Solved TCP Foreign Addresses

[timw128]

Hello- I am having trouble finding out who the established addresses are within 'netstat -an'.

I can find the geolocation, but I don't know who they are. I believe my Kaspersky Internet Security v16

is the one established to Russia, but not sure. Also, the one's established in the US in California can't be found-

or at least I don't know how to find them. Can someone help me, please?

Thank you!

 

[Digital Life]

I usually use IP Address Details - ipinfo.io to find info on a IP's

 

[timw128]

I usually use IP Address Details - ipinfo.io to find info on a IP's

Thanks for that...take a look at this. Never heard of this outfit and have no idea what they do-

https://www.fastly.com

 

[timw128]

Then there's this one, which is, perhaps, my Kaspersky-

AS3327 Linx Telecommunications B.V. - ipinfo.io

 

[UsernameIssues]

I believe my Kaspersky Internet Security v16 is the one established to Russia, but not sure.

From an elevated commend prompt, try:

netstat -an -b

The "-b" option might show you the app that made the connection.

From netstat's help:

C:\windows\system32>netstat /?

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p proto] [-r] [-s] [-x] [-t] [interval]

  -a            Displays all connections and listening ports.
[COLOR=Red]  -b            Displays the executable involved in creating each connection or
                listening port.[/COLOR] In some cases well-known executables host
                multiple independent components, and in these cases the
                sequence of components involved in creating the connection
                or listening port is displayed. In this case the executable
                name is in [] at the bottom, on top is the component it called,
                and so forth until TCP/IP was reached. Note that this option
                can be time-consuming and will fail unless you have sufficient
                permissions.

Sometimes you will only get...

Can not obtain ownership information

...instead of the app info.

 

[timw128]

Sometimes you will only get...

Can not obtain ownership information

...instead of the app info.

Yeah, a lot of Opera browser connects established but that's due to my Gmail being open, to retrieve thread update info for here, and of course, 'sevenforums' is open, as well.

 

[UsernameIssues]

You might also want to look at Windows 7's native Resource Monitor > Network tab.

 

[Digital Life]

I am not sure what the companies do that own those IP's but if you can make heads or tails out of their web page's here ya go.

https://www.fastly.com/
AS54113 Fastly - ipinfo.io Details

History – LinxTelecom and LinxDatacenter
AS3327 Linx Telecommunications B.V. - ipinfo.io Details

If they are ISP's and your computer is talking to one of their users you may want to do a thorough malware scan.

 

[timw128]

I am not sure what the companies do that own those IP's but if you can make heads or tails out of their web page's here ya go.

https://www.fastly.com/
AS54113 Fastly - ipinfo.io Details

History – LinxTelecom and LinxDatacenter
AS3327 Linx Telecommunications B.V. - ipinfo.io Details

If they are ISP's and your computer is talking to one of their users you may want to do a thorough malware scan.

Yeah, it's crazy... that 'fastly.com' outfit has something to do with outfits that interface with social media platforms. That's a whole different market. For instance, Fastly's clients include Vimeo, BuzzFeed, New Relic,
KAYAK, Opera Software ( of which I use Opera browser), et al.
'linxtelecom.com' is a server mamagement concern and provider. I went to Kaspersky Internet Security a year ago, after being with avast! for about 6 yrs. Why?... Kaspersky and BitDefender have consistently been ranked the #1 AV for 4-5 yrs. running. BitDefender does not integrate with Opera browser, and Kaspersky does, to a degree.

I'm going to run that cmd prompt-

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : Timbo-ENVY
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : 34-64-A9-1B-D9-01
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::599b:348f:15ee:747b%12(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, September 27, 2016 10:03:51 AM
Lease Expires . . . . . . . . . . : Wednesday, September 28, 2016 10:52:58 PM

Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 338977961
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1F-4F-C8-F9-34-64-A9-1B-D9-01

DNS Servers . . . . . . . . . . . : 2001:4860:4860::8888
2001:4860:4860::8844
8.8.8.8
8.8.4.4
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{B16CB80A-70E0-44EC-B5A1-005A9E168400}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Now, netstat -an-

