Velocity Reviews - Computer Hardware Reviews

identifying the source of suspicious outgoing network traffic

 
 
dave
10-22-2006
I decided to block and log all outgoing
network traffic from my win2k computer
(192.168.1.13) using my Linux based firewall (iptables)
and am getting a lot of entries which look like

Oct 22 13:09:34 IN=eth1 OUT=eth0 SRC=192.168.1.13 DST=81.105.6.18
LEN=142 TOS=0x00 PREC=0x00 TTL=127 ID=38884 PROTO=UDP SPT=49038
DPT=43184 LEN=122

My question is: Can I identify the processes on my win2k box
which are generating these attempts to communicate.

Thanks,

Dave
 

Sebastian Gottschalk
10-22-2006
dave wrote:

> My question is: Can I identify the processes on my win2k box
> which are generating these attempts to communicate?

netstat -ano
 

dave
10-22-2006
Sebastian Gottschalk wrote:
> dave wrote:
>
>> My question is: Can I identify the processes on my win2k box
>> which are generating these attempts to communicate?
>
> netstat -ano

Thanks for the reply. I had already looked at netstat on my win2k box
but it does not identify the process which is associated with the port
being open. This netstat does not seem to accept the "o" option.
netstat -ano just displays the help screen and netstat -an
only displays

TCP 0.0.0.0:49038 0.0.0.0:0 LISTENING
UDP 0.0.0.0:49038 *:*

for example which was associated with my iptables log for that port.


Oct 22 13:09:34 IN=eth1 OUT=eth0 SRC=192.168.1.13 DST=81.105.6.18
LEN=142 TOS=0x00 PREC=0x00 TTL=127 ID=38884 PROTO=UDP SPT=49038
DPT=43184 LEN=122

Dave
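
Added example (not code from the thread) in Python: it parses iptables LOG lines of the shape quoted above, groups them into outbound flows, and looks each source port up in `netstat -an` output as the post shows it. The log and netstat text are constructed samples; since this netstat has no PID column, the script can only report which local socket is still open for a logged port, and the owning process has to come from another tool.

```python
import re
from collections import Counter

# Constructed sample: iptables LOG lines in the shape quoted in the thread,
# each entry on one line as syslog writes it (the post shows them wrapped)
IPTABLES_LOG = """\
Oct 22 13:09:34 IN=eth1 OUT=eth0 SRC=192.168.1.13 DST=81.105.6.18 LEN=142 TOS=0x00 PREC=0x00 TTL=127 ID=38884 PROTO=UDP SPT=49038 DPT=43184 LEN=122
Oct 22 13:09:41 IN=eth1 OUT=eth0 SRC=192.168.1.13 DST=81.105.6.18 LEN=142 TOS=0x00 PREC=0x00 TTL=127 ID=38885 PROTO=UDP SPT=49038 DPT=43184 LEN=122
Oct 22 13:10:02 IN=eth1 OUT=eth0 SRC=192.168.1.13 DST=10.0.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=38890 PROTO=TCP SPT=1054 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# Constructed sample: "netstat -an" on the Windows host (no -o, so no PID column)
NETSTAT_AN = """\
  TCP    0.0.0.0:49038          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:49038          *:*
  UDP    0.0.0.0:137            *:*
"""

KV_RE = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    """Return the KEY=VALUE fields of one iptables LOG entry.
    LEN= appears twice (IP header, then UDP); the first one is kept."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields.setdefault(key, value)
    return fields

def parse_netstat(text):
    """Map (PROTO, local port) -> local address as printed by netstat -an."""
    sockets = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("TCP", "UDP"):
            sockets[(parts[0], int(parts[1].rsplit(":", 1)[1]))] = parts[1]
    return sockets

def correlate(log_text, netstat_text):
    """Group blocked outbound packets into flows and attach the local socket
    netstat still shows for the source port (None if it has already closed)."""
    sockets = parse_netstat(netstat_text)
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if all(k in f for k in ("PROTO", "SPT", "DST", "DPT")):
            counts[(f["PROTO"], int(f["SPT"]), f["DST"], int(f["DPT"]))] += 1
    # a flow whose local socket is still open is the one to look up by process
    return [{"proto": p, "sport": sp, "dst": d, "dport": dp, "hits": n,
             "local_socket": sockets.get((p, sp))}
            for (p, sp, d, dp), n in sorted(counts.items())]
```

Run `correlate(IPTABLES_LOG, NETSTAT_AN)` against a real log file and real netstat output to get the same per-flow summary; an ephemeral TCP port that has already closed shows up with `local_socket` set to None.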





 

Jim Watt
10-23-2006
On Sun, 22 Oct 2006 22:42:53 GMT, dave <(E-Mail Removed)> wrote:

>Sebastian Gottschalk wrote:
>> dave wrote:
>>
>>> My question is: Can I identify the processes on my win2k box
>>> which are generating these attempts to communicate?
>>
>> netstat -ano
>
>Thanks for the reply. I had already looked at netstat on my win2k box
>but it does not identify the process which is associated with the port
>being open. This netstat does not seem to accept the "o" option.
>netstat -ano just displays the help screen and netstat -an
>only displays
>
> TCP 0.0.0.0:49038 0.0.0.0:0 LISTENING
> UDP 0.0.0.0:49038 *:*
>
>for example which was associated with my iptables log for that port.
>
>Oct 22 13:09:34 IN=eth1 OUT=eth0 SRC=192.168.1.13 DST=81.105.6.18
>LEN=142 TOS=0x00 PREC=0x00 TTL=127 ID=38884 PROTO=UDP SPT=49038
>DPT=43184 LEN=122


Get process monitor from sysinternals (freeware)

http://www.sysinternals.com/Utilitie...sExplorer.html

It will tell.

--
Jim Watt
http://www.gibnet.com
 

dave
10-23-2006
Jim Watt wrote:
> On Sun, 22 Oct 2006 22:42:53 GMT, dave <(E-Mail Removed)> wrote:
>
>> Sebastian Gottschalk wrote:
>>> dave wrote:
>>>
>>>> My question is: Can I identify the processes on my win2k box
>>>> which are generating these attempts to communicate?
>>> netstat -ano
>>
>> Thanks for the reply. I had already looked at netstat on my win2k box
>> but it does not identify the process which is associated with the port
>> being open. This netstat does not seem to accept the "o" option.
>> netstat -ano just displays the help screen and netstat -an
>> only displays
>>
>> TCP 0.0.0.0:49038 0.0.0.0:0 LISTENING
>> UDP 0.0.0.0:49038 *:*
>>
>> for example which was associated with my iptables log for that port.
>>
>> Oct 22 13:09:34 IN=eth1 OUT=eth0 SRC=192.168.1.13 DST=81.105.6.18
>> LEN=142 TOS=0x00 PREC=0x00 TTL=127 ID=38884 PROTO=UDP SPT=49038
>> DPT=43184 LEN=122
>
> Get process monitor from sysinternals (freeware)
>
> http://www.sysinternals.com/Utilitie...sExplorer.html
>
> It will tell.
>
> --
> Jim Watt
> http://www.gibnet.com

Thanks,

I installed it and it is a good beginning.

Dave
 