Solved

Reading TCPView

Posted on 2013-01-29
18
844 Views
Last Modified: 2013-01-31
Hi

I have just installed and run Microsoft's TCPView. How do I tell if I have anything malicious, and which remote addresses should I worry about?
0
Question by:George-
18 Comments
 
LVL 33

Expert Comment

by:paulmacd
ID: 38831835
There's no way to tell.  What you need to know is what applications/services are running on your computer and what you expect them to connect to.  If you see an application or connection that you don't expect, you need to investigate further.
0
 
LVL 1

Author Comment

by:George-
ID: 38831862
So what is the process to investigate it?
0
 
LVL 33

Expert Comment

by:paulmacd
ID: 38831896
Depends.  If you see a connection to a service/application/port you don't recognize, you try to pin down what that service/application/port is and whether or not it's legit.  You can always kill a process or connection from within TCPView and see what that affects.

NETSTAT will give you information on applications and ports as well.
0
 
LVL 1

Author Comment

by:George-
ID: 38832012
An example is:

System      4      TCP      computer.domain.local      pptp      scanner19.sp11.qualys.com      44500      CLOSE_WAIT

The question is how to track down whether it is legit?
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 38832064
If you see computers connecting to strange IPs then you can do a whois on that IP and see if it comes up with anything.

I can tell you that qualys.com is more than likely legit as they are a security scanning company.
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 38832068
I find sorting by the remote address field helps with finding strange connections.
0
 
LVL 33

Expert Comment

by:paulmacd
ID: 38832073
"The questions is how to track down if it is legit?"

Presumably you'd know if a product or service on your computer was allowed to connect to qualys.com.  However...

...In your example, since qualys.com is a security services company, and since the URL has the word "scanner" in it, I'm guessing the connection was established by a Qualys product on your machine that scans for security vulnerabilities.  The company itself is well-known and reputable.  I'd wager that connection was nothing to worry about.  

Also, the first item in the row ("System") tells you what process launched the connection.  If you see a program running you think is malware, kill it (right-click and End Process).
0
 
LVL 1

Author Comment

by:George-
ID: 38832078
Two others I'm not sure on are:

System      4      TCP      computer.domain.local      pptp      ns.km31515.keymachine.de      58116      CLOSE_WAIT

System      4      TCP      computer.domain.local      pptp      host-92-21-175-183.as13285.net      26874      ESTABLISHED      4      76      3      52
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 38832089
In TCPView, if you right-click the connection you think is strange you should have the option of a whois lookup. This should tell you more about what company it is.
0
 
LVL 33

Expert Comment

by:paulmacd
ID: 38832101
A quick Google search shows keymachine.de to be shady.  Since there's a PPTP connection, either you're connected to them or they're connected to you.  Either way sounds bad to me.

as13285.net looks like it's owned by an ISP in Great Britain.  Again, it looks like a PPTP connection, which worries me.  I'd kill that one too, unless you're sure it's legit.

...and get a good malware scanner/remover.
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 38832122
Seems like bad connections

Keymachine.de is a major automated spam bot network based out of Germany, these hackers and professional web spammers are into just ...
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 166 total points
ID: 38832273
Does your system have PPTP services enabled, as paulmacd pointed out?
The first thing you have to define is what this system does. If it is a desktop/workstation and there are no open applications, the following connections could be seen and are normal:
connections from Adobe, Symantec, Oracle Java, etc. that run as services and check for updates.
If you have a process that is not one from a known vendor on your system and is establishing an outgoing connection, these types of processes you should investigate. sysinternals.com has Process Explorer and Process Monitor that can help in determining the issue.
0
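A worked example added by the editor (not posted by anyone in this thread) that mechanises what paulmacd, Joseph Daly and arnold describe: parse `netstat -ano` style output, attach process names from `tasklist`, confirm whether anything is actually listening on the PPTP port (TCP 1723), and list the connections with non-internal peers sorted by remote address. The netstat lines and the PID-to-image map are constructed for the example; the two public peer addresses are from the RFC 5737 documentation ranges, not real hosts. "Internal" is defined here as RFC 1918, loopback, link-local and IPv6 ULA space, which is an assumption you would adjust for a site that uses other ranges.

```python
import ipaddress
from collections import namedtuple

# Constructed sample of `netstat -ano` on a Windows host running RRAS, where the
# System process (PID 4) owns the PPTP listener on TCP 1723. Not captured output.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1723      203.0.113.45:26874     ESTABLISHED     4
  TCP    192.168.1.10:1723      198.51.100.9:58116     CLOSE_WAIT      4
  TCP    192.168.1.10:49710     192.168.1.20:445       ESTABLISHED     4
  TCP    127.0.0.1:49711        127.0.0.1:49712        ESTABLISHED     2816
  TCP    [::]:135               [::]:0                 LISTENING       820
  UDP    0.0.0.0:123            *:*                                    1044
"""

# Constructed PID -> image name map standing in for `tasklist /fo csv` output.
SAMPLE_TASKLIST = {4: "System", 820: "svchost.exe", 1044: "svchost.exe", 2816: "sqlservr.exe"}

# Assumption: these ranges are "internal"; extend for your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "::1/128",                          # loopback
    "169.254.0.0/16", "fe80::/10",                     # link-local
    "fc00::/7",                                        # IPv6 unique local
)]

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")


def split_endpoint(ep):
    """Split 'ip:port', '[ipv6]:port' or '*:*' into (ip, port-or-None)."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse the TCP/UDP rows of `netstat -ano`; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        # UDP rows have no State column, so the PID is always the last field.
        state = parts[3] if len(parts) == 5 else ""
        lip, lport = split_endpoint(parts[1])
        rip, rport = split_endpoint(parts[2])
        conns.append(Conn(parts[0], lip, lport, rip, rport, state, int(parts[-1])))
    return conns


def classify_remote(ip):
    """'none' for a listener/unbound peer, 'internal' for our own ranges, else 'external'."""
    if ip in ("*", "0.0.0.0", "::"):
        return "none"
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def pids_listening_on(conns, port):
    """Which PIDs hold a listener on `port`? Empty list means the service is not exposed."""
    return sorted({c.pid for c in conns if c.state == "LISTENING" and c.local_port == port})


def triage(conns, pid_names, expected_listeners=frozenset()):
    """Return (reason, conn, image) for listeners you did not expect and for any
    connection whose peer is outside the internal ranges, sorted by remote address
    so repeat visitors line up next to each other."""
    findings = []
    for c in conns:
        image = pid_names.get(c.pid, "?")
        if c.state == "LISTENING":
            if c.local_port not in expected_listeners:
                findings.append(("unexpected-listener", c, image))
        elif classify_remote(c.remote_ip) == "external":
            findings.append(("external-peer", c, image))
    findings.sort(key=lambda f: (f[1].remote_ip, f[1].remote_port or 0))
    return findings


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("PPTP (1723) listener PIDs:", pids_listening_on(conns, 1723))
    for reason, c, image in triage(conns, SAMPLE_TASKLIST, expected_listeners={135, 1723}):
        print(f"{reason:20} {image:12} pid={c.pid:<5} {c.remote_ip}:{c.remote_port} {c.state}")
```

On a real server you would feed it `netstat -ano` output and the PID/image pairs from `tasklist` instead of the constructed samples; a CLOSE_WAIT row from an external peer on the PPTP port is exactly the sort of entry the thread is discussing, and the whois step (TCPView's right-click lookup) is the next thing to do with each remote address the triage prints.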
 
LVL 1

Author Comment

by:George-
ID: 38832330
Yes, it's an SBS 2011 server with RRAS, which uses PPTP.
I have just run Malwarebytes short scan and that only found one false positive.
0
 
LVL 33

Accepted Solution

by:paulmacd
paulmacd earned 334 total points
ID: 38832348
Try SpyBot Search and Destroy, and maybe HijackThis.

Can you see people connected from keymachine.de or as13285.net in RRAS?  Could these be legitimate connections?  If not, boot them, block them, and see what credentials they were using to connect with.  Bear in mind those connections may have been attempts, not actual connections.
0
 
LVL 1

Author Comment

by:George-
ID: 38832381
I am the only Remote Access Client showing in RRAS.
0
 
LVL 33

Assisted Solution

by:paulmacd
paulmacd earned 334 total points
ID: 38832388
Okay.  It may be they were just sniffing around for a way in.  Check again periodically to see if they've quit.
0
 
LVL 1

Author Comment

by:George-
ID: 38832402
OK, so maybe Windows updates, reboot and re-scan?
0
 
LVL 33

Expert Comment

by:paulmacd
ID: 38839208
Yes.
0