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>netstat -an

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:554 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1028 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1029 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1046 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2869 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING
TCP 0.0.0.0:10243 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1030 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1031 0.0.0.0:0 LISTENING
TCP 192.168.1.3:139 0.0.0.0:0 LISTENING
TCP 192.168.1.3:6877 62.128.100.174:443 ESTABLISHED
TCP 192.168.1.3:6891 216.58.216.69:443 ESTABLISHED
TCP 192.168.1.3:6926 173.194.198.189:443 ESTABLISHED
TCP 192.168.1.3:7052 91.203.99.18:443 ESTABLISHED
TCP 192.168.1.3:7109 184.172.52.106:80 ESTABLISHED
TCP 192.168.1.3:7110 216.58.216.68:443 ESTABLISHED
TCP 192.168.1.3:7111 216.58.216.78:443 ESTABLISHED
TCP [::]:135 [::]:0 LISTENING
TCP [::]:445 [::]:0 LISTENING
TCP [::]:554 [::]:0 LISTENING
TCP [::]:1025 [::]:0 LISTENING
TCP [::]:1026 [::]:0 LISTENING
TCP [::]:1027 [::]:0 LISTENING
TCP [::]:1028 [::]:0 LISTENING
TCP [::]:1029 [::]:0 LISTENING
TCP [::]:1046 [::]:0 LISTENING
TCP [::]:2869 [::]:0 LISTENING
TCP [::]:3587 [::]:0 LISTENING
TCP [::]:5357 [::]:0 LISTENING
TCP [::]:10243 [::]:0 LISTENING
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:3702 *:*
UDP 0.0.0.0:3702 *:*
UDP 0.0.0.0:3702 *:*
UDP 0.0.0.0:3702 *:*
UDP 0.0.0.0:4500 *:*
UDP 0.0.0.0:5004 *:*
UDP 0.0.0.0:5005 *:*
UDP 0.0.0.0:5355 *:*
UDP 0.0.0.0:55943 *:*
UDP 0.0.0.0:62705 *:*
UDP 127.0.0.1:1900 *:*
UDP 127.0.0.1:57039 *:*
UDP 127.0.0.1:57359 *:*
UDP 192.168.1.3:137 *:*
UDP 192.168.1.3:138 *:*
UDP 192.168.1.3:1900 *:*
UDP 192.168.1.3:57038 *:*
UDP [::]:500 *:*
UDP [::]:3540 *:*
UDP [::]:3702 *:*
UDP [::]:3702 *:*
UDP [::]:3702 *:*
UDP [::]:3702 *:*
UDP [::]:4500 *:*
UDP [::]:5004 *:*
UDP [::]:5005 *:*
UDP [::]:5355 *:*
UDP [::]:55944 *:*
UDP [::]:62706 *:*
UDP [::1]:1900 *:*
UDP [::1]:57037 *:*
UDP [fe80::599b:348f:15ee:747b%12]:546 *:*
UDP [fe80::599b:348f:15ee:747b%12]:1900 *:*
UDP [fe80::599b:348f:15ee:747b%12]:57036 *:*

C:\Windows\system32>

 

[Digital Life]

I took the liberty to find some info on your last post.

{
"ip": "62.128.100.174",
"hostname": "No Hostname",
"city": "Kiev",
"region": "Kyiv City",
"country": "UA",
"loc": "50.4333,30.5167",
"org": "AS3327 Linx Telecommunications B.V."
}{
"ip": "216.58.216.69",
"hostname": "ord30s21-in-f69.1e100.net",
"city": "Mountain View",
"region": "California",
"country": "US",
"loc": "37.4192,-122.0574",
"org": "AS15169 Google Inc.",
"postal": "94043"
}{
"ip": "173.194.198.189",
"hostname": "iz-in-f189.1e100.net",
"city": "Mountain View",
"region": "California",
"country": "US",
"loc": "37.4192,-122.0574",
"org": "AS15169 Google Inc.",
"postal": "94043"
}{
"ip": "91.203.99.18",
"hostname": "autoupdate.opera.com",
"city": "Oslo",
"region": "Oslo County",
"country": "NO",
"loc": "59.9167,10.7500",
"org": "AS39832 Opera Software AS",
"postal": "0001"
}{
"ip": "184.172.52.106",
"hostname": "6a.34.acb8.ip4.static.sl-reverse.com",
"city": "Houston",
"region": "Texas",
"country": "US",
"loc": "29.7633,-95.3633",
"org": "AS36351 SoftLayer Technologies Inc.",
"postal": "77002"
}{
"ip": "216.58.216.68",
"hostname": "ord30s21-in-f68.1e100.net",
"city": "Mountain View",
"region": "California",
"country": "US",
"loc": "37.4192,-122.0574",
"org": "AS15169 Google Inc.",
"postal": "94043"
}{
"ip": "216.58.216.78",
"hostname": "ord30s21-in-f14.1e100.net",
"city": "Mountain View",
"region": "California",
"country": "US",
"loc": "37.4192,-122.0574",
"org": "AS15169 Google Inc.",
"postal": "94043"
}

I'm using Windows 10 right now so instead of my usual way to search a list in a text file of multiple IP's for info on IP's I used Win 10 Bash instead of Linux.

