Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ?
- From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
- Date: Fri, 24 Feb 2006 14:01:58 -0600
On Thu, 23 Feb 2006, in the Usenet newsgroup comp.security.firewalls, in article
<0olLf.24221$_S7.793@xxxxxxxxxxxxxxxxxxxxxxxxxx>, Pam wrote:
> Can you help me understand what this SYN_SENT means from a security
> standpoint on a home PC?
Your system initiated a connection. See any decent textbook on TCP such
as 'TCP/IP Network Administration' 3rd Edition (O'Reilly & Assoc, ISBN
0-596-00297-1, April 2004, 746 pgs, US$45) by Craig Hunt, or W. Richard
Stevens' classic 'TCP/IP Illustrated Volume 1' (Addison-Wesley, ISBN
0-201-93346-9). Briefly, your computer sends a TCP packet with the SYN
flag set and a randomly generated sequence number. The peer should
respond with a packet with the SYN and ACK flags set, agreeing to your
random number, and proposing one of its own. Your system would then
respond with a third packet with the ACK flag, agreeing to the peer's
random number. This is the "three-way handshake" that starts a TCP
connection. The random numbers are used to keep track of bits sent.
Now, the peer may not wish to talk to you, and instead of responding with
a SYN ACK packet, may respond with an ACK RST packet, which basically says
"go away kid, you're bothering me" and that is the end of that.
> WINDOWSXP_SP2> netstat -a -n -b
Sorry, I don't do windoze.
> Active Connections
>
>   Proto  Local Address        Foreign Address       State      PID
>   TCP    192.168.0.101:1058   63.236.111.222:80     SYN_SENT   912
Process 912 on your system (192.168.0.101) sent a SYN packet from port
1058 (an ephemeral port, allocated to user applications) to
63.236.111.222, hoping to connect to the web server running on port 80
of that system. Apparently, it did not respond (which could be a firewall
issue, as that host seems to be alive).
> Upon bootup, with no web browsers running, I ran netstat -a -n -b and saw
> this SYN_SENT issue hanging at the SYN_SENT line. After a minute or two
> the netstat completed as shown above.
You may not have a browser running, but something wants to talk to a web
server. As mentioned, I don't do windoze.
> .... I first looked up 63.236.111.222 on http://www.dnsstuff.com/ but it
> didn't know who that was.
Yes, the idiots running the datacenter did not configure a DNS PTR record.
> .... I then looked it up on http://ws.arin.net/whois/ which gave me THREE
> owners for the same IP address, none of which I recognize and certainly
> none I purposefully communicated with.
[compton ~]$ whois 63.236.111.222
[whois.arin.net]
Qwest Communications Corporation QWEST-INET-9 (NET-63-236-0-0-1)
63.236.0.0 - 63.239.255.255
Qwest Cybercenters QWEST-CYBERCENTER (NET-63-236-0-0-2)
63.236.0.0 - 63.236.127.255
Savvis Communications Corporation QWEST-IAD-SAVVIS (NET-63-236-111-192-1)
63.236.111.192 - 63.236.111.223
# ARIN WHOIS database, last updated 2006-02-23 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
[compton ~]$
QWorst is one of the 'Baby Bells' - a regional telephone company with
delusions of grandeur. The 'Cybercenters' is a data center (think of
a large building with a major sized data cable, and rooms or cages leased
out to providers). Savvis is a "well known" provider who seems to have no
concern who they rent space, addresses, and bandwidth to. So, QWorst owns
the address, this block seems to be located in a data center they own in
the Washington DC metro area, and Savvis has leased a small block of
addresses there. Savvis _probably_ has sub-leased bandwidth to one of
their customers.
> .... I looked up tcp/ip port 1058 and found it was registered to "nim" but
> there is not much information about this port anywhere I could find.
> .... Wikipedia has almost nothing on this special nim port 1058
> http://en.wikipedia.org/wiki/Talk:TCP_and_UDP_port_numbers#nim_.281058.29_and_nimreg_.281059.29
Meaningless. Your system wants to communicate, and grabs a semi-random
number over 1024 (ports below 1025 "should" be reserved for server
applications) and uses that to source the connection. On a general basis,
port numbers are only registered/reserved on the _destination_ end of a
conversation. By this - you want to connect to "some" service. There are
65536 ports on the server, so which should you connect to in order to get
the service you are looking for? The answer is the registered/reserved or
'well known' port for that service.
> .... The Microsoft Windows XP netstat doesn't even -list- a command called
> SYN_SENT (it lists SYN_SEND)
SYN_SENT is a state - a condition. It's not a command.
> .... I am running the latest Windows XP Service Pack 2
> .... I ran the Microsoft Malicious Software Removal Tool but it didn't
> find anything suspicious
> .... My avast antivirus doesn't list anything suspicious like Blaster or
> anything like that.
Nonetheless, _something_ on your system decided it wanted to connect to
a web server.
> Can you give me the straight scoop on how to stop this problem?
No, I got rid of windoze before microsoft belatedly invented networking some
13 years after everyone else.
Old guy