Archived from groups: microsoft.public.win2000.networking,microsoft.public.win2000.security (
More info?)
Try using TcpView from www.sysinternals.com
--
Roger
"J.H" <jpthsd@hotmail.com> wrote in message
news:eQ8zxcpnFHA.3120@TK2MSFTNGP09.phx.gbl...
> Roger,
>
> here is what returned from Netstat -a
>
> SOURCE DEST ACT
> TCP XXXX:2802 0.0.0.0:0 LISTENING
> TCP XXXX:2802 XXXX:139 ESTABLISHED
> TCP XXXX:2805 XXXX:445 SYN_SENT
> TCP XXXX:2806 0.0.0.0:0 LISTENING
> TCP XXXX:2806 64.224.17.219:139 SYN_SENT
> TCP XXXX:2805 64.224.17.219:445 SYN_SENT
>
>
> It looks like doing every once per 30 seconds for connect to
> 64.224.17.219.139
> per port 139, 445. On the firewall we saw the attempt, but we block
outgoing
> port 139,445.
>
>
> J.H
>
> "J.H" <jpthsd@hotmail.com> wrote in message
> news:OGZHb$onFHA.1468@TK2MSFTNGP12.phx.gbl...
> > Hi Roger,
> >
> > Thanks for your response. We blocked the outgoing to Internet port 445
and
> > 139.
> > We detected this problem since we've been noticed the traffic from our
> > firewall network
> > monitoring tool.
> >
> > Thanks,
> > Jake
> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > news:eP2COLonFHA.1416@TK2MSFTNGP09.phx.gbl...
> > > So you say "tries" and that netstat is not helping you, but you say it
> is
> > > trying to connect using FQDN.
> > > So apparently the connection is never happening, hence you do not
> > > get info in netstat or with sysinternals TcpView, etc. to let you have
> > > a clue what is driving the behavior.
> > > But, you could define an IP of your choice in HOSTS file for the FQDN
> > > and then intercept the attempt, possibly defining what is needed on
your
> > > receiving machine to make the connection happen, at least long enough
> > > to get some info from TcpView.
> > >
> > > Too bad your server is W2k (and out of date on service) else my first
> > > suggestion would be to use the free tool named PortRptr from Microsoft
> > >
> > >
> >
>
http://www.microsoft.com/downloads/details.aspx?FamilyID=69ba779b-bae9-4243-b9d6-63e62b4bcd2e&DisplayLang=en
> > >
> > > --
> > > Roger Abell
> > > Microsoft MVP (Windows Security)
> > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > "J.H" <jpthsd@hotmail.com> wrote in message
> > > news:%236sH9venFHA.2156@TK2MSFTNGP14.phx.gbl...
> > > > Hi,
> > > >
> > > > we currently detected one server (W2K, SP3 with MSSQL SP3, IIS
> > installed)
> > > > keeps
> > > > trying to connect to an Internet Host at port 139, 445. I checked on
> the
> > > > server by netstat -an,
> > > > netstat -a...etc that it tries to connect to that Internet host by
the
> > > FQDN
> > > > in port 139, 445.
> > > >
> > > > I ran several tool from sysinternal but could not find any abnormal,
I
> > > > checked all registry,
> > > > program folders, c: drive, winnt, system32,, task manager,,,,there
is
> > > > nothing revealing the clue.
> > > >
> > > >
> > > > Any one knowing please shed the light!!!
> > > >
> > > > Thanks,
> > > > J.H
> > > >
> > > >
> > >
> > >
> >
> >
>
>