Re: Backdoor ?? "Girlnextdoor_" TCP Ports 1025/1028

From: Harlan Carvey (keydet89@yahoo.com)
Date: 03/06/03

  • Next message: Salomao Barguil: "Solved !! "Girlnextdoor_" TCP Ports 1025/1028"
    Date: Thu, 6 Mar 2003 13:56:54 -0800 (PST)
    From: Harlan Carvey <keydet89@yahoo.com>
    To: incidents@securityfocus.com
    
    

    Robbert,

    Have you tried running this on another machine? I'm
    sure you'll find the exact same thing. When I run
    netstat like you did, I get something similar. The
    important point is the STATE of the connection. In
    your case, and mine, the STATE is "LISTENING". That
    doesn't mean that there's a connection..."ESTABLISHED"
    does.

    Regarding ports 1025-1028...those are documented by
    Microsoft as being used for RPC. If you're REALLY
    paranoid, run fport from Foundstone to see what's
    bound to those ports.

    --- Robbert Helling <robjeh@wanadoo.nl> wrote:
    > If I look at my 2 first entries I see:
    > Active Connections
    >
    > Proto Local Address Foreign Address State
    > TCP nack:epmap nack:0 LISTENING
    > TCP nack:microsoft-ds nack:0 LISTENING
    >
    > The Foreign Address shows my own host name, I'm not
    > sure why it's listed this way. But I guess you have to
    > find your problem locally.
    >
    > At 18:59 5-3-2003, H C wrote:
    > >I'm not entirely sure what you mean by "foreign
    > >address listening to ports..."...netstat shows you
    > >what the local machine is listening on, and which
    > >endpoints the foreign addresses are connected to.
    > >
    > >Have you tried running Foundstone's fport yet?
    > >
    > > > > Running netstat -a, I found a foreign address
    > > > > "GirlNextDoor_" listening to ports TCP 1025/1028.
    > > > >
    > > > > Can someone explain to me what is going on on this
    > > > > desktop?
    > > > >
    > > > > It's a Win2k/SP2 workstation with McAfee antivirus
    > > > > and ZoneAlarm.
    > > > >
    > > > > Also, can you explain to me the second set of
    > > > > connections, foreign address "*:*"?
    > > > >
    > > > > Thanks for your help,
    > > > > Sal.
    > > > >
    > > > > -------------------------------------------------------
    > > > > Microsoft Windows 2000 [Version 5.00.2195]
    > > > > (C) Copyright 1985-2000 Microsoft Corp.
    > > > >
    > > > > C:\>netstat -a
    > > > >
    > > > > Active Connections
    > > > >
    > > > > Proto Local Address Foreign Address State
    > > > > TCP p4win2k:epmap Girlnextdoor_:0 LISTENING
    > > > > TCP p4win2k:microsoft-ds Girlnextdoor_:0 LISTENING
    > > > > TCP p4win2k:1025 Girlnextdoor_:0 LISTENING
    > > > > TCP p4win2k:1028 Girlnextdoor_:0 LISTENING
    > > > > TCP p4win2k:netbios-ssn Girlnextdoor_:0 LISTENING
    > > > > UDP p4win2k:epmap *:*
    > > > > UDP p4win2k:microsoft-ds *:*
    > > > > UDP p4win2k:1027 *:*
    > > > > UDP p4win2k:1030 *:*
    > > > > UDP p4win2k:netbios-ns *:*
    > > > > UDP p4win2k:netbios-dgm *:*
    > > > > UDP p4win2k:isakmp *:*
    > > > >
    > > > > C:\>
    > > > >
    > > > > -------------------------------------------------------
    > > > >
    > > > > __________________________________________________
    > > > > Do you Yahoo!?
    > > > > Yahoo! Tax Center - forms, calculators, tips, more
    > > > > http://taxes.yahoo.com/
    > > > >
    > > > > ----------------------------------------------------------------------------
    > > > >
    > > > > <Pre>Lose another weekend managing your IDS?
    > > > > Take back your personal time.
    > > > > 15-day free trial of StillSecure Border Guard.</Pre>
    > > > > <A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>
    > > > >
    > > > --
    > > > The Virgin BOFH...
    > > > Linux Registered User #288905
    > > > Public GnuPG Key B760A432 available at
    > > > http://www.ines.ro/public_keys/jay.gpg
    > > >
    > > > ATTACHMENT part 2 application/pgp-signature name=signature.asc
    > >

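The point Harlan makes above, that a LISTENING socket has no peer no matter what name netstat resolves into the Foreign Address column, and that the listeners are the set worth following up on, can be checked mechanically. The following parser is an added example, not code from the thread or from any of the posters. The SAMPLE text is constructed from the netstat -a output quoted above, re-joined onto one line per socket, with one invented ESTABLISHED line (192.0.2.10 is a documentation address) so both states appear; the service-name table holds the well-known ports that Windows netstat prints by name (epmap is 135, microsoft-ds is 445, and so on).

```python
"""Parse `netstat -a` output and separate listeners from live connections.

Added example, not from the thread. SAMPLE is constructed from the netstat
output quoted in the thread plus one invented ESTABLISHED line.
"""
import re
from collections import Counter

# Service names that Windows netstat prints instead of well-known port numbers.
SERVICE_PORTS = {
    "http": 80, "epmap": 135, "netbios-ns": 137, "netbios-dgm": 138,
    "netbios-ssn": 139, "microsoft-ds": 445, "isakmp": 500,
}

# Every TCP state except LISTENING records an actual remote endpoint.
PEER_STATES = {"ESTABLISHED", "SYN_SENT", "SYN_RECEIVED", "FIN_WAIT_1",
               "FIN_WAIT_2", "CLOSE_WAIT", "CLOSING", "LAST_ACK", "TIME_WAIT"}

# Constructed sample: the thread's output, one socket per line, plus an
# invented ESTABLISHED connection to a documentation-range address.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    p4win2k:epmap          Girlnextdoor_:0        LISTENING
  TCP    p4win2k:microsoft-ds   Girlnextdoor_:0        LISTENING
  TCP    p4win2k:1025           Girlnextdoor_:0        LISTENING
  TCP    p4win2k:1028           Girlnextdoor_:0        LISTENING
  TCP    p4win2k:netbios-ssn    Girlnextdoor_:0        LISTENING
  TCP    p4win2k:1031           192.0.2.10:http        ESTABLISHED
  UDP    p4win2k:epmap          *:*
  UDP    p4win2k:1027           *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint):
    """'host:port' -> (host, port number or None); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    if port.isdigit():
        return host, int(port)
    return host, SERVICE_PORTS.get(port)   # None for '*' or an unknown name


def parse_netstat(text):
    """Return one dict per TCP/UDP line; banner, header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        entries.append({"proto": proto,
                        "local_host": lhost, "local_port": lport,
                        "foreign_host": fhost, "foreign_port": fport,
                        "state": state or ""})   # UDP lines carry no state
    return entries


def has_peer(entry):
    """True only when the socket really talks to a remote endpoint.

    A LISTENING socket has no peer: the Foreign Address column shows port 0
    beside whatever name was resolved, and that is not a connection.
    """
    return entry["proto"] == "TCP" and entry["state"] in PEER_STATES


def listening_ports(entries):
    """Sorted (proto, port) pairs of local listeners: the set to look up with fport."""
    ports = {(e["proto"], e["local_port"])
             for e in entries if e["proto"] == "UDP" or e["state"] == "LISTENING"}
    return sorted(ports, key=lambda p: (p[0], p[1] or 0))


def summarize(text):
    """Count sockets by how they should be read: listener, live connection, or UDP."""
    counts = Counter()
    for e in parse_netstat(text):
        if e["proto"] == "UDP":
            counts["udp bound (no state)"] += 1
        elif has_peer(e):
            counts["tcp connection to a peer"] += 1
        else:
            counts["tcp listening, no peer"] += 1
    return counts


if __name__ == "__main__":
    for e in parse_netstat(SAMPLE):
        fport = e["foreign_port"] if e["foreign_port"] is not None else "*"
        tag = "PEER" if has_peer(e) else "no peer"
        print(f"{e['proto']:3} {e['local_host']}:{str(e['local_port']):<5} "
              f"{e['foreign_host']}:{fport} {e['state']:<11} {tag}")
    print(dict(summarize(SAMPLE)))
    print("listeners to check with fport:", listening_ports(SAMPLE and parse_netstat(SAMPLE)))
```

Run against real output by replacing SAMPLE with the captured text of netstat -a; the listeners it reports are the local ports to map to a process with fport, and only the lines has_peer() flags involve another host.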

