, we telnet into Serv-U FTP server.
We uninstalled IIS on the server, because we didn't need it, and Serv-U was still running. I'm not sure what the process name is for Serv-U, so we can't end it or search for it.
Aside from shutting off Tomcat, how else can we verify what is launching Serv-U and whether we need it? We are worried that it might be from spyware, a rootkit, a virus, etc....
Does anyone have any suggestions on how we can proceed with finding out why it's there and whether we need it?
0
Comment
Question by:thecomputerdocs
21 Comments
 
LVL 16

Expert Comment

by:2PiFL
ID: 20416724

Run netstat -a from a command prompt and it will tell you what's using each port.
0
 
LVL 2

Expert Comment

by:deankas
ID: 20416772
Run netstat -ano and it will tell you what ports are being used. The o option will also tell you the PID.

Then open Task Manager, select the Processes tab, and from the "View" menu click "Select Columns" and make sure the PID (Process Identifier) box is checked. Now you can match the PID from netstat to the process PID in Task Manager to identify what process is using what ports.

Cheers.
0
 
LVL 2

Expert Comment

by:deankas
ID: 20416779
Run netstat -ano and it will tell you what ports are being used. The o option will also tell you the PID.

Then open Task Manager, select the Processes tab, and from the "View" menu click "Select Columns" and check that the PID (Process Identifier) box is ticked. Now you can match the PID from netstat to the process PID in Task Manager to identify what process is using what ports.

Cheers.
0
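The two comments above describe the same manual procedure: take the PID column from netstat and look it up in the process list. The script below is an added example (not from this thread or from any of the posters) that automates that join: it parses the text of `netstat -ano` and `tasklist`, answers "which process owns port 443", and then compares every listener against an allowlist of services you expect on the box, which is the triage step a defender actually wants. Both sample outputs are constructed for offline use; the PIDs, image names (including `ServUDaemon.exe`) and addresses are illustrative, not taken from the asker's server. It assumes the `-o` switch, which exists in netstat on Windows XP and later but not on Windows 2000, and `tasklist`, also XP and later.

```python
"""Join `netstat -ano` with `tasklist` to name the process behind each port.

Added example, not the thread's own code. On a live XP-or-later host run
    netstat -ano > netstat.txt
    tasklist    > tasklist.txt
and pass the file contents to the functions below. The text constants
here are constructed sample output; every PID, image name and address
in them is made up for demonstration.
"""
import re

# Constructed sample of `netstat -ano` output (illustrative values only).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1588
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       2044
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1912
  TCP    192.168.1.10:443       192.168.1.50:1045      ESTABLISHED     2044
  UDP    0.0.0.0:161            *:*                                    1244
"""

# Constructed sample of `tasklist` output (illustrative values only).
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         16 K
inetinfo.exe                  1588 Console                    0      9,812 K
tomcat.exe                    1912 Console                    0     41,220 K
ServUDaemon.exe               2044 Console                    0      3,508 K
snmp.exe                      1244 Console                    0      4,016 K
"""

# One tasklist row: image name (may contain spaces), PID, session, session#, memory.
TASKLIST_ROW = re.compile(r"^(.+?)\s+(\d+)\s+(\S+)\s+(\d+)\s+([\d,]+) K\s*$")


def parse_netstat(text):
    """Return [(proto, local_ip, local_port, state, pid)] for each socket row.

    UDP rows carry no State column, so state is '' for them. Local
    addresses are split on the last ':' so IPv6 forms like [::]:443 work.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank or banner line
        proto, local, pid = parts[0], parts[1], int(parts[-1])
        state = parts[3] if proto == "TCP" and len(parts) >= 5 else ""
        ip, _, port = local.rpartition(":")
        rows.append((proto, ip, int(port), state, pid))
    return rows


def parse_tasklist(text):
    """Return {pid: image_name} from `tasklist` output, skipping the header."""
    pid_to_image = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line)
        if m:
            pid_to_image[int(m.group(2))] = m.group(1).strip()
    return pid_to_image


def port_owners(netstat_text, tasklist_text, port):
    """Every socket bound to `port`, with the image name that owns it."""
    pid_to_image = parse_tasklist(tasklist_text)
    hits = []
    for proto, ip, lport, state, pid in parse_netstat(netstat_text):
        if lport == port:
            image = pid_to_image.get(pid, "<pid %d not in tasklist>" % pid)
            hits.append((proto, ip, state, pid, image))
    return hits


def listening_processes(netstat_text, tasklist_text):
    """{(proto, port): image} for every bound listener.

    TCP sockets count only in LISTENING state; every UDP bind counts,
    since UDP has no connection state to filter on.
    """
    pid_to_image = parse_tasklist(tasklist_text)
    result = {}
    for proto, _ip, port, state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and state != "LISTENING":
            continue
        result[(proto, port)] = pid_to_image.get(pid, "<pid %d not in tasklist>" % pid)
    return result


def unexpected_listeners(listeners, allowlist):
    """Listeners whose (proto, port) or owning image is not in `allowlist`.

    `allowlist` maps (proto, port) -> image you expect there; anything
    else (an unknown port, or a known port owned by the wrong binary)
    is returned for investigation.
    """
    return {key: image for key, image in listeners.items()
            if allowlist.get(key) != image}


if __name__ == "__main__":
    for hit in port_owners(NETSTAT_SAMPLE, TASKLIST_SAMPLE, 443):
        print("port 443:", hit)
    expected = {("TCP", 80): "inetinfo.exe", ("TCP", 8080): "tomcat.exe"}
    found = listening_processes(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for key, image in sorted(unexpected_listeners(found, expected).items()):
        print("unexpected listener %s/%d owned by %s" % (key[0], key[1], image))
```

With the constructed samples the allowlist check flags `TCP/443` (owned by `ServUDaemon.exe`) and `UDP/161` as unexpected. Once you have the PID, `netstat -b` (XP SP2 and later) prints the executable name directly, and `wmic process where processid=<PID> get ExecutablePath` gives the on-disk location, which answers the asker's follow-up about where the program lives.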
 
LVL 5

Author Comment

by:thecomputerdocs
ID: 20416954
Thanks...that's a good start. Any idea how I can find what or how that process is being launched?
0
 
LVL 5

Author Comment

by:thecomputerdocs
ID: 20416970
I tried the netstat -ano, and found out that there isn't an 'o' parameter available.
0
 
LVL 5

Author Comment

by:thecomputerdocs
ID: 20417036
I'm trying TCPView and Process Explorer. I'll let you know how that works out. Any other suggestions would be welcome.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 20436298
It's all right here:
http://www.iana.org/assignments/port-numbers

https           443/sctp   HTTPS
https           443/tcp    http protocol over TLS/SSL
https           443/udp    http protocol over TLS/SSL

Is this the type of information you were looking for?
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 20436308

From Technet:
1076
 A worker process with process id of '%1' serving application pool '%2' has requested a recycle because it reached its scheduled recycle time.
 
What is the source on this event ID?
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 20436313
OOPS, sorry:

Wrong post on my last.
0
 
LVL 5

Author Comment

by:thecomputerdocs
ID: 20446970
Thanks for the info. I'm trying to find out how the ServU ftp server program is being launched. It's using port 443. We also have a problem with the web pages being displayed for a few minutes. Then shortly, while we stay on the page, it says that there's a winsock error - due to ServU....strange, because our page is using port 80.
Any ideas? Thanks for your continued help with this...
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 20447106
Sounds like a missing DNS entry. Intermittent comms on port 80 usually means the DNS address for that machine is missing.

But the error says there's a winsock error. So, you might try a winsock fix. I don't remember the syntax. But, there is a command that will try and fix your winsock. I think it was winsock.exe /fix.

A third idea I have is the type of switch this is on. Intermittent comms and a winsock error can be caused by a dumb switch. Have you ever heard of spanning tree port fast?

A fourth idea I have is conflicting NICS. Dual NICS on the same machine can conflict if on the same subnet. It just confuses the heck out of the 'puter.

0
 
LVL 5

Author Comment

by:thecomputerdocs
ID: 20447376
They have a hub instead of a switch. We are replacing the switch tomorrow.
Do you know how we can find out how Serv-U is being launched? We, and our software vendors, don't have any idea where it's coming from or where it launched from.
We need to trace where it's originating from (file location) as well as how it's launched (hijack, or reg entry, etc....)
Thanks again for the help.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 20449922
Serv-U has a site of their own. Have you tried contacting them? Customer service should be able to help.

http://www.serv-u.com/

If you ask me, Serv-U requires FTP services. It sounds like you could be FTP'ing your mail to a remote location for mail relay. Is your mail zipped up, and sent on/off site by using the FTP services?
0
 
LVL 5

Author Comment

by:thecomputerdocs
ID: 20462059
Thanks for the advice, but that's not answering my question. The instance we have is with Serv-U, but I'd like to know, in general, if there's any way that we can trace where a process was being launched...
We've scoured all of the normal startup areas and cannot find it.
Is there a tool out there that will tell us where it was launched from?

0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 20464673
Did I understand you correctly? You already looked in the FTP logs and SMTP logs? Maybe try Event Viewer. If there were an error when passing traffic it could show up in Event Viewer; maybe the source of that error or the text of the error will provide some insight.

If all the above bears no fruit, you may have to do a real-time port monitor or traffic monitor. Something that monitors the IP address. With some software you can snag a packet of information and see what that packet says. Or, it will show you what computer is talking with the server at that time.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 20464705
0
 
LVL 5

Author Comment

by:thecomputerdocs
ID: 20638723
It's still not answering my question. Please reread. I'm trying to find where a process is being launched from.
0
 
LVL 39

Accepted Solution

by:
ChiefIT earned 2000 total points
ID: 20641821
You may have to resort to a network monitoring software as provided on this link:

http://www.experts-exchange.com/Networking/Network_Management/Auditing_Software/Q_22814932.html

Most network monitors will tell you the origination and destination as well as give you an opportunity to grab a packet or two to view the packet contents.

*****Software*****

Sniffer Pro - Investigator (approx $5000)
http://www.snifferpro.co.uk/

EtherPeek NX ($3500)
http://www.wildpackets.com/products/etherpeek_nx

Solarwinds Engineers Toolkit (price £688.00 sterling)
http://www.solarwinds.co.uk/products/engineers.htm

Network Probe 1.0.2  ($300.00)
http://www.objectplanet.com/probe/
Freeware Version http://www.objectplanet.com/software/43fh7y_Probe_32y8/Network_Probe_0.5-install.exe

OnLineEye (TRAILWARE)($15 to buy)
http://www.pmasoft.net/download.htm

NetStatLive from AnalogX (FREEWARE)
http://www.analogx.com/contents/download/network/nsl.htm

NetworkActiv Scanner 4.0  (FREEWARE)
http://www.networkactiv.com/Scanner.html

MRTG (Multi Router Traffic Grapher) (FREEWARE)
http://people.ee.ethz.ch/~oetiker/webtools/mrtg/users.html

IPERF (FREEWARE)
http://dast.nlanr.net/Projects/Iperf/

NetIQ (FREEWARE)
http://www.ixiacom.com/enterprise/Qcheck.php

Ethereal (FREEWARE) - Best for sniffing traffic in and out of an interface
http://www.ethereal.com/
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 21628175
Do you need further information?
0
