Re: Weird session names
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 01/25/05
- Next message: Gordon Fecyk: "[Temp Paths] Re: More Before-The-Fact-Isms II, blocking viruses and spyware through NTFS"
- Previous message: Steven L Umbach: "Re: Weird session names"
- In reply to: Steven L Umbach: "Re: Weird session names"
- Next in thread: Kevin Davidson: "Re: Weird session names"
Date: Mon, 24 Jan 2005 17:14:05 -0700
AIUI the names given in the netstat display rely on reverse
resolution for the IP, with the display showing the name if
possible, else the IP.
If this is indeed so, then one should check the resolution
services in use for pollution by these "weird" names,
including the Hosts file as was just mentioned.
-- Roger

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:SfadnVOXUJsu4mjcRVn-tg@comcast.com...
> That is bizarre. Netstat -an of course shows IP addresses instead of names.
> The only other thing I can think of is to check the hosts file on the
> computer to see if there is an entry for
> play.battle.game.idle.rpgtechnologies for whatever reason. It would be
> interesting to try to ping play.battle.game.idle.rpgtechnologies to see if
> it resolves to local IP or ping localhost to see if it resolves to that
> name. --- Steve
>
>
> "Kevin Davidson" <kevin@qsinc.com> wrote in message
> news:%23a1KfWmAFHA.1524@TK2MSFTNGP09.phx.gbl...
> > We've looked at all of the connections. They are all legitimate file
> > shares or server connections. The local and the remote addresses are all
> > on the internal network. The ports are the usual ones for Microsoft SQL
> > Server, file sharing and http.
> >
> > The problem is the utterly bizarre names that appear on the netstat some
> > of the time. I can create a connection from my own machine to itself and
> > one end will show up as "play.battle.game.idle.rpgtechnologies.com". I
> > don't even LIKE RPG games, much less accessed such a site.
> >
> > Kevin
> >
> > Steven L Umbach wrote:
> >> What is the local address port and the remote address/port?? Is the
> >> remote address on your internal lan? If you can, paste the netstat in a
> >> reply. --- Steve
> >>
> >>
> >> "Kevin Davidson" <kevin@qsinc.com> wrote in message
> >> news:e29Zr3kAFHA.2428@TK2MSFTNGP14.phx.gbl...
> >>
> >>>play.battle.game.idle.rpgtechnologies.com is the local address, not the
> >>>remote address. These connections are not to external machines, but
> >>>internal to our network; it's just that the local machines are getting
> >>>these crazy names.
> >>>
> >>>Thanks to the tcpview link. It's cool. I have some of the other
> >>>sysinternals utilities and they are all very useful.
> >>>
> >>>Kevin
> >>>
> >>>Steven L Umbach wrote:
> >>>
> >>>>The ports involved for local and foreign address will give you more
> >>>>info. Try examining those computers as perhaps the user is connected to
> >>>>the internet initiating the connection. The first session example sounds
> >>>>like a connection to a game server somewhere possibly. I like to use the
> >>>>free tool from SysInternals called TCPView that will give you more
> >>>>detailed info on what processes/executables are involved with those
> >>>>connections. If this is seen on idle computers or servers that are not
> >>>>used for general internet browsing I would be more concerned and spyware
> >>>>and malware scans should be performed beyond normal schedules. A
> >>>>properly configured firewall should prevent uninitiated inbound
> >>>>connections to your network, though spyware and malware that is
> >>>>installed on a computer could start the connection from inside your
> >>>>network and be successful depending on the destination ports/protocols
> >>>>and the outbound restrictions on your firewall. --- Steve
> >>>>
> >>>>http://www.sysinternals.com/ntw2k/source/tcpview.shtml --- TCPView and
> >>>>link to SysInternals
> >>>>
> >>>>"Kevin Davidson" <kevin@qsinc.com> wrote in message
> >>>>news:u%23MGwMjAFHA.904@TK2MSFTNGP12.phx.gbl...
> >>>>
> >>>>
> >>>>>I did a netstat on my Windows 2000 Pro machine and saw some connections
> >>>>>that are probably legit from other machines on our company internal
> >>>>>network. However those machines are appearing with weird names.
> >>>>>
> >>>>>When we look at sessions using our Windows 2003 server, the weird names
> >>>>>appear on lots of our machines. The machine name is ok, but the session
> >>>>>name is strange. The session names are all in the form of an Internet
> >>>>>domain. Here are a couple of examples:
> >>>>>
> >>>>>play.battle.game.idle.rpgtechnologies.com
> >>>>>kau.tinggalkan.aku.setelah.semuanya.ku.serahkan.info
> >>>>>
> >>>>>(kau tinggalkan aku is a song title)
> >>>>>
> >>>>>Is this "normal" or do we have some kind of bug?
> >>>>>
> >>>>>Thanks in advance,
> >>>>>
> >>>>>Kevin
> >>>>
> >>>>
> >>
> >
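
The hosts-file check suggested in this thread, as an added example that is not part of the original posts: it parses hosts-file text and flags loopback or private addresses that are mapped to names outside the expected namespace. The sample file contents, the `corp.example` suffix and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample hosts-file text; every address and mapping here is made up.
SAMPLE_HOSTS = """\
# constructed sample for this example
127.0.0.1       localhost
192.168.1.10    fileserver.corp.example fileserver   # internal share
192.168.1.20    play.battle.game.idle.rpgtechnologies.com
10.0.0.5        sqlbox
not-an-ip       something
"""

def parse_hosts(text):
    """Return [(lineno, ip, [names])] for every well-formed mapping line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 2:
            continue                             # blank or comment-only line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first field is not an address
        names = [n.lower().rstrip(".") for n in fields[1:]]
        entries.append((lineno, ip, names))
    return entries

def suspicious_entries(text, allowed_suffixes=("corp.example",)):
    """Flag internal addresses whose names fall outside the expected namespace.

    Single-label names (localhost, NetBIOS-style machine names) and names under
    an allowed suffix are accepted; the suffix list is an assumption to adapt.
    """
    findings = []
    for lineno, ip, names in parse_hosts(text):
        if not (ip.is_loopback or ip.is_private):
            continue                             # only internal addresses matter here
        for name in names:
            single_label = "." not in name
            in_suffix = any(name == s or name.endswith("." + s)
                            for s in allowed_suffixes)
            if not (single_label or in_suffix):
                findings.append((lineno, str(ip), name))
    return findings

if __name__ == "__main__":
    for lineno, ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"hosts line {lineno}: {ip} -> {name}")
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; a clean result there points the search at the DNS zones that answer reverse lookups for the internal ranges.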