Sign in with
Sign up | Sign in
Your question

Netstat question

Last response: in Windows XP
Share
Anonymous
June 30, 2005 3:03:03 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Just from running netstat -n in a DOS box, I get the following:


TCP 192.168.1.3:1457 64.94.180.109:80 ESTABLISHED
TCP 192.168.1.3:1460 64.94.180.109:80 ESTABLISHED
TCP 192.168.1.3:1748 64.94.180.109:80 ESTABLISHED
TCP 192.168.1.3:2046 64.94.180.109:80 ESTABLISHED
TCP 192.168.1.3:2049 64.94.180.109:80 ESTABLISHED


Other then rebooting my machine, is there a free program that will
remove these connections?

thanks



WhoIs Lookup performed by Karen's WhoIs
http://www.karenware.com/


OrgName: Internap Network Services
OrgID: PNAP
Address: 250 Williams Street
Address: Suite E100
City: Atlanta
StateProv: GA
PostalCode: 30303
Country: US

NetRange: 64.94.0.0 - 64.95.255.255
CIDR: 64.94.0.0/15
NetName: PNAP-05-2000
NetHandle: NET-64-94-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.PNAP.NET
NameServer: NS2.PNAP.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2000-06-05
Updated: 2002-06-17

TechHandle: INO3-ARIN
TechName: InterNap Network Operations Center
TechPhone: +1-877-843-4662
TechEmail: noc@internap.com

OrgAbuseHandle: IAC3-ARIN
OrgAbuseName: Internap Abuse Contact
OrgAbusePhone: +1-206-256-9500
OrgAbuseEmail: abuse@internap.com

OrgTechHandle: INO3-ARIN
OrgTechName: InterNap Network Operations Center
OrgTechPhone: +1-877-843-4662
OrgTechEmail: noc@internap.com

OrgName: Radianz
OrgID: RADIAN-22
Address: 492 River Rd.
City: Nutley
StateProv: NJ
PostalCode: 07110
Country: US

NetRange: 64.94.180.0 - 64.94.181.255
CIDR: 64.94.180.0/23
NetName: PNAP-NYM-RADIAN-RM-01
NetHandle: NET-64-94-180-0-1
Parent: NET-64-94-0-0-1
NetType: Reassigned
Comment:
RegDate: 2001-10-01
Updated: 2001-10-01

TechHandle: MN457-ARIN
TechName: Najarian, Michael
TechPhone: +1-973-662-2959
TechEmail: Michael.Najarian@radianz.com

# ARIN WHOIS database, last updated 2005-06-29 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

More about : netstat question

Anonymous
June 30, 2005 3:03:04 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Use a program like "Active Ports" to determine which process is creating
these connections, and then close it.

Matt Gibson - GSEC

"David Sherman" <dshermin@ameritech.net> wrote in message
news:aa28c1tm4ujt5ie3njljcgn1jitp58jp8t@4ax.com...
> Just from running netstat -n in a DOS box, I get the following:
>
>
> TCP 192.168.1.3:1457 64.94.180.109:80 ESTABLISHED
> TCP 192.168.1.3:1460 64.94.180.109:80 ESTABLISHED
> TCP 192.168.1.3:1748 64.94.180.109:80 ESTABLISHED
> TCP 192.168.1.3:2046 64.94.180.109:80 ESTABLISHED
> TCP 192.168.1.3:2049 64.94.180.109:80 ESTABLISHED
>
>
> Other then rebooting my machine, is there a free program that will
> remove these connections?
>
> thanks
>
>
>
> WhoIs Lookup performed by Karen's WhoIs
> http://www.karenware.com/
>
>
> OrgName: Internap Network Services
> OrgID: PNAP
> Address: 250 Williams Street
> Address: Suite E100
> City: Atlanta
> StateProv: GA
> PostalCode: 30303
> Country: US
>
> NetRange: 64.94.0.0 - 64.95.255.255
> CIDR: 64.94.0.0/15
> NetName: PNAP-05-2000
> NetHandle: NET-64-94-0-0-1
> Parent: NET-64-0-0-0-0
> NetType: Direct Allocation
> NameServer: NS1.PNAP.NET
> NameServer: NS2.PNAP.NET
> Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
> RegDate: 2000-06-05
> Updated: 2002-06-17
>
> TechHandle: INO3-ARIN
> TechName: InterNap Network Operations Center
> TechPhone: +1-877-843-4662
> TechEmail: noc@internap.com
>
> OrgAbuseHandle: IAC3-ARIN
> OrgAbuseName: Internap Abuse Contact
> OrgAbusePhone: +1-206-256-9500
> OrgAbuseEmail: abuse@internap.com
>
> OrgTechHandle: INO3-ARIN
> OrgTechName: InterNap Network Operations Center
> OrgTechPhone: +1-877-843-4662
> OrgTechEmail: noc@internap.com
>
> OrgName: Radianz
> OrgID: RADIAN-22
> Address: 492 River Rd.
> City: Nutley
> StateProv: NJ
> PostalCode: 07110
> Country: US
>
> NetRange: 64.94.180.0 - 64.94.181.255
> CIDR: 64.94.180.0/23
> NetName: PNAP-NYM-RADIAN-RM-01
> NetHandle: NET-64-94-180-0-1
> Parent: NET-64-94-0-0-1
> NetType: Reassigned
> Comment:
> RegDate: 2001-10-01
> Updated: 2001-10-01
>
> TechHandle: MN457-ARIN
> TechName: Najarian, Michael
> TechPhone: +1-973-662-2959
> TechEmail: Michael.Najarian@radianz.com
>
> # ARIN WHOIS database, last updated 2005-06-29 19:10
> # Enter ? for additional hints on searching ARIN's WHOIS database.
>
Anonymous
June 30, 2005 5:37:15 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

