Netstat question

  • Thread starter Thread starter David Sherman
  • Start date Start date
D

David Sherman

Just from running netstat -n in a DOS box, I get the following:


TCP 192.168.1.3:1457 64.94.180.109:80 ESTABLISHED
TCP 192.168.1.3:1460 64.94.180.109:80 ESTABLISHED
TCP 192.168.1.3:1748 64.94.180.109:80 ESTABLISHED
TCP 192.168.1.3:2046 64.94.180.109:80 ESTABLISHED
TCP 192.168.1.3:2049 64.94.180.109:80 ESTABLISHED


Other then rebooting my machine, is there a free program that will
remove these connections?

thanks



WhoIs Lookup performed by Karen's WhoIs
http://www.karenware.com/


OrgName: Internap Network Services
OrgID: PNAP
Address: 250 Williams Street
Address: Suite E100
City: Atlanta
StateProv: GA
PostalCode: 30303
Country: US

NetRange: 64.94.0.0 - 64.95.255.255
CIDR: 64.94.0.0/15
NetName: PNAP-05-2000
NetHandle: NET-64-94-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.PNAP.NET
NameServer: NS2.PNAP.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2000-06-05
Updated: 2002-06-17

TechHandle: INO3-ARIN
TechName: InterNap Network Operations Center
TechPhone: +1-877-843-4662
TechEmail: (e-mail address removed)

OrgAbuseHandle: IAC3-ARIN
OrgAbuseName: Internap Abuse Contact
OrgAbusePhone: +1-206-256-9500
OrgAbuseEmail: (e-mail address removed)

OrgTechHandle: INO3-ARIN
OrgTechName: InterNap Network Operations Center
OrgTechPhone: +1-877-843-4662
OrgTechEmail: (e-mail address removed)

OrgName: Radianz
OrgID: RADIAN-22
Address: 492 River Rd.
City: Nutley
StateProv: NJ
PostalCode: 07110
Country: US

NetRange: 64.94.180.0 - 64.94.181.255
CIDR: 64.94.180.0/23
NetName: PNAP-NYM-RADIAN-RM-01
NetHandle: NET-64-94-180-0-1
Parent: NET-64-94-0-0-1
NetType: Reassigned
Comment:
RegDate: 2001-10-01
Updated: 2001-10-01

TechHandle: MN457-ARIN
TechName: Najarian, Michael
TechPhone: +1-973-662-2959
TechEmail: (e-mail address removed)

# ARIN WHOIS database, last updated 2005-06-29 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
 
Use a program like "Active Ports" to determine which process is creating
these connections, and then close it.

Matt Gibson - GSEC
 
From: "David Sherman" <[email protected]>

| Just from running netstat -n in a DOS box, I get the following:
|
| TCP 192.168.1.3:1457 64.94.180.109:80 ESTABLISHED
| TCP 192.168.1.3:1460 64.94.180.109:80 ESTABLISHED
| TCP 192.168.1.3:1748 64.94.180.109:80 ESTABLISHED
| TCP 192.168.1.3:2046 64.94.180.109:80 ESTABLISHED
| TCP 192.168.1.3:2049 64.94.180.109:80 ESTABLISHED
|
| Other then rebooting my machine, is there a free program that will
| remove these connections?
|
| thanks

Download the free dynamic GUI utility TCPVIEW from Sysinternals
http://www.sysinternals.com/Utilities/TcpView.html

It will hopefully identify the utility making the connection.


In case it is malware, perform the following...

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
viruses and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
through your FireWall to allow them to download the needed AV vendor related files.

* * * Please report back your results * * *
 
Active Ports doesn't work.

Just curious what you mean by doesn't work...Doesn't work for this
situation, or doesn't work period.

Matt Gibson - GSEC
 
From: "David Sherman" <[email protected]>

| Just from running netstat -n in a DOS box, I get the following:
|
| TCP 192.168.1.3:1457 64.94.180.109:80 ESTABLISHED
| TCP 192.168.1.3:1460 64.94.180.109:80 ESTABLISHED
| TCP 192.168.1.3:1748 64.94.180.109:80 ESTABLISHED
| TCP 192.168.1.3:2046 64.94.180.109:80 ESTABLISHED
| TCP 192.168.1.3:2049 64.94.180.109:80 ESTABLISHED
|
| Other then rebooting my machine, is there a free program that will
| remove these connections?
|
| thanks

Download the free dynamic GUI utility TCPVIEW from Sysinternals
http://www.sysinternals.com/Utilities/TcpView.html

It will hopefully identify the utility making the connection.
Click to expand...
TcpView doesn't work.
In case it is malware, perform the following...

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files
Click to expand...

In some cases, this does work.

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe
Click to expand...

I will try this.
It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
viruses and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }
Click to expand...

I will try this.

thanks
 
From: "David Sherman" <[email protected]>

| Active ports doesn't show the same info as netstat -n does.
|
| On Thu, 30 Jun 2005 12:15:52 -0700, "Matt Gibson"

TCPVIEW certainly does. The '-n' command line switch just means display numerical
information without performing a lookup in the 'services' table 'host' and DNS and translate
the numbers into assigned aliases.
 
When I connect to Microsoft new server, I get a "connection" that I
can see by netstat -n and do a tracert to that IP address like this:

192.168.1.3:2852 207.46.248.16:119 ESTABLISHED

That connection is goes away when the connection is lost.

TCPView doesn't list nor show the connection of 192.169.1.3:2852 since
TCPView only shows "programs" that running. If the connection is
maintained by other means, TCPVIew doesn't show that connection.

If a connection remains open after that program that calls it is
closed, this type of long connection is what I am concerned about.

Why should I see all this connections like:

TCP 192.168.1.3:1457 64.94.180.109:80 ESTABLISHED
TCP 192.168.1.3:1460 64.94.180.109:80 ESTABLISHED
TCP 192.168.1.3:1748 64.94.180.109:80 ESTABLISHED
TCP 192.168.1.3:2046 64.94.180.109:80 ESTABLISHED
TCP 192.168.1.3:2049 64.94.180.109:80 ESTABLISHED
 
From: "David Sherman" <[email protected]>

| When I connect to Microsoft new server, I get a "connection" that I
| can see by netstat -n and do a tracert to that IP address like this:
|
| 192.168.1.3:2852 207.46.248.16:119 ESTABLISHED
|
| That connection is goes away when the connection is lost.
|
| TCPView doesn't list nor show the connection of 192.169.1.3:2852 since
| TCPView only shows "programs" that running. If the connection is
| maintained by other means, TCPVIew doesn't show that connection.
|
| If a connection remains open after that program that calls it is
| closed, this type of long connection is what I am concerned about.
|
| Why should I see all this connections like:
|
| TCP 192.168.1.3:1457 64.94.180.109:80 ESTABLISHED
| TCP 192.168.1.3:1460 64.94.180.109:80 ESTABLISHED
| TCP 192.168.1.3:1748 64.94.180.109:80 ESTABLISHED
| TCP 192.168.1.3:2046 64.94.180.109:80 ESTABLISHED
| TCP 192.168.1.3:2049 64.94.180.109:80 ESTABLISHED
|
| On Thu, 30 Jun 2005 16:43:29 -0400, "David H. Lipman"
| said:
|> TcpView doesn't work.
|>
Click to expand...

TCPVIEW shows *all* connections and its view changes as a function of time rather than being
a static snapshot.
 
Back
Top