Re: What does this mean?

From: Dedric Ramsey - Ramsey Consulting Svcs (ramseycs_at_bellsouth.net)
Date: 04/26/04

  • Next message: Brandon Enright: "RE: keyloggers"
    Date: Mon, 26 Apr 2004 14:21:14 -0400
    To: security-basics@securityfocus.com
    
    

    Adnan Ali wrote:

    >
    > Active Connections:
    > Proto Local Addr Foreign Addr State
    > ============================================
    >
    > TCP 0.0.0.0:135 0.0.0.0:0 LISTENING

    This is used for NetBIOS

    >
    > TCP 0.0.0.0:445 0.0.0.0:0 LISTENING

    So is this port.

    > TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
    >
    > TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING

    These two seem normal as well, the same with ports 135,445,1025/UDP
    shown below.

    > UDP 0.0.0.0:135 *:*
    > UDP 0.0.0.0:445 *:*
    > UDP 0.0.0.0:1025 *:*
    > UDP 0.0.0.0:38037 *:*

    As for this port, Google led me to this site
    (http://www.ncsu.edu/it/antivirus/install/FireWall-Ports.html), which says:

    Msgsys
    Msgsys is an Alert Management System (AMS) process for generating and
    sending configured AMS alerts. Msgsys communications uses port 38037 and
    38292 for both TCP and UDP communication.

    Are you running any Symantec Products, specifically one of their AV
    lines, or Firewalls?

    > UDP 172.20.4.76:500 *:*

    This is used for ISAKMP (Internet Security Association and Key
    Management Protocol), so there shouldn't be anything to worry about there
    either. It's just there since Windows 2000 supports IPSec.

    > I get this output even when I am running no network
    > application on the machine.
    >
    > Of course, this all seems quite suspicious.
    >
    > Can somebody please help me figure out what is going
    > on? At least find the respective applications
    > listening
    > on various ports.??
    >
    > Thanks and best regards,

    So to me, with just the information you've provided, nothing is out of
    the ordinary. Of course, if it makes you feel better, point Nmap or
    something similar at it and see what you find. Same with your AV
    scanner of choice. (Trend Micro has a nice web-based one on their site,
    as does Panda, although I've never used theirs.)

    Take care,

    -- 
    Dedric Ramsey
    Ramsey Consulting Services
    770.826.8008
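
The triage walked through in this reply can be scripted. The sketch below is an added example, not part of the original post: it parses a listing in the format quoted above and separates sockets on well-known ports from those whose port number alone does not identify the application. The port table and the 1025-5000 dynamic range are assumptions of the example, and the function names are hypothetical.

```python
import re

# Labels: 135/445/500 are IANA service names; 38037/38292 are Msgsys per the
# description quoted in the post. Illustrative table, not exhaustive.
KNOWN = {135: "epmap", 445: "microsoft-ds", 500: "isakmp",
         38037: "msgsys", 38292: "msgsys"}
# Assumption: legacy Windows default dynamic port range, 1025-5000.
DYNAMIC = range(1025, 5001)

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Rows copied from the listing quoted in the post.
SAMPLE = """\
Proto Local Addr Foreign Addr State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING
UDP 0.0.0.0:135 *:*
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1025 *:*
UDP 0.0.0.0:38037 *:*
UDP 172.20.4.76:500 *:*
"""

def parse_listing(text):
    """Return one dict per open TCP listener or bound UDP socket."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or blank line
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing connections are not listeners
        port = int(port)
        if port in KNOWN:
            verdict = KNOWN[port]
        elif port in DYNAMIC:
            verdict = "dynamic: map to owning process"
        else:
            verdict = "unknown: investigate"
        rows.append({"proto": proto, "port": port, "verdict": verdict,
                     "all_interfaces": addr in ("0.0.0.0", "*", "[::]")})
    return rows

def needs_lookup(rows):
    """Sockets whose port number alone does not identify the application."""
    return sorted((r["proto"], r["port"]) for r in rows if r["port"] not in KNOWN)
```

A match in the port table only says what normally uses that port, not which binary holds it on this machine. On Windows XP and later, `netstat -ano` adds the owning PID to each row, which settles that question.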
    
