NETSTAT STUFF

ancee1 · Trooper Joined: Apr 18, 2004 Posts: 18 Location: USA

If I were to post my a copy of what I get when I use the netstat command, is there anyone out there who can tell me what it means? I am not used to seeing so many ports listed as active on there. I'm wondering if I need to change something. Please reply!

qwiyet1 · Private Joined: Mar 12, 2004 Posts: 41 Location: USA

Can I suggest you go to www.sysinternals.com and get a copy of tcpview (a better tool than netstat) to view your open ports.
Run tcpview before and then after you connect online. After you run each tcpview save it as a file (beforelan, afterlan) you can open it and search websites for the use of the ports you are running. I use Symantec site to search tcp / udp ports for possible virus/worm/hacker use.

ancee1 · Trooper Joined: Apr 18, 2004 Posts: 18 Location: USA

thanks, qwiyet1. I did get tcpview but there are still things showing up on there that I don't understand. I appreciate your help though.

qwiyet1 · Private Joined: Mar 12, 2004 Posts: 41 Location: USA

If you would like, cut and paste your tcpview (or attach file) - I'll see if I can explain some of it.

ancee1 · Trooper Joined: Apr 18, 2004 Posts: 18 Location: USA

You are very kind to do that for me! Thanks!
Here's what it looked like when I was not connected to the internet. I blocked traffic with my Norton Internet Security.

ALG.EXE:1416 TCP Home:3001 Home:0 LISTENING
ccApp.exe:500 TCP Home:3006 Home:0 LISTENING
CCPXYSVC.EXE:1428 TCP Home:1027 Home:0 LISTENING
LSASS.EXE:708 UDP Home:isakmp *:*
MSMSGS.EXE:3720 TCP home:14325 Home:0 LISTENING
MSMSGS.EXE:3720 UDP Home:3018 *:*
MSMSGS.EXE:3720 UDP home:7925 *:*
MSMSGS.EXE:3720 UDP home:25608 *:*
SVCHOST.EXE:1040 UDP Home:3022 *:*
SVCHOST.EXE:1056 TCP Home:5000 Home:0 LISTENING
SVCHOST.EXE:1056 UDP Home:1900 *:*
SVCHOST.EXE:1056 UDP home:1900 *:*
SVCHOST.EXE:880 TCP Home:epmap Home:0 LISTENING
SVCHOST.EXE:904 TCP Home:1025 Home:0 LISTENING
SVCHOST.EXE:904 TCP Home:3152 Home:0 LISTENING
SVCHOST.EXE:904 TCP Home:3157 Home:0 LISTENING
SVCHOST.EXE:904 TCP Home:3002 Home:0 LISTENING
SVCHOST.EXE:904 TCP Home:3003 Home:0 LISTENING
SVCHOST.EXE:904 TCP Home:3152 localhost:1027 CLOSE_WAIT
SVCHOST.EXE:904 UDP Home:ntp *:*
SVCHOST.EXE:904 UDP home:ntp *:*
System:4 TCP Home:microsoft-ds Home:0 LISTENING
System:4 TCP Home:1028 Home:0 LISTENING
System:4 TCP home:netbios-ssn Home:0 LISTENING
System:4 UDP Home:microsoft-ds *:*
System:4 UDP home:netbios-ns *:*
System:4 UDP home:netbios-dgm *:*

Here's what it looked like after I connected and pulled up this page.

