-
July 9th, 2002, 06:05 PM
#1
Strange established connection to a high port
I've looked on the tutorials and into Google and don't see anything for this port.
I've had a connection to my machine that looks like this in netstat:
TCP (machinename):http 166.114.248.250:46982 ESTABLISHED
It's been there for three days and I can NOT find anything that would establish this connection.
I've closed everything and checked for spyware ... it's still there.
I don't know why.
Also done scans with the cleaner and Norton.
Any ideas???
Avenger
Remember -
The ark was built by amateurs...
The Titanic was built by professionals.
-
July 9th, 2002, 06:12 PM
#2
do you run a web server?
what are the other entries in netstat?
Ammo
(if on nt/w2k, run fport from foundstone)
Ammo
Credit travels up, blame travels down -- The Boss
-
July 9th, 2002, 07:08 PM
#3
go to www.foundstone.com and download fport. it will tell you the program which is responsible for the open port.
-
July 9th, 2002, 07:44 PM
#4
Fport is the best way to go on this, I would suspect that you either are running a personal web server or that you have configured an instant messenger to use port 80 instead of the normal ports to bypass firewalls ?
One interesting thing though :
whois 166.114.248.250
Red Bolivina de Comunicacion de Datos (NET-BOLNET)
Ayacucho esquina Mercado, Edificio de
la Vicepresidencia de la Republica
La Paz, 13097 BO
Doesn't necessarily mean anything, but I would definitely recommend finding out what has left the socket open on your end...
neb
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect... There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
-
July 9th, 2002, 08:47 PM
#5
looks like that is an official gov't addy...
could be a DNS server for Bolivia??...either that or someone in the Building of the Vice-presidency of the Republic of Bolivia is interested in you...hehe
could be a misconfiguration issue....I once had a weird connection showing up in the logs...to Oman...turned out I had misplaced a "." in the DNS setup of one of the machines and instead of xxxxx.com I had xxxxxc.om which was the cause...freaked me out for a while...
"I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
-
July 9th, 2002, 09:03 PM
#6
yes I am running a webserver, have been for a long time, never saw that before... I'm running Win2000 Server....
I did the whois and saw that, interesting enough... don't know what it means...
fport doesn't work on server?
Avenger
Remember -
The ark was built by amateurs...
The Titanic was built by professionals.
-
July 9th, 2002, 10:02 PM
#7
try active ports, and also sam spade, both run on w2k server
-
July 9th, 2002, 10:20 PM
#8
Well since you're running IIS (I presume), check out the webserver's logs and search for that IP; it should give you a clue what that user is trying to do...
(the high number port is a random port on the remote host. It doesn't mean anything in terms of "what service" it is since it's on the client side... you have to check the server side's port which in this case clearly indicates that it's an http connection...)
Ammo
Credit travels up, blame travels down -- The Boss
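The two points made in this reply, that the local port (http) names the service and the remote high port is just the client's ephemeral port, and that the web server's own logs are where to look for what that IP did, can be worked through in code. The following script is an added example, not something posted in this thread or shipped with fport or IIS: it parses a netstat line of the shape quoted in the first post, decides which side is the service end, and then filters IIS W3C-format log lines for the remote IP. The netstat line and the log lines are constructed for the example, and the SERVICE_PORTS table is a deliberately small stand-in for the real services file.

```python
"""Added example: tie a netstat ESTABLISHED line back to web server log entries.

Not from the thread. Sample netstat line and IIS log lines below are constructed.
"""
import re

# Assumption: a tiny service-name table instead of the full services file.
SERVICE_PORTS = {"http": 80, "https": 443, "ftp": 21, "smtp": 25}

# Windows "netstat -an"-style line: proto, local endpoint, remote endpoint, state.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>\S+))?\s*$"
)

# Constructed sample, same shape as the line quoted in the first post.
NETSTAT_LINE = "TCP    webserver:http    166.114.248.250:46982    ESTABLISHED"

# Constructed IIS 5 W3C extended log excerpt; the #Fields header defines the columns.
IIS_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-07-06 14:02:11 166.114.248.250 GET /index.htm 200
2002-07-06 14:02:12 166.114.248.250 GET /images/logo.gif 200
2002-07-07 03:15:40 10.0.0.7 GET /index.htm 200
2002-07-08 22:41:09 166.114.248.250 GET /downloads/family.zip 200
"""


def split_endpoint(endpoint):
    """Split 'host:port'; the port may be numeric or a service name like 'http'."""
    host, _, port = endpoint.rpartition(":")
    port_num = int(port) if port.isdigit() else SERVICE_PORTS.get(port.lower())
    return host, port_num


def parse_netstat(line):
    """Return the pieces of one netstat line plus which side looks like the server."""
    m = NETSTAT_RE.match(line)
    if not m:
        raise ValueError("not a netstat connection line: %r" % line)
    local_host, local_port = split_endpoint(m["local"])
    remote_ip, remote_port = split_endpoint(m["remote"])
    # Heuristic: a well-known local port and a high remote port means the remote
    # side is a client of our service; the high port tells us nothing by itself.
    local_is_service = (local_port is not None and local_port < 1024
                        and remote_port is not None and remote_port >= 1024)
    return {
        "proto": m["proto"], "local_host": local_host, "local_port": local_port,
        "remote_ip": remote_ip, "remote_port": remote_port,
        "state": m["state"], "local_is_service_port": local_is_service,
    }


def parse_iis_log(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields header names."""
    fields, rows = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("data line before any #Fields header")
        values = line.split()
        if len(values) != len(fields):    # skip malformed/truncated lines
            continue
        rows.append(dict(zip(fields, values)))
    return rows


def requests_from(text, ip):
    """All log rows whose client IP (c-ip) matches the given address."""
    return [row for row in parse_iis_log(text) if row.get("c-ip") == ip]


def summarize(rows):
    """Count, first/last timestamp and per-URI counts for a set of log rows."""
    if not rows:
        return {"count": 0, "first": None, "last": None, "uris": {}}
    stamps = sorted("%s %s" % (r["date"], r["time"]) for r in rows)
    uris = {}
    for r in rows:
        uris[r["cs-uri-stem"]] = uris.get(r["cs-uri-stem"], 0) + 1
    return {"count": len(rows), "first": stamps[0], "last": stamps[-1], "uris": uris}


if __name__ == "__main__":
    conn = parse_netstat(NETSTAT_LINE)
    print("remote %s:%s -> local port %s, we are the server: %s"
          % (conn["remote_ip"], conn["remote_port"], conn["local_port"],
             conn["local_is_service_port"]))
    print(summarize(requests_from(IIS_LOG, conn["remote_ip"])))
```

On a real Windows 2000 box the log files live under the IIS log directory configured for the site, and `netstat -an` prints numeric ports rather than names; the `split_endpoint` helper accepts both so the same parser works on either form.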
-
July 9th, 2002, 11:29 PM
#9
hmmm thanks for the input guys. I'm going through the logs as we speak - I killed the IIS server and that killed the port. Now I have to find him in the logs to see if I can find out why he was connected to the server for a few days!
My brother's site is fun but not THAT fun.
Thanks again, all - you've pointed me in the right direction
Avenger
Remember -
The ark was built by amateurs...
The Titanic was built by professionals.