Security Basics mailing list archives
Re[2]: How to find process behing TCP connection ?
From: Roman Shirokov <insecure () yandex ru>
Date: Fri, 29 Sep 2006 01:21:57 +0400
Hi, Martynas.
Sorry, but I probably was not clear in my explanation. Problem is that Windows 2003 server is acting as client in my case. Windows Server is initiating session to port 139 to different workstations on the net. It actually tries to login to many workstations on different local subnets as user Administrator (logon is denied). I want understand which process behind "System 4" initiates this scan to many computers with attempt to logon as Admin user.
I can bet that there must be people who already were trying to find process behind "System 4" and I will appreciate if somebody will share his/her experience.
I already set up an open system and wait till it hit it's IP to understand what will follow upon successful logon. But I expect that there must be a way how to find under Windows what is behind connection. So easy with lsof under Unix, looks like impossible under Windows?...
Thanks.
With best regards Martynas
It is a little bit offtopic, but also you can try "netstat -bv", it will give you executable behind process, like this: TCP IBM-******:epmap localhost:1040 ESTABLISHED 1580 C:\WINDOWS\system32\imon.dll C:\WINDOWS\system32\RPCRT4.dll c:\windows\system32\rpcss.dll C:\WINDOWS\system32\svchost.exe -- Regards, Roman securitybox () softhome net http://securitybox.org.ru --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- Best single source of current infosec news? evb (Sep 25)
- Re: Best single source of current infosec news? sun sadm (Sep 26)
- Re: Best single source of current infosec news? Ivan . (Sep 26)
- Re: Best single source of current infosec news? crazy frog crazy frog (Sep 27)
- <Possible follow-ups>
- Re: Best single source of current infosec news? krymson (Sep 26)
- Re: Best single source of current infosec news? Alexander Bolante (Sep 26)
- RE: Best single source of current infosec news? Bryan_McAninch (Sep 26)
- How to find process behing TCP connection ? Buozis, Martynas (Sep 27)
- Re: How to find process behing TCP connection ? Colin Copley (Sep 27)
- RE: How to find process behing TCP connection ? Buozis, Martynas (Sep 27)
- Re[2]: How to find process behing TCP connection ? Roman Shirokov (Sep 28)
- RE: How to find process behing TCP connection ? Simon Zuckerbraun (Sep 29)
- RE: How to find process behing TCP connection ? Buozis, Martynas (Sep 27)
- Re: How to find process behing TCP connection ? Danux (Sep 28)
- Re: How to find process behing TCP connection ? Colin Copley (Sep 28)
- RE: How to find process behing TCP connection ? Buozis, Martynas (Sep 28)
- How to find process behing TCP connection ? Buozis, Martynas (Sep 27)
- Re: How to find process behing TCP connection ? Daniel DeLeo (Sep 28)
- Re: How to find process behing TCP connection ? Mario A. Spinthiras (Sep 29)
- Re: How to find process behing TCP connection ? Daniel DeLeo (Sep 29)
- Re: How to find process behing TCP connection ? Ansgar -59cobalt- Wiechers (Sep 28)
- Re: How to find process behing TCP connection ? Mario A. Spinthiras (Sep 28)