From: "David Sherman" <dshermin@ameritech.net>

| Just from running netstat -n in a DOS box, I get the following:
|
| TCP 192.168.1.3:1457 64.94.180.109:80 ESTABLISHED
| TCP 192.168.1.3:1460 64.94.180.109:80 ESTABLISHED
| TCP 192.168.1.3:1748 64.94.180.109:80 ESTABLISHED
| TCP 192.168.1.3:2046 64.94.180.109:80 ESTABLISHED
| TCP 192.168.1.3:2049 64.94.180.109:80 ESTABLISHED
|
| Other then rebooting my machine, is there a free program that will
| remove these connections?
|
| thanks

Download the free dynamic GUI utility TCPVIEW from Sysinternals
http://www.sysinternals.com/Utilities/TcpView.html

It will hopefully identify the utility making the connection.


In case it is malware, perform the following...

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
viruses and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
through your FireWall to allow them to download the needed AV vendor related files.

* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Related resources
Anonymous
June 30, 2005 6:39:32 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Active Ports doesn't work.

I have been told that the process viewer in the commerical verision of
TrojanHunter, http://www.trojanhunter.com and X-Netstat
http://www.freshsw.com/ work.

thanks

On Thu, 30 Jun 2005 08:55:08 -0700, "Matt Gibson"
<mattg@blueedgetech.ca> wrote:

>Use a program like "Active Ports" to determine which process is creating
>these connections, and then close it.
>
>Matt Gibson - GSEC
>
>"David Sherman" <dshermin@ameritech.net> wrote in message
>news:aa28c1tm4ujt5ie3njljcgn1jitp58jp8t@4ax.com...
>> Just from running netstat -n in a DOS box, I get the following:
>>
>>
>> TCP 192.168.1.3:1457 64.94.180.109:80 ESTABLISHED
>> TCP 192.168.1.3:1460 64.94.180.109:80 ESTABLISHED
>> TCP 192.168.1.3:1748 64.94.180.109:80 ESTABLISHED
>> TCP 192.168.1.3:2046 64.94.180.109:80 ESTABLISHED
>> TCP 192.168.1.3:2049 64.94.180.109:80 ESTABLISHED
>>
>>
>> Other then rebooting my machine, is there a free program that will
>> remove these connections?
>>
>> thanks
>>
>>
>>
>> WhoIs Lookup performed by Karen's WhoIs
>> http://www.karenware.com/
>>
>>
>> OrgName: Internap Network Services
>> OrgID: PNAP
>> Address: 250 Williams Street
>> Address: Suite E100
>> City: Atlanta
>> StateProv: GA
>> PostalCode: 30303
>> Country: US
>>
>> NetRange: 64.94.0.0 - 64.95.255.255
>> CIDR: 64.94.0.0/15
>> NetName: PNAP-05-2000
>> NetHandle: NET-64-94-0-0-1
>> Parent: NET-64-0-0-0-0
>> NetType: Direct Allocation
>> NameServer: NS1.PNAP.NET
>> NameServer: NS2.PNAP.NET
>> Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
>> RegDate: 2000-06-05
>> Updated: 2002-06-17
>>
>> TechHandle: INO3-ARIN
>> TechName: InterNap Network Operations Center
>> TechPhone: +1-877-843-4662
>> TechEmail: noc@internap.com
>>
>> OrgAbuseHandle: IAC3-ARIN
>> OrgAbuseName: Internap Abuse Contact
>> OrgAbusePhone: +1-206-256-9500
>> OrgAbuseEmail: abuse@internap.com
>>
>> OrgTechHandle: INO3-ARIN
>> OrgTechName: InterNap Network Operations Center
>> OrgTechPhone: +1-877-843-4662
>> OrgTechEmail: noc@internap.com
>>
>> OrgName: Radianz
>> OrgID: RADIAN-22
>> Address: 492 River Rd.
>> City: Nutley
>> StateProv: NJ
>> PostalCode: 07110
>> Country: US
>>
>> NetRange: 64.94.180.0 - 64.94.181.255
>> CIDR: 64.94.180.0/23
>> NetName: PNAP-NYM-RADIAN-RM-01
>> NetHandle: NET-64-94-180-0-1
>> Parent: NET-64-94-0-0-1
>> NetType: Reassigned
>> Comment:
>> RegDate: 2001-10-01
>> Updated: 2001-10-01
>>
>> TechHandle: MN457-ARIN
>> TechName: Najarian, Michael
>> TechPhone: +1-973-662-2959
>> TechEmail: Michael.Najarian@radianz.com
>>
>> # ARIN WHOIS database, last updated 2005-06-29 19:10
>> # Enter ? for additional hints on searching ARIN's WHOIS database.
>>
>
Anonymous
June 30, 2005 6:39:33 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

