With any suspected intrusion, the first thing I like to do is run the DOS netstat command. This gives us a list of listening ports as well as all active connections.
What we'll be looking for is:
In this case, the host is suspected of issuing NetBIOS port scans. If that were really happening, we'd expect to see a high number of active (State=ESTABLISHED) or attempted (State=SYN_SENT) connections to many different target (Foreign) addresses, all with target port 139.
We don't see any NetBIOS connections in the following netstat output, but that's because the administrator had already killed the process that was generating the scans.
What we do see is over 100 established TCP connections:
C:\> netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:7              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:13             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:17             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:19             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1045           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1046           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1774           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1784           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1785           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1797           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1799           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1800           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1805           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1817           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1993           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4075           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4080           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4081           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4297           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4609           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5631           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6103           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:60000          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1041         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1045         127.0.0.1:1046         ESTABLISHED
  TCP    127.0.0.1:1046         127.0.0.1:1045         ESTABLISHED
  TCP    127.0.0.1:43958        0.0.0.0:0              LISTENING
  TCP    107.xxx.xx.xxx:139     0.0.0.0:0              LISTENING
  TCP    107.xxx.xx.xxx:1026    212.199.157.29:3958    ESTABLISHED
  TCP    107.xxx.xx.xxx:1029    212.199.157.29:2850    ESTABLISHED
  TCP    107.xxx.xx.xxx:1044    212.199.157.29:3259    ESTABLISHED
  TCP    107.xxx.xx.xxx:1065    212.199.157.29:2905    ESTABLISHED
  TCP    107.xxx.xx.xxx:1077    212.199.157.29:1946    ESTABLISHED
  TCP    107.xxx.xx.xxx:1113    212.199.157.29:2964    ESTABLISHED
  TCP    107.xxx.xx.xxx:1141    212.199.157.29:4121    ESTABLISHED
  TCP    107.xxx.xx.xxx:1144    212.199.157.29:4132    ESTABLISHED
  TCP    107.xxx.xx.xxx:1148    212.199.157.29:2973    ESTABLISHED
  TCP    107.xxx.xx.xxx:1160    212.199.157.29:2865    ESTABLISHED
  TCP    107.xxx.xx.xxx:1191    212.179.236.101:1025   ESTABLISHED
  TCP    107.xxx.xx.xxx:1199    212.199.157.29:3322    ESTABLISHED
  TCP    107.xxx.xx.xxx:1224    212.199.157.29:1945    ESTABLISHED
  TCP    107.xxx.xx.xxx:1229    212.199.157.29:2981    ESTABLISHED
  TCP    107.xxx.xx.xxx:1244    212.143.34.67:2745     ESTABLISHED
  TCP    107.xxx.xx.xxx:1249    212.179.249.184:2248   ESTABLISHED
  TCP    107.xxx.xx.xxx:1251    212.179.249.184:2249   ESTABLISHED
  TCP    107.xxx.xx.xxx:1252    212.179.249.184:2251   ESTABLISHED
  TCP    107.xxx.xx.xxx:1253    212.199.157.29:3022    ESTABLISHED
  TCP    107.xxx.xx.xxx:1278    212.199.157.29:3748    ESTABLISHED
  TCP    107.xxx.xx.xxx:1286    212.199.157.29:2013    ESTABLISHED
  TCP    107.xxx.xx.xxx:1299    212.179.249.184:2268   ESTABLISHED
  TCP    107.xxx.xx.xxx:1304    212.199.157.29:2936    ESTABLISHED
  TCP    107.xxx.xx.xxx:1339    212.199.157.29:1993    ESTABLISHED
  TCP    107.xxx.xx.xxx:1342    212.199.157.29:1994    ESTABLISHED
  TCP    107.xxx.xx.xxx:1357    212.199.157.29:2948    ESTABLISHED
  TCP    107.xxx.xx.xxx:1358    212.199.157.29:2952    ESTABLISHED
  TCP    107.xxx.xx.xxx:1359    212.199.157.29:2955    ESTABLISHED
  TCP    107.xxx.xx.xxx:1364    212.199.157.29:4216    ESTABLISHED
  TCP    107.xxx.xx.xxx:1370    212.199.157.29:4219    ESTABLISHED
  TCP    107.xxx.xx.xxx:1386    212.179.236.101:1025   ESTABLISHED
  TCP    107.xxx.xx.xxx:1416    212.199.157.29:3027    ESTABLISHED
  TCP    107.xxx.xx.xxx:1431    212.199.157.29:3209    ESTABLISHED
  TCP    107.xxx.xx.xxx:1434    212.199.157.29:3210    ESTABLISHED
  TCP    107.xxx.xx.xxx:1435    212.199.157.29:3211    ESTABLISHED
  TCP    107.xxx.xx.xxx:1456    212.199.157.29:4243    ESTABLISHED
  TCP    107.xxx.xx.xxx:1477    212.199.157.29:4497    ESTABLISHED
  TCP    107.xxx.xx.xxx:1497    212.199.157.29:3148    ESTABLISHED
  TCP    107.xxx.xx.xxx:1505    212.199.157.29:2080    ESTABLISHED
  TCP    107.xxx.xx.xxx:1515    212.199.157.29:3149    ESTABLISHED
  TCP    107.xxx.xx.xxx:1520    212.199.157.29:2079    ESTABLISHED
  TCP    107.xxx.xx.xxx:1539    212.199.157.29:3159    ESTABLISHED
  TCP    107.xxx.xx.xxx:1555    212.179.236.101:1025   ESTABLISHED
  TCP    107.xxx.xx.xxx:1571    212.199.157.29:2114    ESTABLISHED
  TCP    107.xxx.xx.xxx:1575    212.199.157.29:3382    ESTABLISHED
  TCP    107.xxx.xx.xxx:1609    212.179.249.184:2228   ESTABLISHED
  TCP    107.xxx.xx.xxx:1619    212.199.157.29:4322    ESTABLISHED
  TCP    107.xxx.xx.xxx:1634    212.199.157.29:2157    ESTABLISHED
  TCP    107.xxx.xx.xxx:1635    212.199.157.29:4346    ESTABLISHED
  TCP    107.xxx.xx.xxx:1642    212.199.157.29:4353    ESTABLISHED
  TCP    107.xxx.xx.xxx:1649    212.199.157.29:2179    ESTABLISHED
  TCP    107.xxx.xx.xxx:1657    212.199.157.29:4365    ESTABLISHED
  TCP    107.xxx.xx.xxx:1662    212.199.157.29:4378    ESTABLISHED
  TCP    107.xxx.xx.xxx:1687    212.199.157.29:4398    ESTABLISHED
  TCP    107.xxx.xx.xxx:1689    212.199.157.29:3386    ESTABLISHED
  TCP    107.xxx.xx.xxx:1690    212.199.157.29:3385    ESTABLISHED
  TCP    107.xxx.xx.xxx:1707    212.199.157.29:3600    ESTABLISHED
  [snip]
  UDP    0.0.0.0:7              *:*
  UDP    0.0.0.0:9              *:*
  UDP    0.0.0.0:13             *:*
  UDP    0.0.0.0:17             *:*
  UDP    0.0.0.0:19             *:*
  UDP    0.0.0.0:135            *:*
  UDP    0.0.0.0:161            *:*
  UDP    0.0.0.0:259            *:*
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:1026           *:*
  UDP    0.0.0.0:1044           *:*
  UDP    0.0.0.0:5632           *:*
  UDP    107.xxx.xx.xxx:137     *:*
  UDP    107.xxx.xx.xxx:138     *:*
  UDP    107.xxx.xx.xxx:500     *:*
  UDP    107.xxx.xx.xxx:520     *:*
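Reading a netstat listing of this length by eye is slow, and the two things the write-up says to look for (many distinct foreign addresses on port 139 in ESTABLISHED or SYN_SENT state, and an unusual pile of connections to one foreign host) are both simple counts. The following script is an added example, not part of the original write-up or any tool it mentions: it parses the Windows `netstat -an` column layout, counts distinct foreign hosts per foreign port and connections per foreign host, and flags both patterns. The sample input, the documentation-range addresses in it and the thresholds (`min_hosts`, `min_peer_conns`) are all constructed for illustration.

```python
"""Triage helper for Windows `netstat -an` output (added example, not from
the original write-up). It groups active TCP connections by foreign port and
by foreign host so that the two patterns discussed above stand out:
  * scan-like behaviour: many distinct foreign hosts on one target port
    (139 for NetBIOS) in ESTABLISHED or SYN_SENT state;
  * an unusual number of connections concentrated on one foreign host.
"""
from collections import Counter, defaultdict

# Connection states that count as "talking to" a foreign host.
ACTIVE_STATES = {"ESTABLISHED", "SYN_SENT"}

# Constructed sample input: layout mirrors `netstat -an` on Windows.
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation
# ranges (RFC 5737), not real hosts.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1026        198.51.100.7:3958      ESTABLISHED
  TCP    192.0.2.10:1029        198.51.100.7:2850      ESTABLISHED
  TCP    192.0.2.10:1044        198.51.100.7:3259      ESTABLISHED
  TCP    192.0.2.10:1191        198.51.100.9:1025      ESTABLISHED
  TCP    192.0.2.10:2001        203.0.113.1:139        SYN_SENT
  TCP    192.0.2.10:2002        203.0.113.2:139        SYN_SENT
  TCP    192.0.2.10:2003        203.0.113.3:139        SYN_SENT
  TCP    192.0.2.10:2004        203.0.113.4:139        ESTABLISHED
  TCP    192.0.2.10:2005        203.0.113.5:139        SYN_SENT
  UDP    0.0.0.0:137            *:*
"""


def split_endpoint(endpoint):
    """Split 'host:port' on the last colon; '*:*' (UDP) yields ('*', '*')."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one dict per TCP/UDP row; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lhost, lport = split_endpoint(parts[1])
        fhost, fport = split_endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no state
        conns.append({"proto": parts[0], "lhost": lhost, "lport": lport,
                      "fhost": fhost, "fport": fport, "state": state})
    return conns


def active_tcp(conns):
    """TCP rows that are established or mid-handshake."""
    return [c for c in conns if c["proto"] == "TCP" and c["state"] in ACTIVE_STATES]


def listening_ports(conns):
    """Sorted TCP ports the host is listening on (the other half of the review)."""
    return sorted(int(c["lport"]) for c in conns
                  if c["proto"] == "TCP" and c["state"] == "LISTENING")


def hosts_per_foreign_port(conns):
    """Distinct foreign hosts contacted per foreign port: the scan indicator."""
    hosts = defaultdict(set)
    for c in active_tcp(conns):
        hosts[c["fport"]].add(c["fhost"])
    return {port: len(h) for port, h in hosts.items()}


def connections_per_foreign_host(conns):
    """Active TCP connections per foreign host: the concentration indicator."""
    return Counter(c["fhost"] for c in active_tcp(conns))


def triage(text, scan_port="139", min_hosts=3, min_peer_conns=3):
    """Summarise a netstat capture. Thresholds are illustrative, not tuned."""
    conns = parse_netstat(text)
    per_port = hosts_per_foreign_port(conns)
    per_host = connections_per_foreign_host(conns)
    return {
        "active_tcp": len(active_tcp(conns)),
        "listening": listening_ports(conns),
        "scan_targets": per_port.get(scan_port, 0),
        "scan_suspected": per_port.get(scan_port, 0) >= min_hosts,
        "busy_peers": {h: n for h, n in per_host.items() if n >= min_peer_conns},
    }


if __name__ == "__main__":
    import sys
    # Usage: python netstat_triage.py [saved_netstat_output.txt]
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for key, value in triage(data).items():
        print(f"{key}: {value}")
```

Run against the listing above, the port-139 count would be zero, exactly as the write-up notes, because the scanning process had already been killed before netstat was run; netstat is a point-in-time snapshot, so a capture taken before any remediation is what the script should be fed. The concentration count, on the other hand, would single out 212.199.157.29 as the peer holding the bulk of the established connections, which is the lead the listing actually gives.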