Re: Port usage and associated process

From: Gary Flynn (flynngn@jmu.edu)
Date: 11/01/02


Date: Fri, 01 Nov 2002 13:48:17 -0500
From: Gary Flynn <flynngn@jmu.edu>


"Michel Gallant (MVP)" wrote:
>
> Thanks Gary. Fport and related info. is what I was looking for.
>
> However, it does NOT report those 2 NAV 2002 ports (25 SMTP, 110 POP3)
> that are listening (as verified by the Java port-scan utility):

I'm not familiar with the Java port-scan utility. Do the ports show up
in the LISTENING state with netstat? Do they show up on an external
scan with something like nmap? If there is really something like a
normal SMTP server listening behind port 25, you should be able to
telnet to it and get a banner. If a banner doesn't show up immediately,
try typing "HELO myhost.com" without the quotes and see if anything
comes back. You're probably already aware that Norton implements some
type of proxy to scan email messages and uses those ports to shuffle
the messages around internally. They'll only be active if the email
checking is enabled. There is a fair amount of information on it
in the Symantec knowledge base.

Maybe they are not really listening services but endpoints for some
other process. I understand netstat can be misleading that way.

I've never run across anything where I noticed Fport missing anything
but I wasn't looking for it either :)

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University
Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
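
The banner and HELO check described in the message above, written as an added example; it is not part of the original post. The function names and result labels are this example's own assumptions, and it is meant to be run against a host you administer:

```python
import socket

def read_reply(sock):
    """Return one decoded reply, or None if the peer stays silent or drops."""
    try:
        data = sock.recv(512)
    except OSError:              # includes the timeout case
        return None
    return data.decode("ascii", "replace").strip() or None

def probe_smtp(host, port=25, helo_name="myhost.com", timeout=3.0):
    """Connect, wait for a banner, then send HELO as the post suggests."""
    result = {"state": "closed", "banner": None, "helo_reply": None}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return result            # nothing is accepting on this port
    except OSError:
        result["state"] = "unreachable"   # filtered or timed out
        return result
    with sock:
        result["state"] = "open"
        result["banner"] = read_reply(sock)
        try:
            sock.sendall(f"HELO {helo_name}\r\n".encode("ascii"))
            result["helo_reply"] = read_reply(sock)
        except OSError:
            pass                 # peer closed before HELO could be sent
    return result

def classify(result):
    """Map a probe result to a label (labels are this example's own)."""
    if result["state"] != "open":
        return result["state"]
    if (result["banner"] or "").startswith("220"):
        return "smtp"            # greeted like a normal SMTP server
    if (result["helo_reply"] or "").startswith("250"):
        return "smtp-after-helo" # no banner, but HELO was answered
    if result["banner"] or result["helo_reply"]:
        return "non-smtp"        # something answers, not with SMTP codes
    return "silent"              # accepts TCP but never speaks

if __name__ == "__main__":
    r = probe_smtp("127.0.0.1", 25, timeout=2.0)
    print(25, classify(r), r)
```

A "silent" result on a port that netstat shows as LISTENING fits the case raised in the message, where the port is an endpoint for another process rather than a normal mail service.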

