Solved

Win7: netstat -o results: can you explain? odd connections

Posted on 2015-01-28
8
266 Views
Last Modified: 2015-02-03
Hello Experts,

Most mornings, after boot up, I open cmd and run netstat -o.
I have no processes running at boot (expect Kaspersky).
My host name is donna.

Below netstat -o results
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1030         donna:5354             ESTABLISHED     1736 (AppleMobileDeviceService.exe)
  TCP    127.0.0.1:1031         donna:5354             ESTABLISHED     1736
  TCP    127.0.0.1:1032         donna:27015            ESTABLISHED     2104 (iTunesHelper.exe)
  TCP    127.0.0.1:5354         donna:1030             ESTABLISHED     1964 (mDNSResponder.exe - Bonjour Service)
  TCP    127.0.0.1:5354         donna:1031             ESTABLISHED     1964
  TCP    127.0.0.1:27015        donna:1032             ESTABLISHED     1736
  TCP    192.168.1.116:1036     a23-66-136-154:http    ESTABLISHED     1172 (NETWORK SERVICE - Host process for win services
  TCP    192.168.1.116:1037     COX-66-210-41-10-static:http  ESTABLISHED     1172
  TCP    192.168.1.116:1039     COX-66-210-41-16-static:http  ESTABLISHED     1172
  TCP    192.168.1.116:1072     38.117.98.212:http     ESTABLISHED     1572 (Kaspersky)

  Then, I wait a few min, run the command again and get: 
  
C:\>netstat -o
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1030         donna:5354             ESTABLISHED     1736
  TCP    127.0.0.1:1031         donna:5354             ESTABLISHED     1736
  TCP    127.0.0.1:1032         donna:27015            ESTABLISHED     2104
  TCP    127.0.0.1:5354         donna:1030             ESTABLISHED     1964
  TCP    127.0.0.1:5354         donna:1031             ESTABLISHED     1964
  TCP    127.0.0.1:27015        donna:1032             ESTABLISHED     1736
  TCP    192.168.1.116:1072     38.117.98.212:http     CLOSE_WAIT      1572
  TCP    192.168.1.116:1134     38.117.98.199:http     ESTABLISHED     2712 (no PID with this number - displaying processes from all usrs)

Open in new window


Then, I go my linux machine and search for the IP address with no PID and get:

[user1@test ~]$ whois 38.117.98.199

PSINet, Inc. COGENT-A (NET-38-0-0-0-1) 38.0.0.0 - 38.255.255.255
PSINet, Inc. COGENT-NB-0002 (NET-38-112-0-0-1) 38.112.0.0 - 38.119.255.255

Open in new window


I search the web and find PSINet is owned by Cogent Communications.

Questions:
1. What are these, any ideas why they have Established connection to my host:
a23-66-136-154:http
COX-66-210-41-10-static:http
COX-66-210-41-16-static:http

(Cox communications is my ISP; but why do they have an active communications to my host?)

2. what is this process, any ideas why does it have Established connection to my host?
38.117.98.199:http

I have no apps, browsers or anything active on this host.

Thanks for your help.
0
Comment
Question by:epifanio67
8 Comments
 
LVL 12

Accepted Solution

by:
FarWest earned 125 total points
Comment Utility
is your isp /or router lan address set as a gateway for your host NIC,
if yes remove it and use browser proxy setting instead
0
 
LVL 8

Assisted Solution

by:nader alkahtani
nader alkahtani earned 125 total points
Comment Utility
With run as an administrator issue the following
Netstat  -a -n -o -b
This command will tell you about all ports and process... Etc
Then Google it with malware word
0
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 125 total points
Comment Utility
from the linux machine, do a wget of each (one at a time) and inspect the downloaded file.
0
 
LVL 11

Expert Comment

by:naderz
Comment Utility
do you have anti-virus running? Kaspersky?
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 

Author Comment

by:epifanio67
Comment Utility
Thank you Experts,

"is your isp /or router lan address set as a gateway for your host NIC?"
the router default address is set as gateway, yes...

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.116(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, January 28, 2015 5:24:19 AM
   Lease Expires . . . . . . . . . . : Thursday, January 29, 2015 5:24:19 AM
   Default Gateway . . . . . . . . . : 192.168.1.1

This is the only way I know how to add default access to the internet to a host...  

----

I ran the suggested command, but get an odd msg:

C:\>netstat -a -n -o -b
The requested operation requires elevation.

I am logged in as administrator...

never seen this msg before

------

I do have an anti-virus running.. Kaspersky... its PID and established address is ok is clear and verifiable..

------

Thank you for your help, any other suggestions?

Regards
0
 
LVL 8

Expert Comment

by:nader alkahtani
Comment Utility
You had better use x-netstat to monitor all Network  traffic that establishes with your machine and all process and program related https://www.freshsoftware.com/xns/pro/
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 125 total points
Comment Utility
Even though you are logged on as Administrator, when you go to run cmd.exe, you still need to select "Run as Administrator."
0
 

Author Closing Comment

by:epifanio67
Comment Utility
thank you for your help..
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Read about achieving the basic levels of HRIS security in the workplace.
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now