Win7: netstat -o results: can you explain? odd connections

Hello Experts,

Most mornings, after boot up, I open cmd and run netstat -o.
I have no processes running at boot (expect Kaspersky).
My host name is donna.

Below netstat -o results
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1030         donna:5354             ESTABLISHED     1736 (AppleMobileDeviceService.exe)
  TCP    127.0.0.1:1031         donna:5354             ESTABLISHED     1736
  TCP    127.0.0.1:1032         donna:27015            ESTABLISHED     2104 (iTunesHelper.exe)
  TCP    127.0.0.1:5354         donna:1030             ESTABLISHED     1964 (mDNSResponder.exe - Bonjour Service)
  TCP    127.0.0.1:5354         donna:1031             ESTABLISHED     1964
  TCP    127.0.0.1:27015        donna:1032             ESTABLISHED     1736
  TCP    192.168.1.116:1036     a23-66-136-154:http    ESTABLISHED     1172 (NETWORK SERVICE - Host process for win services
  TCP    192.168.1.116:1037     COX-66-210-41-10-static:http  ESTABLISHED     1172
  TCP    192.168.1.116:1039     COX-66-210-41-16-static:http  ESTABLISHED     1172
  TCP    192.168.1.116:1072     38.117.98.212:http     ESTABLISHED     1572 (Kaspersky)

  Then, I wait a few min, run the command again and get: 
  
C:\>netstat -o
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1030         donna:5354             ESTABLISHED     1736
  TCP    127.0.0.1:1031         donna:5354             ESTABLISHED     1736
  TCP    127.0.0.1:1032         donna:27015            ESTABLISHED     2104
  TCP    127.0.0.1:5354         donna:1030             ESTABLISHED     1964
  TCP    127.0.0.1:5354         donna:1031             ESTABLISHED     1964
  TCP    127.0.0.1:27015        donna:1032             ESTABLISHED     1736
  TCP    192.168.1.116:1072     38.117.98.212:http     CLOSE_WAIT      1572
  TCP    192.168.1.116:1134     38.117.98.199:http     ESTABLISHED     2712 (no PID with this number - displaying processes from all usrs)

Open in new window


Then, I go my linux machine and search for the IP address with no PID and get:

[user1@test ~]$ whois 38.117.98.199

PSINet, Inc. COGENT-A (NET-38-0-0-0-1) 38.0.0.0 - 38.255.255.255
PSINet, Inc. COGENT-NB-0002 (NET-38-112-0-0-1) 38.112.0.0 - 38.119.255.255

Open in new window


I search the web and find PSINet is owned by Cogent Communications.

Questions:
1. What are these, any ideas why they have Established connection to my host:
a23-66-136-154:http
COX-66-210-41-10-static:http
COX-66-210-41-16-static:http

(Cox communications is my ISP; but why do they have an active communications to my host?)

2. what is this process, any ideas why does it have Established connection to my host?
38.117.98.199:http

I have no apps, browsers or anything active on this host.

Thanks for your help.
epifanio67Asked:
Who is Participating?
 
FarWestCommented:
is your isp /or router lan address set as a gateway for your host NIC,
if yes remove it and use browser proxy setting instead
0
 
nader alkahtaniNetwork EngineerCommented:
With run as an administrator issue the following
Netstat  -a -n -o -b
This command will tell you about all ports and process... Etc
Then Google it with malware word
0
 
Jan SpringerCommented:
from the linux machine, do a wget of each (one at a time) and inspect the downloaded file.
0
The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

 
naderzCommented:
do you have anti-virus running? Kaspersky?
0
 
epifanio67Author Commented:
Thank you Experts,

"is your isp /or router lan address set as a gateway for your host NIC?"
the router default address is set as gateway, yes...

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.116(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, January 28, 2015 5:24:19 AM
   Lease Expires . . . . . . . . . . : Thursday, January 29, 2015 5:24:19 AM
   Default Gateway . . . . . . . . . : 192.168.1.1

This is the only way I know how to add default access to the internet to a host...  

----

I ran the suggested command, but get an odd msg:

C:\>netstat -a -n -o -b
The requested operation requires elevation.

I am logged in as administrator...

never seen this msg before

------

I do have an anti-virus running.. Kaspersky... its PID and established address is ok is clear and verifiable..

------

Thank you for your help, any other suggestions?

Regards
0
 
nader alkahtaniNetwork EngineerCommented:
You had better use x-netstat to monitor all Network  traffic that establishes with your machine and all process and program related https://www.freshsoftware.com/xns/pro/
0
 
giltjrCommented:
Even though you are logged on as Administrator, when you go to run cmd.exe, you still need to select "Run as Administrator."
0
 
epifanio67Author Commented:
thank you for your help..
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.