ip – Why http microsoft connection in netstat check?

I checked established connections with “netstat” command in command prompt, and I found that there are some connections with ip’s of microsoft (I checked ip online) that have http (and not https) connection established, they bring to some svchost.exe in a Win32 folder of the system. I know that http connections are not safe, but I guess they are safe since they have microsoft ip, but why these connections are not encrypted (http)? Is it normal?

network – Have I been hacked ( netstat output too many dgrams and stream connections)

enter image description here

enter image description here

netstat output

These are the output images of the netstat command I ran it shows that they’re are too many outbound connection and many dgrams and stream . I also tried to capture the output using Wireshark and then reverse checking the IP address to whom does it belongs ( using www.arin.net) it showed up various organisation ( Google, Astricia).

I also tried to turnoff the wifi and then ran netstat but no change in the dgram and stream connections.

Please help , any input will be appreciated.

networking – What are signs of a compromised device that would be seen with the terminal commands “ip addr”, ” cat /proc/mounts” and “netstat -anlW”, or others?

What indicators of remote access or system modification could be seen with these commands, or others? For instance, is a stream outputting to “@chrome_dev_tools_remote” in netstat a sign of remote access?

networking – Where are localhost /loopback stats counted (windows netstat)?

A server I use is recording a high number of received packet(s) discarded as visible in netstat -s.

The majority of the tcp communication on this box is effectively to/from localhost. Some apps responsible for this local communication

a) reference localhost (loopback)

b) use the local IP

c) target a vip (name) behind which the box sits.

My questions:

Will the statistics associated with traffic referencing a/b/c all be aggregated together under ipv4 / v6 (with “actual” tcp traffic to the rest of the network) when I run netstat?

Is there any way to to isolate a from b/c and tcp traffic that is NOT isolated to the server in question?

networking – Netstat showing connections even when I am not using the Internet?

From my understanding, the netstat command is mainly used to identify software running on the computer that uses an internet connection.

So ideally, when I am disconnected from the Internet, netstat should not display any commands, shouldn't it? But it still displays "Listening" on many https connections.

netstat capture

Can anyone explain if I look at this from the wrong angle?

support – NGINX – Hide IP on netstat

I leave my doubt here so that people better informed about Nginx can help me.

I have an application that uses port 2083 and that works as follows:

User -> Server on which Nginx Proxy is hosted (Machine 1) -> Actual IP of the application (Machine 2).

My goal is that the user when logging in (after nginx redirection) on machine 2 (where the application is hosted) can not see the IP address of the actual machine (so d & # 39; Prevent any attack by DDoS).

It turns out that after connecting to the application and opening the command prompt (cmd), entering netstat -n displays the real IP address of the machine (which I want to hide).

Would it be possible to do this (hide the real IP address) using Nginx itself? All redirects work perfectly, I just want to hide the IP address of the machine on which the application is hosted.

my code in nginx.conf:

stream {
server {
        listen 2083;
        proxy_pass IP_SERVIDOR_APLICACAO: 2083;
        }
}

I took notice of the "MASQUERADING" function of IPTables, I tried both machines and it did not work. The netstat IP address is always displayed. I've also tested the parameter "proxy_bind $ remote_addr transparent;" from nginx, without success.

Any help and knowledge will be welcome.

Thank you very much.

Cuddles!

Edit netstat and ss to prevent show connections on some ports

I am working on a PoC and I am currently adding APT (Advanced Persistent Threat). I would like to know if anyone knows how to edit the Linux source code so that the netstat and / or ss tools are modified to not display connections on certain ports.

adb shell busybox netstat – Ethiopia Android Pile Exchange

I'm trying to look at the marked processes to each individual TCP connection using busybox netstat -p as shown in their documentation. However, after rooting and checking my root with RootChecker, it looks like I have root access and SU access; but unable to run adb shell busybox netstat and it shows the error

Running the netstat busybox command

From the android terminal

I use NoxPlayer 6.2.6.1, running Android version 4.4.2. This shows an image of my attempt to do the same thing in the terminal emulator itself.

RootChecker

And that shows an image of rootChecker verifying that I have rooted the phone well.

I came across some articles saying that / proc / net is a symbolic link; thus providing only a "shortcut" to the file path and not to the actual file; thus, the netstat command could not be executed?

I hope to have some help to solve this problem.

netstat – Understand, interpret and take action on established connections

Context:

I have what I think is a serious malware problem, but virtually all of the analytics do not detect anything or they seldom do it consistently. I believe that the malware (somehow / form / form) configures a VM on my computer and is linked to the main installation with a network / share manipulation. Just a few days ago, I decided to encrypt a partition on an external drive and on the operating system partition on which Windows 10 is installed or otherwise, but I do not want to do not really remember with a distraction. I have never received the confirmation and restart phase when encrypting the OS partition. So it was probably my storage partition that I had previously created.
The machine is now behaving almost normally with a few exceptions. I had problems with a few websites for which I wanted to get downloads and I decided to see which netstat network was listed for connections to my PC. There are several established entries with the same name as my PC, all with port connections ranging from 44,000 to 51,000 via TCP, and some with regular IP addresses via https. Trying to look up the addresses using the WHOIS IP address, he tells me that several are Microsoft, a Verizon (this one is confusing because I do not have Verizon service) and the others are returning a error saying that there are no records "A". Please see the netstat output below and the resolved connection information.

