Re: Netstat results - problem?

From: Luca Vix Visconti (vix.vix@tin.it)
Date: 03/18/03


From: Luca Vix Visconti <vix.vix@tin.it>
Date: Tue, 18 Mar 2003 09:14:57 +0100

netstat -ap on Unix-like systems
netstat -a -o on Windows.

pat shuff wrote:
>
> netstat -ap should give you the process name and the pid of the process
> listening corresponding to a port.
>
> pat
>
> Luca Vix Visconti wrote:
>
>> Try netstat -a -o so you can see the PIDs of the processes that are
>> listening. Next use ps (or Spy++) to get the names of the servers.
>>
>> If you use Mozilla, there are many servers that this browser brings up.
>> Vix
>>
>> David Marsh wrote:
>>
>>> I was reading a guide which said that if you reboot and then use the
>>> netstat -an command, it shouldn't show anything (other than the titles
>>> like 'proto').
>>>
>>> Mine showed:
>>>
>>> Proto Local Address Foreign Address State
>>> TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
>>>
>>> Is this something I need to concern myself with? This was immediately
>>> after rebooting and using The Cleaner, McAfee and Pest Patrol. I also
>>> use Zone Alarm Pro.
>>>
>>> When surfing, I get stuff like:
>>>
>>> Proto Local Address Foreign Address State
>>> TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
>>> TCP 0.0.0.0:1056 0.0.0.0:0 LISTENING
>>> TCP 0.0.0.0:1058 0.0.0.0:0 LISTENING
>>> TCP 0.0.0.0:1061 0.0.0.0:0 LISTENING
>>> TCP 0.0.0.0:1062 0.0.0.0:0 LISTENING
>>> TCP 0.0.0.0:1064 0.0.0.0:0 LISTENING
>>> TCP 0.0.0.0:1067 0.0.0.0:0 LISTENING
>>> TCP 0.0.0.0:1068 0.0.0.0:0 LISTENING
>>> TCP 0.0.0.0:1072 0.0.0.0:0 LISTENING
>>> TCP 0.0.0.0:1073 0.0.0.0:0 LISTENING
>>> TCP 0.0.0.0:1074 0.0.0.0:0 LISTENING
>>> TCP 0.0.0.0:1078 0.0.0.0:0 LISTENING
>>> TCP 0.0.0.0:1080 0.0.0.0:0 LISTENING
>>> TCP 0.0.0.0:1081 0.0.0.0:0 LISTENING
>>> TCP 0.0.0.0:1082 0.0.0.0:0 LISTENING
>>> TCP 0.0.0.0:1083 0.0.0.0:0 LISTENING
>>> TCP 62.25.143.10:1056 64.33.6.241:80 ESTABLISHED
>>> TCP 62.25.143.10:1058 64.33.6.241:80 ESTABLISHED
>>> TCP 62.25.143.10:1061 64.49.222.164:80 ESTABLISHED
>>> TCP 62.25.143.10:1062 64.33.6.241:80 ESTABLISHED
>>> TCP 62.25.143.10:1064 64.49.222.164:80 ESTABLISHED
>>> TCP 62.25.143.10:1067 66.207.130.76:80 ESTABLISHED
>>> TCP 62.25.143.10:1068 66.207.130.76:80 ESTABLISHED
>>> TCP 62.25.143.10:1072 65.206.229.16:443 ESTABLISHED
>>> TCP 62.25.143.10:1073 66.207.130.77:80 SYN_SENT
>>> TCP 62.25.143.10:1074 63.209.29.151:80 ESTABLISHED
>>> TCP 62.25.143.10:1078 208.63.39.40:80 ESTABLISHED
>>> TCP 62.25.143.10:1080 195.92.228.44:80 SYN_SENT
>>> TCP 62.25.143.10:1081 209.34.72.200:80 SYN_SENT
>>> TCP 62.25.143.10:1082 216.52.210.21:80 SYN_SENT
>>> TCP 62.25.143.10:1083 204.42.41.150:80 SYN_SENT
>>> TCP 62.25.143.10:139 0.0.0.0:0 LISTENING
>>> TCP 127.0.0.1:1025 127.0.0.1:1049 TIME_WAIT
>>> TCP 127.0.0.1:1025 127.0.0.1:1054 TIME_WAIT
>>> TCP 127.0.0.1:1025 127.0.0.1:1057 TIME_WAIT
>>> UDP 62.25.143.10:137 *:*
>>> UDP 62.25.143.10:138 *:*
>>> UDP 127.0.0.1:1026 *:*
>>> UDP 127.0.0.1:1051 *:*
>>>
>>> I understand that some of these are connections to websites but what
>>> about stuff like:
>>>
>>> TCP 0.0.0.0:1061 0.0.0.0:0 LISTENING
>>> TCP 0.0.0.0:1062 0.0.0.0:0 LISTENING
>>> TCP 0.0.0.0:1064 0.0.0.0:0 LISTENING
>>> TCP 0.0.0.0:1067 0.0.0.0:0 LISTENING
>>> TCP 0.0.0.0:1068 0.0.0.0:0 LISTENING
>>> TCP 0.0.0.0:1072 0.0.0.0:0 LISTENING
>>> TCP 0.0.0.0:1073 0.0.0.0:0 LISTENING
>>>
>>> Why would ports 1068,1072,1073, etc be trying to connect to 0.0.0.0:0?
>>>
>>> Have I a trojan or does this look like normal netstat logs? My
>>> original concern was the LISTENING immediately after rebooting on port
>>> 1025 but these logs have only fueled my concerns.
>>>
>>> Thanks in advance - appreciated greatly.
>>
>>
>>
>
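An added example, not part of any post in this thread: a small triage script for `netstat -a -n -o` style output. It groups LISTENING rows by whether the same local port also appears on an ESTABLISHED or SYN_SENT connection (as every 0.0.0.0:10xx listener except 1025 in the quoted paste does) and lists the remaining listeners with their PID for lookup. The function names are hypothetical and the sample rows and PIDs are constructed.

```python
import re

# Constructed sample in `netstat -a -n -o` layout; the PIDs are made up.
SAMPLE = """\
Proto  Local Address      Foreign Address    State        PID
TCP    0.0.0.0:1025       0.0.0.0:0          LISTENING    404
TCP    0.0.0.0:1056       0.0.0.0:0          LISTENING    1320
TCP    0.0.0.0:1072       0.0.0.0:0          LISTENING    1320
TCP    62.25.143.10:139   0.0.0.0:0          LISTENING    4
TCP    62.25.143.10:1056  64.33.6.241:80     ESTABLISHED  1320
TCP    62.25.143.10:1072  65.206.229.16:443  SYN_SENT     1320
TCP    127.0.0.1:1025     127.0.0.1:1049     TIME_WAIT    0
UDP    62.25.143.10:137   *:*                             4
"""

# TCP row: local addr:port, remote addr:port, state, optional PID (-o only).
ROW = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+([A-Z_0-9]+)(?:\s+(\d+))?\s*$")

def parse(text):
    """Return TCP rows as dicts; header, UDP and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            laddr, lport, raddr, rport, state, pid = m.groups()
            rows.append({"laddr": laddr, "lport": int(lport), "raddr": raddr,
                         "rport": rport, "state": state,
                         "pid": int(pid) if pid else None})
    return rows

def triage(rows):
    """Split LISTENING rows into (paired, standalone): paired means the same
    local port also shows up on an ESTABLISHED or SYN_SENT connection."""
    active = {r["lport"] for r in rows
              if r["state"] in ("ESTABLISHED", "SYN_SENT")}
    paired, standalone = [], []
    for r in rows:
        if r["state"] == "LISTENING":
            entry = (r["laddr"], r["lport"], r["pid"])
            (paired if r["lport"] in active else standalone).append(entry)
    return paired, standalone

if __name__ == "__main__":
    paired, standalone = triage(parse(SAMPLE))
    print("listeners whose port is also on an active connection:", paired)
    print("listeners to look up by PID:", standalone)
```

The grouping only sorts rows for review; the PID still has to be resolved to a process name with ps or the Windows equivalent, as the replies above suggest.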