Win7: netstat -o results: can you explain? odd connections

Posted on 2015-01-28
Last Modified: 2015-02-03
Hello Experts,

Most mornings, after boot-up, I open cmd and run netstat -o.
I have no processes running at boot (except Kaspersky).
My host name is donna.

Below are the netstat -o results:
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1030         donna:5354             ESTABLISHED     1736 (AppleMobileDeviceService.exe)
  TCP    127.0.0.1:1031         donna:5354             ESTABLISHED     1736
  TCP    127.0.0.1:1032         donna:27015            ESTABLISHED     2104 (iTunesHelper.exe)
  TCP    127.0.0.1:5354         donna:1030             ESTABLISHED     1964 (mDNSResponder.exe - Bonjour Service)
  TCP    127.0.0.1:5354         donna:1031             ESTABLISHED     1964
  TCP    127.0.0.1:27015        donna:1032             ESTABLISHED     1736
  TCP    192.168.1.116:1036     a23-66-136-154:http    ESTABLISHED     1172 (NETWORK SERVICE - Host process for win services)
  TCP    192.168.1.116:1037     COX-66-210-41-10-static:http  ESTABLISHED     1172
  TCP    192.168.1.116:1039     COX-66-210-41-16-static:http  ESTABLISHED     1172
  TCP    192.168.1.116:1072     38.117.98.212:http     ESTABLISHED     1572 (Kaspersky)

Then, I wait a few minutes, run the command again and get:

C:\>netstat -o
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1030         donna:5354             ESTABLISHED     1736
  TCP    127.0.0.1:1031         donna:5354             ESTABLISHED     1736
  TCP    127.0.0.1:1032         donna:27015            ESTABLISHED     2104
  TCP    127.0.0.1:5354         donna:1030             ESTABLISHED     1964
  TCP    127.0.0.1:5354         donna:1031             ESTABLISHED     1964
  TCP    127.0.0.1:27015        donna:1032             ESTABLISHED     1736
  TCP    192.168.1.116:1072     38.117.98.212:http     CLOSE_WAIT      1572
  TCP    192.168.1.116:1134     38.117.98.199:http     ESTABLISHED     2712 (no PID with this number - displaying processes from all users)

Then, I go to my Linux machine and search for the IP address with no PID and get:

[user1@test ~]$ whois 38.117.98.199

PSINet, Inc. COGENT-A (NET-38-0-0-0-1) 38.0.0.0 - 38.255.255.255
PSINet, Inc. COGENT-NB-0002 (NET-38-112-0-0-1) 38.112.0.0 - 38.119.255.255

I search the web and find PSINet is owned by Cogent Communications.

Questions:
1. What are these? Any ideas why they have an established connection to my host:
a23-66-136-154:http
COX-66-210-41-10-static:http
COX-66-210-41-16-static:http

(Cox Communications is my ISP, but why do they have active communications with my host?)

2. What is this process? Any ideas why it has an established connection to my host?
38.117.98.199:http

I have no apps, browsers or anything active on this host.

Thanks for your help.
Question by:epifanio67
8 Comments
 
LVL 12

Accepted Solution

by:
FarWest earned 375 total points
ID: 40575454
Is your ISP or router LAN address set as a gateway for your host NIC?
If yes, remove it and use the browser proxy setting instead.
 
LVL 8

Assisted Solution

by:nader alkahtani
nader alkahtani earned 375 total points
ID: 40575502
Run as an administrator and issue the following:
netstat -a -n -o -b
This command will tell you about all ports and processes, etc.
Then Google it together with the word "malware".
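As an added example (not code from the question or from any of the answers), a Python script that does the cross-check suggested above systematically: it parses a `netstat -ano` snapshot and a `tasklist /fo csv` snapshot, ties every non-loopback connection to its owning process, and flags any PID that netstat reports but the task list does not know about, which is exactly the "no PID with this number" case in the question. Both snapshots embedded in the script are constructed, modelled on the asker's second netstat listing; the process names and memory figures are assumptions.

```python
# Added example, not from the original thread: correlate "netstat -ano" with
# "tasklist /fo csv" and flag external connections whose PID has no live process.
import csv
import io
import ipaddress

# Constructed sample modelled on the asker's second snapshot (numeric form).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1030         127.0.0.1:5354         ESTABLISHED     1736
  TCP    127.0.0.1:5354         127.0.0.1:1030         ESTABLISHED     1964
  TCP    192.168.1.116:1072     38.117.98.212:80       CLOSE_WAIT      1572
  TCP    192.168.1.116:1134     38.117.98.199:80       ESTABLISHED     2712
  UDP    0.0.0.0:5355           *:*                                    1172
"""
# Constructed sample of "tasklist /fo csv"; PID 2712 is deliberately absent.
TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"AppleMobileDeviceService.exe","1736","Services","0","6,120 K"
"mDNSResponder.exe","1964","Services","0","3,004 K"
"avp.exe","1572","Services","0","40,512 K"
"""

def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) for each socket line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] in ("TCP", "UDP"):
            state = parts[3] if len(parts) == 5 else ""  # UDP lines carry no state
            rows.append((parts[0], parts[1], parts[2], state, int(parts[-1])))
    return rows

def parse_tasklist(text):
    """Map PID -> image name from 'tasklist /fo csv' output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}

def is_external(addr):
    """True for a real remote peer; False for loopback, wildcard and '*:*'."""
    host = addr.rsplit(":", 1)[0].strip("[]")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # '*' or a hostname from plain "netstat -o"
        return host != "*"
    return not (ip.is_loopback or ip.is_unspecified)

def find_unowned(netstat_text, tasklist_text):
    """External connections whose PID does not appear in the task list."""
    procs = parse_tasklist(tasklist_text)
    return [(foreign, pid) for _, _, foreign, _, pid in parse_netstat(netstat_text)
            if is_external(foreign) and pid not in procs]
```

A PID that netstat shows but tasklist lacks usually means the process exited between the two commands (a short-lived updater or helper), so the flagged peer is what to look up, and the two snapshots should be taken back to back from an elevated prompt so the `-b` image names are available too.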
 
LVL 29

Assisted Solution

by:Jan Springer
Jan Springer earned 375 total points
ID: 40575690
From the Linux machine, do a wget of each (one at a time) and inspect the downloaded file.
 
LVL 11

Expert Comment

by:naderz
ID: 40576364
Do you have anti-virus running? Kaspersky?
 

Author Comment

by:epifanio67
ID: 40576410
Thank you Experts,

"Is your ISP or router LAN address set as a gateway for your host NIC?"
The router default address is set as the gateway, yes...

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.116(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, January 28, 2015 5:24:19 AM
   Lease Expires . . . . . . . . . . : Thursday, January 29, 2015 5:24:19 AM
   Default Gateway . . . . . . . . . : 192.168.1.1

This is the only way I know how to add default access to the internet to a host...

----

I ran the suggested command, but get an odd message:

C:\>netstat -a -n -o -b
The requested operation requires elevation.

I am logged in as administrator...

I've never seen this message before.

------

I do have an anti-virus running: Kaspersky. Its PID and established address are OK, clear and verifiable.

------

Thank you for your help, any other suggestions?

Regards
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 40576430
You had better use X-NetStat to monitor all network traffic established with your machine and all related processes and programs: https://www.freshsoftware.com/xns/pro/
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 375 total points
ID: 40576680
Even though you are logged on as Administrator, when you go to run cmd.exe, you still need to select "Run as Administrator."
 

Author Closing Comment

by:epifanio67
ID: 40587609
Thank you for your help.