Questions:

  1. What does the error mean there are no "A" records?

  2. How to know if other MS connections are legitimate and if not, how to know more about the owner or the connection in order to be able to fix it other than trying to block this IP address?




source: whois.arin.net
IP address: 13.89.187.212
Name: MSFT
Handle: NET-13-64-0-0-1
Date of inscription: 26/03/15
Range: 13.64.0.0-13.107.255.255
Org: Microsoft Corporation
Org Channel: MSFT
Address: One Way Microsoft
City: Redmond
State / Province: WA
Postal code: 98052
Country: United States
Name servers:
Source: whois.arin.net IP address: 72.21.81.200 Name: EDGECAST-NETBLK-01 Handle: NET-72-21-80-0-1 Date of Registration: 4/23/07 Range: 72.21.80.0-72.21.95.255 Org: Communications Services MCI, Inc., Verizon Business Organizing handle: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn State / Province: VA Postal Code: 20147 Country: United States Name servers:
Source: whois.arin.net IP address: 204.79.197.222 Name: ECN-NETWORK Handle: NET-204-79-195-0-1 Date of Inscription: 12/15/94 Range: 204.79.195.0-204.79.197.255 Org: Microsoft Corporation Org Channel: MSFT Address: One Way Microsoft City: Redmond State / Province: WA Postal code: 98052 Country: United States Name servers:

Active connections

Local address of proto Foreign address TCP 127.0.0.1:44117 OFFICE COMPUTER-5A27A3L: 50311 BASE TCP 127.0.0.1:50277 DESKTOP-5A27A3L: 50278 BASE TCP 127.0.0.1:50278 DESKTOP-5A27A3L: 50277 BASE TCP 127.0.0.1:50279 DESKTOP-5A27A3L: 50280 BASE TCP 127.0.0.1:50280 DESKTOP-5A27A3L: 50279 BASE TCP 127.0.0.1:50281 DESKTOP-5A27A3L: 50282 BASE TCP 127.0.0.1:50282 OFFICE COMPUTER-5A27A3L: 50281 BASE TCP 127.0.0.1:50286 DESKTOP-5A27A3L: 50287 BASE TCP 127.0.0.1:50287 DESKTOP-5A27A3L: 50286 BASE TCP 127.0.0.1:50311 DESKTOP-5A27A3L: 44117 BASE TCP 127.0.0.1:50452 OFFICE COMPUTER-5A27A3L: 50453 BASE TCP 127.0.0.1:50453 DESKTOP-5A27A3L: 50452 BASE TCP 192.168.0.100:49677 13.89.187.212:https ESTABLISHED TCP 192.168.0.100:50003 a172-226-208-13: http CLOSE_WAIT TCP 192.168.0.100:50006 a172-226-180-31: https CLOSE_WAIT TCP 192.168.0.100:50007 52.165.171.165:https ESTABLISHED TCP 192.168.0.100:50025 ec2-52-51-170-189: https ESTABLISHED TCP 192.168.0.100:50293 ec2-54-213-168-194: https ESTABLISHED TCP 192.168.0.100:50300 104.16.249.249:https ESTABLISHED TCP 192.168.0.100:50363 52.96.10.82:https ESTABLISHED TCP 192.168.0.100:50378 52.96.10.82:https ESTABLISHED TCP 192.168.0.100:50382 52.96.10.82:https ESTABLISHED TCP 192.168.0.100:50387 52.96.10.82:https ESTABLISHED TCP 192.168.0.100:50522 ec2-52-11-249-239: TIME_WAIT https TCP 192.168.0.100:50528 91.216.218.226:https TIME_WAIT TCP 192.168.0.100:50537 a104-99-238-51: http TIME_WAIT TCP 192.168.0.100:50538 a-0001: https ESTABLISHED TCP 192.168.0.100:50539 72.21.81.200:https ESTABLISHED TCP 192.168.0.100:50540 ec2-52-54-93-130: http ESTABLISHED TCP 192.168.0.100:50541 13.107.136.254:https ESTABLISHED TCP 192.168.0.100:50542 13.107.246.254:https ESTABLISHED TCP 192.168.0.100:50543 204.79.197.222:https ESTABLISHED

Exploit the netstat output in the post-exploitation phase [on hold]

I've seen that checking the netstat output is a recurring practice in the post-exploitation phase to increase privileges. But I do not understand how to use the exit. Could you help me?