Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: How to find process behing TCP connection ?

from [Steve Armstrong] Network Security [Permanent Link]
Subject: RE: How to find process behing TCP connection ?
Date: Fri, 29 Sep 2006 19:10:46 +0100 
The two best tools are tcpview and process explorer.  Both are by sysinternals. 
 Tcpview will show connections  and what process is behind it, and the remote 
address.

Process  explorer is an excellent  tool that will show all processes.  Hover 
your mouse over a listing and it will list what it provides eg svchost! Very 
cool.  You can also look at what port, remote connection, memory and resources 
are being used.  You can even look at the strings in the file.

Get these two and burn them to a cdrom - they make a great incident 
identification tool kit.

Also given the @stake tool posting yesterday, get these now, as microsoft  has 
bought sysinternals so the day will come where these are either not free nor 
not available.

I have downloaded all the sysinternals  tools and will post a link to the 
complete zip in the next few days.

Hope this is of use to you.

Steve A

-----------------------------

-----Original Message-----
From: "Buozis, Martynas" <martynas@ti.com>
To: "Colin Copley" <colin.75@btinternet.com>
Cc: "security-basics@securityfocus.com" <security-basics@securityfocus.com>
Sent: 27/09/06 22:39
Subject: RE: How to find process behing TCP connection ?

Thanks for reply.

Maybe I was not clear. Windows Server 2003 is acting as client and
initiates connection to service on port 139 too many workstations.
Actually it tries to logon as Administrator to many computers. And
process, that initiates connection, is "System 4". There are no reasons
why this server should connect to any of these workstations. Per
configuration attempt to logon as Admin is denied.

I set up open system and expect server will try to connect to it, so
maybe I will understand better what is behind activity, but I am also
sure, that more people got same problem for different reasons and they
are willing to share their experience.

So easy under Unix with LSOF and not possible under Windows ?... Can't
believe!


With best regards
Martynas

 
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Colin Copley
Sent: Wednesday, September 27, 2006 8:55 PM
To: Buozis, Martynas
Cc: security-basics@securityfocus.com
Subject: Re: How to find process behing TCP connection ?

Maybe this is some help?

http://forum.sysinternals.com/forum_posts.asp?TID=3432

If not, perhaps you could attempt to telnet or putty into the port, and
see
if it returns an error message which might give some more info.
Another idea - try ethereal to capture the packet data and see what it
contains.
Also I believe nmap can attempt to establish what's listening on a
certain
port.  It might give you more info than just system 4.
Regards
Colin


----- Original Message ----- 
From: "Buozis, Martynas" <martynas@ti.com>
Hello

I need an advice. I have Windows 2003 server. It occasionally show
strange and suspicious network behavior. I used command "netstat -abov"
and Process explorer tool from Sysinternals to find process behind
connections. I found that it is "System 4" and got stuck. How I can
identify what is behind this "System 4"?

I thought it may be hidden process, but RootkitReveal from Systinternals
did not show anything.

I will be grateful for any ideas how to identify what is behind these
TCP connections from server to many computers!

Thank you in advance.

With best regards
Martynas



------------------------------------------------------------------------
---
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic
Excellence 
in Information Security. Our program offers unparalleled Infosec
management 
education and the case study affords you unmatched consulting
experience. 
Using interactive e-Learning technology, you can earn this esteemed
degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  open source antivirus, gmx
Next by Date:  Re: open source antivirus, Kurt Buff
Previous by Thread:  Re: How to find process behing TCP connection ?, eromero
Next by Thread:  Re: How to find process behing TCP connection ?, Michael Painter
Indexes:  [Date] [Thread] [Top] [All Lists]