Channel: General Networking

Questions about some netstat output


I was troubleshooting an issue on a terminal server and noticed quite a few users had cmd.exe running. I immediately think "Oh crap, something malicious is going on" (toned down to keep rated PG). Before closing all of the cmd.exe processes, I run a netstat -a on the server. I recognized most of the stuff but there are some things I didn't recognize and was hoping someone could help me figure it out. I removed the stuff I didn't recognize and the legitimate http requests and here are the ones I'm not sure of.

My questions are, where are these foreign addresses being resolved from? I've done an nslookup and can't find anything probably because these aren't full host names. I've never seen things like www:http, r2:http, event:http, iad23s05-in-f30:https, etc.

Any help is greatly appreciated.

Active Connections

Proto Local Address Foreign Address State
TCP *.*.*.*:50430 iad23s05-in-f14:http CLOSE_WAIT
TCP *.*.*.*:52130 r2:http TIME_WAIT
TCP *.*.*.*:52153 iad23s05-in-f30:https TIME_WAIT
TCP *.*.*.*:52177 www:http ESTABLISHED
TCP *.*.*.*:52178 www:http ESTABLISHED
TCP *.*.*.*:52179 www:http ESTABLISHED
TCP *.*.*.*:52180 www:http ESTABLISHED
TCP *.*.*.*:52181 www:http ESTABLISHED
TCP *.*.*.*:52182 www:http ESTABLISHED
TCP *.*.*.*:52184 r2:http ESTABLISHED
TCP *.*.*.*:52187 event:http CLOSE_WAIT
TCP *.*.*.*:52188 event:http CLOSE_WAIT
TCP *.*.*.*:52199 184:https ESTABLISHED
TCP *.*.*.*:52201 mpr1:https ESTABLISHED
TCP *.*.*.*:52202 mpr1:https ESTABLISHED
TCP *.*.*.*:52203 mpr1:https ESTABLISHED
TCP *.*.*.*:52204 a23-62-207-185:https ESTABLISHED
TCP *.*.*.*:52205 a23-62-207-185:https ESTABLISHED
TCP *.*.*.*:52206 iad23s05-in-f30:https ESTABLISHED
TCP *.*.*.*:52207 iad23s05-in-f30:https ESTABLISHED

