Hi, Martynas.
Sorry, but I probably was not clear in my explanation. Problem is that
Windows 2003 server is acting as client in my case. Windows Server is
initiating session to port 139 to different workstations on the net. It
actually tries to login to many workstations on different local subnets
as user Administrator (logon is denied). I want understand which process
behind "System 4" initiates this scan to many computers with attempt to
logon as Admin user.
I can bet that there must be people who already were trying to find
process behind "System 4" and I will appreciate if somebody will share
his/her experience.
I already set up an open system and wait till it hit it's IP to
understand what will follow upon successful logon. But I expect that
there must be a way how to find under Windows what is behind connection.
So easy with lsof under Unix, looks like impossible under Windows?...
Thanks.
With best regards
Martynas
It is a little bit offtopic, but also you can try "netstat -bv", it
will give you executable behind process, like this:
TCP IBM-******:epmap localhost:1040 ESTABLISHED 1580
C:\WINDOWS\system32\imon.dll
C:\WINDOWS\system32\RPCRT4.dll
c:\windows\system32\rpcss.dll
C:\WINDOWS\system32\svchost.exe
--
Regards,
Roman
securitybox@softhome.net
http://securitybox.org.ru
---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
