Re: Unknown service sending UDP traffic to a Microsoft IP address

From: Marc Reynolds [MSFT] (marcrey_at_online.microsoft.com)
Date: 02/22/04


Date: Sun, 22 Feb 2004 09:05:02 -0600

Use "netstat -ano" to map the port usage to a PID and then find the PID in
task manager to map to a process.

-- 
Thanks,
Marc Reynolds
Microsoft Technical Support
This posting is provided "AS IS" with no warranties, and confers no rights.
"Chris Welch" <macspert@webnautica.net> wrote in message
news:675406f5.0402212043.5fd0550f@posting.google.com...
> I was packet sniffing on my network and I found some unusual traffic
> going to a Microsoft IP address. Here's the netstat.
>
> > 64.4.25.80
> Name:    baym-td1.msgr.hotmail.com
> Address:  64.4.25.80
>
> The weird thing is that I don't have messenger running. It's being
> sent to UDP Port 3544, and the service that is calling it is hosted by
> the process:
>
> svchost.exe -k netsvcs
>
> Because there were a lot of services on the list that were hosted I
> didn't want to start turning on and off each one, until the traffic
> stopped. Here's the tasklist output:
>
> svchost.exe                  xxx 6to4, AudioSrv, BITS, Browser, CryptSvc,
>                                  Dhcp, dmserver, ERSvc, EventSystem,
>                                  FastUserSwitchingCompatibility, helpsvc,
>                                  HidServ, Ip6FwHlp, lanmanserver,
>                                  lanmanworkstation, Messenger, Netman, Nla,
>                                  Schedule, seclogon, SENS, ShellHWDetection,
>                                  srservice, TermService, Themes, TrkWks,
>                                  uploadmgr, W32Time, winmgmt, wuauserv, WZCSVC
>
> If anyone knows what this traffic is, I'd sure appreciate the help.
> I've only seen one other post (written by Monty) about this traffic on
> the net and it was on this board, but wasn't answered. I'm not
> screaming conspiracy, but I sure am curious.
>
> Thanks in advance,
> Chris

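The lookup Marc describes, done as an added example rather than code from either poster: a Python script that parses `netstat -ano` and `tasklist /svc` output and joins them on PID, so a port seen in a capture resolves to a process and, for an svchost.exe host, to the list of services it carries. The two sample outputs are constructed to resemble Chris's post (PIDs, addresses and the shortened service list are made up, not real captures). One caveat the script encodes: UDP rows in netstat have no foreign address and no state, so the key to look up is the local (source) port from the sniffer, not the remote port 3544.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of `netstat -ano` output (XP era), modelled on the post.
# UDP rows carry no foreign address or state: the socket is connectionless, so
# a sniffer, not netstat, is what tells you the destination was 64.4.25.80:3544.
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    192.168.1.5:1032       64.4.25.80:1863        ESTABLISHED     1880
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.5:1030       *:*                                    1016
  UDP    [::1]:1900             *:*                                    1256
"""

# Constructed sample of `tasklist /svc`; long service lists wrap onto
# indented continuation lines exactly as in the post.
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    888 RpcSs
svchost.exe                   1016 6to4, AudioSrv, BITS, Browser, CryptSvc,
                                   Dhcp, dmserver, ERSvc, EventSystem,
                                   Messenger, Netman, Nla, Schedule, SENS,
                                   W32Time, winmgmt, wuauserv, WZCSVC
svchost.exe                   1256 SSDPSRV, WebClient
msnmsgr.exe                   1880 N/A
"""


@dataclass(frozen=True)
class Socket:
    proto: str
    local_ip: str
    local_port: int
    foreign: str
    state: Optional[str]   # None for UDP rows
    pid: int


# Proto, local, foreign, optional STATE word, PID. The state group only
# matches letters, so a UDP row's PID is never mistaken for a state.
_NETSTAT_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def _split_endpoint(endpoint: str) -> Tuple[str, int]:
    """'192.168.1.5:1030' -> ('192.168.1.5', 1030); also handles '[::1]:1900'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat(text: str) -> List[Socket]:
    rows: List[Socket] = []
    for line in text.splitlines():
        m = _NETSTAT_ROW.match(line)
        if not m:
            continue  # banner and header lines
        proto, local, foreign, state, pid = m.groups()
        ip, port = _split_endpoint(local)
        rows.append(Socket(proto, ip, port, foreign, state, int(pid)))
    return rows


# Image name (may contain spaces), then the PID, then the services column.
_TASK_ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")


def _services(field: str) -> List[str]:
    return [s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist_svc(text: str) -> Dict[int, Tuple[str, List[str]]]:
    tasks: Dict[int, Tuple[str, List[str]]] = {}
    current: Optional[int] = None
    for line in text.splitlines():
        if line.startswith("=") or line.startswith("Image Name"):
            continue
        m = _TASK_ROW.match(line)
        if m:
            image, pid, svcs = m.groups()
            current = int(pid)
            tasks[current] = (image, _services(svcs))
        elif line.startswith(" ") and current is not None:
            # wrapped continuation of the previous row's service list
            tasks[current][1].extend(_services(line))
    return tasks


def find_owner(sockets: List[Socket], tasks: Dict[int, Tuple[str, List[str]]],
               proto: str, local_port: int) -> Optional[Tuple[int, str, List[str]]]:
    """Resolve a (proto, local port) pair from a capture to (pid, image, services).
    Returns None when nothing is bound on that local port."""
    for s in sockets:
        if s.proto == proto and s.local_port == local_port:
            image, svcs = tasks.get(s.pid, ("<pid not in tasklist>", []))
            return s.pid, image, svcs
    return None


if __name__ == "__main__":
    socks, procs = parse_netstat(NETSTAT_ANO), parse_tasklist_svc(TASKLIST_SVC)
    # The sniffer showed 192.168.1.5:1030 -> 64.4.25.80:3544, so key on 1030.
    print(find_owner(socks, procs, "UDP", 1030))
    print(find_owner(socks, procs, "UDP", 3544))  # None: 3544 is the remote port
```

When the owner turns out to be an svchost.exe hosting a dozen services, the script can only hand back the candidate list. To narrow it without stopping services one at a time, `sc config <ServiceName> type= own` (the space after `=` is required) moves a single service into its own process, so the next `netstat -ano` shows a PID that maps to exactly one service; switch it back with `type= share` afterwards. On Windows XP SP2 and later, `netstat -b` also prints the executable behind each socket.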
