Re: Netstat results - problem?

From: pat shuff <shuff@tamu.edu>
Date: Mon, 17 Mar 2003 11:27:57 -0600


netstat -ap should give you the process name and the pid of the process
listening corresponding to a port.

pat

Luca Vix Visconti wrote:
> Try netstat -a -o so you can see the PIDs of the processes that are
> listening. Next use ps (or Spy++) to get the names of the servers.
>
> If you use Mozilla, there are many servers that this browser brings up.
> Vix
>
> David Marsh wrote:
>
>> I was reading a guide which said that if you reboot and then use the
>> netstat -an command, it shouldn't show anything (other than the titles
>> like 'proto').
>>
>> Mine showed:
>>
>> Proto Local Address Foreign Address State
>> TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
>>
>> Is this something I need to concern myself with? This was immediately
>> after rebooting and using The Cleaner, McAfee and Pest Patrol. I also
>> use Zone Alarm Pro.
>>
>> When surfing, I get stuff like:
>>
>> Proto Local Address Foreign Address State
>> TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
>> TCP 0.0.0.0:1056 0.0.0.0:0 LISTENING
>> TCP 0.0.0.0:1058 0.0.0.0:0 LISTENING
>> TCP 0.0.0.0:1061 0.0.0.0:0 LISTENING
>> TCP 0.0.0.0:1062 0.0.0.0:0 LISTENING
>> TCP 0.0.0.0:1064 0.0.0.0:0 LISTENING
>> TCP 0.0.0.0:1067 0.0.0.0:0 LISTENING
>> TCP 0.0.0.0:1068 0.0.0.0:0 LISTENING
>> TCP 0.0.0.0:1072 0.0.0.0:0 LISTENING
>> TCP 0.0.0.0:1073 0.0.0.0:0 LISTENING
>> TCP 0.0.0.0:1074 0.0.0.0:0 LISTENING
>> TCP 0.0.0.0:1078 0.0.0.0:0 LISTENING
>> TCP 0.0.0.0:1080 0.0.0.0:0 LISTENING
>> TCP 0.0.0.0:1081 0.0.0.0:0 LISTENING
>> TCP 0.0.0.0:1082 0.0.0.0:0 LISTENING
>> TCP 0.0.0.0:1083 0.0.0.0:0 LISTENING
>> TCP 62.25.143.10:1056 64.33.6.241:80 ESTABLISHED
>> TCP 62.25.143.10:1058 64.33.6.241:80 ESTABLISHED
>> TCP 62.25.143.10:1061 64.49.222.164:80 ESTABLISHED
>> TCP 62.25.143.10:1062 64.33.6.241:80 ESTABLISHED
>> TCP 62.25.143.10:1064 64.49.222.164:80 ESTABLISHED
>> TCP 62.25.143.10:1067 66.207.130.76:80 ESTABLISHED
>> TCP 62.25.143.10:1068 66.207.130.76:80 ESTABLISHED
>> TCP 62.25.143.10:1072 65.206.229.16:443 ESTABLISHED
>> TCP 62.25.143.10:1073 66.207.130.77:80 SYN_SENT
>> TCP 62.25.143.10:1074 63.209.29.151:80 ESTABLISHED
>> TCP 62.25.143.10:1078 208.63.39.40:80 ESTABLISHED
>> TCP 62.25.143.10:1080 195.92.228.44:80 SYN_SENT
>> TCP 62.25.143.10:1081 209.34.72.200:80 SYN_SENT
>> TCP 62.25.143.10:1082 216.52.210.21:80 SYN_SENT
>> TCP 62.25.143.10:1083 204.42.41.150:80 SYN_SENT
>> TCP 62.25.143.10:139 0.0.0.0:0 LISTENING
>> TCP 127.0.0.1:1025 127.0.0.1:1049 TIME_WAIT
>> TCP 127.0.0.1:1025 127.0.0.1:1054 TIME_WAIT
>> TCP 127.0.0.1:1025 127.0.0.1:1057 TIME_WAIT
>> UDP 62.25.143.10:137 *:*
>> UDP 62.25.143.10:138 *:*
>> UDP 127.0.0.1:1026 *:*
>> UDP 127.0.0.1:1051 *:*
>>
>> I understand that some of these are connections to websites but what
>> about stuff like:
>>
>> TCP 0.0.0.0:1061 0.0.0.0:0 LISTENING
>> TCP 0.0.0.0:1062 0.0.0.0:0 LISTENING
>> TCP 0.0.0.0:1064 0.0.0.0:0 LISTENING
>> TCP 0.0.0.0:1067 0.0.0.0:0 LISTENING
>> TCP 0.0.0.0:1068 0.0.0.0:0 LISTENING
>> TCP 0.0.0.0:1072 0.0.0.0:0 LISTENING
>> TCP 0.0.0.0:1073 0.0.0.0:0 LISTENING
>>
>> Why would ports 1068,1072,1073, etc be trying to connect to 0.0.0.0:0?
>>
>> Have I a trojan or does this look like normal netstat logs? My
>> original concern was the LISTENING immediately after rebooting on port
>> 1025 but these logs have only fueled my concerns.
>>
>> Thanks in advance - appreciated greatly.
>
>
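
An added example, not part of the original thread: it parses netstat -an output like the listing quoted above and separates LISTENING ports whose number is also the local port of an outbound connection from those with no such match, which are the ones to look up by PID with the commands suggested in the replies. The sample rows are an excerpt of the quoted output; the function names are this example's own.

```python
import re
from collections import defaultdict

# Excerpt of the netstat -an output quoted in the thread above.
SAMPLE = """\
Proto Local Address Foreign Address State
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1072 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1073 0.0.0.0:0 LISTENING
TCP 62.25.143.10:1072 65.206.229.16:443 ESTABLISHED
TCP 62.25.143.10:1073 66.207.130.77:80 SYN_SENT
TCP 62.25.143.10:139 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1025 127.0.0.1:1049 TIME_WAIT
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(\S+)\s*$")
OUTBOUND = {"ESTABLISHED", "SYN_SENT"}  # states of a connection this host opened

def parse(text):
    """Yield (local_ip, local_port, remote, state) for each TCP row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            lip, lport, rip, rport, state = m.groups()
            yield lip, int(lport), f"{rip}:{rport}", state

def classify(text):
    """Split LISTENING ports by whether an outbound connection uses the same local port."""
    rows = list(parse(text))
    peers = defaultdict(list)
    for lip, lport, remote, state in rows:
        if state in OUTBOUND:
            peers[lport].append(remote)
    paired, unpaired = {}, []
    for lip, lport, remote, state in rows:
        if state == "LISTENING":
            if lport in peers:
                paired[lport] = peers[lport]
            else:
                unpaired.append((lip, lport))
    return paired, unpaired

if __name__ == "__main__":
    paired, unpaired = classify(SAMPLE)
    for port, remotes in sorted(paired.items()):
        print(f"{port}: same local port as connection to {', '.join(remotes)}")
    for ip, port in unpaired:
        print(f"{ip}:{port}: no outbound match, look up the owning PID")
```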


