I have connections like this showing frequently in iftop:
12.15.127.75.host.nwnx.net => 121.61.153.172 480b 160b 40b
I have no idea what it is or where it's come from. A netstat -a shows:
udp 0 0 12.15.127.75:netbios-ns *:*
udp 0 0 12.15.127.75:netbios-ns *:*
At the moment I'm thinking I've probably been hacked, but does anyone have a clever way of investigating things like this?
** EDIT **
I have had a look at it with a packet sniffer (tcpdump), searching for the IP connecting in, 124.134.97.173:
124.134.97.173.1317 > 12.15.127.75.host.nwnx.net.ms-sql-s: Flags [S], cksum 0xb2af (correct), seq 1417033873, win 65535, options [mss 1440,nop,nop,sackOK], length 0
12.15.127.75.host.nwnx.net.ms-sql-s > 124.134.97.173.1317: Flags [R.], cksum 0xdf4b (correct), seq 0, ack 1417033874, win 0, length 0
Transmission Control Protocol, Src Port: ms-sql-s (1433), Dst Port: vrts-ipcserver (1317), Seq: 1, Ack: 1, Len: 0
Source port: ms-sql-s (1433)
Destination port: vrts-ipcserver (1317)
Still don't really know what to make of it, though.
Thanks