> Active Ports doesn't work.

Just curious what you mean by doesn't work...Doesn't work for this
situation, or doesn't work period.

Matt Gibson - GSEC
Anonymous
June 30, 2005 7:45:01 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

On Thu, 30 Jun 2005 13:37:15 -0400, in
microsoft.public.windowsxp.security_admin you wrote:

>From: "David Sherman" <dshermin@ameritech.net>
>
>| Just from running netstat -n in a DOS box, I get the following:
>|
>| TCP 192.168.1.3:1457 64.94.180.109:80 ESTABLISHED
>| TCP 192.168.1.3:1460 64.94.180.109:80 ESTABLISHED
>| TCP 192.168.1.3:1748 64.94.180.109:80 ESTABLISHED
>| TCP 192.168.1.3:2046 64.94.180.109:80 ESTABLISHED
>| TCP 192.168.1.3:2049 64.94.180.109:80 ESTABLISHED
>|
>| Other then rebooting my machine, is there a free program that will
>| remove these connections?
>|
>| thanks
>
>Download the free dynamic GUI utility TCPVIEW from Sysinternals
>http://www.sysinternals.com/Utilities/TcpView.html
>
>It will hopefully identify the utility making the connection.
>
TcpView doesn't work.

>
>In case it is malware, perform the following...
>
>Dump the contents of the IE Temporary Internet Folder cache (TIF)
>Start --> Settings --> Control Panel --> Internet Options --> Delete Files

In some cases, this does work.


>Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
>Tools --> Options --> Privacy --> Cache --> Clear
>
>Download MULTI_AV.EXE from the URL --
>http://www.ik-cs.com/programs/virtools/Multi_AV.exe

I will try this.
>
>It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
>http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
>(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
>simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
>viruses and various other malware.
>
>C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
>This will bring up the initial menu of choices and should be executed in Normal Mode. This
>way all the components can be downloaded from each AV vendor’s web site.
>The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.
>
>You can choose to go to each menu item and just download the needed files or you can
>download the files and perform a scan in Normal Mode. Once you have downloaded the files
>needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
>during boot] and re-run the menu again and choose which scanner you want to run in Safe
>Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
>
>When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
>file.
>
>To use this utility, perform the following...
>Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
>Choose; Unzip
>Choose; Close
>
>Execute; C:\AV-CLS\StartMenu.BAT
>{ or Double-click on 'Start Menu' in C:\AV-CLS }

I will try this.

thanks
>NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
>through your FireWall to allow them to download the needed AV vendor related files.
>
>* * * Please report back your results * * *
Anonymous
July 1, 2005 12:38:38 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Active ports doesn't show the same info as netstat -n does.

