• Status: Solved
Reading TCPView

Hi

I have just installed and run Microsoft's TCPView. How do I tell if I have anything malicious and which remote addresses I should worry about?
Asked by George-

3 Solutions

Paul MacDonald (Director, Information Systems) commented:
There's no way to tell.  What you need to know is what applications/services are running on your computer and what you expect them to connect to.  If you see an application or connection that you don't expect, you need to investigate further.

George- (Author) commented:
so what is the process to investigate it?

Paul MacDonald (Director, Information Systems) commented:
Depends.  If you see a connection to a service/application/port you don't recognize, you try to pin down what that service/application/port is and whether or not it's legit.  You can always kill a process or connection from within TCPView and see what that affects.

NETSTAT will give you information on applications and ports as well.

George- (Author) commented:
An example is:

System      4      TCP      computer.domain.local      pptp scanner19.sp11.qualys.com 44500      CLOSE_WAIT

The question is how to track down if it is legit?

Joseph Daly commented:
If you see computers connecting to strange IPs then you can do a whois on that IP and see if it comes up with anything.

I can tell you that qualys.com is more than likely legit as they are a security scanning company.

Joseph Daly commented:
I find sorting by the remote address field helps with finding strange connections.

Paul MacDonald (Director, Information Systems) commented:
"The question is how to track down if it is legit?"

Presumably you'd know if a product or service on your computer was allowed to connect to qualys.com.  However...

...In your example, since qualys.com is a security services company, and since the URL has the word "scanner" in it, I'm guessing the connection was established by a Qualys product on your machine that scans for security vulnerabilities.  The company itself is well-known and reputable.  I'd wager that connection was nothing to worry about.  

Also, the first item in the row ("System") tells you what process launched the connection.  If you see a program running you think is malware, kill it (right-click and End Process).

George- (Author) commented:
Two others I'm not sure on are:

System      4      TCP      computer.domain.local      pptp      ns.km31515.keymachine.de      58116      CLOSE_WAIT

System      4      TCP      computer.domain.local      pptp      host-92-21-175-183.as13285.net      26874      ESTABLISHED      4      76      3      52

Joseph Daly commented:
In TCPView, if you right-click the connection you think is strange you should have the option of a whois lookup. This should tell you more about what company it is.

Paul MacDonald (Director, Information Systems) commented:
A quick Google search shows keymachine.de to be shady.  Since there's a PPTP connection, either you're connected to them or they're connected to you.  Either way sounds bad to me.

as13285.net looks like it's owned by an ISP in Great Britain.  Again, it looks like a PPTP connection, which worries me.  I'd kill that one too, unless you're sure it's legit.

...and get a good malware scanner/remover.

Joseph Daly commented:
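The triage Paul and Joseph describe, applied to the three rows George pasted: this is an added Python example, not code from the original thread or from TCPView. It parses the rows, maps the local service name back to a port number, sorts by remote address as Joseph suggests, and reports PPTP sessions from hosts outside a constructed allow-list (qualys.com is the one vendor the thread treats as expected).

```python
# Well-known service names as TCPView prints them in the local-port column.
# Only the entries needed here; extend from the Windows "services" file.
SERVICE_PORTS = {"pptp": 1723, "http": 80, "https": 443, "microsoft-ds": 445}

# Constructed allow-list of remote domains this server is expected to talk to.
ALLOWED_SUFFIXES = ("qualys.com",)

# Constructed copy of the rows pasted in the thread (process, PID, protocol,
# local address, local port, remote address, remote port, state, counters).
SAMPLE_ROWS = """
System  4  TCP  computer.domain.local  pptp  scanner19.sp11.qualys.com  44500  CLOSE_WAIT
System  4  TCP  computer.domain.local  pptp  ns.km31515.keymachine.de  58116  CLOSE_WAIT
System  4  TCP  computer.domain.local  pptp  host-92-21-175-183.as13285.net  26874  ESTABLISHED  4  76  3  52
"""

def port_number(token):
    """TCPView shows service names for well-known ports; map back to a number."""
    return int(token) if token.isdigit() else SERVICE_PORTS.get(token, token)

def parse_row(line):
    """Split one TCPView row into a dict; returns None for blank or short lines."""
    parts = line.split()
    if len(parts) < 8:
        return None
    proc, pid, proto, laddr, lport, raddr, rport, state = parts[:8]
    return {
        "process": proc, "pid": int(pid), "proto": proto,
        "local_addr": laddr, "local_port": port_number(lport),
        "remote_addr": raddr, "remote_port": int(rport), "state": state,
    }

def is_allowed(host):
    """True when the remote host is, or is under, an allow-listed domain."""
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)

def triage(text):
    """Parse every row, mark whether the peer is expected, sort by remote address."""
    rows = [r for r in (parse_row(l) for l in text.splitlines()) if r]
    for r in rows:
        r["expected"] = is_allowed(r["remote_addr"])
    return sorted(rows, key=lambda r: r["remote_addr"])

def suspicious_pptp(text):
    """Remote hosts holding a PPTP (1723) session that are not on the allow-list."""
    return [r["remote_addr"] for r in triage(text)
            if r["local_port"] == 1723 and not r["expected"]]

if __name__ == "__main__":
    for row in triage(SAMPLE_ROWS):
        print(row["remote_addr"], row["state"], "expected" if row["expected"] else "CHECK")
```

Each flagged host is then a candidate for the whois lookup and the RRAS check discussed later in the thread.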
Seems like bad connections

Keymachine.de is a major automated spam bot network based out of Germany, these hackers and professional web spammers are into just ...

arnold commented:
Does your system have PPTP services enabled, as paulmacd pointed out?
The first thing you have to define is what this system does. If it is a desktop/workstation and there are no open applications, the following connections could be seen and are normal:
connections from Adobe, Symantec, Oracle Java, etc. that run as services and check for updates.
If you have a process that is not one from a known vendor on your system and is establishing an outgoing connection, these are the types of process you should investigate. sysinternals.com has Process Explorer and Process Monitor, which can help in determining the issue.

George- (Author) commented:
Yes, it's an SBS2011 server with RRAS, which uses PPTP.
I have just run Malwarebytes short scan and that only found one false positive.

Paul MacDonald (Director, Information Systems) commented:
Try SpyBot Search and Destroy, and maybe HijackThis.

Can you see people connected from keymachine.de or as13285.net in RRAS?  Could these be legitimate connections?  If not, boot them, block them, and see what credentials they were using to connect with.  Bear in mind those connections may have been attempts, not actual connections.

George- (Author) commented:
I am the only Remote Access Client showing in RRAS.

Paul MacDonald (Director, Information Systems) commented:
Okay.  It may be they were just sniffing around for a way in.  Check again periodically to see if they've quit.

George- (Author) commented:
OK, so maybe Windows updates, reboot and re-scan?

Paul MacDonald (Director, Information Systems) commented:
Yes.