should i kill these two process with python?
Deborah Swanson
python at deborahswanson.net
Sat Mar 25 21:52:11 EDT 2017
Chris Angelico wrote, on Saturday, March 25, 2017 1:53 AM
>
> On Sat, Mar 25, 2017 at 7:41 PM, Ho Yeung Lee
> <jobmattcon at gmail.com> wrote:
> > TCP 127.0.0.1:1663 127.0.0.1:28091 ESTABLISHED 9900
> > TCP 127.0.0.1:28091 127.0.0.1:1663 ESTABLISHED 9532
> >
> > above two processes connect to itself, named ismagent and updateui.exe
> >
> > are they malware software?
> >
> >
> > TCP 127.0.0.1:1663 127.0.0.1:28091 ESTABLISHED 9900
> > TCP 127.0.0.1:7496 0.0.0.0:0 LISTENING 7496
> > TCP 127.0.0.1:27015 0.0.0.0:0 LISTENING 9968
> > TCP 127.0.0.1:28091 0.0.0.0:0 LISTENING 9532
> > TCP 127.0.0.1:28091 127.0.0.1:1663 ESTABLISHED 9532
> > TCP 127.0.0.1:43227 0.0.0.0:0 LISTENING 3772
> > TCP 127.0.0.1:50000 0.0.0.0:0 LISTENING 9532
> > TCP 192.168.1.102:1128 210.176.156.35:443 FIN_WAIT_2 5124
> > TCP 192.168.1.102:1509 64.233.188.102:443 ESTABLISHED 6700
> > TCP 192.168.1.102:1510 216.58.203.46:443 ESTABLISHED 6700
> > TCP 192.168.1.102:1511 216.58.203.46:443 ESTABLISHED 6700
> > TCP 192.168.1.102:1512 216.58.200.5:443 ESTABLISHED 6700
> > TCP 192.168.1.102:1513 172.217.26.195:443 ESTABLISHED 6700
> > TCP 192.168.1.102:1514 172.217.26.195:443 CLOSE_WAIT 6700
> > TCP 192.168.1.102:1898 111.221.29.156:443 ESTABLISHED 1544
>
> This question is about systems administration and has nothing
> to do with Python.
>
> To figure out what each connection represents, you'll have to
> figure out what programs are on the two ends. (In the case of
> listening sockets, figure out which program is listening.)
> Then research what's actually being done by those programs. A
> simple dump like this is not going to tell you much about
> whether it's malware.
>
> ChrisA
You can also look up the IP addresses that aren't your machine (127.0.0.1
and 192.168.1.102) with a DNS lookup tool. This may be helpful if you
recognize who they are, or you can google the IP addresses and/or their
owners. If they're malware, Google will have lots of pages on them.
This looks like a readout from Essential Net Tools running in Express
mode. If you select Advanced mode, ENT will tell you the process name
and lots of other good stuff for each entry, plus ENT is a full network
toolbox and you won't need Google.
Deborah
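Chris's advice boils down to finding the program on each end of every socket, and Deborah's to looking up the peers that aren't local. As an added example (not code from either poster, and nothing the original poster ran), here is a stdlib-only Python script that parses a dump in the column layout quoted above (Proto, Local, Foreign, State, PID, as `netstat -ano` prints it), pairs the two ends of each loopback connection by matching the socket 4-tuple, classifies every row by where its far end lives, and lists the Internet-side peers worth a reverse-DNS or whois lookup. `SAMPLE_DUMP` is constructed input transcribed from the quoted output; `process_name` is a hypothetical helper that shells out to `tasklist` on Windows or reads `/proc/<pid>/comm` on Linux, so it only means something on the machine that produced the dump.

```python
"""Triage a netstat-style dump: pair up loopback ends, list peers to look up.
Added example for this thread, stdlib only. Column layout of the quoted dump
(netstat -ano style): Proto  Local  Foreign  [State]  PID
"""
from __future__ import annotations

import csv
import ipaddress
import os
import re
import subprocess
from collections import namedtuple

# Constructed sample, transcribed from the dump quoted in this thread.
SAMPLE_DUMP = """\
TCP 127.0.0.1:1663 127.0.0.1:28091 ESTABLISHED 9900
TCP 127.0.0.1:7496 0.0.0.0:0 LISTENING 7496
TCP 127.0.0.1:27015 0.0.0.0:0 LISTENING 9968
TCP 127.0.0.1:28091 0.0.0.0:0 LISTENING 9532
TCP 127.0.0.1:28091 127.0.0.1:1663 ESTABLISHED 9532
TCP 127.0.0.1:43227 0.0.0.0:0 LISTENING 3772
TCP 127.0.0.1:50000 0.0.0.0:0 LISTENING 9532
TCP 192.168.1.102:1128 210.176.156.35:443 FIN_WAIT_2 5124
TCP 192.168.1.102:1509 64.233.188.102:443 ESTABLISHED 6700
TCP 192.168.1.102:1898 111.221.29.156:443 ESTABLISHED 1544
"""

Conn = namedtuple("Conn", "proto laddr lport raddr rport state pid")

# The state column is optional (UDP rows have none); a UDP foreign port is '*'.
LINE_RE = re.compile(
    r"^(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+([A-Z_0-9]+))?\s+(\d+)$")


def _port(text: str) -> int:
    return 0 if text == "*" else int(text)


def parse_netstat(text: str) -> list[Conn]:
    """Parse data rows; header and blank lines simply fail to match."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            proto, la, lp, ra, rp, state, pid = m.groups()
            conns.append(Conn(proto, la, _port(lp), ra, _port(rp), state or "", int(pid)))
    return conns


def classify(c: Conn) -> str:
    """Where the far end lives: listening socket, loopback, LAN or Internet."""
    if c.state == "LISTENING":
        return "listening"
    try:
        ip = ipaddress.ip_address(c.raddr)
    except ValueError:  # '*' on UDP rows
        return "unbound"
    return "loopback" if ip.is_loopback else "lan" if ip.is_private else "internet"


def pair_loopback(conns: list[Conn]) -> list[tuple[int, int, int]]:
    """Match each loopback ESTABLISHED row to its mirror row (the peer's view).

    Returns (client_pid, server_pid, server_port) once per connection. The
    server is the end whose local port also shows up as LISTENING; if that
    row is absent, the higher (ephemeral-looking) port is taken as client.
    """
    listening = {(c.laddr, c.lport) for c in conns if c.state == "LISTENING"}
    est = {(c.laddr, c.lport, c.raddr, c.rport): c
           for c in conns if c.state == "ESTABLISHED"}
    pairs = set()
    for c in est.values():
        peer = est.get((c.raddr, c.rport, c.laddr, c.lport))
        if peer is None or classify(c) != "loopback":
            continue
        i_am_server = (c.laddr, c.lport) in listening
        peer_is_server = (c.raddr, c.rport) in listening
        if peer_is_server or (not i_am_server and c.lport > c.rport):
            pairs.add((c.pid, peer.pid, c.rport))
    return sorted(pairs)


def remote_peers(conns: list[Conn]) -> list[tuple[str, int]]:
    """Internet-side endpoints worth a reverse-DNS or whois lookup."""
    peers = {(c.raddr, c.rport) for c in conns if classify(c) == "internet"}
    return sorted(peers, key=lambda p: (ipaddress.ip_address(p[0]), p[1]))


def process_name(pid: int) -> str | None:
    """Hypothetical helper: PID -> image name, only meaningful on the machine
    that produced the dump (tasklist on Windows, /proc/<pid>/comm on Linux)."""
    if os.name == "nt":
        out = subprocess.run(["tasklist", "/FI", f"PID eq {pid}", "/FO", "CSV", "/NH"],
                             capture_output=True, text=True).stdout
        for row in csv.reader(out.splitlines()):
            if len(row) > 1 and row[1] == str(pid):
                return row[0]
        return None
    try:
        with open(f"/proc/{pid}/comm") as fh:
            return fh.read().strip()
    except OSError:
        return None
```

On the sample, `pair_loopback` reports `(9900, 9532, 28091)`: PID 9900 is the client side of the 1663/28091 pair and PID 9532 is the server, because 9532 also owns the LISTENING socket on 127.0.0.1:28091. Feed `parse_netstat` the saved text of `netstat -ano` to run it on a real box. The output is still only a map of who talks to whom; a plausible image name from `process_name` proves nothing either way, so the next step is the path, signature and vendor of each executable behind those PIDs.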