On Thu, 30 Jun 2005 12:15:52 -0700, "Matt Gibson"
<mattg@blueedgetech.ca> wrote:

>> Active Ports doesn't work.
>
>Just curious what you mean by doesn't work...Doesn't work for this
>situation, or doesn't work period.
>
>Matt Gibson - GSEC
>
Anonymous
July 1, 2005 1:05:50 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

From: "David Sherman" <dshermin@ameritech.net>

| Active ports doesn't show the same info as netstat -n does.
|
| On Thu, 30 Jun 2005 12:15:52 -0700, "Matt Gibson"
| <mattg@blueedgetech.ca> wrote:
|
>>> Active Ports doesn't work.
>>
>> Just curious what you mean by doesn't work...Doesn't work for this
>> situation, or doesn't work period.
>>
>> Matt Gibson - GSEC
>>

TCPVIEW certainly does. The '-n' command line switch just means display numerical
information without performing a lookup in the 'services' table 'host' and DNS and translate
the numbers into assigned aliases.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
July 5, 2005 4:27:15 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

When I connect to Microsoft new server, I get a "connection" that I
can see by netstat -n and do a tracert to that IP address like this:

192.168.1.3:2852 207.46.248.16:119 ESTABLISHED

That connection is goes away when the connection is lost.

TCPView doesn't list nor show the connection of 192.169.1.3:2852 since
TCPView only shows "programs" that running. If the connection is
maintained by other means, TCPVIew doesn't show that connection.

If a connection remains open after that program that calls it is
closed, this type of long connection is what I am concerned about.

Why should I see all this connections like:

TCP 192.168.1.3:1457 64.94.180.109:80 ESTABLISHED
TCP 192.168.1.3:1460 64.94.180.109:80 ESTABLISHED
TCP 192.168.1.3:1748 64.94.180.109:80 ESTABLISHED
TCP 192.168.1.3:2046 64.94.180.109:80 ESTABLISHED
TCP 192.168.1.3:2049 64.94.180.109:80 ESTABLISHED


On Thu, 30 Jun 2005 16:43:29 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "David Sherman" <dshermin@ameritech.net>
>
>
>>>
>>> Download the free dynamic GUI utility TCPVIEW from Sysinternals
>>> http://www.sysinternals.com/Utilities/TcpView.html
>>>
>>> It will hopefully identify the utility making the connection.
>>>
>| TcpView doesn't work.
>|
>
>
>In what way does TCPVIEW not work ?
>Can you be MORE specific please.
>
>Note the attached example. It shows FidolookSL.exe connected to the MS NEWS Server and if
>you click on the file FidolookSL.exe it will show you the fully qualified path to
>FidolookSL.exe and the switch parameters used to load it..
Anonymous
July 5, 2005 4:31:01 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

From: "David Sherman" <dshermin@ameritech.net>

| When I connect to Microsoft new server, I get a "connection" that I
| can see by netstat -n and do a tracert to that IP address like this:
|
| 192.168.1.3:2852 207.46.248.16:119 ESTABLISHED
|
| That connection is goes away when the connection is lost.
|
| TCPView doesn't list nor show the connection of 192.169.1.3:2852 since
| TCPView only shows "programs" that running. If the connection is
| maintained by other means, TCPVIew doesn't show that connection.
|
| If a connection remains open after that program that calls it is
| closed, this type of long connection is what I am concerned about.
|
| Why should I see all this connections like:
|
| TCP 192.168.1.3:1457 64.94.180.109:80 ESTABLISHED
| TCP 192.168.1.3:1460 64.94.180.109:80 ESTABLISHED
| TCP 192.168.1.3:1748 64.94.180.109:80 ESTABLISHED
| TCP 192.168.1.3:2046 64.94.180.109:80 ESTABLISHED
| TCP 192.168.1.3:2049 64.94.180.109:80 ESTABLISHED
|
| On Thu, 30 Jun 2005 16:43:29 -0400, "David H. Lipman"
| <DLipman~nospam~@Verizon.Net> wrote:
|
>> From: "David Sherman" <dshermin@ameritech.net>
>>
>>>> Download the free dynamic GUI utility TCPVIEW from Sysinternals
>>>> http://www.sysinternals.com/Utilities/TcpView.html
>>>>
>>>> It will hopefully identify the utility making the connection.
>>>>
>|> TcpView doesn't work.
>|>
>> In what way does TCPVIEW not work ?
>> Can you be MORE specific please.
>>
>> Note the attached example. It shows FidolookSL.exe connected to the MS NEWS Server and
>> if you click on the file FidolookSL.exe it will show you the fully qualified path
>> to FidolookSL.exe and the switch parameters used to load it..

TCPVIEW shows *all* connections and its view changes as a function of time rather than being
a static snapshot.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
!