Re: How to find process behing TCP connection ?



On 2006-09-26 Buozis, Martynas wrote:
I need an advice. I have Windows 2003 server. It occasionally show
strange and suspicious network behavior. I used command "netstat
-abov" and Process explorer tool from Sysinternals to find process
behind connections. I found that it is "System 4" and got stuck. How I
can identify what is behind this "System 4"?

System:4 is AFAIK not a real process, but basically the kernel. What do
you mean by "strange and suspicious network behavior"? Unusual network
traffic? Open ports? Have you tried to inspect the network traffic with
a protocol analyzer? Have you run a portscan against the host?

I thought it may be hidden process, but RootkitReveal from
Systinternals did not show anything.

You could try other rootkit detection tools (e.g. Blacklight [1] or
Anti-Rootkit [2]), or do an offline-analysis of the system.

I will be grateful for any ideas how to identify what is behind these
TCP connections from server to many computers!

I'd start with inspecting the traffic, preferably gathered through some
tap-device.

[1] http://www.f-secure.com/blacklight/
[2] http://download.bitdefender.com/windows/desktop/internet_security/beta/

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------