Re: What does this mean?

From: Adnan Ali (call_ret_at_yahoo.com)
Date: 04/28/04

    Date: Wed, 28 Apr 2004 05:56:16 -0700 (PDT)
    To: Dedric Ramsey - Ramsey Consulting Svcs <ramseycs@bellsouth.net>
    
    

    --- Dedric Ramsey - Ramsey Consulting Svcs
    <ramseycs@bellsouth.net> wrote:
    >
    > Adnan Ali wrote:
    >
    > >
    > > Active Connections:
    > > Proto Local Addr Foreign Addr State
    > > ============================================
    > >
    > > TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
    >
    > This is used for NetBIOS

    ok

    >
    > >
    > > TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
    >
    > So is this port.

    SMB used for file sharing?

    >
    > > TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
    > >
    > > TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING
    >
    > These two seem normal as well, the same with ports
    > 135,445,1025/UDP
    > shown below.

    Let me say I feel uncomfortable about these open ports
    as these are unprivileged ports listening for
    connection requests. Using tcpview I found that one of
    them is being used by lsass.exe (IPSec?) along with
    port 500. That's alright, what about the other port?

    Let me give you my output from tcpview today:
    (Some ports have changed, lsass.exe is now listening
    on a different port. 500 is standard, but above 1023
    it is picking up any port at random. Should have been
    assigned a fixed port!)

    lsass.exe:228 UDP 0.0.0.0:1027 *:*

    lsass.exe:228 UDP 172.20.4.76:500 *:*

    -----Fine, being used by lsass.exe (ISAKMP).

    MsgSys.EXE:828 UDP 0.0.0.0:38037 *:*

    -----As you said, this is AMS.

    MSTask.exe:612 TCP 0.0.0.0:1057 0.0.0.0:0 LISTENING

    -----Another of MS autostartup applications

    services.exe:216 UDP 0.0.0.0:1041 *:*

    ------What should this be?

    svchost.exe:388 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING

    svchost.exe:388 UDP 0.0.0.0:135 *:*

    System:8 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING

    System:8 UDP 0.0.0.0:445 *:*

    ------alright as you said.

    winlogon.exe:184 UDP 0.0.0.0:1053 *:*

    -----windows logon ?

    System:8 TCP 0.0.0.0:1069 0.0.0.0:0 LISTENING

    ------Now what about this port? I just can't figure
    out what this is being used for. Any explanations?

    >
    > > UDP 0.0.0.0:135 *:*
    >
    > > UDP 0.0.0.0:445 *:*
    >
    > > UDP 0.0.0.0:1025 *:*
    >
    > > UDP 0.0.0.0:38037 *:*
    >
    > As for this port, Google led me to this site
    >
    > (http://www.ncsu.edu/it/antivirus/install/FireWall-Ports.html),
    > which says:
    >
    > Msgsys
    > Msgsys is an Alert Management System (AMS) process
    > for generating and
    > sending configured AMS alerts. Msgsys communications
    > uses port 38037 and
    > 38292 for both TCP and UDP communication.
    >
    > Are you running any Symantec Products, specifically
    > one of their AV
    > lines, or Firewalls?
    >
    > > UDP 172.20.4.76:500 *:*
    >
    >
    > This is used for ISAKMP (Internet Security
    > Association and Key
    > Management Protocol), so there shouldn't be anything
    > to worry about there
    > either. It's just there since Windows 2000 supports
    > IPSec.
    >
    > > I get this output even when I am running no
    > network
    > > application on the machine.
    > >
    > > Of course, this all seems quite suspicious.
    > >
    > > Can somebody please help me figure out what is
    > going
    > > on? At least find the respective applications
    > > listening
    > > on various ports.??
    > >
    > > Thanks and best regards,
    >
    > So to me, with just the information you've provided,
    > nothing is out of
    > the ordinary. Of course, if it makes you feel
    > better, point Nmap or
    > something similar at it and see what you find. Same
    > with your AV
    > scanner of choice. (Trend Micro has a nice web based
    > one on their site,
    > as does Panda, although I've never used theirs)
    >
    > Take care,
    >
    > --
    > Dedric Ramsey
    > Ramsey Consulting Services
    > 770.826.8008
    >
    >

    Thanks for all your help.


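The exercise the thread is working through by hand (attribute each listener to a process and a known service, then isolate the ones above 1023 that nobody can explain) can be scripted. The following is an added example, not code from either poster; the sample lines are constructed from the TcpView output quoted above, and the `KNOWN` table only covers the ports the thread itself accounts for.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the TcpView lines posted in this thread:
# process:pid  protocol  local address  remote address  [TCP state].
SAMPLE = """\
lsass.exe:228 UDP 0.0.0.0:1027 *:*
lsass.exe:228 UDP 172.20.4.76:500 *:*
MsgSys.EXE:828 UDP 0.0.0.0:38037 *:*
MSTask.exe:612 TCP 0.0.0.0:1057 0.0.0.0:0 LISTENING
services.exe:216 UDP 0.0.0.0:1041 *:*
svchost.exe:388 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
winlogon.exe:184 UDP 0.0.0.0:1053 *:*
System:8 TCP 0.0.0.0:1069 0.0.0.0:0 LISTENING
"""

# (protocol, port) pairs whose purpose is known; anything else stays unattributed.
KNOWN: Dict[Tuple[str, int], str] = {
    ("TCP", 135): "MS RPC endpoint mapper", ("UDP", 135): "MS RPC endpoint mapper",
    ("TCP", 445): "SMB over TCP (file sharing)", ("UDP", 445): "SMB",
    ("UDP", 500): "ISAKMP/IKE (IPSec key exchange)",
    ("UDP", 38037): "Alert Management System (AMS)",
}

LINE_RE = re.compile(
    r"^(?P<proc>\S+):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>\S+):(?P<port>\d+)\s+\S+(?:\s+(?P<state>\S+))?$"
)

def parse_tcpview(text: str) -> List[dict]:
    """Parse TcpView-style lines into listener records with a service attribution."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        # Skip unparsable lines and TCP entries that are connections, not listeners.
        if not m or (m["proto"] == "TCP" and m["state"] != "LISTENING"):
            continue
        port = int(m["port"])
        rows.append({"process": m["proc"], "pid": int(m["pid"]), "proto": m["proto"],
                     "port": port, "service": KNOWN.get((m["proto"], port))})
    return rows

def unexplained(rows: List[dict]) -> List[str]:
    """Listeners above 1023 with no attribution: the entries the thread is asking about."""
    return [f"{r['process']}:{r['pid']} {r['proto']}/{r['port']}"
            for r in rows if r["service"] is None and r["port"] > 1023]
```

Running `unexplained(parse_tcpview(SAMPLE))` leaves exactly the five dynamic-port listeners the poster could not account for, so the review effort goes there instead of at 135/445/500.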