Working in a vacuum when initially looking at a server is par for the course. My one clue is that the server is for a web application of sorts. However, I do not know what the application is or what software may be serving up HTTP/HTTPS. By convention, the server would be serving HTTP on port 80 and/or HTTPS on port 443, respectively. Many applications serve this kind of traffic on variations like 8080 or, essentially, *80 and *443. I needed a script to quickly see what processes may be listening on those ports. This gives me the insight to track down the pieces and helps the application owner/team investigate further. Here’s the script:
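```powershell
# Look for listening ports on *80 and *443 with process ID
# Note: Get-Process -IncludeUserName requires an elevated session.

# Index every process by PID so each connection can be resolved with a lookup.
$Processes = @{}
Get-Process -IncludeUserName | ForEach-Object {
    $Processes[$_.Id] = $_
}

# Keep listening sockets whose port ends in 80 or 443 (80, 8080, 443, 8443, ...),
# then attach the owning process name and user name.
Get-NetTCPConnection |
    Where-Object {
        ($_.State -eq "Listen") -and
        ($_.LocalPort -like '*80' -or $_.LocalPort -like '*443')
    } |
    Select-Object LocalAddress,
        LocalPort,
        @{Name="PID"; Expression={ $_.OwningProcess }},
        @{Name="ProcessName"; Expression={ $Processes[[int]$_.OwningProcess].ProcessName }},
        @{Name="UserName"; Expression={ $Processes[[int]$_.OwningProcess].UserName }} |
    Sort-Object -Property ProcessName, UserName |
    Format-Table -AutoSize
```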
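The script above stops at process name and user, which is often not enough when the owner is `svchost` or PID 4 (System, meaning the socket belongs to the kernel HTTP.sys driver used by IIS and similar hosts). The following is an added example, not part of the original script: it assumes an elevated session, and the output property names (`ExecutablePath`, `Services`, `HttpSys`) are my own choices.

```powershell
# Added example: enrich *80 / *443 listeners with executable path and hosted services.
# Assumes an elevated session; without it ExecutablePath may be empty for other users' processes.

# Index processes and services by PID once, instead of querying per connection.
$ProcById = @{}
Get-CimInstance -ClassName Win32_Process | ForEach-Object {
    $ProcById[[int]$_.ProcessId] = $_
}

$SvcByPid = @{}
Get-CimInstance -ClassName Win32_Service -Filter "ProcessId <> 0" | ForEach-Object {
    $key = [int]$_.ProcessId
    if (-not $SvcByPid.ContainsKey($key)) { $SvcByPid[$key] = @() }
    $SvcByPid[$key] += $_.Name
}

$Listeners = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -like '*80' -or $_.LocalPort -like '*443' } |
    ForEach-Object {
        $procId = [int]$_.OwningProcess
        $proc   = $ProcById[$procId]
        [pscustomobject]@{
            LocalAddress   = $_.LocalAddress
            LocalPort      = $_.LocalPort
            PID            = $procId
            ProcessName    = $proc.Name
            ExecutablePath = $proc.ExecutablePath
            # Services running inside this PID (useful for shared svchost.exe hosts).
            Services       = ($SvcByPid[$procId] -join ', ')
            # PID 4 is the System process: the real owner is an HTTP.sys registration.
            HttpSys        = ($procId -eq 4)
        }
    }

$Listeners | Sort-Object LocalPort, PID | Format-Table -AutoSize -Wrap

# For HTTP.sys listeners, show the registered URLs and the worker PIDs behind each request queue.
if ($Listeners | Where-Object HttpSys) {
    netsh http show servicestate view=requestq
}
```

The `netsh` output lists each request queue with its registered URLs and attached process IDs, which is what ties a PID 4 listener back to the actual application.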