Re: Listening ports.
From: N. Miller (nsm_at_blackhole.aosake.net)
Date: 03/24/04
- Next message: WayuU: "RE: help"
- Previous message: Br0wnbear: "Re: i think i may have been infected with a virus/worm!"
- In reply to: BRIAN: "Listening ports."
- Next in thread: anonymous_at_discussions.microsoft.com: "Re: Listening ports."
- Reply: anonymous_at_discussions.microsoft.com: "Re: Listening ports."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 23 Mar 2004 16:42:30 -0800
In article <127af01c4111e$8a094190$a101280a@phx.gbl>,
BBILLICH@MADISONIND.COM says...
> I understand that windows sets up listening ports on a
> computer for certain tasks/processes, and the foreign
> address comes up as mymachine.mydomain.com:0 (or at least
> it has in the past).
> So I'm wondering what's going on
> when the foreign address is showing 0.0.0.0:0?? Do I have
> a worm like listening problem?? If I do, how do I get rid
> of it?

It may not be a worm at all. Whether you show "mymachine.mydomain.com:p" or
"0.0.0.0:p" depends upon whether you run netstat -a or netstat -an. The
first case resolves names wherever possible; the second case only shows
the IP address.

You would need a process viewer to tie the ports to the processes. But
sometimes you can get a fair idea by knowing what programs access remote
ports, especially if you have a brand new installation.

I would only worry about established connections, or "TIME_WAIT" entries
which I can't account for. Here is a "netstat -a" report from my computer:

Active Connections

  Proto  Local Address          Foreign Address                State
  TCP    megumi:1041            MEGUMI:0                       LISTENING
  ...
  TCP    megumi:1041            msnews.microsoft.com:nntp      ESTABLISHED
  TCP    megumi:1071            Naomi:nbsession                TIME_WAIT
  ...

This is a highly edited output I got just a few minutes ago. Everything else
in the list was just "Listening". Port 1071 is showing a recently closed
connection between two computers on my LAN. I am behind a router, so people
on the Internet will never be able to make NetBIOS connections to my
computers.

Port 1041 is my connection to the Microsoft NNTP servers while I read and
post these groups.

Here is the same report, using "netstat -an" instead:

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1041           0.0.0.0:0              LISTENING
  ...
  TCP    192.168.102.100:1041   207.46.248.16:119      ESTABLISHED
  TCP    192.168.102.100:1071   192.168.102.101:139    TIME_WAIT
  ...

The "Established" connection means that you are exchanging packets with the
remote computer. In one of the lines, both addresses are in the same
"subnet"; the packets are flitting through a few feet of CAT 5e cable
between two computers in my house. The other line is a connection to
Microsoft.

It is not bad to see these; but it is not good to see them when you aren't
expecting to. Running IM clients will show such entries. News & mail clients
connecting to servers. P2P servers. Web browsers. You need to analyze what
you see to sort the expected connections from the unwelcome ones. I can't
say I have ever seen an unwelcome visitor phoning home; but my router and
mail server logs show denied attempts to connect inbound to me.

-- 
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint
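
The sorting the reply describes (listeners versus LAN peers versus remote peers that need an explanation) can be scripted over "netstat -an" output. This is an added example, not part of the original post; the function names are hypothetical, the sample is constructed from the lines quoted in the reply, and it handles only IPv4 TCP rows.

```python
import ipaddress

# Constructed sample: the "netstat -an" lines quoted in the post above.
SAMPLE = """\
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1041           0.0.0.0:0              LISTENING
  TCP    192.168.102.100:1041   207.46.248.16:119      ESTABLISHED
  TCP    192.168.102.100:1071   192.168.102.101:139    TIME_WAIT
"""

def split_endpoint(text):
    """Split 'addr:port' on the last colon (IPv4 form printed by netstat -an)."""
    host, _, port = text.rpartition(":")
    return host, int(port)

def parse_netstat(output):
    """Yield one dict per TCP row; headers and unparseable rows are skipped."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0].upper() != "TCP":
            continue
        try:
            lhost, lport = split_endpoint(fields[1])
            rhost, rport = split_endpoint(fields[2])
            remote = ipaddress.ip_address(rhost)
        except ValueError:
            continue  # resolved names from "netstat -a" cannot be classified by address
        yield {"local": (lhost, lport), "remote": (remote, rport), "state": fields[3]}

def classify(row):
    """Label a row: 'listener', 'lan' (private/loopback peer) or 'remote'."""
    remote, _ = row["remote"]
    if row["state"] == "LISTENING":
        return "listener"
    if remote.is_private or remote.is_loopback:
        return "lan"
    return "remote"  # off-subnet peer: the kind of entry to account for

def triage(output):
    """Return (label, state, local port, remote address, remote port) per row."""
    return [(classify(r), r["state"], r["local"][1], str(r["remote"][0]), r["remote"][1])
            for r in parse_netstat(output)]

if __name__ == "__main__":
    for entry in triage(SAMPLE):
        print(entry)
```

Rows labelled "remote" are the ones to match against programs you know are running, such as the news client in the reply.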