
WAN Link flattened

Newsgroup: microsoft.public.windows.server.security
Subject Author Date
WAN Link flattened Damon Birrell 08-18-2005
`--> Re: WAN Link flattened Steve Duff [MVP...08-21-2005
Posted by Damon Birrell on August 18, 2005, 8:03 pm
Howdy

I have an ex-client running W2K3 SBS which is sitting in a small network
behind a NAT router on an ADSL link. The router is very basic and for a
range of reasons they haven't upgraded to a decent firewall solution. There
are only a few ports open, 5800, 5900, 1723 and 443. It is not fully patched
and not on SBS 2K3 SP1 as yet.

They have asked me to help out because their Internet link is choked.
Something on their LAN is generating a lot of traffic. I isolated it to
their (only) server as they are a tiny office and we could shut down all
workstations and the strange traffic continued. I performed a netstat -ano
to see the connections on the server and there was nothing overly untoward
that I could see. Has anyone got any suggestions as to what to do? I have a
guy going on site tomorrow to do an Ethereal packet capture and some virus
scanning etc but I wouldn't mind some advice on what else to check (beyond
the obvious advice of upgrading the router)... Something similar happened to
them about a year ago and the ISP told them it appeared to be peer sharing
traffic but there was nothing to be found. I was worried about root kits but
my knowledge on them is very limited and the scanners are few and far
between. I have used the F-Secure beta ages ago and the SysInternals scanner
but the Sysinternals one confuses me....

Any suggestions?

Regards,
Damo

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:25 0.0.0.0:0 LISTENING 1812
TCP 0.0.0.0:42 0.0.0.0:0 LISTENING 3332
TCP 0.0.0.0:53 0.0.0.0:0 LISTENING 1688
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 2096
TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 564
TCP 0.0.0.0:110 0.0.0.0:0 LISTENING 1812
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 712
TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 564
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 2096
TCP 0.0.0.0:444 0.0.0.0:0 LISTENING 2096
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:464 0.0.0.0:0 LISTENING 564
TCP 0.0.0.0:593 0.0.0.0:0 LISTENING 712
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 564
TCP 0.0.0.0:691 0.0.0.0:0 LISTENING 1812
TCP 0.0.0.0:995 0.0.0.0:0 LISTENING 1812
TCP 0.0.0.0:1723 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:2301 0.0.0.0:0 LISTENING 1584
TCP 0.0.0.0:2381 0.0.0.0:0 LISTENING 1584
TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING 564
TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING 564
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 764
TCP 0.0.0.0:6001 0.0.0.0:0 LISTENING 4244
TCP 0.0.0.0:6002 0.0.0.0:0 LISTENING 316
TCP 0.0.0.0:6004 0.0.0.0:0 LISTENING 564
TCP 0.0.0.0:6082 0.0.0.0:0 LISTENING 2096
TCP 0.0.0.0:8081 0.0.0.0:0 LISTENING 2096
TCP 0.0.0.0:8082 0.0.0.0:0 LISTENING 2096
TCP 0.0.0.0:12174 0.0.0.0:0 LISTENING 3924
TCP 0.0.0.0:28784 0.0.0.0:0 LISTENING 564
TCP 0.0.0.0:28785 0.0.0.0:0 LISTENING 844
TCP 0.0.0.0:28787 0.0.0.0:0 LISTENING 564
TCP 0.0.0.0:28828 0.0.0.0:0 LISTENING 1688
TCP 0.0.0.0:28842 0.0.0.0:0 LISTENING 1812
TCP 0.0.0.0:28843 0.0.0.0:0 LISTENING 1812
TCP 0.0.0.0:28858 0.0.0.0:0 LISTENING 264
TCP 0.0.0.0:28880 0.0.0.0:0 LISTENING 1812
TCP 0.0.0.0:28881 0.0.0.0:0 LISTENING 1812
TCP 0.0.0.0:28887 0.0.0.0:0 LISTENING 1812
TCP 0.0.0.0:28922 0.0.0.0:0 LISTENING 3332
TCP 0.0.0.0:28923 0.0.0.0:0 LISTENING 316
TCP 0.0.0.0:28986 0.0.0.0:0 LISTENING 4396
TCP 0.0.0.0:28991 0.0.0.0:0 LISTENING 4244
TCP 0.0.0.0:36895 0.0.0.0:0 LISTENING 1100
TCP 0.0.0.0:38292 0.0.0.0:0 LISTENING 2060
TCP 0.0.0.0:49400 0.0.0.0:0 LISTENING 2836
TCP 0.0.0.0:49401 0.0.0.0:0 LISTENING 4460
TCP 127.0.0.1:389 127.0.0.1:1757 ESTABLISHED 564
TCP 127.0.0.1:445 127.0.0.1:10275 ESTABLISHED 4
TCP 127.0.0.1:1757 127.0.0.1:389 ESTABLISHED 1688
TCP 127.0.0.1:10275 127.0.0.1:445 ESTABLISHED 4
TCP 127.0.0.1:28918 0.0.0.0:0 LISTENING 3924
TCP 192.168.0.3:135 192.168.0.2:1343 ESTABLISHED 712
TCP 192.168.0.3:135 192.168.0.3:10326 ESTABLISHED 712
TCP 192.168.0.3:135 192.168.0.3:10328 ESTABLISHED 712
TCP 192.168.0.3:135 192.168.0.50:1606 ESTABLISHED 712
TCP 192.168.0.3:135 192.168.0.51:1570 ESTABLISHED 712
TCP 192.168.0.3:135 192.168.0.53:1674 ESTABLISHED 712
TCP 192.168.0.3:135 192.168.0.57:1592 ESTABLISHED 712
TCP 192.168.0.3:139 0.0.0.0:0 LISTENING 4
TCP 192.168.0.3:389 192.168.0.3:1628 ESTABLISHED 564
TCP 192.168.0.3:389 192.168.0.3:1629 ESTABLISHED 564
TCP 192.168.0.3:389 192.168.0.3:1630 ESTABLISHED 564
TCP 192.168.0.3:389 192.168.0.3:1631 ESTABLISHED 564
TCP 192.168.0.3:389 192.168.0.3:1632 ESTABLISHED 564
TCP 192.168.0.3:389 192.168.0.3:1633 ESTABLISHED 564
TCP 192.168.0.3:389 192.168.0.3:1634 ESTABLISHED 564
TCP 192.168.0.3:389 192.168.0.3:1635 ESTABLISHED 564
TCP 192.168.0.3:389 192.168.0.3:1636 ESTABLISHED 564
TCP 192.168.0.3:389 192.168.0.3:1637 ESTABLISHED 564
TCP 192.168.0.3:389 192.168.0.3:1638 ESTABLISHED 564
TCP 192.168.0.3:389 192.168.0.3:1642 ESTABLISHED 564
TCP 192.168.0.3:389 192.168.0.3:1690 ESTABLISHED 564
TCP 192.168.0.3:389 192.168.0.3:1691 ESTABLISHED 564
TCP 192.168.0.3:389 192.168.0.3:1692 ESTABLISHED 564
TCP 192.168.0.3:389 192.168.0.3:1730 ESTABLISHED 564
TCP 192.168.0.3:389 192.168.0.3:1752 ESTABLISHED 564
TCP 192.168.0.3:389 192.168.0.3:1799 ESTABLISHED 564
TCP 192.168.0.3:389 192.168.0.3:1808 ESTABLISHED 564
TCP 192.168.0.3:389 192.168.0.3:1855 ESTABLISHED 564
TCP 192.168.0.3:389 192.168.0.3:4979 ESTABLISHED 564
TCP 192.168.0.3:389 192.168.0.3:6760 ESTABLISHED 564
TCP 192.168.0.3:389 192.168.0.3:9787 ESTABLISHED 564
TCP 192.168.0.3:389 192.168.0.3:10054 FIN_WAIT_2 564
TCP 192.168.0.3:389 192.168.0.3:10330 ESTABLISHED 564
TCP 192.168.0.3:691 192.168.0.3:10547 ESTABLISHED 1812
TCP 192.168.0.3:691 192.168.0.3:28890 ESTABLISHED 1812
TCP 192.168.0.3:691 192.168.0.3:28985 ESTABLISHED 1812
TCP 192.168.0.3:691 192.168.0.3:28989 ESTABLISHED 1812
TCP 192.168.0.3:1628 192.168.0.3:389 ESTABLISHED 1812
TCP 192.168.0.3:1629 192.168.0.3:389 ESTABLISHED 1812
TCP 192.168.0.3:1630 192.168.0.3:389 ESTABLISHED 1812
TCP 192.168.0.3:1631 192.168.0.3:389 ESTABLISHED 1812
TCP 192.168.0.3:1632 192.168.0.3:389 ESTABLISHED 1812
TCP 192.168.0.3:1633 192.168.0.3:389 ESTABLISHED 316
TCP 192.168.0.3:1634 192.168.0.3:389 ESTABLISHED 316
TCP 192.168.0.3:1635 192.168.0.3:389 ESTABLISHED 316
TCP 192.168.0.3:1636 192.168.0.3:389 ESTABLISHED 316
TCP 192.168.0.3:1637 192.168.0.3:389 ESTABLISHED 316
TCP 192.168.0.3:1638 192.168.0.3:389 ESTABLISHED 316
TCP 192.168.0.3:1639 192.168.0.3:3268 ESTABLISHED 316
TCP 192.168.0.3:1640 192.168.0.3:3268 ESTABLISHED 1812
TCP 192.168.0.3:1641 192.168.0.3:3268 ESTABLISHED 4396
TCP 192.168.0.3:1642 192.168.0.3:389 ESTABLISHED 316
TCP 192.168.0.3:1644 192.168.0.3:3268 ESTABLISHED 4244
TCP 192.168.0.3:1645 192.168.0.3:3268 ESTABLISHED 3932
TCP 192.168.0.3:1690 192.168.0.3:389 ESTABLISHED 4244
TCP 192.168.0.3:1691 192.168.0.3:389 ESTABLISHED 316
TCP 192.168.0.3:1692 192.168.0.3:389 ESTABLISHED 316
TCP 192.168.0.3:1694 192.168.0.3:389 CLOSE_WAIT 316
TCP 192.168.0.3:1730 192.168.0.3:389 ESTABLISHED 4396
TCP 192.168.0.3:1752 192.168.0.3:389 ESTABLISHED 316
TCP 192.168.0.3:1799 192.168.0.3:389 ESTABLISHED 264
TCP 192.168.0.3:1808 192.168.0.3:389 ESTABLISHED 316
TCP 192.168.0.3:1855 192.168.0.3:389 ESTABLISHED 3932
TCP 192.168.0.3:2104 192.168.0.3:389 CLOSE_WAIT 316
TCP 192.168.0.3:2105 192.168.0.3:3268 CLOSE_WAIT 316
TCP 192.168.0.3:2335 192.168.0.3:389 CLOSE_WAIT 316
TCP 192.168.0.3:3268 192.168.0.3:1639 ESTABLISHED 564
TCP 192.168.0.3:3268 192.168.0.3:1640 ESTABLISHED 564
TCP 192.168.0.3:3268 192.168.0.3:1641 ESTABLISHED 564
TCP 192.168.0.3:3268 192.168.0.3:1644 ESTABLISHED 564
TCP 192.168.0.3:3268 192.168.0.3:1645 ESTABLISHED 564
TCP 192.168.0.3:3268 192.168.0.3:10187 ESTABLISHED 564
TCP 192.168.0.3:3920 192.168.0.3:389 CLOSE_WAIT 4244
TCP 192.168.0.3:4182 192.168.0.3:389 CLOSE_WAIT 4600
TCP 192.168.0.3:4979 192.168.0.3:389 ESTABLISHED 4244
TCP 192.168.0.3:6760 192.168.0.3:389 ESTABLISHED 1812
TCP 192.168.0.3:9787 192.168.0.3:389 ESTABLISHED 316
TCP 192.168.0.3:10054 192.168.0.3:389 CLOSE_WAIT 4600
TCP 192.168.0.3:10112 192.168.0.3:28784 ESTABLISHED 316
TCP 192.168.0.3:10187 192.168.0.3:3268 ESTABLISHED 1812
TCP 192.168.0.3:10298 192.168.0.3:135 TIME_WAIT 0
TCP 192.168.0.3:10299 192.168.0.3:28784 TIME_WAIT 0
TCP 192.168.0.3:10326 192.168.0.3:135 ESTABLISHED 316
TCP 192.168.0.3:10328 192.168.0.3:135 ESTABLISHED 316
TCP 192.168.0.3:10329 192.168.0.3:28784 ESTABLISHED 316
TCP 192.168.0.3:10330 192.168.0.3:389 ESTABLISHED 316
TCP 192.168.0.3:10383 68.142.202.12:25 SYN_SENT 1812
TCP 192.168.0.3:10547 192.168.0.3:691 ESTABLISHED 3932
TCP 192.168.0.3:11602 192.168.0.3:389 CLOSE_WAIT 316
TCP 192.168.0.3:20291 206.204.212.229:2848 ESTABLISHED 3664
TCP 192.168.0.3:28784 192.168.0.2:1344 ESTABLISHED 564
TCP 192.168.0.3:28784 192.168.0.3:10112 ESTABLISHED 564
TCP 192.168.0.3:28784 192.168.0.3:10329 ESTABLISHED 564
TCP 192.168.0.3:28784 192.168.0.3:28871 ESTABLISHED 564
TCP 192.168.0.3:28784 192.168.0.3:28872 ESTABLISHED 564
TCP 192.168.0.3:28784 192.168.0.3:29030 ESTABLISHED 564
TCP 192.168.0.3:28784 192.168.0.3:29423 ESTABLISHED 564
TCP 192.168.0.3:28784 192.168.0.50:1607 ESTABLISHED 564
TCP 192.168.0.3:28784 192.168.0.51:1571 ESTABLISHED 564
TCP 192.168.0.3:28784 192.168.0.53:1675 ESTABLISHED 564
TCP 192.168.0.3:28784 192.168.0.57:1593 ESTABLISHED 564
TCP 192.168.0.3:28871 192.168.0.3:28784 ESTABLISHED 264
TCP 192.168.0.3:28872 192.168.0.3:28784 ESTABLISHED 264
TCP 192.168.0.3:28890 192.168.0.3:691 ESTABLISHED 1812
TCP 192.168.0.3:28958 192.168.0.3:389 CLOSE_WAIT 316
TCP 192.168.0.3:28963 192.168.0.3:389 CLOSE_WAIT 316
TCP 192.168.0.3:28965 192.168.0.3:3268 CLOSE_WAIT 316
TCP 192.168.0.3:28985 192.168.0.3:691 ESTABLISHED 4396
TCP 192.168.0.3:28989 192.168.0.3:691 ESTABLISHED 4244
TCP 192.168.0.3:29030 192.168.0.3:28784 ESTABLISHED 316
TCP 192.168.0.3:29254 192.168.0.3:389 CLOSE_WAIT 844
TCP 192.168.0.3:29423 192.168.0.3:28784 ESTABLISHED 564
TCP 192.168.0.3:33294 192.168.0.3:3268 CLOSE_WAIT 316
TCP 192.168.0.3:38998 192.168.0.3:389 CLOSE_WAIT 844
TCP 192.168.0.3:54107 192.168.0.3:389 CLOSE_WAIT 4600
UDP 0.0.0.0:42 *:* 3332
UDP 0.0.0.0:135 *:* 712
UDP 0.0.0.0:161 *:* 2596
UDP 0.0.0.0:162 *:* 2616
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:500 *:* 564
UDP 0.0.0.0:1701 *:* 4
UDP 0.0.0.0:2967 *:* 3124
UDP 0.0.0.0:3002 *:* 1140
UDP 0.0.0.0:3456 *:* 1812
UDP 0.0.0.0:3457 *:* 1812
UDP 0.0.0.0:4500 *:* 564
UDP 0.0.0.0:11698 *:* 2248
UDP 0.0.0.0:28795 *:* 960
UDP 0.0.0.0:28823 *:* 1688
UDP 0.0.0.0:28824 *:* 1688
UDP 0.0.0.0:28826 *:* 2020
UDP 0.0.0.0:28827 *:* 2020
UDP 0.0.0.0:28844 *:* 1812
UDP 0.0.0.0:28862 *:* 1424
UDP 0.0.0.0:28868 *:* 264
UDP 0.0.0.0:28888 *:* 1812
UDP 0.0.0.0:28892 *:* 1636
UDP 0.0.0.0:28897 *:* 3064
UDP 0.0.0.0:28899 *:* 3176
UDP 0.0.0.0:28908 *:* 3144
UDP 0.0.0.0:28910 *:* 2252
UDP 0.0.0.0:28924 *:* 316
UDP 0.0.0.0:28925 *:* 316
UDP 0.0.0.0:28935 *:* 3664
UDP 0.0.0.0:28971 *:* 4244
UDP 0.0.0.0:28976 *:* 3932
UDP 0.0.0.0:28982 *:* 4396
UDP 0.0.0.0:28987 *:* 4396
UDP 0.0.0.0:28992 *:* 4244
UDP 0.0.0.0:29011 *:* 508
UDP 0.0.0.0:29018 *:* 4352
UDP 0.0.0.0:29031 *:* 316
UDP 0.0.0.0:29035 *:* 1624
UDP 0.0.0.0:29192 *:* 2832
UDP 0.0.0.0:29253 *:* 844
UDP 0.0.0.0:29469 *:* 1868
UDP 0.0.0.0:34129 *:* 960
UDP 0.0.0.0:34130 *:* 960
UDP 0.0.0.0:34131 *:* 960
UDP 0.0.0.0:34136 *:* 960
UDP 0.0.0.0:34377 *:* 960
UDP 0.0.0.0:36954 *:* 1864
UDP 0.0.0.0:38037 *:* 2060
UDP 0.0.0.0:38293 *:* 1828
UDP 0.0.0.0:54089 *:* 4600
UDP 0.0.0.0:55284 *:* 960
UDP 0.0.0.0:55286 *:* 960
UDP 0.0.0.0:55288 *:* 960
UDP 0.0.0.0:55402 *:* 7004
UDP 127.0.0.1:53 *:* 1688
UDP 127.0.0.1:123 *:* 844
UDP 127.0.0.1:3456 *:* 1812
UDP 127.0.0.1:3457 *:* 1812
UDP 127.0.0.1:28822 *:* 1688
UDP 127.0.0.1:28921 *:* 3332
UDP 127.0.0.1:29022 *:* 844
UDP 127.0.0.1:29023 *:* 844
UDP 192.168.0.3:53 *:* 1688
UDP 192.168.0.3:88 *:* 564
UDP 192.168.0.3:123 *:* 844
UDP 192.168.0.3:137 *:* 4
UDP 192.168.0.3:138 *:* 4
UDP 192.168.0.3:389 *:* 564
UDP 192.168.0.3:464 *:* 564





Posted by Roger Abell on August 18, 2005, 6:36 am
Other than using something such as Sysinternals' TcpView, or a similar tool,
to try to tie all those port bindings back to the binaries, it sounds
like you have things covered to me. If "nothing" appears as the cause
then you are right that rootkits are a prime suspect as part of the
mix, and the two tools you mentioned are the main (currently) free
ones that will detect some of the rootkits in use.
Aside from adding the Sysinternals TcpView and PsTools suite
to your bag, you might also want to check out Port Reporter
http://www.microsoft.com/downloads/details.aspx?FamilyID=69ba779b-bae9-4243-b9d6-63e62b4bcd2e&DisplayLang=en

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA




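Worked example added by the editor, not part of the thread: the script below parses the flattened `netstat -ano` listing Damon posted (an excerpt of it is embedded) and does the two things that go unnoticed in a listing this long. It separates sockets whose far end is outside the LAN from the local LDAP/RPC chatter (on the posted data that is the SYN_SENT to 68.142.202.12:25 from PID 1812 and the ESTABLISHED session to 206.204.212.229:2848 from PID 3664), and it checks the router's forwarded ports (5800, 5900, 1723, 443) against what is actually listening (nothing on this server listens on 5800 or 5900). What those PIDs are is not in the thread; tying them to binaries is the step Roger describes, done on the box with TcpView or `tasklist /svc /fi "PID eq 1812"`.

```python
"""Triage helper for the output of `netstat -ano` on a Windows host.

Added example, not code from the thread: it parses the flattened listing,
groups sockets by owning PID and pulls out what a quick eyeball pass tends
to miss. The PID-to-binary step still has to be done on the box, e.g.
    tasklist /svc /fi "PID eq 1812"
or with TcpView; this script only tells you which PIDs to ask about.
"""
import ipaddress
import re
import sys
from collections import defaultdict

# Excerpt of the `netstat -ano` listing posted in the thread, with the
# whitespace collapsed exactly as the web archive shows it. A full listing
# saved to a file can be fed in instead (see __main__).
NETSTAT_SAMPLE = """\
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:25 0.0.0.0:0 LISTENING 1812
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 2096
TCP 0.0.0.0:1723 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 764
TCP 192.168.0.3:135 192.168.0.50:1606 ESTABLISHED 712
TCP 192.168.0.3:10298 192.168.0.3:135 TIME_WAIT 0
TCP 192.168.0.3:10383 68.142.202.12:25 SYN_SENT 1812
TCP 192.168.0.3:20291 206.204.212.229:2848 ESTABLISHED 3664
UDP 0.0.0.0:161 *:* 2596
UDP 0.0.0.0:28935 *:* 3664
UDP 192.168.0.3:137 *:* 4
"""

# Ports the poster says the NAT router forwards in to the LAN.
FORWARDED_PORTS = {5800, 5900, 1723, 443}

# proto, local, foreign, optional state (absent for UDP), PID
LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)$")


def split_addr(addr):
    """'192.168.0.3:10383' -> ('192.168.0.3', 10383); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse `netstat -ano` text into a list of socket dicts; the header is skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        lhost, lport = split_addr(local)
        fhost, fport = split_addr(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport,
                     "state": state or "", "pid": int(pid)})
    return rows


def is_external(host):
    """True if host is a routable address beyond the NAT router."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False          # '*' wildcard
    return not (ip.is_private or ip.is_loopback or ip.is_unspecified
                or ip.is_link_local or ip.is_multicast)


def external_peers(rows):
    """TCP sockets whose far end is on the Internet, as (pid, host, port, state).
    SYN_SENT means this host initiated the connection."""
    return sorted((r["pid"], r["fhost"], r["fport"], r["state"])
                  for r in rows if r["proto"] == "TCP" and is_external(r["fhost"]))


def sockets_by_pid(rows):
    """Listening vs. connected socket counts per PID (PID 0 = orphaned TIME_WAIT, skipped)."""
    counts = defaultdict(lambda: {"listen": 0, "conn": 0})
    for r in rows:
        if r["pid"] == 0:
            continue
        bucket = "listen" if r["proto"] == "UDP" or r["state"] == "LISTENING" else "conn"
        counts[r["pid"]][bucket] += 1
    return dict(counts)


def forwarded_without_listener(rows, forwarded):
    """Router-forwarded TCP ports with no listener on this host: either the
    forward points at another LAN host, or it is a stale hole in the perimeter."""
    listening = {r["lport"] for r in rows
                 if r["proto"] == "TCP" and r["state"] == "LISTENING"}
    return sorted(p for p in forwarded if p not in listening)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else NETSTAT_SAMPLE
    rows = parse_netstat(text)
    print("Sockets to external hosts (check these PIDs first):")
    for pid, host, port, state in external_peers(rows):
        print(f"  PID {pid:>5}  -> {host}:{port}  {state}")
    print("Forwarded ports with no local listener:",
          forwarded_without_listener(rows, FORWARDED_PORTS))
    for pid, c in sorted(sockets_by_pid(rows).items()):
        print(f"  PID {pid:>5}: {c['listen']} listening, {c['conn']} connected")
```

Run it with no argument for the embedded excerpt, or save `netstat -ano > netstat.txt` on the server and pass the file. SYN_SENT on a port-25 socket means the server itself is trying to open an SMTP session outwards; whether that is the mail server doing its job or something else that has taken up port 25 is what the PID lookup settles, and it is the first thing a packet capture taken with the workstations off should be compared against.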
Posted by Steven L Umbach on August 18, 2005, 11:54 am
To add to what Roger said you could have them boot the servers into Safe
Mode with networking to see if that makes a difference and if it does then
almost certainly there is an application/service starting up on the server
that is causing that traffic. Netstat -s may also give you an idea on the
amount of traffic the server is processing. Process Explorer, Autoruns, and
Tdimon from SysInternals can also help. Tdimon lets you watch network
traffic in real time and will show local and remote ports along with owning
process, and you would want to use it when other computers are shut down to
minimize traffic. With Process Explorer you should be suspicious of any
unexplained process particularly one that maps to an executable that does
not have a publisher name associated with it. However that will not always
mean a process is malicious but usually they are.

http://www.sysinternals.com/Utilities/TdiMon.html --- TDIMon and link to
SysInternals

Having said all that, the firewall may not be the real problem. A better
firewall could certainly improve things by refusing to let malware access the
internet if the firewall has a default "block all" outbound rule with
authorized exceptions only allowed, but the real problem is probably lack of
security best practices such as using a quality antivirus program that is kept
up to date and scans all emails/downloads, keeping current with critical
updates at Windows Update, enforcing the use of strong passwords for all
users, and judicious use of any administrator accounts including not being
logged on as an administrator while browsing the internet and checking
email. I am also surprised at the number of users that browse the internet
and check email on their servers!! See the link below that can help them in
securing their network to help minimize future problems otherwise they may
have the same situation in a short time again. Also explain to them that
malware does not only slow down their internet connection but it can lead to
theft and modification or destruction of data. --- Steve

http://www.microsoft.com/smallbusiness/support/computer-security.mspx ---
Small business security guidance from Microsoft.


> TCP 192.168.0.3:1642 192.168.0.3:389 ESTABLISHED 316
> TCP 192.168.0.3:1644 192.168.0.3:3268 ESTABLISHED 4244
> TCP 192.168.0.3:1645 192.168.0.3:3268 ESTABLISHED 3932
> TCP 192.168.0.3:1690 192.168.0.3:389 ESTABLISHED 4244
> TCP 192.168.0.3:1691 192.168.0.3:389 ESTABLISHED 316
> TCP 192.168.0.3:1692 192.168.0.3:389 ESTABLISHED 316
> TCP 192.168.0.3:1694 192.168.0.3:389 CLOSE_WAIT 316
> TCP 192.168.0.3:1730 192.168.0.3:389 ESTABLISHED 4396
> TCP 192.168.0.3:1752 192.168.0.3:389 ESTABLISHED 316
> TCP 192.168.0.3:1799 192.168.0.3:389 ESTABLISHED 264
> TCP 192.168.0.3:1808 192.168.0.3:389 ESTABLISHED 316
> TCP 192.168.0.3:1855 192.168.0.3:389 ESTABLISHED 3932
> TCP 192.168.0.3:2104 192.168.0.3:389 CLOSE_WAIT 316
> TCP 192.168.0.3:2105 192.168.0.3:3268 CLOSE_WAIT 316
> TCP 192.168.0.3:2335 192.168.0.3:389 CLOSE_WAIT 316
> TCP 192.168.0.3:3268 192.168.0.3:1639 ESTABLISHED 564
> TCP 192.168.0.3:3268 192.168.0.3:1640 ESTABLISHED 564
> TCP 192.168.0.3:3268 192.168.0.3:1641 ESTABLISHED 564
> TCP 192.168.0.3:3268 192.168.0.3:1644 ESTABLISHED 564
> TCP 192.168.0.3:3268 192.168.0.3:1645 ESTABLISHED 564
> TCP 192.168.0.3:3268 192.168.0.3:10187 ESTABLISHED 564
> TCP 192.168.0.3:3920 192.168.0.3:389 CLOSE_WAIT 4244
> TCP 192.168.0.3:4182 192.168.0.3:389 CLOSE_WAIT 4600
> TCP 192.168.0.3:4979 192.168.0.3:389 ESTABLISHED 4244
> TCP 192.168.0.3:6760 192.168.0.3:389 ESTABLISHED 1812
> TCP 192.168.0.3:9787 192.168.0.3:389 ESTABLISHED 316
> TCP 192.168.0.3:10054 192.168.0.3:389 CLOSE_WAIT 4600
> TCP 192.168.0.3:10112 192.168.0.3:28784 ESTABLISHED 316
> TCP 192.168.0.3:10187 192.168.0.3:3268 ESTABLISHED 1812
> TCP 192.168.0.3:10298 192.168.0.3:135 TIME_WAIT 0
> TCP 192.168.0.3:10299 192.168.0.3:28784 TIME_WAIT 0
> TCP 192.168.0.3:10326 192.168.0.3:135 ESTABLISHED 316
> TCP 192.168.0.3:10328 192.168.0.3:135 ESTABLISHED 316
> TCP 192.168.0.3:10329 192.168.0.3:28784 ESTABLISHED 316
> TCP 192.168.0.3:10330 192.168.0.3:389 ESTABLISHED 316
> TCP 192.168.0.3:10383 68.142.202.12:25 SYN_SENT 1812
> TCP 192.168.0.3:10547 192.168.0.3:691 ESTABLISHED 3932
> TCP 192.168.0.3:11602 192.168.0.3:389 CLOSE_WAIT 316
> TCP 192.168.0.3:20291 206.204.212.229:2848 ESTABLISHED 3664
> TCP 192.168.0.3:28784 192.168.0.2:1344 ESTABLISHED 564
> TCP 192.168.0.3:28784 192.168.0.3:10112 ESTABLISHED 564
> TCP 192.168.0.3:28784 192.168.0.3:10329 ESTABLISHED 564
> TCP 192.168.0.3:28784 192.168.0.3:28871 ESTABLISHED 564
> TCP 192.168.0.3:28784 192.168.0.3:28872 ESTABLISHED 564
> TCP 192.168.0.3:28784 192.168.0.3:29030 ESTABLISHED 564
> TCP 192.168.0.3:28784 192.168.0.3:29423 ESTABLISHED 564
> TCP 192.168.0.3:28784 192.168.0.50:1607 ESTABLISHED 564
> TCP 192.168.0.3:28784 192.168.0.51:1571 ESTABLISHED 564
> TCP 192.168.0.3:28784 192.168.0.53:1675 ESTABLISHED 564
> TCP 192.168.0.3:28784 192.168.0.57:1593 ESTABLISHED 564
> TCP 192.168.0.3:28871 192.168.0.3:28784 ESTABLISHED 264
> TCP 192.168.0.3:28872 192.168.0.3:28784 ESTABLISHED 264
> TCP 192.168.0.3:28890 192.168.0.3:691 ESTABLISHED 1812
> TCP 192.168.0.3:28958 192.168.0.3:389 CLOSE_WAIT 316
> TCP 192.168.0.3:28963 192.168.0.3:389 CLOSE_WAIT 316
> TCP 192.168.0.3:28965 192.168.0.3:3268 CLOSE_WAIT 316
> TCP 192.168.0.3:28985 192.168.0.3:691 ESTABLISHED 4396
> TCP 192.168.0.3:28989 192.168.0.3:691 ESTABLISHED 4244
> TCP 192.168.0.3:29030 192.168.0.3:28784 ESTABLISHED 316
> TCP 192.168.0.3:29254 192.168.0.3:389 CLOSE_WAIT 844
> TCP 192.168.0.3:29423 192.168.0.3:28784 ESTABLISHED 564
> TCP 192.168.0.3:33294 192.168.0.3:3268 CLOSE_WAIT 316
> TCP 192.168.0.3:38998 192.168.0.3:389 CLOSE_WAIT 844
> TCP 192.168.0.3:54107 192.168.0.3:389 CLOSE_WAIT 4600
> UDP 0.0.0.0:42 *:* 3332
> UDP 0.0.0.0:135 *:* 712
> UDP 0.0.0.0:161 *:* 2596
> UDP 0.0.0.0:162 *:* 2616
> UDP 0.0.0.0:445 *:* 4
> UDP 0.0.0.0:500 *:* 564
> UDP 0.0.0.0:1701 *:* 4
> UDP 0.0.0.0:2967 *:* 3124
> UDP 0.0.0.0:3002 *:* 1140
> UDP 0.0.0.0:3456 *:* 1812
> UDP 0.0.0.0:3457 *:* 1812
> UDP 0.0.0.0:4500 *:* 564
> UDP 0.0.0.0:11698 *:* 2248
> UDP 0.0.0.0:28795 *:* 960
> UDP 0.0.0.0:28823 *:* 1688
> UDP 0.0.0.0:28824 *:* 1688
> UDP 0.0.0.0:28826 *:* 2020
> UDP 0.0.0.0:28827 *:* 2020
> UDP 0.0.0.0:28844 *:* 1812
> UDP 0.0.0.0:28862 *:* 1424
> UDP 0.0.0.0:28868 *:* 264
> UDP 0.0.0.0:28888 *:* 1812
> UDP 0.0.0.0:28892 *:* 1636
> UDP 0.0.0.0:28897 *:* 3064
> UDP 0.0.0.0:28899 *:* 3176
> UDP 0.0.0.0:28908 *:* 3144
> UDP 0.0.0.0:28910 *:* 2252
> UDP 0.0.0.0:28924 *:* 316
> UDP 0.0.0.0:28925 *:* 316
> UDP 0.0.0.0:28935 *:* 3664
> UDP 0.0.0.0:28971 *:* 4244
> UDP 0.0.0.0:28976 *:* 3932
> UDP 0.0.0.0:28982 *:* 4396
> UDP 0.0.0.0:28987 *:* 4396
> UDP 0.0.0.0:28992 *:* 4244
> UDP 0.0.0.0:29011 *:* 508
> UDP 0.0.0.0:29018 *:* 4352
> UDP 0.0.0.0:29031 *:* 316
> UDP 0.0.0.0:29035 *:* 1624
> UDP 0.0.0.0:29192 *:* 2832
> UDP 0.0.0.0:29253 *:* 844
> UDP 0.0.0.0:29469 *:* 1868
> UDP 0.0.0.0:34129 *:* 960
> UDP 0.0.0.0:34130 *:* 960
> UDP 0.0.0.0:34131 *:* 960
> UDP 0.0.0.0:34136 *:* 960
> UDP 0.0.0.0:34377 *:* 960
> UDP 0.0.0.0:36954 *:* 1864
> UDP 0.0.0.0:38037 *:* 2060
> UDP 0.0.0.0:38293 *:* 1828
> UDP 0.0.0.0:54089 *:* 4600
> UDP 0.0.0.0:55284 *:* 960
> UDP 0.0.0.0:55286 *:* 960
> UDP 0.0.0.0:55288 *:* 960
> UDP 0.0.0.0:55402 *:* 7004
> UDP 127.0.0.1:53 *:* 1688
> UDP 127.0.0.1:123 *:* 844
> UDP 127.0.0.1:3456 *:* 1812
> UDP 127.0.0.1:3457 *:* 1812
> UDP 127.0.0.1:28822 *:* 1688
> UDP 127.0.0.1:28921 *:* 3332
> UDP 127.0.0.1:29022 *:* 844
> UDP 127.0.0.1:29023 *:* 844
> UDP 192.168.0.3:53 *:* 1688
> UDP 192.168.0.3:88 *:* 564
> UDP 192.168.0.3:123 *:* 844
> UDP 192.168.0.3:137 *:* 4
> UDP 192.168.0.3:138 *:* 4
> UDP 192.168.0.3:389 *:* 564
> UDP 192.168.0.3:464 *:* 564
>
>
>




Posted by Steve Duff [MVP] on August 21, 2005, 4:07 pm
I'm not known to be big on network analyzers - only because I think people
overuse them when 30 seconds of simple reasoning will work just as
well - but yours is a case where I would start there.

If you download and install/run the freeware Ethereal on the server you
can do a short packet capture. Then click Statistics...Conversations and
look at the TCP summary by port (click on the packets column to sort). The
whole thing should take all of about 15 minutes.

This isn't really something I think you'd need a specialist for, though you might
need help in interpreting the results, depending on what they are, and at
that point one of the more advanced analysis utilities might well be called for.

Steve Duff, MCSE, MVP
Ergodic Systems, Inc.

> Howdy
>
> I have an ex-client running W2K3 SBS which is sitting in a small network
> behind a NAT router on an ADSL link. The router is very basic and for a
> range of reasons they haven't upgraded to a decent firewall solution. There
> are only a few ports open, 5800, 5900, 1723 and 443. It is not fully patched
> and not on SBS 2K3 SP1 as yet.
>
> They have asked me to help out because their Internet link is choked.
> Something on their LAN is generating a lot of traffic. I isolated it to
> their (only) server as they are a tiny office and we could shut down all
> workstations and the strange traffic continued. I performed a netstat -ano
> to see the connections on the server and there was nothing overly untoward
> that I could see. Has anyone got any suggestions as to what to do? I have a
> guy going on site tomorrow to do an Ethereal packet capture and some virus
> scanning etc but I wouldn't mind some advice on what else to check (beyond
> the obvious advice of upgrading the router)... Something similar happened to
> them about a year ago and the ISP told them it appeared to be peer sharing
> traffic but there was nothing to be found. I was worried about root kits but
> my knowledge on them is very limited and the scanners are few and far
> between. I have used the F-Secure beta ages ago and the SysInternals scanner
> but the Sysinternals one confuses me....
>
> Any suggestions?
>
> Regards,
> Damo
>
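As an added example, not code from either poster, here is a small Python triage script for `netstat -ano` output in the layout Damon posted: it parses the rows, groups TCP sockets whose foreign end is a public address by the owning PID (the PID is what you then look up to identify the process), and cross-checks the `0.0.0.0` listeners against the four ports the post says the router forwards (5800, 5900, 1723, 443). The sample rows are constructed from a subset of the posted output; the function names are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a subset of the "netstat -ano" output posted in the
# thread, in the same column layout (Proto, Local, Foreign, State, PID).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1812
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       2096
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING       4
  TCP    192.168.0.3:389        192.168.0.3:1628       ESTABLISHED     564
  TCP    192.168.0.3:10383      68.142.202.12:25       SYN_SENT        1812
  TCP    192.168.0.3:20291      206.204.212.229:2848   ESTABLISHED     3664
  UDP    0.0.0.0:161            *:*                                    2596
"""

# UDP rows carry no State column, so that group is optional and must start
# with a letter so it can never swallow the PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z][A-Z_0-9]*))?\s+(\d+)\s*$")

def split_endpoint(endpoint):
    """'192.168.0.3:389' -> ('192.168.0.3', '389'); '*:*' -> ('*', '*')."""
    host, _, port = endpoint.rpartition(":")
    return host, port

def parse_netstat(text):
    """One dict per socket row; the header line and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport,
                     "state": state or "", "pid": int(pid)})
    return rows

def is_external(host):
    """True only for a routable public address (not RFC1918, loopback, wildcard)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # "*" or any other non-address token
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_unspecified
                or ip.is_link_local or ip.is_multicast)

def external_by_pid(rows):
    """TCP sockets whose foreign end is on the Internet, grouped by owning PID."""
    out = defaultdict(list)
    for r in rows:
        if r["proto"] == "TCP" and is_external(r["fhost"]):
            out[r["pid"]].append((r["fhost"], r["fport"], r["state"]))
    return dict(out)

def exposed_listeners(rows, forwarded_ports):
    """0.0.0.0 TCP listeners the router actually forwards, mapped to their PID."""
    return {int(r["lport"]): r["pid"] for r in rows
            if r["proto"] == "TCP" and r["state"] == "LISTENING"
            and r["lhost"] == "0.0.0.0" and int(r["lport"]) in forwarded_ports}
```

Run it against a full `netstat -ano` capture from the server and compare the per-PID external list with the conversation ranking Steve suggests pulling from Ethereal; a PID with many external peers on one port is where to look first.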