Solved

Reading TCPView

Posted on 2013-01-29
Last Modified: 2013-01-31
Hi

I have just installed and run Microsoft's TCPView. How do I tell if I have anything malicious and which remote addresses I should worry about?
Question by:George-
18 Comments
 

Expert Comment

by:Paul MacDonald
ID: 38831835
There's no way to tell.  What you need to know is what applications/services are running on your computer and what you expect them to connect to.  If you see an application or connection that you don't expect, you need to investigate further.

Author Comment

by:George-
ID: 38831862
So what is the process to investigate it?

Expert Comment

by:Paul MacDonald
ID: 38831896
Depends.  If you see a connection to a service/application/port you don't recognize, you try to pin down what that service/application/port is and whether or not it's legit.  You can always kill a process or connection from within TCPView and see what that affects.

NETSTAT will give you information on applications and ports as well.

Author Comment

by:George-
ID: 38832012
An example is:

Process  PID  Proto  Local Address          Local Port  Remote Address             Remote Port  State
System   4    TCP    computer.domain.local  pptp        scanner19.sp11.qualys.com  44500        CLOSE_WAIT

The question is how to track down if it is legit?

Expert Comment

by:Joseph Daly
ID: 38832064
If you see computers connecting to strange IPs then you can do a whois on that IP and see if it comes up with anything.

I can tell you that qualys.com is more than likely legit as they are a security scanning company.

Expert Comment

by:Joseph Daly
ID: 38832068
I find sorting by the remote address field helps with finding strange connections.

Expert Comment

by:Paul MacDonald
ID: 38832073
"The question is how to track down if it is legit?"

Presumably you'd know if a product or service on your computer was allowed to connect to qualys.com.  However...

...In your example, since qualys.com is a security services company, and since the URL has the word "scanner" in it, I'm guessing the connection was established by a Qualys product on your machine that scans for security vulnerabilities.  The company itself is well-known and reputable.  I'd wager that connection was nothing to worry about.  

Also, the first item in the row ("System") tells you what process launched the connection.  If you see a program running you think is malware, kill it (right-click and End Process).

Author Comment

by:George-
ID: 38832078
Two others I'm not sure on are:

Process  PID  Proto  Local Address          Local Port  Remote Address                  Remote Port  State        Sent Pkts  Sent Bytes  Rcvd Pkts  Rcvd Bytes
System   4    TCP    computer.domain.local  pptp        ns.km31515.keymachine.de        58116        CLOSE_WAIT
System   4    TCP    computer.domain.local  pptp        host-92-21-175-183.as13285.net  26874        ESTABLISHED  4          76          3          52

Expert Comment

by:Joseph Daly
ID: 38832089
In TCPView, if you right-click the connection you think is strange, you should have the option of a whois lookup. This should tell you more about what company it is.

Expert Comment

by:Paul MacDonald
ID: 38832101
A quick Google search shows keymachine.de to be shady.  Since there's a PPTP connection, either you're connected to them or they're connected to you.  Either way sounds bad to me.

as13285.net looks like it's owned by an ISP in Great Britain.  Again, it looks like a PPTP connection, which worries me.  I'd kill that one too, unless you're sure it's legit.

...and get a good malware scanner/remover.

Expert Comment

by:Joseph Daly
ID: 38832122
Seems like bad connections

Keymachine.de is a major automated spam bot network based out of Germany, these hackers and professional web spammers are into just ...

Assisted Solution

by:arnold
arnold earned 498 total points
ID: 38832273
Does your system have PPTP services enabled, as paulmacd pointed out?
The first thing you have to define is what this system does. If it is a desktop/workstation and there are no open applications, the following connections could be seen and are normal:
connections from Adobe, Symantec, Oracle Java, etc. that run as services and check for updates.
If you have a process on your system that is not from a known vendor and is establishing an outgoing connection, that is the type of process you should investigate. sysinternals.com has Process Explorer and Process Monitor, which can help in determining the issue.
 
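The investigative procedure the thread sketches (know what you expect to be running and where it connects, sort by remote address to spot the odd ones, treat connections owned by a process that is not from a known vendor as suspect, and whois the rest) can be scripted over a saved TCPView listing. The following is an added example, not code from the original page or from Sysinternals. It assumes TCPView's File > Save output is tab-separated, uses the three rows George posted plus one ordinary update-check row as a constructed sample, and the vendor, VPN-client and process allow-lists are placeholders to replace with what actually runs on your own box:

```python
"""Offline triage of a TCPView export.

Added example for the thread above, not a Sysinternals tool. The rows in
SAMPLE_EXPORT are constructed from the connections posted in the thread
plus one ordinary update-check connection. All allow-lists are assumptions.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample export. Columns: Process, PID, Protocol, Local Address,
# Local Port, Remote Address, Remote Port, State, then optional counters.
SAMPLE_EXPORT = """\
System\t4\tTCP\tcomputer.domain.local\tpptp\tscanner19.sp11.qualys.com\t44500\tCLOSE_WAIT
System\t4\tTCP\tcomputer.domain.local\tpptp\tns.km31515.keymachine.de\t58116\tCLOSE_WAIT
System\t4\tTCP\tcomputer.domain.local\tpptp\thost-92-21-175-183.as13285.net\t26874\tESTABLISHED\t4\t76\t3\t52
jusched.exe\t2204\tTCP\tcomputer.domain.local\t49672\tjavadl-esd-secure.oracle.com\thttps\tESTABLISHED
"""

# Assumed allow-lists; edit them for your environment.
KNOWN_VENDOR_SUFFIXES = ("qualys.com", "oracle.com", "adobe.com",
                         "symantec.com", "microsoft.com", "windowsupdate.com")
ALLOWED_PPTP_PEERS = ("vpn-client.example.net",)   # hypothetical VPN client host
KNOWN_PROCESSES = {"System", "svchost.exe", "lsass.exe", "jusched.exe"}


@dataclass
class Conn:
    process: str
    pid: int
    proto: str
    local_addr: str
    local_port: str
    remote_addr: str
    remote_port: str
    state: str


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    reason: str
    conn: Conn


def parse_export(text: str) -> List[Conn]:
    """Parse tab-separated TCPView rows; trailing counter columns are ignored."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("\t")
        if len(f) < 8:
            raise ValueError(f"malformed row: {line!r}")
        conns.append(Conn(f[0], int(f[1]), f[2], f[3], f[4], f[5], f[6], f[7]))
    return conns


def host_in(host: str, suffixes) -> bool:
    """True if host equals, or is a subdomain of, any listed suffix."""
    h = host.lower()
    return any(h == s or h.endswith("." + s) for s in suffixes)


def triage(conns: List[Conn]) -> List[Finding]:
    """Apply the thread's rules in order: unrecognised process, then expected
    vendor traffic, then PPTP peers that are not known VPN clients, then
    anything left over for a whois. Rows are sorted by remote address."""
    findings = []
    for c in sorted(conns, key=lambda x: x.remote_addr.lower()):
        if c.process not in KNOWN_PROCESSES:
            findings.append(Finding("high", "connection owned by an unrecognised process", c))
        elif host_in(c.remote_addr, KNOWN_VENDOR_SUFFIXES):
            continue  # update checks, scanners you run, etc.
        elif c.local_port in ("pptp", "1723"):
            if not host_in(c.remote_addr, ALLOWED_PPTP_PEERS):
                # CLOSE_WAIT with no counters is consistent with a mere attempt
                sev = "high" if c.state == "ESTABLISHED" else "medium"
                findings.append(Finding(sev, "PPTP peer is not an expected VPN client", c))
        else:
            findings.append(Finding("low", "remote host on no allow-list; whois it", c))
    return findings


if __name__ == "__main__":
    for f in triage(parse_export(SAMPLE_EXPORT)):
        c = f.conn
        print(f"[{f.severity:6}] {c.process}({c.pid}) {c.local_port} <- "
              f"{c.remote_addr}:{c.remote_port} {c.state}: {f.reason}")
```

Run against the sample, it skips the Qualys and Oracle rows and reports the keymachine.de and as13285.net peers on the PPTP port. Note that all three posted rows belong to System (PID 4), the kernel process that owns the RRAS PPTP listener, so there is no user-mode process to end from TCPView; the remedy is at the RRAS and firewall level, which is where the accepted answer goes next.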

Author Comment

by:George-
ID: 38832330
Yes, it's an SBS 2011 server with RRAS, which uses PPTP.
I have just run Malwarebytes short scan and that only found one false positive.

Accepted Solution

by:Paul MacDonald
Paul MacDonald earned 1002 total points
ID: 38832348
Try SpyBot Search and Destroy, and maybe HijackThis.

Can you see people connected from keymachine.de or as13285.net in RRAS?  Could these be legitimate connections?  If not, boot them, block them, and see what credentials they were using to connect with.  Bear in mind those connections may have been attempts, not actual connections.

Author Comment

by:George-
ID: 38832381
I am the only Remote Access Client showing in RRAS.

Assisted Solution

by:Paul MacDonald
Paul MacDonald earned 1002 total points
ID: 38832388
Okay.  It may be they were just sniffing around for a way in.  Check again periodically to see if they've quit.

Author Comment

by:George-
ID: 38832402
OK, so maybe Windows updates, reboot and re-scan?

Expert Comment

by:Paul MacDonald
ID: 38839208
Yes.