Re: Active Ports

From: Vargas (vargasj_at_mail.wsu.edu)
Date: 08/26/04


Date: Thu, 26 Aug 2004 14:25:30 -0700
To: Duane Arnold <notme@notme.com>


Newbie here. I was tinkering with TCPView the other day killing processes
just to see how fast it would, and suddenly NT Authority shut my
system. I wrote the event down, did a Google, and found that I may have
been hit by Blaster or a variant. I have aports, Autoruns, Process
Explorer, Sygate Pro, SpywareBlaster, SpywareGuard, Ad-Aware v6 and Spybot.

I can try to kill a process with aports by shutting the port, but it takes
a long time to work, and sometimes it just doesn't do it. TCPView works
more often than not. Process Explorer works about the same as the
latter.

So, here is my question: after the message about Authority System shutting
down my machine scared the hell out of me, and after running Norton and
AVG and some other tests recommended by MS, plus one or two other tests
which never showed anything wrong, and after my machine boots and runs OK,
never shuts down, well, what other tests can I run? I even have
SystemSafe, and nothing out of the ordinary ever comes up. Thanks for any
reply.

Jose

On Fri, 20 Aug 2004, Duane Arnold wrote:

> "Brian" <flackb@hotmail.com> wrote in
> news:4125afab$0$4136$ba620e4c@news.skynet.be:
>
> > I found this useful freeware program that runs in the background and
> > constantly monitors all running services. I was amazed to see that I
> > have 35 services listening on different ports and one established
> > connection (Messenger).
>
> Well is Messenger supposed to have a connection?
>
> > Surely that means that a hacker has 35 opportunities to penetrate my
> > PC. If the services are listening to all those ports it must mean that
> > they are receptive to any incoming signals.
>
> The only way a hacker for the most part is going to do that is if the
> machine has been compromised by a Trojan that is listening on the port and
> you see a remote connection. Yes, Sygate will allow the connection to the
> remote IP, because something a (program) has solicited inbound traffic from
> a remote site. Otherwise, Sygate should block all unsolicited inbound
> traffic. A Trojan can piggyback off something like svchost.exe or other
> programs like MSN and communicate out.
>
> > The Sygate SPFP firewall is presumably designed to intercept
> > non-standard code addressed to those services but can I be sure of
> > that?
>
> Unsolicited traffic YES but solicited traffic NO. And unsolicited traffic
> can come in if the FW is somehow mis-configured.
>
> > I have various other security programs installed but I'm not yet
> > convinced that this firewall is doing a good job. In particular, the
> > Traffic Log tells me that my PC is occasionally and spontaneously
> > (even during screen saver periods) addressing remote locations that
> > mean nothing to me when I trace them. Paranoia is setting in!
>
> Once malware hits the machine and can execute, it's over, and if you're
> depending upon the highly overrated Application Control (the crutch) to
> tell you what's happening with things on the computer and programs being
> stopped or not stopped by Application Control, then you may want to think
> again.
>
> You should look for yourself from time to time on a routine basis. You
> should put a short-cut for Active Ports with screen Refresh rate set to
> high and see what's making connection at the boot and login sequence, since
> Sygate cannot get to the TCP/IP connection before the malware can to stop
> it.
>
> You may want to use Process Explorer (free) to look at running processes
> and you can look inside a running process to see what processes are using
> it.
>
> http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html
>
> You close down unneeded services that close down ports and *harden* the O/S
> to attack. The buck stops at the O/S and everything else is secondary to
> it.
>
> http://www.uksecurityonline.com/index5.php
>
> Duane :)
>
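A scripted form of the "look for yourself on a routine basis" check Duane describes (his post names Active Ports and Process Explorer; the script below is an added example, not a tool from the thread): it records which process and binary own each listening and established TCP socket, and on later runs reports anything not in that baseline. The baseline file location is an assumed default.

```powershell
# Added example, not code from the thread: snapshot listening and established TCP sockets
# with their owning process, then diff against a saved baseline. Run from an elevated
# PowerShell (3.0+, NetTCPIP module) so executable paths of system processes are visible.
param(
    [string]$Baseline = "$env:USERPROFILE\tcp-baseline.xml",  # assumed location
    [switch]$SaveBaseline
)

function Get-SocketInventory {
    # One record per socket: owning process, its binary, and its peer if connected.
    Get-NetTCPConnection -State Listen, Established | ForEach-Object {
        $proc   = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $name   = if ($proc) { $proc.ProcessName } else { '<exited>' }
        $path   = if ($proc -and $proc.Path) { $proc.Path } else { '<unknown>' }
        $local  = "$($_.LocalAddress):$($_.LocalPort)"
        $remote = "$($_.RemoteAddress):$($_.RemotePort)"
        # Listeners are keyed on the local endpoint; outbound connections on the
        # program and remote port, since ephemeral local ports change every run.
        $key = if ($_.State -eq 'Listen') { "LISTEN|$local|$name|$path" } else { "OUT|$name|$path|$($_.RemotePort)" }
        [PSCustomObject]@{
            State = $_.State; Local = $local; Remote = $remote
            ProcId = $_.OwningProcess; Process = $name; Path = $path; Key = $key
        }
    }
}

$current = @(Get-SocketInventory)

if ($SaveBaseline -or -not (Test-Path $Baseline)) {
    # First run (or -SaveBaseline): record what the machine looks like when it is known good.
    $current | Export-Clixml -Path $Baseline
    Write-Host "Baseline of $($current.Count) sockets written to $Baseline"
    $current | Sort-Object State, Local | Format-Table State, Local, Remote, ProcId, Process, Path -AutoSize
    return
}

$knownKeys = @(Import-Clixml -Path $Baseline | ForEach-Object Key)
$new = @($current | Where-Object { $_.Key -notin $knownKeys })

if ($new.Count -eq 0) {
    Write-Host "No sockets beyond the baseline."
} else {
    # A new listener, a known port now owned by a different binary, or a program
    # that was not talking out before all land here and deserve a look.
    Write-Host "Sockets not in baseline:"
    $new | Format-Table State, Local, Remote, ProcId, Process, Path -AutoSize
}
```

Put the script in a scheduled task or a logon shortcut, as Duane suggests for Active Ports, so the diff runs during the boot and login sequence rather than only when you remember to look.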
