Netstat

I'm trying to learn about all this but need some help. So I hope this question is a good place to start. What does the following mean? I opened cmd and typed netstat. If there are things wrong what am I supposed to do?

Active Connections

Proto Local Address Foreign Address State

TCP :1025 localhost:1137 ESTABLISHED

TCP :1137 localhost:1025 ESTABLISHED

TCP :3189 comcast.dca.giganews.com:nntp ESTABLISHED

TCP :3192 po-in-f104.google.com:http ESTABLISHED

TCP :3198 wwwbaytest2.microsoft.com:http ESTABLISHED

TCP :3199 wwwbaytest2.microsoft.com:http ESTABLISHED

TCP :3200 wwwbaytest2.microsoft.com:http ESTABLISHED

TCP :3202 63.236.1.139:http ESTABLISHED

TCP :3203 wwwbaytest2.microsoft.com:http ESTABLISHED

TCP :3204 wwwbaytest2.microsoft.com:http ESTABLISHED

TCP :3205 wwwbaytest2.microsoft.com:http ESTABLISHED

TCP :3206 wwwbaytest2.microsoft.com:http ESTABLISHED

TCP :3207 wwwbaytest2.microsoft.com:http ESTABLISHED

Thanks

Lew/+Silat

it shows what ports are connected to what ip addresses.

Want to know what a port connection MIGHT mean. You can use these two sites:


Get rid of the offending software opening the port. :(

the write up and see if you have any of the indicated services running.

That is your Usenet connection where you posted this message.

Guessing you have a browser open and connected to Micro$oft or it's Micro$oft code calling home :(

Looks like a google search page connection. Maybe something in the task bar.

On my Linux OS, that ip addy lookup shows

$ whois 63.236.1.139
Qwest Communications Corporation QWEST-INET-9 (NET-63-236-0-0-1) 63.236.0.0 - 63.239.255.255
Qwest Cybercenters QWEST-CYBERCENTER (NET-63-236-0-0-2) 63.236.0.0 - 63.236.127.255
Akamai Technologies, Inc. QWEST-BUC-AKAMAI (NET-63-236-1-128-1) 63.236.1.128 - 63.236.1.255

So I'll guess one of the Micro$oft connections has a connection into Akamai Tech. Why you ask, because I know Micro$not uses them to host some of their servers. Linux server boxes as I misunderstand it. :-)

You can look up ip addresses or net block owner lookup somewhere like


Bit Twister

As an addendum: ports are just administrative numbers. There's no guarantee that a specific service is listening on a specific port on any given host. However, there are several services that *usually* are configured to listen on specific ports (e.g. SSH on port 22, SMTP on port 25, HTTP on port 80, ...).

"netstat" alone will give you only the established connections. You may want to try "netstat -a" (or "netstat -aob" if you have XP) to get all connections. Also I suggest adding the option "-n" to prevent name resolution.

Most definitely. However, to do that you need to identify the offending software first. "netstat -anob" will help with that on Windows XP. On versions prior to that I'd suggest using TCPView [1] instead (run as admin user to get information about the processes).

[1]
formatting link
cu 59cobalt
Ansgar -59cobalt- Wiechers

Thinking about an easily remembered mnemonic, I came up with "netstat -a -noob" or "netstat -no -ABBA". :-)

TCPView works fine as a restricted user. Especially since it doesn't share netstat's LUA bug "Can not obtain ownership information".

Sebastian Gottschalk

Thank you for the lesson :) Everything looks legitimate using "a noob" but I have a lot to learn. Using just plain netstat shows 1025 and 1026 as being used. But the commands you recommended don't show them used at all. Using google I came to the conclusion that 1025 and 1026 might be the clock/calendar in the taskbar.

Lew/+Silat

Lew/+Silat

Only that on versions PRIOR TO XP (like e.g. Windows 2000) it DOES NOT show information about the associated processes when run by restricted users. Go figure.

cu

59cobalt
Ansgar -59cobalt- Wiechers

correction: 1025/1026 are isafe. Zone Alarm

Lew/+Silat

I notice in your first post 1026 isn't showing. However checking 1025 and 1026 on my system I notice they're listed as UDP. Also notice the destination is *.* so I'm sending out traffic on 1025/1026 to anyone who will listen (and hopefully respond).

C:\Documents and Settings\ITS0846>netstat -a|find "102"
UDP WL-5200:1025 *:*
UDP WL-5200:1026 *:*

Further if I include the -o flag in XP.

C:\Documents and Settings\ITS0846>netstat -ao|find "102"
UDP WL-5200:1025 *:* 1276
UDP WL-5200:1026 *:* 1276

Note 1276 is the process id of whatever application or service is maintaining that connection.

If you fire up task manager you'll see this is one of Microsoft's svchost.exe processes. If you fire up ProcessExplorer

formatting link
bought my MS). You get more info, this particular svchost.exe process (1276 in my case) is "DNS Client" if you hover over the process name.

As I'm writing this I also notice a random local TCP port connected to 1026 of a remote machine which happens to be our Exchange email server.

Anyway I've babbled long enough, hopefully that gives you some insight into how to track these things down.

kingthorin
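
The tracking-down procedure discussed in this thread (netstat with -a, -n and -o, then matching the PID column to a process), as an added example that is not part of any poster's message: a Python script that parses saved "netstat -ano" output and groups sockets per PID into open ports, loopback pairs and remote connections. The sample text, addresses and PIDs are constructed, and the names parse_netstat and triage are made up for this example.

```python
from collections import defaultdict, namedtuple

Socket = namedtuple("Socket", "proto local lport remote rport state pid")

# Constructed sample in the layout Windows prints for "netstat -ano";
# the addresses and PIDs are made up for illustration.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       968
  TCP    127.0.0.1:1025         127.0.0.1:1137         ESTABLISHED     1500
  TCP    127.0.0.1:1137         127.0.0.1:1025         ESTABLISHED     2040
  TCP    192.168.1.10:3189      203.0.113.7:119        ESTABLISHED     3120
  UDP    0.0.0.0:1025           *:*                                    1276
  UDP    0.0.0.0:1026           *:*                                    1276
"""
LOOPBACK = ("127.", "[::1]", "localhost")

def parse_netstat(text):
    """Turn "netstat -ano" text into Socket records, skipping headers."""
    sockets = []
    for line in text.splitlines():
        f = line.split()
        if f[:1] == ["UDP"] and len(f) == 4:
            f.insert(3, "")  # UDP rows have no State column
        if len(f) != 5 or f[0] not in ("TCP", "UDP"):
            continue  # header, blank or truncated row
        proto, local, remote, state, pid = f
        laddr, _, lport = local.rpartition(":")
        raddr, _, rport = remote.rpartition(":")
        sockets.append(Socket(proto, laddr, lport, raddr, rport, state, int(pid)))
    return sockets

def triage(sockets):
    """Group sockets per PID: open (listening/bound), loopback, remote."""
    report = defaultdict(lambda: {"open": [], "loopback": [], "remote": []})
    for s in sockets:
        if s.state == "LISTENING" or s.proto == "UDP":
            kind, label = "open", f"{s.proto}/{s.lport}"
        elif s.remote.startswith(LOOPBACK):
            kind, label = "loopback", f"{s.lport}<->{s.rport}"
        else:
            kind, label = "remote", f"{s.remote}:{s.rport}"
        report[s.pid][kind].append(label)
    return dict(report)

if __name__ == "__main__":
    print(triage(parse_netstat(SAMPLE)))
```

Each PID in the result can then be matched to a process name in Task Manager or a tool such as TCPView, as the posts above describe.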


Thanks for your babbling. I really appreciate it:)

Lew/+Silat
