Re: Active Ports
From: Vargas (vargasj_at_mail.wsu.edu)
Date: Thu, 26 Aug 2004 14:25:30 -0700
To: Duane Arnold <email@example.com>
Newbie here. I was tinkering with TCPView the other day, killing processes
just to see how fast it would, and suddenly NT Authority shut my
system down. I wrote the event down, did a Google search, and found that I may have
been hit by Blaster or a variant. I have Active Ports, Autoruns, Process
Explorer, Sygate Pro, SpywareBlaster, SpywareGuard, Ad-Aware v6 and Spybot.
I can try to kill a process with Active Ports by shutting the port, but it takes
a long time to work, and sometimes it just doesn't do it. TCPView works
more often than not. Process Explorer works about the same as the
So, here is my question: after the message about Authority System shutting
down my machine scared the hell out of me, and after running Norton and
AVG and some other tests recommended by MS, plus one or two other tests
which never showed anything wrong, and after my machine boots and runs OK,
never shuts down, well, what other tests can I run? I even have
SystemSafe, and nothing out of the ordinary ever comes up. Thanks for any
On Fri, 20 Aug 2004, Duane Arnold wrote:
> "Brian" <firstname.lastname@example.org> wrote in
> > I found this useful freeware program that runs in the background and
> > constantly monitors all running services. I was amazed to see that I
> > have 35 services listening on different ports and one established
> > connection (Messenger).
> Well, is Messenger supposed to have a connection?
> > Surely that means that a hacker has 35 opportunities to penetrate my
> > PC. If the services are listening to all those ports it must mean that
> > they are receptive to any incoming signals.
> The only way a hacker for the most part is going to do that is if the
> machine has been compromised by a Trojan that is listening on the port and
> you see a remote connection. Yes, Sygate will allow the connection to the
> remote IP, because something (a program) has solicited inbound traffic from
> a remote site. Otherwise, Sygate should block all unsolicited inbound
> traffic. A Trojan can piggyback off something like svchost.exe or other
> programs like MSN and communicate out.
> > The Sygate SPFP firewall is presumably designed to intercept
> > non-standard code addressed to those services but can I be sure of
> > that?
> Unsolicited traffic YES but solicited traffic NO. And unsolicited traffic
> can come in if the FW is somehow mis-configured.
> > I have various other security programs installed but I'm not yet
> > convinced that this firewall is doing a good job. In particular, the
> > Traffic Log tells me that my PC is occasionally and spontaneously
> > (even during screen saver periods) addressing remote locations that
> > mean nothing to me when I trace them. Paranoia is setting in!
> Once malware hits the machine and can execute, it's over, and if you're
> depending upon the highly overrated Application Control (the crutch) to
> tell you what's happening with things on the computer and programs being
> stopped or not stopped by Application Control, then you may want to think
> You should look for yourself from time to time on a routine basis. You
> should put a short-cut for Active Ports with screen Refresh rate set to
> high and see what's making connection at the boot and login sequence, since
> Sygate cannot get to the TCP/IP connection before the malware can to stop
> You may want to use Process Explorer (free) to look at running processes
> and you can look inside a running process to see what processes are using
> You close down unneeded services that close down ports and *harden* the O/S
> to attack. The buck stops at the O/S and everything else is secondary to
> Duane :)
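The "look for yourself" check Duane describes (which ports are listening, which process owns each one, and which processes hold connections to outside hosts) can be scripted from the same data Active Ports and TCPView display. The script below is an added example for this thread, not code posted by anyone in it. It parses `netstat -ano` output (Windows XP and later print the owning PID in the last column) and a PID-to-image map such as `tasklist` produces; the sample output and process list embedded in it are constructed for illustration, not captured from a real machine. It reports two things: TCP listeners bound to anything other than loopback, i.e. the services unsolicited inbound traffic can reach if the firewall lets it, and established connections owned by a core Windows image (svchost.exe, lsass.exe and the like) to an address outside RFC 1918 and loopback space, which is the piggyback pattern worth opening in Process Explorer. The system-image list and the "local network" ranges are assumptions chosen for the example.

```python
"""Port-to-process inventory from `netstat -ano` output.  Added example for the
thread above, not code from it.  SAMPLE_NETSTAT and SAMPLE_PROCESSES are constructed."""
import ipaddress
from collections import namedtuple

# Constructed `netstat -ano` output (not from any real host).  The PID column is
# what `-o` adds; UDP lines have no State column.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       988
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1128
  TCP    192.168.1.10:1863      198.51.100.23:1863     ESTABLISHED     2044
  TCP    192.168.1.10:1900      203.0.113.7:4444       ESTABLISHED     3316
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.10:1900      *:*                                    1128
"""
# Constructed PID -> image name map, standing in for `tasklist /FO CSV /NH`.
SAMPLE_PROCESSES = {4: "System", 988: "svchost.exe", 1128: "svchost.exe",
                    2044: "msnmsgr.exe", 3316: "svchost.exe"}

# Assumed list of core Windows images that should not be holding connections to
# arbitrary outside hosts on their own; malware hosted in one is the piggyback case.
SYSTEM_IMAGES = {"system", "svchost.exe", "lsass.exe", "services.exe",
                 "winlogon.exe", "csrss.exe", "smss.exe"}

# Assumed "local" ranges for the outbound check: RFC 1918, loopback, link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "::1/128", "fe80::/10")]

Socket = namedtuple("Socket", "proto local remote state pid")


def parse_netstat(text):
    """Turn `netstat -ano` output into Socket records, skipping header lines."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""                      # netstat prints no state for UDP
        else:
            continue                        # unexpected column count: skip it
        sockets.append(Socket(proto, local, remote, state, int(pid)))
    return sockets


def split_endpoint(endpoint):
    """'192.168.1.10:1863' -> ('192.168.1.10', 1863); '[::1]:135' -> ('::1', 135);
    '*:*' -> ('*', None).  rpartition keeps IPv6 colons intact."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def is_local_net(host):
    """True if host is in LOCAL_NETS or is not an IP literal we can judge ('*')."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True
    return any(addr in net for net in LOCAL_NETS)


def exposed_listeners(sockets):
    """(port, pid) for every TCP listener not bound to loopback: each one is a
    service that unsolicited inbound traffic reaches if the firewall allows it."""
    out = []
    for s in sockets:
        if s.proto == "TCP" and s.state == "LISTENING":
            host, port = split_endpoint(s.local)
            if not ipaddress.ip_address(host).is_loopback:
                out.append((port, s.pid))
    return sorted(out)


def outbound_from_system_images(sockets, processes):
    """(image, pid, remote_host, remote_port) for established connections owned
    by a core Windows image whose far end lies outside LOCAL_NETS."""
    flagged = []
    for s in sockets:
        if s.state != "ESTABLISHED":
            continue
        host, port = split_endpoint(s.remote)
        image = processes.get(s.pid, "?")
        if image.lower() in SYSTEM_IMAGES and not is_local_net(host):
            flagged.append((image, s.pid, host, port))
    return flagged


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    for port, pid in exposed_listeners(socks):
        print(f"LISTEN  tcp/{port:<5} pid {pid:<5} {SAMPLE_PROCESSES.get(pid, '?')}")
    for image, pid, host, port in outbound_from_system_images(socks, SAMPLE_PROCESSES):
        print(f"CHECK   {image} (pid {pid}) -> {host}:{port}")
```

On a real machine, feed `parse_netstat` the text of `netstat -ano` and build the PID map from `tasklist /FO CSV /NH` (image name in the first column, PID in the second); run it right after login, as Duane suggests, and again later to compare. In the constructed sample the MSN Messenger connection is not flagged because msnmsgr.exe is an ordinary user program, while the svchost.exe connection to 203.0.113.7:4444 is, which is exactly the kind of entry to open in Process Explorer and trace to the DLL or service that owns the socket.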