[System Process]:0 TCP Home:1027 localhost:4443 TIME_WAIT
[System Process]:0 TCP Home:1027 localhost:4445 TIME_WAIT
[System Process]:0 TCP Home:1027 localhost:4447 TIME_WAIT
[System Process]:0 TCP Home:1027 localhost:4449 TIME_WAIT
[System Process]:0 TCP Home:1027 localhost:4451 TIME_WAIT
[System Process]:0 TCP Home:1027 localhost:4453 TIME_WAIT
[System Process]:0 TCP Home:1027 localhost:4455 TIME_WAIT
[System Process]:0 TCP Home:1027 localhost:4457 TIME_WAIT
[System Process]:0 TCP Home:1027 localhost:4477 TIME_WAIT
[System Process]:0 TCP Home:1027 localhost:4464 TIME_WAIT
[System Process]:0 TCP Home:1027 localhost:4489 TIME_WAIT
[System Process]:0 TCP Home:1027 localhost:4491 TIME_WAIT
[System Process]:0 TCP Home:1027 localhost:4493 TIME_WAIT
[System Process]:0 TCP Home:1027 localhost:4495 TIME_WAIT
[System Process]:0 TCP Home:1027 localhost:4499 TIME_WAIT
[System Process]:0 TCP Home:1027 localhost:4501 TIME_WAIT
[System Process]:0 TCP Home:1027 localhost:4503 TIME_WAIT
[System Process]:0 TCP Home:1027 localhost:4505 TIME_WAIT
[System Process]:0 TCP Home:1027 localhost:4507 TIME_WAIT
[System Process]:0 TCP Home:1027 localhost:4508 TIME_WAIT
[System Process]:0 TCP Home:1027 localhost:4511 TIME_WAIT
[System Process]:0 TCP Home:1027 localhost:4515 TIME_WAIT
[System Process]:0 TCP Home:1027 localhost:4517 TIME_WAIT
ALG.EXE:1416 TCP Home:3001 Home:0 LISTENING
ccApp.exe:500 TCP Home:3006 Home:0 LISTENING
CCPXYSVC.EXE:1428 TCP Home:1027 Home:0 LISTENING
IEXPLORE.EXE:4088 UDP Home:4442 *:*
LSASS.EXE:708 UDP Home:isakmp *:*
MSMSGS.EXE:3720 TCP home:14325 Home:0 LISTENING
MSMSGS.EXE:3720 UDP Home:3018 *:*
MSMSGS.EXE:3720 UDP home:7925 *:*
MSMSGS.EXE:3720 UDP home:40904 *:*
SVCHOST.EXE:1040 UDP Home:3022 *:*
SVCHOST.EXE:1056 TCP Home:5000 Home:0 LISTENING
SVCHOST.EXE:1056 UDP Home:1900 *:*
SVCHOST.EXE:1056 UDP home:1900 *:*
SVCHOST.EXE:880 TCP Home:epmap Home:0 LISTENING
SVCHOST.EXE:904 TCP Home:1025 Home:0 LISTENING
SVCHOST.EXE:904 TCP Home:3152 Home:0 LISTENING
SVCHOST.EXE:904 TCP Home:3157 Home:0 LISTENING
SVCHOST.EXE:904 TCP Home:3002 Home:0 LISTENING
SVCHOST.EXE:904 TCP Home:3003 Home:0 LISTENING
SVCHOST.EXE:904 TCP Home:3152 localhost:1027 CLOSE_WAIT
SVCHOST.EXE:904 UDP Home:ntp *:*
SVCHOST.EXE:904 UDP home:ntp *:*
System:4 TCP Home:microsoft-ds Home:0 LISTENING
System:4 TCP Home:1028 Home:0 LISTENING
System:4 TCP home:netbios-ssn Home:0 LISTENING
System:4 UDP Home:microsoft-ds *:*
System:4 UDP home:netbios-ns *:*
System:4 UDP home:netbios-dgm *:*
YPager.exe:2948 TCP Home:4164 Home:0 LISTENING
YPager.exe:2948 TCP home:4164 cs5.msg.dcn.yahoo.com:5050 ESTABLISHED
YPager.exe:2948 TCP Home:5101 Home:0 LISTENING

Thanks so much for your time!

guyvermatt · Cadet Joined: Jun 02, 2004 Posts: 7 Location: USA

http:\\www.computerhope.com/msdos.htm

has alot of command.com /network commands

guyvermatt · Cadet Joined: Jun 02, 2004 Posts: 7 Location: USA

http:\\www.computerhope.com/msdos.htm

has alot of command.com /network commands

qwiyet1 · Private Joined: Mar 12, 2004 Posts: 41 Location: USA

trouble accessing site - give a moment to review. The only thing that jumps out is the established connection to Yahoo (I take it yahoo messenger?).
Try going to www.iana.org/assignments/port-numbers for a list of the know tcp/udp ports in use. AV provider websites at times provide a similar list but they list the ports most likely used for viruses, backdoors and trojans.

virus_guy · Trooper Joined: Apr 16, 2004 Posts: 31 Location: Pakistan

I think you should just read an article or two on ports and networking...it was just like a week ago when all this ports stuff looked like gibberish to me...but now i pretty much understand most of this;).Anyways..you can put the output of the netstat command in a file using the following command:
netstat>C:\filename.txt
Here,instead of C:\filename.txt you could write another path name and file name.I hope that helps:)

Mosaic1 · Posted: Sun Jun 06, 2004 9:26 pm Post subject:

Merijn wrote a nice page explaining how to interpret results. Its a start .

http://www.geocities.com/merijn_belleko...tatan.html

Once you have interpreted your report, then you can check out the information which may be problematic.

One thing which will hold ports open is services. Many are needed, but many are not and should be stopped because of the security risks they can pose.
Check out your services first and close some of those ports by not loading anything you don't need Looks like you run XP?

Remember to be careful here. Services are essential to the operating system. Stop or disable the wrong one and you may not be able to boot into Windows.
http://blackviper.com/WinXP/servicecfg.htm

ancee1 · Trooper Joined: Apr 18, 2004 Posts: 18 Location: USA

Thanks Mosaic 1! That article was very helpful!

Yes, I run XP. I noticed in that article that you should only worry about the UDP connections if they don't have a TCP twin. Only one of mine has a TCP twin. The others have *:* beside it. I may have overlooked it, but I didn't see what you do in that case. He has "who cares" by such ports when he interpreted the netstat results on the example though.

I know I'm not supposed to, but I'd like to PM you with another security-related question. You can PM me and let me know if it's okay. Thanks!


	Home ˇ Topics ˇ Submit News ˇ Top 10 This entire site, Cops Themes, and Computer Cops are Š 2002 - 2004 Computer Cops, LLC. All rights reserved. You can syndicate our news using the file RSS 0.91, ultramode.txt, or RSS 1.0. Acceptable Use Policy. Use signifies your agreement. Engine Copyright Š 2002 by PHP-Nuke, GNU/GPL Licensed. ICRA Member. Paul Laudanski, Member of Computer Cops, LLC Server Load: 1065 pages served in previous 5 minutes. Page Rendered: 1.070 seconds.