should i kill these two process with python?

Deborah Swanson python at deborahswanson.net
Sat Mar 25 21:52:11 EDT 2017


Chris Angelico wrote, on Saturday, March 25, 2017 1:53 AM
> 
> On Sat, Mar 25, 2017 at 7:41 PM, Ho Yeung Lee <jobmattcon at gmail.com> wrote:
> >   TCP    127.0.0.1:1663         127.0.0.1:28091        ESTABLISHED     9900
> >   TCP    127.0.0.1:28091        127.0.0.1:1663         ESTABLISHED     9532
> >
> > above two process connect to itself, named ismagent and updateui.exe
> >
> > are they the malware software?
> >
> >
> >   TCP    127.0.0.1:1663         127.0.0.1:28091        ESTABLISHED     9900
> >   TCP    127.0.0.1:7496         0.0.0.0:0              LISTENING       7496
> >   TCP    127.0.0.1:27015        0.0.0.0:0              LISTENING       9968
> >   TCP    127.0.0.1:28091        0.0.0.0:0              LISTENING       9532
> >   TCP    127.0.0.1:28091        127.0.0.1:1663         ESTABLISHED     9532
> >   TCP    127.0.0.1:43227        0.0.0.0:0              LISTENING       3772
> >   TCP    127.0.0.1:50000        0.0.0.0:0              LISTENING       9532
> >   TCP    192.168.1.102:1128     210.176.156.35:443     FIN_WAIT_2      5124
> >   TCP    192.168.1.102:1509     64.233.188.102:443     ESTABLISHED     6700
> >   TCP    192.168.1.102:1510     216.58.203.46:443      ESTABLISHED     6700
> >   TCP    192.168.1.102:1511     216.58.203.46:443      ESTABLISHED     6700
> >   TCP    192.168.1.102:1512     216.58.200.5:443       ESTABLISHED     6700
> >   TCP    192.168.1.102:1513     172.217.26.195:443     ESTABLISHED     6700
> >   TCP    192.168.1.102:1514     172.217.26.195:443     CLOSE_WAIT      6700
> >   TCP    192.168.1.102:1898     111.221.29.156:443     ESTABLISHED     1544
> 
> This question is about systems administration and has nothing 
> to do with Python.
> 
> To figure out what each connection represents, you'll have to 
> figure out what programs are on the two ends. (In the case of 
> listening sockets, figure out which program is listening.) 
> Then research what's actually being done by those programs. A 
> simple dump like this is not going to tell you much about 
> whether it's malware.
> 
> ChrisA

You can also use a DNS lookup tool to look up the IP addresses that aren't
your machine (127.0.0.1 and 192.168.1.102). This may be helpful if you
recognize who they are, or you can google the IP addresses and/or their
owners. If they're malware, Google will have lots of pages on them.

This looks like a readout from Essential Net Tools running in Express
mode. If you select Advanced mode, ENT will tell you the process name
and lots of other good stuff for each entry, plus ENT is a full network
toolbox and you won't need Google.

Deborah
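
Added example, not part of either poster's message: a Python sketch of the triage both replies describe, matching the two ends of each loopback connection by PID and listing the public remote addresses per PID for lookup. The function names are hypothetical, and the sample rows are a subset of the netstat output quoted in the thread with the wrapped lines rejoined.

```python
import ipaddress

# Rows taken from the netstat output quoted in the thread (subset, wraps rejoined).
SAMPLE = """\
  TCP    127.0.0.1:1663         127.0.0.1:28091        ESTABLISHED     9900
  TCP    127.0.0.1:28091        0.0.0.0:0              LISTENING       9532
  TCP    127.0.0.1:28091        127.0.0.1:1663         ESTABLISHED     9532
  TCP    127.0.0.1:50000        0.0.0.0:0              LISTENING       9532
  TCP    192.168.1.102:1128     210.176.156.35:443     FIN_WAIT_2      5124
  TCP    192.168.1.102:1509     64.233.188.102:443     ESTABLISHED     6700
  TCP    192.168.1.102:1510     216.58.203.46:443      ESTABLISHED     6700
  TCP    192.168.1.102:1898     111.221.29.156:443     ESTABLISHED     1544
"""

def parse(text):
    """Yield (local, remote, state, pid) for each TCP row; other lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[4].isdigit():
            yield parts[1], parts[2], parts[3], int(parts[4])

def loopback_pairs(rows):
    """Match both ends of each local connection: {(client_pid, server_pid): endpoint}."""
    rows = list(rows)
    owner = {(l, r): pid for l, r, s, pid in rows if s != "LISTENING"}
    listeners = {l: pid for l, r, s, pid in rows if s == "LISTENING"}
    pairs = {}
    for (l, r), pid in owner.items():
        # The reversed tuple is the same connection as seen by the other process.
        if (r, l) in owner and r in listeners:
            pairs[(pid, listeners[r])] = r
    return pairs

def external_peers(rows):
    """Map each PID to the public (non-loopback, non-private) IPs it is connected to."""
    peers = {}
    for l, r, s, pid in rows:
        ip = ipaddress.ip_address(r.rsplit(":", 1)[0].strip("[]"))
        if s != "LISTENING" and ip.is_global:
            peers.setdefault(pid, set()).add(str(ip))
    return peers

if __name__ == "__main__":
    rows = list(parse(SAMPLE))
    print(loopback_pairs(rows))
    for pid, ips in sorted(external_peers(rows).items()):
        print(pid, sorted(ips))
```

On the quoted data this shows PID 9900 as a client of the service PID 9532 listens on at 127.0.0.1:28091; the PIDs still have to be mapped to executables and the remote addresses researched separately.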