 

[Digital Life]

LOL guess who

}{
  "ip": "184.172.52.106",
  "hostname": "6a.34.acb8.ip4.static.sl-reverse.com",
  "city": "Houston",
  "region": "Texas",
  "country": "US",
  "loc": "29.7633,-95.3633",
  "org": "AS36351 SoftLayer Technologies Inc.",
  "postal": "77002"
 }{

The Internet Service Provider (ISP) that owns the network address of 184.172.52.106 is ThePlanet.com Internet Services, Inc. and located in Texas within the United States. The IP Address resolves to the DNS record of 6a.34.acb8.ip4.static.sl-reverse.com. Currently there are 2 domain names that utilize this address. The primary domain hosted by this IP is Windows 10 Forums along with 1 other domains.

Source:
https://www.reasoncoresecurity.com/ip-address-184.172.52.106.aspx

 

[timw128]

I took the liberty to find some info on your last post.
I'm using Windows 10 right now so instead of my usual way to search a list in a text file of multiple IP's for info on IP's I used Win 10 Bash instead of Linux.

Thank you for that. Yes, the LinxTele connections are Kaspersky servers, more than likely Update.

The Google references are normal, as are the Opera, from Oslo.

SoftLayer Technologies Inc. is a Cloud server, Storage provider and I have no idea what they're doing being connected. More research is order.

Again, I thank you for your efforts.

tim

 

[Digital Life]

One more tidbit of info see this

}{
  "ip": "216.58.216.69",
  "hostname": "ord30s21-in-f69.[COLOR=red]1e100[/COLOR].net",
  "city": "Mountain View",
  "region": "California",
  "country": "US",
  "loc": "37.4192,-122.0574",
  "org": "AS15169 Google Inc.",
  "postal": "94043"
 }{

When you see 1e100 in the host name usually means it's Google

What is 1e100.net?

1e100.net is a Google-owned domain name used to identify the servers in our network.
Following standard industry practice, we make sure each IP address has a corresponding hostname. In October 2009, we started using a single domain name to identify our servers across all Google products, rather than use different product domains such as youtube.com, blogger.com, and google.com. We did this for two reasons: first, to keep things simpler, and second, to proactively improve security by protecting against potential threats such as cross-site scripting attacks.
Most typical Internet users will never see 1e100.net, but we picked a Googley name for it just in case

(1e100 is scientific notation for 1 googol) .

 

[timw128]

LOL guess who

}{
  "ip": "184.172.52.106",
  "hostname": "6a.34.acb8.ip4.static.sl-reverse.com",
  "city": "Houston",
  "region": "Texas",
  "country": "US",
  "loc": "29.7633,-95.3633",
  "org": "AS36351 SoftLayer Technologies Inc.",
  "postal": "77002"
 }{

The Internet Service Provider (ISP) that owns the network address of 184.172.52.106 is ThePlanet.com Internet Services, Inc. and located in Texas within the United States. The IP Address resolves to the DNS record of 6a.34.acb8.ip4.static.sl-reverse.com. Currently there are 2 domain names that utilize this address. The primary domain hosted by this IP is Windows 10 Forums along with 1 other domains.

Source:
https://www.reasoncoresecurity.com/ip-address-184.172.52.106.aspx

LOL!...Touche!... I'm a member at 'tenforums' but don't go there much at all, because I don't have 10- yet!

So, yeah, I know 'sevenforums' and 'tenforums' are virtually the same... so, same address, right?...

I contacted Softlayer, to no avail. So, the parent to 7 and 10 forums uses Softlayer Cloud Servers- they're in Texas. Do you think the other domain may be Windows 7 Forums, or is there no way to tell?...

Well, on a positive note, I come here whenever I don't understand something...and I leave with a bit more knowledge. Maybe I'm just getting paranoid, although I do nothing that should give me reason to be. But then there's the bad guys, too.

I have pretty good security. I run weekly scans, or more if something doesn't look right. I use other tools- AdwareCleaner, JRT, Mbam, and Eset Online Scanner along with TFC. I've started using Sysinternals tools, as well.

Sure appreciate your time and help- Thank you!

tim

 

[Digital Life]

Looks like the other server is in the beginning process of a being web server.
IIS Windows Server (184.172.52.106)

 

[UsernameIssues]

looks like the other server is in the beginning process of a being web server.
iis windows server (184.172.52.106)

View attachment 392216

TenForums.com WHOIS, DNS, & Domain Info - DomainTools

 

[timw128]

Oh, OK... well, everything in my 'netstat' is accounted for then...Yep!

Thanks!...good work!

 

[UsernameIssues]

Oh, OK... well, everything in my 'netstat' is accounted for then...Yep!

Thanks!...good work!

Good to hear

SevenForums.com WHOIS, DNS, & Domain Info - DomainTools
sevenforums seems to be hosted on that same server - same IP 184.172.52.106.