Solved

Win7: netstat -o results: can you explain? odd connections

Posted on 2015-01-28
8
302 Views
Last Modified: 2015-02-03
Hello Experts,

Most mornings, after boot up, I open cmd and run netstat -o.
I have no processes running at boot (expect Kaspersky).
My host name is donna.

Below netstat -o results
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1030         donna:5354             ESTABLISHED     1736 (AppleMobileDeviceService.exe)
  TCP    127.0.0.1:1031         donna:5354             ESTABLISHED     1736
  TCP    127.0.0.1:1032         donna:27015            ESTABLISHED     2104 (iTunesHelper.exe)
  TCP    127.0.0.1:5354         donna:1030             ESTABLISHED     1964 (mDNSResponder.exe - Bonjour Service)
  TCP    127.0.0.1:5354         donna:1031             ESTABLISHED     1964
  TCP    127.0.0.1:27015        donna:1032             ESTABLISHED     1736
  TCP    192.168.1.116:1036     a23-66-136-154:http    ESTABLISHED     1172 (NETWORK SERVICE - Host process for win services
  TCP    192.168.1.116:1037     COX-66-210-41-10-static:http  ESTABLISHED     1172
  TCP    192.168.1.116:1039     COX-66-210-41-16-static:http  ESTABLISHED     1172
  TCP    192.168.1.116:1072     38.117.98.212:http     ESTABLISHED     1572 (Kaspersky)

  Then, I wait a few min, run the command again and get: 
  
C:\>netstat -o
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1030         donna:5354             ESTABLISHED     1736
  TCP    127.0.0.1:1031         donna:5354             ESTABLISHED     1736
  TCP    127.0.0.1:1032         donna:27015            ESTABLISHED     2104
  TCP    127.0.0.1:5354         donna:1030             ESTABLISHED     1964
  TCP    127.0.0.1:5354         donna:1031             ESTABLISHED     1964
  TCP    127.0.0.1:27015        donna:1032             ESTABLISHED     1736
  TCP    192.168.1.116:1072     38.117.98.212:http     CLOSE_WAIT      1572
  TCP    192.168.1.116:1134     38.117.98.199:http     ESTABLISHED     2712 (no PID with this number - displaying processes from all usrs)

Open in new window


Then, I go my linux machine and search for the IP address with no PID and get:

[user1@test ~]$ whois 38.117.98.199

PSINet, Inc. COGENT-A (NET-38-0-0-0-1) 38.0.0.0 - 38.255.255.255
PSINet, Inc. COGENT-NB-0002 (NET-38-112-0-0-1) 38.112.0.0 - 38.119.255.255

Open in new window


I search the web and find PSINet is owned by Cogent Communications.

Questions:
1. What are these, any ideas why they have Established connection to my host:
a23-66-136-154:http
COX-66-210-41-10-static:http
COX-66-210-41-16-static:http

(Cox communications is my ISP; but why do they have an active communications to my host?)

2. what is this process, any ideas why does it have Established connection to my host?
38.117.98.199:http

I have no apps, browsers or anything active on this host.

Thanks for your help.
0
Comment
Question by:epifanio67
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 12

Accepted Solution

by:
FarWest earned 125 total points
ID: 40575454
is your isp /or router lan address set as a gateway for your host NIC,
if yes remove it and use browser proxy setting instead
0
 
LVL 8

Assisted Solution

by:nader alkahtani
nader alkahtani earned 125 total points
ID: 40575502
With run as an administrator issue the following
Netstat  -a -n -o -b
This command will tell you about all ports and process... Etc
Then Google it with malware word
0
 
LVL 29

Assisted Solution

by:Jan Springer
Jan Springer earned 125 total points
ID: 40575690
from the linux machine, do a wget of each (one at a time) and inspect the downloaded file.
0
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

 
LVL 11

Expert Comment

by:naderz
ID: 40576364
do you have anti-virus running? Kaspersky?
0
 

Author Comment

by:epifanio67
ID: 40576410
Thank you Experts,

"is your isp /or router lan address set as a gateway for your host NIC?"
the router default address is set as gateway, yes...

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.116(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, January 28, 2015 5:24:19 AM
   Lease Expires . . . . . . . . . . : Thursday, January 29, 2015 5:24:19 AM
   Default Gateway . . . . . . . . . : 192.168.1.1

This is the only way I know how to add default access to the internet to a host...  

----

I ran the suggested command, but get an odd msg:

C:\>netstat -a -n -o -b
The requested operation requires elevation.

I am logged in as administrator...

never seen this msg before

------

I do have an anti-virus running.. Kaspersky... its PID and established address is ok is clear and verifiable..

------

Thank you for your help, any other suggestions?

Regards
0
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 40576430
You had better use x-netstat to monitor all Network  traffic that establishes with your machine and all process and program related https://www.freshsoftware.com/xns/pro/
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 125 total points
ID: 40576680
Even though you are logged on as Administrator, when you go to run cmd.exe, you still need to select "Run as Administrator."
0
 

Author Closing Comment

by:epifanio67
ID: 40587609
thank you for your help..
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This program is used to assist in finding and resolving common problems with wireless connections.
This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses

631 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question