identifying the source of suspicious outgoing network traffic

Discussion in 'Computer Security' started by dave, Oct 22, 2006.

  1. dave

    dave Guest

    I decided to block and log all outgoing
    network traffic from my win2k computer
    (192.168.1.13) using my Linux based firewall (iptables)
    and am getting a lot of entries which look like

    Oct 22 13:09:34 IN=eth1 OUT=eth0 SRC=192.168.1.13 DST=81.105.6.18
    LEN=142 TOS=0x00 PREC=0x00 TTL=127 ID=38884 PROTO=UDP SPT=49038
    DPT=43184 LEN=122

    My question is: Can I identify the processes on my win2k box
    which are generating these attempts to communicate.

    Thanks,

    Dave
     
    dave, Oct 22, 2006
    #1

  2. Sebastian Gottschalk

    dave wrote:

    > My question is: Can I identify the processes on my win2k box
    > which are generating these attempts to communicate.


    netstat -ano
     
    Sebastian Gottschalk, Oct 22, 2006
    #2

  3. dave

    dave Guest

    Sebastian Gottschalk wrote:
    > dave wrote:
    >
    >> My question is: Can I identify the processes on my win2k box
    >> which are generating these attempts to communicate.
    >
    > netstat -ano

    Thanks for the reply. I had already looked at netstat on my win2k box
    but it does not identify the process which is associated with the port
    being open. This netstat does not seem to accept the "o" option.
    netstat -ano just displays the help screen and netstat -an
    only displays

    TCP 0.0.0.0:49038 0.0.0.0:0 LISTENING
    UDP 0.0.0.0:49038 *:*

    for example which was associated with my iptables log for that port.


    Oct 22 13:09:34 IN=eth1 OUT=eth0 SRC=192.168.1.13 DST=81.105.6.18
    LEN=142 TOS=0x00 PREC=0x00 TTL=127 ID=38884 PROTO=UDP SPT=49038
    DPT=43184 LEN=122

    Dave
     
    dave, Oct 22, 2006
    #3
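    The thread turns on two steps: reading the iptables LOG lines to see which local ports are talking, and then mapping those ports to a process on the Windows host. The script below is an added example (not code from the thread or from any of the posters) that automates both steps: it parses LOG lines in the format shown above, counts how often each 5-tuple appears, and joins the source port against the PID column of `netstat -ano` output. The sample log lines and the netstat listing are constructed for the example; as Dave found, the Windows 2000 netstat has no `-o` switch, so the PID column only exists on later Windows versions or when the listing comes from a tool such as Process Explorer. A flow whose port has no entry gets `pid=None`, which is also what you see when a short-lived ephemeral port has already been closed by the time the snapshot is taken, so the snapshot has to be captured while the traffic is still being logged.

```python
"""Correlate iptables LOG lines with `netstat -ano` output to find the owning PID.

Added example, not code from the thread.  All sample data below is constructed.
"""
import re
from collections import Counter

# Constructed iptables LOG lines, modelled on the one Dave posted.
IPTABLES_LOG = """\
Oct 22 13:09:34 IN=eth1 OUT=eth0 SRC=192.168.1.13 DST=81.105.6.18 LEN=142 TOS=0x00 PREC=0x00 TTL=127 ID=38884 PROTO=UDP SPT=49038 DPT=43184 LEN=122
Oct 22 13:09:41 IN=eth1 OUT=eth0 SRC=192.168.1.13 DST=81.105.6.18 LEN=142 TOS=0x00 PREC=0x00 TTL=127 ID=38901 PROTO=UDP SPT=49038 DPT=43184 LEN=122
Oct 22 13:10:02 IN=eth1 OUT=eth0 SRC=192.168.1.13 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=38950 PROTO=TCP SPT=1045 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# Constructed `netstat -ano` listing in the layout Windows XP/2003 and later print.
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.1.13:1045      10.0.0.5:80            SYN_SENT        1532
  UDP    0.0.0.0:49038          *:*                                    1924
"""

LOG_PREFIX = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<rest>.*)$")
KV = re.compile(r"(\w+)=(\S*)")


def parse_iptables_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line, or None if it does not parse.

    The first LEN= is the IP total length; a later LEN= on UDP lines is the
    datagram length.  setdefault keeps the first occurrence of a repeated key.
    Bare flags such as SYN carry no '=' and are skipped by the regex.
    """
    m = LOG_PREFIX.match(line.strip())
    if not m:
        return None
    fields = {"TS": m.group("ts")}
    for key, value in KV.findall(m.group("rest")):
        fields.setdefault(key, value)
    if "PROTO" not in fields or "SRC" not in fields:
        return None
    return fields


def summarize_flows(log_text):
    """Count log lines per (proto, src, spt, dst, dpt) 5-tuple."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_iptables_line(line)
        if f is None:
            continue
        counts[(f["PROTO"], f["SRC"], f.get("SPT"), f["DST"], f.get("DPT"))] += 1
    return counts


def parse_netstat_ano(netstat_text):
    """Map (proto, local_port) -> PID from `netstat -ano` output.

    TCP rows carry a State column and UDP rows do not, so the PID is read from
    the last column rather than a fixed index.
    """
    sockets = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, pid = parts[0], parts[1], parts[-1]
        if not pid.isdigit():
            continue
        sockets[(proto, local.rsplit(":", 1)[-1])] = int(pid)
    return sockets


def correlate(log_text, netstat_text):
    """Attach the owning PID (or None) to each flow seen in the firewall log, busiest first."""
    sockets = parse_netstat_ano(netstat_text)
    rows = []
    for (proto, src, spt, dst, dpt), n in sorted(summarize_flows(log_text).items(), key=lambda kv: -kv[1]):
        rows.append({"proto": proto, "src": src, "spt": spt, "dst": dst, "dpt": dpt,
                     "count": n, "pid": sockets.get((proto, spt))})
    return rows


if __name__ == "__main__":
    for row in correlate(IPTABLES_LOG, NETSTAT_ANO):
        pid = row["pid"] if row["pid"] is not None else "unknown (socket gone, or netstat lacks -o)"
        print(f"{row['proto']} {row['src']}:{row['spt']} -> {row['dst']}:{row['dpt']} "
              f"x{row['count']}  PID {pid}")
```

Run against a real log, feed the iptables LOG output to `correlate` and paste in a `netstat -ano` capture taken on the Windows host at the same time; the UDP socket bound on 0.0.0.0:49038 in the sample maps to PID 1924, which is the kind of answer Dave was after.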
  4. Jim Watt

    Jim Watt Guest

    On Sun, 22 Oct 2006 22:42:53 GMT, dave <> wrote:

    >Sebastian Gottschalk wrote:
    >> dave wrote:
    >>
    >>> My question is: Can I identify the processes on my win2k box
    >>> which are generating these attempts to communicate.
    >>
    >> netstat -ano
    >
    >Thanks for the reply. I had already looked at netstat on my win2k box
    >but it does not identify the process which is associated with the port
    >being open. This netstat does not seem to accept the "o" option.
    >netstat -ano just displays the help screen and netstat -an
    >only displays
    >
    > TCP 0.0.0.0:49038 0.0.0.0:0 LISTENING
    > UDP 0.0.0.0:49038 *:*
    >
    >for example which was associated with my iptables log for that port.
    >
    >Oct 22 13:09:34 IN=eth1 OUT=eth0 SRC=192.168.1.13 DST=81.105.6.18
    >LEN=142 TOS=0x00 PREC=0x00 TTL=127 ID=38884 PROTO=UDP SPT=49038
    >DPT=43184 LEN=122


    Get process monitor from sysinternals (freeware)

    www.sysinternals.com/Utilities/ProcessExplorer.html

    It will tell.

    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Oct 23, 2006
    #4
  5. dave

    dave Guest

    Jim Watt wrote:
    > On Sun, 22 Oct 2006 22:42:53 GMT, dave <> wrote:
    >
    >> Sebastian Gottschalk wrote:
    >>> dave wrote:
    >>>
    >>>> My question is: Can I identify the processes on my win2k box
    >>>> which are generating these attempts to communicate.
    >>>
    >>> netstat -ano
    >>
    >> Thanks for the reply. I had already looked at netstat on my win2k box
    >> but it does not identify the process which is associated with the port
    >> being open. This netstat does not seem to accept the "o" option.
    >> netstat -ano just displays the help screen and netstat -an
    >> only displays
    >>
    >> TCP 0.0.0.0:49038 0.0.0.0:0 LISTENING
    >> UDP 0.0.0.0:49038 *:*
    >>
    >> for example which was associated with my iptables log for that port.
    >>
    >> Oct 22 13:09:34 IN=eth1 OUT=eth0 SRC=192.168.1.13 DST=81.105.6.18
    >> LEN=142 TOS=0x00 PREC=0x00 TTL=127 ID=38884 PROTO=UDP SPT=49038
    >> DPT=43184 LEN=122
    >
    > Get process monitor from sysinternals (freeware)
    >
    > www.sysinternals.com/Utilities/ProcessExplorer.html
    >
    > It will tell.
    >
    > --
    > Jim Watt
    > http://www.gibnet.com

    Thanks,

    I installed it and it is a good beginning.

    Dave
     
    dave, Oct 23, 2006
    #5