Strange established connection to a high port

  1. #1
    Senior Member
    Join Date
    Feb 2002
    Posts
    518

    Strange established connection to a high port

    I've looked in the tutorials and on Google and don't see anything for this port.
    I've had a connection to my machine that looks like this in netstat:
    TCP (machinename):http 166.114.248.250:46982 ESTABLISHED

    It's been there for three days and I can NOT find anything that would establish this connection.
    I've closed everything and checked for spyware ... it's still there.
    I don't know why.

    Also done scans with the cleaner and Norton.

    Any ideas???
    Avenger
    Remember -
    The ark was built by amateurs...
    The Titanic was built by professionals.

  2. #2
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Do you run a web server?
    What are the other entries in netstat?

    Ammo

    (if on nt/w2k, run fport from foundstone)

    Ammo
    Credit travels up, blame travels down -- The Boss

  3. #3
    Banned
    Join Date
    Apr 2002
    Posts
    149
    Go to www.foundstone.com and download fport. It will tell you the program which is responsible for the open port.

  4. #4
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Fport is the best way to go on this. I would suspect that you are either running a personal web server or that you have configured an instant messenger to use port 80 instead of the normal ports to bypass firewalls?

    One interesting thing though:

    whois 166.114.248.250
    Red Bolivina de Comunicacion de Datos (NET-BOLNET)
    Ayacucho esquina Mercado, Edificio de
    la Vicepresidencia de la Republica
    La Paz, 13097 BO

    Doesn't necessarily mean anything, but I would definitely recommend finding out what has left the socket open on your end...

    neb
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    looks like that is an official gov't addy...

    could be a dns server for bolivia??...either that or someone in the Building of the Vice-presidency of the Republic of Bolivia is interested in you...hehe

    could be a misconfiguration issue....i once had a weird connection showing up in the logs...to oman...turned out i had misplaced a "." in dns setup of one of the machines and instead of xxxxx.com i had xxxxxc.om which was the cause...freaked me out for a while...
    "I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  6. #6
    Senior Member
    Join Date
    Feb 2002
    Posts
    518
    Yes, I am running a webserver, have been for a long time, never saw that before... I'm running Win2000 Server....
    I did the whois and saw that, interesting enough... don't know what it means...
    Fport doesn't work on server?

    Avenger
    Remember -
    The ark was built by amateurs...
    The Titanic was built by professionals.

  7. #7
    Junior Member
    Join Date
    Jul 2002
    Location
    Jacksonville, Florida
    Posts
    15
    Try Active Ports, and also Sam Spade; both run on W2K Server.

  8. #8
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Well, since you're running IIS (I presume), check out the webserver's logs and search for that IP; it should give you a clue what that user is trying to do...
    (The high number port is a random port on the remote host. It doesn't mean anything in terms of "what service" it is since it's on the client side... you have to check the server side's port, which in this case clearly indicates that it's an http connection...)

    Ammo
    Credit travels up, blame travels down -- The Boss
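    Ammo's two points in #8, as an added example that is not code from the thread: read a netstat listing, decide which end of each ESTABLISHED row is the service (the local port that also shows LISTENING, never the remote high port, which is only the client's ephemeral port), and then pull every IIS W3C extended log record for the remote address so you can see what that client actually requested and over what span of days. The netstat text and the IIS log are constructed samples; only the 166.114.248.250 address comes from the thread, and the 192.0.2.x / 198.51.100.x hosts are documentation addresses standing in for the OP's server and a second visitor.

```python
"""Triage an ESTABLISHED netstat row, then pull the remote IP from IIS W3C logs.
Added example, not from the thread; sample text is constructed, only 166.114.248.250 is the thread's."""
import re
from collections import Counter

# Well-known server ports; also resolves names netstat prints without -n
# (the OP's row reads "(machinename):http").
WELL_KNOWN = {21: "ftp", 22: "ssh", 25: "smtp", 53: "domain", 80: "http",
              110: "pop3", 135: "epmap", 139: "netbios-ssn", 143: "imap",
              443: "https", 445: "microsoft-ds", 3389: "ms-wbt-server"}
NAME_TO_PORT = {name: port for port, name in WELL_KNOWN.items()}

# "TCP  local:port  remote:port  STATE" as printed by Windows netstat; the header
# and UDP rows ("*:*", no state column) do not match and are skipped.
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):([\w-]+)\s+(\S+):([\w-]+)\s+(\S+)\s*$")

NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          166.114.248.250:46982  ESTABLISHED
  TCP    192.0.2.10:1046        198.51.100.7:443       ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

def _port(token):
    return int(token) if token.isdigit() else NAME_TO_PORT.get(token)

def parse_netstat(text):
    """TCP rows as dicts with numeric ports (None for an unknown service name)."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            laddr, lport, raddr, rport, state = m.groups()
            rows.append({"laddr": laddr, "lport": _port(lport),
                         "raddr": raddr, "rport": _port(rport), "state": state})
    return rows

def triage(rows):
    """Which end of each ESTABLISHED row is the service (post #8): a local port that
    also shows LISTENING is ours; the remote high port is only the client's
    ephemeral port and identifies no service."""
    listening = {r["lport"] for r in rows if r["state"] == "LISTENING"}
    findings = []
    for r in rows:
        if r["state"] != "ESTABLISHED":
            continue
        if r["lport"] in listening:
            side, port = "local", r["lport"]
        elif r["rport"] in WELL_KNOWN:        # we are the client of a remote service
            side, port = "remote", r["rport"]
        elif r["lport"] in WELL_KNOWN:        # serving, but no LISTENING row captured
            side, port = "local", r["lport"]
        else:
            side, port = "unknown", None
        findings.append({"remote": r["raddr"], "service_side": side, "service_port": port,
                         "service_name": WELL_KNOWN.get(port, "unknown")})
    return findings

# Constructed IIS 5.0 W3C extended log; column order comes from the #Fields line.
IIS_LOG_SAMPLE = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-07-13 00:00:04
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-07-13 00:00:04 166.114.248.250 - 192.0.2.10 80 GET /index.htm - 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0)
2002-07-13 00:00:09 198.51.100.7 - 192.0.2.10 80 GET /images/logo.gif - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
2002-07-13 06:12:41 166.114.248.250 - 192.0.2.10 80 GET /gallery/ - 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0)
2002-07-15 22:47:03 166.114.248.250 - 192.0.2.10 80 GET /gallery/missing.jpg - 404 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0)
"""

def parse_w3c(text):
    """Log records as dicts keyed by the names in the #Fields directive."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif fields and not line.startswith("#"):
            values = line.split()        # W3C writes '+' for spaces inside a value
            if len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records

def summarize_ip(records, ip):
    """What one client address did: hit count, first/last seen, statuses, URIs, agents."""
    hits = [r for r in records if r.get("c-ip") == ip]
    if not hits:
        return None
    stamps = sorted(f"{r['date']} {r['time']}" for r in hits)
    return {"ip": ip, "hits": len(hits), "first_seen": stamps[0], "last_seen": stamps[-1],
            "statuses": Counter(r["sc-status"] for r in hits),
            "uris": sorted({r["cs-uri-stem"] for r in hits}),
            "user_agents": sorted({r["cs(User-Agent)"] for r in hits})}

if __name__ == "__main__":
    for f in triage(parse_netstat(NETSTAT_SAMPLE)):
        print(f"{f['remote']}: service on {f['service_side']} side, {f['service_name']}/{f['service_port']}")
    print(summarize_ip(parse_w3c(IIS_LOG_SAMPLE), "166.114.248.250"))
```

    On the OP's box the first ESTABLISHED row resolves to "service on local side, http/80", which is exactly why fport (or any port-to-process mapper) would have pointed at the IIS worker process and why killing IIS in #9 killed the connection. The log summary is the second half of Ammo's advice: first and last seen tell you whether a multi-day ESTABLISHED socket matches a multi-day pattern of requests or is just a single client that never closed its connection, and the status counts and URIs show what was actually asked for.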

  9. #9
    Senior Member
    Join Date
    Feb 2002
    Posts
    518
    Hmmm, thanks for the input guys. I'm going through the logs as we speak - I killed the IIS server and that killed the port. Now I have to find him in the logs to see if I can find out why he was connected to the server for a few days!
    My brothers site is fun but not THAT fun.

    Thanks again, all - you've pointed me in the right direction

    Avenger
    Remember -
    The ark was built by amateurs...
    The Titanic was built by professionals.
