
I have a process making a malicious connection (as detected by my router). I am trying to identify which process it is, but when I try to list connections I get an OwningProcess PID equal to zero (0).

I don't get what that means. Could it be because the process has ultra-high privileges (more than SYSTEM)? Or could it be obfuscated somehow?

Example below (states are TimeWait because they are blocked by my router):

LocalAddress         LocalPort RemoteAddress         RemotePort State       AppliedSetting OwningProcess
------------         --------- -------------         ---------- -----       -------------- -------------
192.168.1.5          578xx     185.59.220.198        443        TimeWait                   0
192.168.1.5          578xx     138.199.36.11         443        TimeWait                   0
192.168.1.5          578xx     138.199.27.229        443        TimeWait                   0
192.168.1.5          578xx     89.187.169.39         443        TimeWait                   0
192.168.1.5          578xx     169.150.247.33        443        TimeWait                   0

FYI, the IPs seem to be related to *.bunnyinfra.net. I am not sure whether they are related to a malicious IP or are malicious themselves.


EDIT: I finally found the origin, but I am still looking to understand the problem: the Ghostery extension was generating those requests (because the Edge browser was running in the background). Removing the extension fixed the issue; nevertheless:

  • Why would I see the process having a PID equal to zero (0)?

Note: I was using PowerShell as Administrator.

PS: It seems that the IP belongs to the extension's CDN, and that it is a false-positive malicious IP, probably because the provider is being used for malicious purposes by other applications.

  • 1
    The TCP state machine is complicated. In this case, the key is the "TimeWait" status. It is not at all related to your router.
    – Daniel B
    Commented Feb 13, 2023 at 20:53
  • 1
    What leads you to believe that those IPs are malicious?
    Commented Feb 13, 2023 at 20:54
  • Did you validate the IPs as malicious? For example, using sites like: virustotal.com/gui/home/url
    – postanote
    Commented Feb 13, 2023 at 23:04
  • 2
    'TimeWait' endpoints have been closed by the process that opened (and used) them, so they are no longer linked to that or any other process; they exist (only) to prevent creating a conflicting connection while 'leftover' packets from the previous connection may still exist in the network, which could cause protocol errors and lost traffic. Since the data slot for PID only allows an integer, 0 is used as a dummy value.
    Commented Feb 14, 2023 at 0:40
  • 1
    A PID of 0 for the OwningProcess column usually indicates that the operating system was unable to determine which process is responsible for the connection. This could be due to various reasons, such as the process being terminated or the connection being made by a kernel-level driver or a system-level process. It is unlikely that the process has "ultra high" privileges.
    – Hackoo
    Commented Feb 14, 2023 at 3:47
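As an added example (not code from the question or its comments), the PowerShell below applies what the comments describe: OwningProcess can only be resolved while a connection is still open, so it samples Established sockets repeatedly and labels 0 as a socket with no owner instead of treating it as a hidden process. It assumes Windows 8 or later with the NetTCPIP module, run from an elevated prompt so process paths resolve; Resolve-SocketOwner and Watch-RemoteConnections are names chosen here.

```powershell
# Added example, not from the original question. Assumes an elevated PowerShell
# on Windows 8+/Server 2012+ (Get-NetTCPConnection comes from the NetTCPIP module).
# OwningProcess is 0 for sockets no process owns any more (TimeWait endpoints after
# close) and for some kernel-owned endpoints, so the owner is only visible while the
# connection is open; we therefore sample Established connections over time.

function Resolve-SocketOwner {
    param([int]$ProcessId)
    switch ($ProcessId) {
        0 { return 'no owner (closed/TimeWait or kernel socket)' }
        4 { return 'System (kernel)' }   # PID 4 is the Windows System process
        default {
            $p = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
            if ($null -eq $p) { return 'exited' }
            if ($p.Path) { return "$($p.ProcessName) [$($p.Path)]" }
            return $p.ProcessName        # Path is empty for some protected processes
        }
    }
}

function Watch-RemoteConnections {
    param(
        [int]$Seconds = 30,            # how long to keep sampling
        [string]$RemoteFilter = '*'    # wildcard on RemoteAddress, e.g. '138.199.*'
    )
    $seen = @{}
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        # -ErrorAction: the cmdlet writes an error when the filter matches nothing
        Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
            Where-Object { $_.RemoteAddress -like $RemoteFilter -and
                           $_.RemoteAddress -notin @('127.0.0.1', '::1') } |
            ForEach-Object {
                $key = "$($_.RemoteAddress):$($_.RemotePort)"
                if (-not $seen.ContainsKey($key)) {
                    $seen[$key] = [pscustomobject]@{
                        Remote    = $key
                        Pid       = $_.OwningProcess
                        Owner     = Resolve-SocketOwner $_.OwningProcess
                        FirstSeen = Get-Date
                    }
                }
            }
        Start-Sleep -Milliseconds 500
    }
    $seen.Values | Sort-Object FirstSeen
}

# Usage: Watch-RemoteConnections -Seconds 60 -RemoteFilter '138.199.*' | Format-Table -AutoSize
```

Short-lived HTTPS connections such as the ones in the question close within seconds, so run the watcher before reproducing the traffic rather than inspecting the TimeWait leftovers afterwards.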
