RE: What is this port? is it a trojan?

From: Sabol, Paul (PSABOL_at_mgmmirage.com)
Date: 07/01/03

    Date: Tue, 1 Jul 2003 08:21:24 -0700
    To: Hyperion <nemesis@croasdalepreston.fsnet.co.uk>, "Security Basics Mailing List" <security-basics@securityfocus.com>
    
    

    If you are using Windows XP:

    C:\> netstat -ano

    This will give you a list of PIDs associated with each
    listening/established port. Then:

    C:\> tasklist /svc /fi "pid eq <pid goes here>"

    This will identify which process is related to the PID.

    If you are not running Windows XP, you can grab FPORT from Foundstone
    and that does pretty much the same thing.

    -Paul

    -----Original Message-----
    From: Hyperion [mailto:nemesis@croasdalepreston.fsnet.co.uk]
    Sent: Monday, June 30, 2003 9:52 AM
    To: Security Basics Mailing List
    Subject: What is this port? is it a trojan?

    Hello all :)

     I have been taking a more detailed interest in my PC's security of
    late, and security for computers in general, and I am learning at quite
    a fast rate, although there is a great, great deal of information to
    learn out there.

     Just recently I have taken to doing regular netstat probes on my
    machine to see the different connections that arise and so forth.
     Today I found a rather mysterious port with the number 44334, and I
    have copied/pasted the results of the netstat -an below for people to
    look at.
     Is the port in question, 44334, a Trojan? It strikes me as a rather
    suspicious port and a rather large port number.
     Could anyone tell me how I can find out what's running behind the port
    in question, and also what to do about it if it is a port.
     I have run my virus software, but it did not find any viruses or
    Trojans installed on my machine, so I am at a loss as to what to do.
    I am also very limited in my security knowledge, so I am basically stuck
    for the necessary ideas or solutions on what to do in order to find out
    what's behind this port.
    Any and all help is greatly appreciated thanks.

    Details of netstat below:

    Active Connections

      Proto  Local Address          Foreign Address        State
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
      TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
      TCP    0.0.0.0:1038           0.0.0.0:0              LISTENING
      TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
      TCP    0.0.0.0:44334          0.0.0.0:0              LISTENING
      TCP    127.0.0.1:110          0.0.0.0:0              LISTENING
      TCP    127.0.0.1:1279         127.0.0.1:110          TIME_WAIT
      TCP    217.135.174.224:1280   195.92.193.154:110     TIME_WAIT
      UDP    0.0.0.0:445            *:*
      UDP    0.0.0.0:500            *:*
      UDP    0.0.0.0:1036           *:*
      UDP    0.0.0.0:44334          *:*
      UDP    127.0.0.1:123          *:*
      UDP    127.0.0.1:1900         *:*
      UDP    217.135.174.224:123    *:*
      UDP    217.135.174.224:1900   *:*

    My Regards
    Hyperion

    
