-
netstat connections
I have a 4-port ADSL router and don't use a firewall at the moment.. when I do a netstat -a in my prompt window, there are a number of connections that seem unusual.. one that stood out like a sore thumb is:
adsl-20-81-145.sdf.bellsouth.net
now .. that HAS to be some dude connected to my comp?? right ??
Another which has come up a lot is
24-240-224-15.charter.com
Although I DO use a P2P (kazaa) ... I thought that would open up the different namespace connections under the same port number??
Anyhow, some answers would be nice and informative :)
:confused:
thanks
-
The p2p client is most likely the problem, also check for chat clients.
I've noticed that even though most p2p's stick to one port, to get around firewalls and proxies they've since adapted to the capability of using "whatever port it wants".
Or at least that's how it seems to those of us admins that need to block their use he he.... try killing your p2p and running for a while, then check; that'll give you a baseline.
-
One thing that would be very helpful (and if you do it, please obscure your address), is to see the entire table. Just from those entries there, it is absolutely impossible to tell whether those are incoming or outgoing connections and on what ports (essential to tell what service is being utilized). If you can supply that information, more people would be able to offer better advice.
Two things to keep in mind: 1) Any time you run a P2P service, you will have people connecting to your computer, it is the nature of the beast (unless through a firewall or some other means you are able to filter it out). 2) Of the columns output by netstat, the first column is generally the ports/addresses listening on your PC, the second column is the destination/origination IPs.
If you are concerned about what people are connecting to your PC for, take that port that you see them connecting to (usually in the form of IP:port) and go somewhere like:
http://www.snort.org/ports.html
And put that port in there and you will see what service they are utilizing (and whether or not you should be worried about it based on the results).
/nebulus
-
Yeah, I think it's the p2p. It may be that someone is downloading a file from your shared folder. Do what THEJRC said and kill it and see what happens.
-
Also, you can try going to the Foundstone site here to download fport to see if it helps you to determine what it is. It will show the application name of the connection possibly. Also, you can look at connections in somewhat realtime using tcpview on the Sysinternals site here. The approach previously mentioned in the other posts should help narrow down the possibilities definitely. Take care.
-
If you're on Win XP,
type netstat -o and it will give you what PID it's running on, then hit Ctrl+Alt+Delete and find what app is using that PID :)
rioter
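
The two checks suggested in the replies above (telling incoming from outgoing connections by port, and tying each connection to a PID) can be combined in one pass over `netstat -ano` output. This is an added example, not part of the original thread; the sample table, addresses and PIDs are constructed, and the inbound/outbound rule is a heuristic based on whether the local port is one the same PID is listening on.

```python
# Added example: classify `netstat -ano` TCP rows as inbound or outbound per PID.
# SAMPLE is constructed output (documentation-range addresses), not real data.
from collections import defaultdict

SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:1214           0.0.0.0:0              LISTENING       1480
  TCP    192.168.1.10:1214      203.0.113.7:3412       ESTABLISHED     1480
  TCP    192.168.1.10:1214      198.51.100.44:4021     ESTABLISHED     1480
  TCP    192.168.1.10:3050      198.51.100.20:80       ESTABLISHED     2212
  TCP    192.168.1.10:3051      203.0.113.9:2234       ESTABLISHED     1480
  UDP    0.0.0.0:1214           *:*                                    1480
"""

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so IPv6 forms like [::]:135 work."""
    addr, _, port = endpoint.rpartition(":")
    return addr, port

def parse(text):
    """Yield (local_port, remote_addr, remote_port, state, pid) for TCP rows."""
    for line in text.splitlines():
        f = line.split()
        # TCP rows have exactly 5 fields; headers and UDP rows (no state) are skipped.
        if len(f) == 5 and f[0] == "TCP" and f[4].isdigit():
            _, lport = split_endpoint(f[1])
            raddr, rport = split_endpoint(f[2])
            yield lport, raddr, rport, f[3], int(f[4])

def classify(text):
    """Return {pid: {"inbound": [...], "outbound": [...]}} for established TCP."""
    rows = list(parse(text))
    listening = {(pid, lport) for lport, _, _, state, pid in rows if state == "LISTENING"}
    result = defaultdict(lambda: {"inbound": [], "outbound": []})
    for lport, raddr, rport, state, pid in rows:
        if state != "ESTABLISHED":
            continue
        # Heuristic: local port is a listener of this PID -> the peer connected to us.
        direction = "inbound" if (pid, lport) in listening else "outbound"
        result[pid][direction].append((lport, f"{raddr}:{rport}"))
    return dict(result)

if __name__ == "__main__":
    for pid, conns in sorted(classify(SAMPLE).items()):
        print(pid, conns)
```

Running it once with the P2P client open and once with it closed gives the baseline comparison suggested earlier in the thread; any PID that still shows inbound connections afterwards is the one to look up.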
-
The best thing is to contact your ISP/admin and tell 'em the situation. It's always best to keep a firewall and a virus/trojan scanner. There must be a direct connection of the clients with your router. It could be a normal thing as well.