More Netstat Tricks.

I said it before and I’ll say it again, I don’t know how I missed the netstat tool.

My son-in-law works for one of those Fortune 500 Internet Companies and he just doesn’t accept my Vulcan Mind Probe idea. He acknowledges that his company uses cookies but claims they are not engaged in data mining by either the cookie approach or the direct connection. He is a true Boy Scout!

To prove his point he agreed that netstat was the tool to use to find out who was connected to any machine and why. He first refreshed his memory with the following DOS command:

C:\>netstat /?

Linux users use the “man” command to get a manual on any topic, while Windows users avoid all knowledge, so not only did I miss netstat, I forgot to query the power of the command.

(c:\>netstat q) gives the same result.

Now the most important new knowledge is the “netstat -bv” command, which names the executable calling for the connection and the process identification (PID) of the process that is connected to a specific port. With this information it is possible to see who is engaged in probing for what, more or less.

Well it’s not perfect but it does give a sharper image of where executables might be hiding that are probing your machine to add files or copy your own files.

After a 10 day vacation, I came back and reconnected the machines to the net. “netstat -an” looked clean as I surfed between msn.com and AOL.com until I spied a few connections from my good friends at Level 3. The other connections were obvious, content and advertising cookies, i.e. the same old crap. Now the great aspect of “netstat -bv” is the details of what’s happening.

In the midst of a long string of output, we find:

TCP port:4357 204.160.105.124:http CONNECTION ESTABLISHED 1192 PID
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\MSVCR70.dll
C:\WINDOWS\system32\kernel32.dll
[ccProxy.exe]

TCP port:4359 199.93.43.124:http CONNECTION ESTABLISHED 1192 PID
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\MSVCR70.dll
C:\WINDOWS\system32\kernel32.dll
[ccProxy.exe]

This tells us both IPs are operating under the command of ccProxy.exe, which is part of my Norton product group. Since I have been slammed while “protected” by Norton, I don’t put much faith in the integrity of this connection, particularly when Norton updates through a different executable.
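As an added example (not from the original post), here is a small Python parser for the “netstat -b” listing format shown above: it attaches each module line and the final [exe] line to the connection they follow, then groups remote hosts by the owning executable. The sample listing is constructed, reusing the two addresses from the post plus an invented iexplore.exe connection to 198.51.100.7.

```python
"""Parse Windows `netstat -b` output and group remote hosts by owning executable."""
import re
from collections import defaultdict

# Constructed sample in the XP-era `netstat -b` layout (not a real capture).
SAMPLE = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    pc:4357                204.160.105.124:http   ESTABLISHED     1192
  C:\WINDOWS\system32\mswsock.dll
  C:\WINDOWS\system32\WS2_32.dll
  c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
  [ccProxy.exe]

  TCP    pc:4359                199.93.43.124:http     ESTABLISHED     1192
  C:\WINDOWS\system32\mswsock.dll
  [ccProxy.exe]

  TCP    pc:1063                198.51.100.7:443       ESTABLISHED     2044
  [iexplore.exe]
"""

# Connection line: proto, local, foreign, optional state (UDP has none), PID.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+)\]\s*$")  # the closing [exe] line


def parse_netstat_b(text):
    """Return one dict per connection, with the modules and owner listed under it."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            conns.append({"proto": proto, "local": local, "foreign": foreign,
                          "state": state, "pid": int(pid), "exe": None, "modules": []})
            continue
        if not conns:
            continue  # header lines before the first connection
        m = OWNER_RE.match(line)
        if m:
            conns[-1]["exe"] = m.group(1)
        elif line.strip().lower().endswith((".dll", ".exe")):
            conns[-1]["modules"].append(line.strip())  # "Can not obtain ownership" lines are skipped
    return conns


def remote_hosts_by_exe(conns):
    """Map owning executable (or 'pid N' when unknown) -> sorted remote hosts."""
    out = defaultdict(set)
    for c in conns:
        out[c["exe"] or f"pid {c['pid']}"].add(c["foreign"].rsplit(":", 1)[0])
    return {exe: sorted(hosts) for exe, hosts in out.items()}
```

Feed it the saved output of “netstat -b” and any executable that shows up against an address you cannot account for is the one to investigate.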

Oh well just one more thing to ponder.

4 Responses to “More Netstat Tricks.”

  1. Killing ccProxy.exe « Tickling the Tiger’s Tail Says:

    […] already posted about Level 3 penetrating my machine in a Vulcan mind Probe by use of ccproxy.exe process and also commented about running netstat as […]

  2. Chuck Says:

    @REM @Endif(C:\swsetup027) Nice tools the FBI uses

  3. Chuck Says:

    @Endif(C:\SWsetup0027) keys stuck on the other post

  4. Chuck Says:

    @REM Purpose :End of the Install HP Pv/Pr User Guides
