Strange Client Behavior: Port 8002 Looking for Other Ports

Archived from groups: microsoft.public.win2000.security,microsoft.public.win2000.networking (More info?)

I have strange symptoms on a Windows 2000 client. For long
periods each day, this client, which is behind Microsoft Proxy
2.0, stops access to the Internet. In the sniffer trace, what
I see is repetitive behavior where the client will send out TCP
connections from source port 8002 to successive ports on our DNS
server. It appears to attempt connection to each port three
times, and then it goes on to the next one. 1937, 1938, 1939,
etc.

This sure looks like some kind of port sniffing activity, maybe a
virus, but does anyone recognize the source port number and
behavior as belonging to some legitimate Windows 2000 client
behavior?

--
Will
Internet: westes at earthbroadcast.com

Archived from groups: microsoft.public.win2000.security,microsoft.public.win2000.networking (More info?)

I'm sorry, it has been quite a while since i used Netstat on windows
2000, my apologies.

Perhaps you will find Sysinternal's TCPView of assistance then, It is a
GUI utility that shows details about TCP and UDP endpoints including
processes's image names.

You can download it for free here.

http://www.sysinternals.com/ntw2k/source/tcpview.shtml

Will wrote:
> I do not have a -o option on my netstat under Windows 2000 SP4.
>