Netstat and listening ports

Ken Levy · Feb 6, 2004

I ran the netstat -a on one of my Win2000 Pro machines and found the
following "listening" ports . . .

Proto Local Address Foreign Address State
TCP SATHOST1:daytime SATHOST1:0 LISTENING
TCP SATHOST1:ftp SATHOST1:0 LISTENING
TCP SATHOST1:time SATHOST1:0 LISTENING
TCP SATHOST1:epmap SATHOST1:0 LISTENING
TCP SATHOST1:microsoft-ds SATHOST1:0 LISTENING
TCP SATHOST1:1027 SATHOST1:0 LISTENING
TCP SATHOST1:1028 SATHOST1:0 LISTENING
TCP SATHOST1:1032 SATHOST1:0 LISTENING
TCP SATHOST1:1036 SATHOST1:0 LISTENING
TCP SATHOST1:1038 SATHOST1:0 LISTENING
TCP SATHOST1:1089 SATHOST1:0 LISTENING
TCP SATHOST1:1124 SATHOST1:0 LISTENING
TCP SATHOST1:1801 SATHOST1:0 LISTENING
TCP SATHOST1:2103 SATHOST1:0 LISTENING
TCP SATHOST1:2105 SATHOST1:0 LISTENING
TCP SATHOST1:2107 SATHOST1:0 LISTENING
TCP SATHOST1:3372 SATHOST1:0 LISTENING
TCP SATHOST1:5800 SATHOST1:0 LISTENING
TCP SATHOST1:5900 SATHOST1:0 LISTENING
TCP SATHOST1:1371 SATHOST1:0 LISTENING
TCP SATHOST1:8162 SATHOST1:0 LISTENING
TCP SATHOST1:1115 SATHOST1:0 LISTENING
TCP SATHOST1:1196 SATHOST1:0 LISTENING

If this were a WinXP system, I could use the -o option to get the processid
of the listeners, but this is Win2000.

Can anyone tell me if there is a way to track back to the apps? I am
concerned as to whether this machine is infected with a virus or trojan
horse (although Norton A/V claims the machine is "clean").

TIA.

Please post any replies to the Newsgroup.

Danny Slye - [MSFT} · Feb 6, 2004

Best bet is to use tcpview from www.sysinternals.com to see the process
listening on the port. What you will most likely find are normal Windows
services are opening the ports, lsass, winlogon,dfs, etc. This netstat
output looks pretty normal, actually.

--------------------

I ran the netstat -a on one of my Win2000 Pro machines and found the
following "listening" ports . . .

Proto Local Address Foreign Address State
TCP SATHOST1:daytime SATHOST1:0 LISTENING
TCP SATHOST1:ftp SATHOST1:0 LISTENING
TCP SATHOST1:time SATHOST1:0 LISTENING
TCP SATHOST1:epmap SATHOST1:0 LISTENING
TCP SATHOST1:microsoft-ds SATHOST1:0 LISTENING
TCP SATHOST1:1027 SATHOST1:0 LISTENING
TCP SATHOST1:1028 SATHOST1:0 LISTENING
TCP SATHOST1:1032 SATHOST1:0 LISTENING
TCP SATHOST1:1036 SATHOST1:0 LISTENING
TCP SATHOST1:1038 SATHOST1:0 LISTENING
TCP SATHOST1:1089 SATHOST1:0 LISTENING
TCP SATHOST1:1124 SATHOST1:0 LISTENING
TCP SATHOST1:1801 SATHOST1:0 LISTENING
TCP SATHOST1:2103 SATHOST1:0 LISTENING
TCP SATHOST1:2105 SATHOST1:0 LISTENING
TCP SATHOST1:2107 SATHOST1:0 LISTENING
TCP SATHOST1:3372 SATHOST1:0 LISTENING
TCP SATHOST1:5800 SATHOST1:0 LISTENING
TCP SATHOST1:5900 SATHOST1:0 LISTENING
TCP SATHOST1:1371 SATHOST1:0 LISTENING
TCP SATHOST1:8162 SATHOST1:0 LISTENING
TCP SATHOST1:1115 SATHOST1:0 LISTENING
TCP SATHOST1:1196 SATHOST1:0 LISTENING

If this were a WinXP system, I could use the -o option to get the processid
of the listeners, but this is Win2000.

Can anyone tell me if there is a way to track back to the apps? I am
concerned as to whether this machine is infected with a virus or trojan
horse (although Norton A/V claims the machine is "clean").

TIA.

Please post any replies to the Newsgroup.

__
Danny Slye
Microsoft Support Professional
MCSE

This posting is provided "AS IS" with no warranties and confers no rights.
Please reply to the newsgroup so that others may benefit. Thanks!

Netstat and listening ports

Ken Levy

Danny Slye - [MSFT}