Using Netstat And CMD To Find If There Is Any Established Suspicious Connection/Process On Your Windows System. A Sign Of Being Hacked? (Video)

A candidate icon for Portal:Computer security (Photo credit: Wikipedia)

So I was poking around on YouTube and stumbled onto a video titled How to find out if your pc is hacked, which is embedded below so you can watch it.  Even though the video’s quality is poor and it was uploaded back in 2008, the content should still be helpful and relevant.  The video simply instructs you to compare the process IDs (PIDs) of the established connections in netstat’s output in a CMD window against the PIDs of the running processes in Windows Task Manager.  If the pairing of an established/active connection with a process looks suspicious (i.e., check the process name and its location on the system and compare them against known process names and locations from reputable process-lookup resources on the Internet) — you can then either run a good antivirus program to confirm whether your system is hacked or investigate further.  What if you can’t find a PID from netstat’s result list inside Windows Task Manager?  You may need to click the button near the bottom of Windows Task Manager labeled Show processes from all users.  The video also instructs you to add a Process ID column to Windows Task Manager so you can view and compare its PIDs against netstat’s result list.  According to the video, the command that makes netstat show the state and process ID of each connection is [netstat -ano].  To add a process ID column to Windows Task Manager, go to View > Select Columns and check the box that says PID (Process Identifier).  For your information, I followed these instructions on Windows 7 to confirm that the video’s instructions are accurate.  Check out the video right after the break and enjoy!
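The comparison the video describes, done in one step, as an added example (Python, not code from the post or from the video): it parses text captured from `netstat -ano` and from `tasklist /FO CSV` (the command-line counterpart of Task Manager’s PID column), joins the two on PID, and flags ESTABLISHED connections whose remote end is not loopback. Loopback-only pairs like the 127.0.0.1 entries in the comments below are left unflagged, since traffic between two ports on 127.0.0.1 never leaves the machine and therefore survives unplugging the cable. The sample outputs, process names and PIDs in the script are constructed placeholders, not findings about any real system.

```python
"""Correlate `netstat -ano` output with `tasklist` output by PID.

Added example for this post, not code from the post or from the video it
describes. The sample outputs below are constructed; the process names and
PIDs in them are placeholders, not findings about any real machine.
"""
import csv
import io
import subprocess
from dataclasses import dataclass
from ipaddress import ip_address

MISSING = "<not in tasklist>"


@dataclass(frozen=True)
class Conn:
    proto: str
    local: str
    remote: str
    state: str
    pid: int
    name: str  # image name from tasklist, or MISSING if the PID was not listed


def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) for each TCP/UDP row of `netstat -ano`."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts[:5]
        else:  # UDP rows have no State column
            proto, local, remote, pid = parts[:4]
            state = ""
        yield proto, local, remote, state, int(pid)


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV` output."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def split_host(addr):
    """'127.0.0.1:5354' -> '127.0.0.1'; '[::1]:49189' -> '::1'; '*:*' -> '*'."""
    host, _, _port = addr.rpartition(":")
    return host.strip("[]")


def is_loopback(addr):
    try:
        return ip_address(split_host(addr)).is_loopback
    except ValueError:  # '*' wildcard in UDP rows, or an unresolved name
        return False


def correlate(netstat_text, tasklist_text):
    """Join every netstat row to its owning process name (the manual Task Manager step)."""
    names = parse_tasklist(tasklist_text)
    return [Conn(proto, local, remote, state, pid, names.get(pid, MISSING))
            for proto, local, remote, state, pid in parse_netstat(netstat_text)]


def flag_external_established(conns):
    """ESTABLISHED connections whose remote end is not loopback.

    Loopback pairs (127.0.0.1 <-> 127.0.0.1, [::1] <-> [::1]) never leave the
    host, so they persist with the cable unplugged and Wi-Fi off; only a
    non-loopback remote address can be talking to another machine.
    """
    return [c for c in conns if c.state == "ESTABLISHED" and not is_loopback(c.remote)]


# Constructed sample in the format `netstat -ano` prints on Windows 7.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    127.0.0.1:49153        127.0.0.1:49154        ESTABLISHED     884
  TCP    127.0.0.1:49154        127.0.0.1:49153        ESTABLISHED     884
  TCP    [::1]:49189            [::1]:5354             ESTABLISHED     1928
  TCP    192.168.1.20:51234     203.0.113.10:443       ESTABLISHED     2468
  TCP    192.168.1.20:51240     198.51.100.7:8080      ESTABLISHED     9999
  UDP    0.0.0.0:500            *:*                                    1100
"""

# Constructed sample in the format of `tasklist /FO CSV`; PID 9999 is deliberately
# absent, which is the "PID not shown in Task Manager" case the post mentions.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","884","Services","0","12,345 K"
"localhelper.exe","1928","Services","0","4,100 K"
"unknown_updater.exe","2468","Console","1","8,020 K"
"lsass.exe","1100","Services","0","6,000 K"
'''


def capture_live():
    """Run both commands on a Windows host; return None elsewhere or on failure."""
    try:
        ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
        tl = subprocess.run(["tasklist", "/FO", "CSV"], capture_output=True, text=True, check=True).stdout
        return ns, tl
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    live = capture_live()
    netstat_text, tasklist_text = live if live else (SAMPLE_NETSTAT, SAMPLE_TASKLIST)
    conns = correlate(netstat_text, tasklist_text)
    for c in flag_external_established(conns):
        print(f"{c.pid:>6}  {c.name:<22} {c.local} -> {c.remote}")
```

A PID that netstat reports but tasklist does not list comes back as `<not in tasklist>`; re-run from an elevated prompt (the command-line analogue of the post’s Show processes from all users button) before reading anything into it. Flagged entries are only a starting point: the next step is still the one the post gives, checking the process name and its location on disk against reputable process-lookup resources.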

7 thoughts on “Using Netstat And CMD To Find If There Is Any Established Suspicious Connection/Process On Your Windows System. A Sign Of Being Hacked? (Video)”

  1. http://www.nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-connected-to-internet.html?_r=0

    Could I be one of the lucky 100,000 computers picked by the N.S.A. Lol!

    No cable connection
    No Wi Fi
    Airplane mode active

    I still have a cluster of established connections???

    TCP 127.0.0.1:5354 127.0.0.1:49189 ESTABLISHED 1928
    TCP 127.0.0.1:5354 127.0.0.1:49190 ESTABLISHED 1928
    TCP 127.0.0.1:6543 0.0.0.0:0 LISTENING 4080
    TCP 127.0.0.1:27015 0.0.0.0:0 LISTENING 1908
    TCP 127.0.0.1:49153 127.0.0.1:49154 ESTABLISHED 884
    TCP 127.0.0.1:49154 127.0.0.1:49153 ESTABLISHED 884
    TCP 127.0.0.1:49155 127.0.0.1:49156 ESTABLISHED 884
    TCP 127.0.0.1:49156 127.0.0.1:49155 ESTABLISHED 884
    TCP 127.0.0.1:49157 127.0.0.1:49158 ESTABLISHED 884
    TCP 127.0.0.1:49158 127.0.0.1:49157 ESTABLISHED 884
    TCP 127.0.0.1:49159 127.0.0.1:49160 ESTABLISHED 884
    TCP 127.0.0.1:49160 127.0.0.1:49159 ESTABLISHED 884

    • To tell you the truth, I don’t know much about the ports that are being used to establish and listen on your computer, but these ports look suspicious to me. In case I’m not sure what applications you are using on your computer to establish these connections and ports, you may want to use an antivirus scanner to scan to see if there is something suspicious that is lurking about. Kaspersky is a good one. Furthermore, do a rootkit scan. You can also try Hitman Pro to do a second opinion scan to see if there is a malware that is acting this way. Also, try to close, one by one, as many applications as you can that your Windows does not need but runs in the background, and check to see which application is responsible for these strange ports and connections. Do a Google search to see what these ports are commonly used for so you get a rough idea what application or malware may be responsible for these strange connections. You can also try to plug another computer into your LAN/WAN to see if it will behave the same. On the side, why not update your router’s firmware so nobody is hijacking your router; it’s just another way to harden your network. Other than the tips I can share, I don’t know why your computer is using these strange connections and ports.

      • Thanks for the response. What was really strange is I disconnected my Wi Fi and internet cable and performed another netstat scan five minutes later and those suspicious Established connections were still connected. I performed several more netstat scans with no connection made to the internet in any way and they came up again. I joked with my fiancée and said maybe I am one of the 100,000 computers that the NSA put radio frequency devices into. Link below:

        http://www.nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-connected-to-internet.html?_r=0

        She and I had a good laugh because I would only be so special to have that kind of attention. Lol!

        I then hooked up my internet cable and rebooted in safe mode with networking and the suspicious established connections went away.

        Thanks again for the time you took out of your life to respond.

      • You’re welcome! If it’s the NSA and you’ve nothing to hide, you’re one of the lucky few… 🙂 If they’re hackers, take computer security precautions.

  2. I disconnected my cable and disconnected my WiFi and ran netstat. A very odd thing happened because there is a cluster of established connections that stayed established even after I had absolutely no internet connection of any type. Below is a list I copied:

    TCP 127.0.0.1:5354 127.0.0.1:49189 ESTABLISHED 1928
    TCP 127.0.0.1:5354 127.0.0.1:49190 ESTABLISHED 1928
    TCP 127.0.0.1:6543 0.0.0.0:0 LISTENING 4080
    TCP 127.0.0.1:27015 0.0.0.0:0 LISTENING 1908
    TCP 127.0.0.1:49153 127.0.0.1:49154 ESTABLISHED 884
    TCP 127.0.0.1:49154 127.0.0.1:49153 ESTABLISHED 884
    TCP 127.0.0.1:49155 127.0.0.1:49156 ESTABLISHED 884
    TCP 127.0.0.1:49156 127.0.0.1:49155 ESTABLISHED 884
    TCP 127.0.0.1:49157 127.0.0.1:49158 ESTABLISHED 884
    TCP 127.0.0.1:49158 127.0.0.1:49157 ESTABLISHED 884
    TCP 127.0.0.1:49159 127.0.0.1:49160 ESTABLISHED 884
    TCP 127.0.0.1:49160 127.0.0.1:49159 ESTABLISHED 884

  3. Pingback: Installing Windows On Mac? | EssayBoard
