Epmap Connection Problem


Charms Zhou

There is one PC (Windows XP installed) that always tries to establish an epmap
connection with our DNS/DHCP/VPN server (Windows 2000 Server installed). I used
the command "netstat -ab" to see the result below. I found this connection is
established by Windows system services. I don't understand what is happening or
why.





C:\Documents and Settings\czhang>netstat -ab

Active Connections

Proto Local Address Foreign Address State PID
TCP christinezhang:epmap christinezhang.actuate.com:0 LISTENING 952
c:\windows\system32\WS2_32.dll
C:\WINDOWS\system32\RPCRT4.dll
c:\windows\system32\rpcss.dll
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ADVAPI32.dll
[svchost.exe]

TCP christinezhang:microsoft-ds christinezhang.actuate.com:0 LISTENING 4
[System]

TCP christinezhang:5225 christinezhang.actuate.com:0 LISTENING 904
[javaw.exe]

TCP christinezhang:5226 christinezhang.actuate.com:0 LISTENING 904
[javaw.exe]

TCP christinezhang:8008 christinezhang.actuate.com:0 LISTENING 904
[javaw.exe]

TCP christinezhang:1046 christinezhang.actuate.com:0 LISTENING 2684
[alg.exe]

TCP christinezhang:8005 christinezhang.actuate.com:0 LISTENING 904
[javaw.exe]

TCP christinezhang:netbios-ssn christinezhang.actuate.com:0 LISTENING 4
[System]

TCP christinezhang:1063 christinezhang.actuate.com:5226 ESTABLISHED 1896
[StatusClient.exe]

TCP christinezhang:5226 christinezhang.actuate.com:1063 ESTABLISHED 904
[javaw.exe]

TCP christinezhang:1056 baym-cs65.msgr.hotmail.com:1863 ESTABLISHED 2000
[msnmsgr.exe]

TCP christinezhang:1344 baym-sb24.msgr.hotmail.com:1863 ESTABLISHED 2000
[msnmsgr.exe]

TCP christinezhang:1348 207.68.178.61:http ESTABLISHED 2000
[msnmsgr.exe]

TCP christinezhang:1350 207.68.178.61:http ESTABLISHED 2000
[msnmsgr.exe]

TCP christinezhang:1352 192.168.218.145:netbios-ssn ESTABLISHED 4
[System]

TCP christinezhang:1353 shanghai.actuate.com:epmap ESTABLISHED 952
c:\windows\system32\WS2_32.dll
C:\WINDOWS\system32\RPCRT4.dll
c:\windows\system32\rpcss.dll
[svchost.exe]

TCP christinezhang:1318 shanghai.actuate.com:epmap TIME_WAIT 0
TCP christinezhang:1319 shanghai.actuate.com:microsoft-ds TIME_WAIT 0
TCP christinezhang:1321 shanghai.actuate.com:epmap TIME_WAIT 0
TCP christinezhang:1322 shanghai.actuate.com:microsoft-ds TIME_WAIT 0
TCP christinezhang:1324 shanghai.actuate.com:epmap TIME_WAIT 0
TCP christinezhang:1341 shanghai.actuate.com:microsoft-ds TIME_WAIT 0
TCP christinezhang:1343 shanghai.actuate.com:epmap TIME_WAIT 0
TCP christinezhang:1345 shanghai.actuate.com:microsoft-ds TIME_WAIT 0
TCP christinezhang:1347 shanghai.actuate.com:epmap TIME_WAIT 0

UDP christinezhang:microsoft-ds *:* 4
[System]

UDP christinezhang:1349 *:* 1172
C:\WINDOWS\system32\mswsock.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\DNSAPI.dll
c:\windows\system32\dnsrslvr.dll
C:\WINDOWS\system32\RPCRT4.dll
[svchost.exe]

UDP christinezhang:isakmp *:* 708
[lsass.exe]

UDP christinezhang:4500 *:* 708
[lsass.exe]

UDP christinezhang:1027 *:* 1172
C:\WINDOWS\system32\mswsock.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\DNSAPI.dll
c:\windows\system32\dnsrslvr.dll
C:\WINDOWS\system32\RPCRT4.dll
[svchost.exe]

UDP christinezhang:ntp *:* 1048
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP christinezhang:1222 *:* 1928
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\kernel32.dll
[rundll32.exe]

UDP christinezhang:1066 *:* 2000
[msnmsgr.exe]

UDP christinezhang:1900 *:* 1216
c:\windows\system32\WS2_32.dll
c:\windows\system32\ssdpsrv.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP christinezhang:netbios-ns *:* 4
[System]

UDP christinezhang:1900 *:* 1216
c:\windows\system32\WS2_32.dll
c:\windows\system32\ssdpsrv.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP christinezhang:netbios-dgm *:* 4
[System]

UDP christinezhang:ntp *:* 1048
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]





I also used the command "netstat -a" on the server Shanghai; the result is below:



C:\Documents and Settings\jzhou>netstat -a

Active Connections

Proto Local Address Foreign Address State
TCP shanghai:echo shanghai.actuate.com:0 LISTENING
TCP shanghai:discard shanghai.actuate.com:0 LISTENING
TCP shanghai:daytime shanghai.actuate.com:0 LISTENING
TCP shanghai:qotd shanghai.actuate.com:0 LISTENING
TCP shanghai:chargen shanghai.actuate.com:0 LISTENING
TCP shanghai:smtp shanghai.actuate.com:0 LISTENING
TCP shanghai:nameserver shanghai.actuate.com:0 LISTENING
TCP shanghai:domain shanghai.actuate.com:0 LISTENING
TCP shanghai:http shanghai.actuate.com:0 LISTENING
TCP shanghai:epmap shanghai.actuate.com:0 LISTENING
TCP shanghai:https shanghai.actuate.com:0 LISTENING
TCP shanghai:microsoft-ds shanghai.actuate.com:0 LISTENING
TCP shanghai:printer shanghai.actuate.com:0 LISTENING
TCP shanghai:548 shanghai.actuate.com:0 LISTENING
TCP shanghai:1025 shanghai.actuate.com:0 LISTENING
TCP shanghai:1031 shanghai.actuate.com:0 LISTENING
TCP shanghai:1036 shanghai.actuate.com:0 LISTENING
TCP shanghai:1040 shanghai.actuate.com:0 LISTENING
TCP shanghai:1042 shanghai.actuate.com:0 LISTENING
TCP shanghai:1047 shanghai.actuate.com:0 LISTENING
TCP shanghai:1049 shanghai.actuate.com:0 LISTENING
TCP shanghai:1059 shanghai.actuate.com:0 LISTENING
TCP shanghai:1667 shanghai.actuate.com:0 LISTENING
TCP shanghai:pptp shanghai.actuate.com:0 LISTENING
TCP shanghai:1755 shanghai.actuate.com:0 LISTENING
TCP shanghai:1801 shanghai.actuate.com:0 LISTENING
TCP shanghai:2103 shanghai.actuate.com:0 LISTENING
TCP shanghai:2105 shanghai.actuate.com:0 LISTENING
TCP shanghai:2107 shanghai.actuate.com:0 LISTENING
TCP shanghai:2401 shanghai.actuate.com:0 LISTENING
TCP shanghai:2402 shanghai.actuate.com:0 LISTENING
TCP shanghai:3372 shanghai.actuate.com:0 LISTENING
TCP shanghai:3389 shanghai.actuate.com:0 LISTENING
TCP shanghai:6666 shanghai.actuate.com:0 LISTENING
TCP shanghai:7007 shanghai.actuate.com:0 LISTENING
TCP shanghai:7778 shanghai.actuate.com:0 LISTENING
TCP shanghai:8001 shanghai.actuate.com:0 LISTENING
TCP shanghai:epmap CHRISTINEZHANG:952 ESTABLISHED
TCP shanghai:netbios-ssn shanghai.actuate.com:0 LISTENING
TCP shanghai:netbios-ssn LIONELWANG:1826 ESTABLISHED
TCP shanghai:netbios-ssn YLI:1866 ESTABLISHED
TCP shanghai:netbios-ssn SISSIZHU:1532 ESTABLISHED
TCP shanghai:3389 JIANZHOU:4543 ESTABLISHED
UDP shanghai:echo *:*
UDP shanghai:discard *:*
UDP shanghai:daytime *:*
UDP shanghai:qotd *:*
UDP shanghai:chargen *:*
UDP shanghai:nameserver *:*
UDP shanghai:bootpc *:*
UDP shanghai:epmap *:*
UDP shanghai:snmp *:*
UDP shanghai:microsoft-ds *:*
UDP shanghai:1027 *:*
UDP shanghai:1033 *:*
UDP shanghai:1039 *:*
UDP shanghai:1048 *:*
UDP shanghai:1050 *:*
UDP shanghai:1060 *:*
UDP shanghai:1645 *:*
UDP shanghai:1646 *:*
UDP shanghai:l2tp *:*
UDP shanghai:1755 *:*
UDP shanghai:radius *:*
UDP shanghai:radacct *:*
UDP shanghai:3456 *:*
UDP shanghai:3527 *:*
UDP shanghai:domain *:*
UDP shanghai:bootps *:*
UDP shanghai:bootpc *:*
UDP shanghai:isakmp *:*
UDP shanghai:2535 *:*
UDP shanghai:domain *:*
UDP shanghai:1029 *:*
UDP shanghai:1030 *:*
UDP shanghai:1038 *:*
UDP shanghai:1041 *:*
UDP shanghai:domain *:*
UDP shanghai:bootps *:*
UDP shanghai:bootpc *:*
UDP shanghai:netbios-ns *:*
UDP shanghai:netbios-dgm *:*
UDP shanghai:isakmp *:*
UDP shanghai:2535 *:*







Thanks,

James
 

Guest

I can only offer my theory, but is it possible you may have a network
protocol on your machine trying to obtain an IP address?

Or possibly an application trying to resolve a host name via the DNS server?

Typically if one machine starts misbehaving, I'd look at malware.
Possibly install a local firewall, the likes of SP2 or third party like
ZoneAlarm etc.
This might pinch off unwanted network traffic; you can configure the
Windows Firewall to log successful connections and dropped packets.

See what you can find...
--
________
NIC
----------
Savage
________
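
Added example (not part of the original thread): a small Python parser for `netstat -ab` output like the client listing in the question, which attributes connections to a remote host's epmap and microsoft-ds ports to their owning process and lists the local ports used. `SAMPLE` is a shortened excerpt of that listing, and the function names `parse_netstat_ab` and `remote_rpc_smb` are made up for this illustration.

```python
from collections import Counter, defaultdict

STATES = {"LISTENING", "ESTABLISHED", "TIME_WAIT", "CLOSE_WAIT", "SYN_SENT",
          "SYN_RECEIVED", "FIN_WAIT_1", "FIN_WAIT_2", "LAST_ACK", "CLOSING"}

# Shortened excerpt of the client-side output from the question; some PIDs
# sit on their own line, as pasted netstat output often does.
SAMPLE = r"""
Proto Local Address Foreign Address State PID
TCP christinezhang:epmap christinezhang.actuate.com:0 LISTENING
952
c:\windows\system32\rpcss.dll
[svchost.exe]
TCP christinezhang:1353 shanghai.actuate.com:epmap ESTABLISHED
952
C:\WINDOWS\system32\RPCRT4.dll
c:\windows\system32\rpcss.dll
[svchost.exe]
TCP christinezhang:1318 shanghai.actuate.com:epmap TIME_WAIT
0
TCP christinezhang:1319 shanghai.actuate.com:microsoft-ds TIME_WAIT

0
TCP christinezhang:1321 shanghai.actuate.com:epmap TIME_WAIT
0
TCP christinezhang:1322 shanghai.actuate.com:microsoft-ds TIME_WAIT

0
UDP christinezhang:isakmp *:* 708
[lsass.exe]
"""

def parse_netstat_ab(text):
    """Return one dict per connection, rejoining wrapped state/PID lines."""
    conns, cur = [], None
    for raw in text.splitlines():
        line, parts = raw.strip(), raw.split()
        if not parts:
            continue
        if parts[0] in ("TCP", "UDP") and len(parts) >= 3:
            cur = {"proto": parts[0], "local": parts[1], "remote": parts[2],
                   "state": None, "pid": None, "owner": None, "modules": []}
            conns.append(cur)
            parts = parts[3:]
        elif cur is None:
            continue                          # banner and column header
        elif line.startswith("[") and line.endswith("]"):
            cur["owner"] = line[1:-1]         # owning executable
            continue
        if all(p in STATES or p.isdigit() for p in parts):
            for p in parts:                   # state and/or PID, maybe wrapped
                if p in STATES:
                    cur["state"] = p
                else:
                    cur["pid"] = int(p)
        else:
            cur["modules"].append(line)       # DLLs listed under the socket
    return conns

def remote_rpc_smb(conns, services=("epmap", "135", "microsoft-ds", "445")):
    """Group TCP connections to remote RPC/SMB ports by (host, service)."""
    out = defaultdict(lambda: {"states": Counter(), "owners": set(), "lports": []})
    for c in conns:
        host, _, svc = c["remote"].rpartition(":")
        if c["proto"] != "TCP" or c["state"] == "LISTENING" or svc not in services:
            continue
        entry = out[(host, svc)]
        entry["states"][c["state"]] += 1
        entry["lports"].append(c["local"].rpartition(":")[2])
        if c["owner"]:                        # TIME_WAIT rows have PID 0, no owner
            entry["owners"].add((c["pid"], c["owner"]))
    return dict(out)

if __name__ == "__main__":
    for (host, svc), e in remote_rpc_smb(parse_netstat_ab(SAMPLE)).items():
        print(host, svc, dict(e["states"]), sorted(e["owners"]), e["lports"])
```

On the excerpt, the only attributable owner of the epmap connection is PID 952, the svchost.exe instance listed with rpcss.dll, and the local port lists show epmap and microsoft-ds connections to the server opened alternately.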



Charms Zhou

1. The problem is still here after I changed the machine's DNS server;
2. The machine has SP2 and the firewall is on;
3. The port number that connects to the server's epmap port is protean.


Guest

I'm out, but hope this article helps.

How to Use Portqry to Troubleshoot Active Directory Connectivity Issues
http://support.microsoft.com/default.aspx?scid=kb;en-us;310456

--
________
NIC
----------
Savage
________



Charms Zhou

1. The problem is still here after I changed the machine's DNS server;
2. The machine has SP2 and the firewall is on;
3. The port number that connects to the server's epmap port is protean. I found the
client machine's port number is different every time I use the command
"netstat" on the server.
4. Only this machine establishes an epmap connection to the server in our LAN.

