Re: Port 21 open on pc's not running ftp?
From: Karl Levinson, mvp (levinson_k_at_despammed.com)
Date: 05/06/05
- In reply to: Ken: "Re: Port 21 open on pc's not running ftp?"
Date: Fri, 6 May 2005 07:53:46 -0400
Another idea, you could confirm whether the port is really listening on the
computer by using a crossover ethernet cable directly between two computers
and doing telnet that way to see if the problem still happens.
I would think that telnetting to the real IP address of the local computer
[e.g. not 127.0.0.1] should usually give the same response as doing so from
a remote computer.
"Ken" <Ken@discussions.microsoft.com> wrote in message
news:C59FEDC5-8152-4412-9B08-6B1FD6F8D5DF@microsoft.com...
> Thanks for the reply. I will look into the rootkit and Hijack. To answer
> some of your questions: All of the pcs are on the local network, the only
> firewalls in place are the windows xp firewall included in sp2. Only about 5
> of the 20 something pc's are xp. All the pc's are running McAfee Enterprise
> vshield and are current on the dat releases. I have looked at both the
> running processes and startup programs using msconfig and haven't seen
> anything that shouldn't be there. The only anomaly I have found so far is
> that the open port doesn't appear locally. i.e. on the machine being tested
> a telnet <machinename> 21 replies with a connection failed. If I go to a
> remote machine and run the same telnet command pointing to the first pc I get
> the open port 21 anomaly. So whatever it is only shows up through the
> network. Our network switches are Dell powerconnect gigabit switches which
> to my knowledge shouldn't be listening on port 21, but I will run a test across
> pc's on our cabletron switch to verify. I have run the same test on pc's at
> a remote location that have the same software applied and I don't get the
> open port problem (they are also using a netgear switch instead of the Dell),
> so I know the applications that we have installed at the office shouldn't be
> opening the port.
>
> Thanks again for the help...
>
> "Karl Levinson, mvp" wrote:
>
> > No, this is not normal for Windows 2000, at least not on my workstation.
> > However, the fact that "all" the systems are so affected makes me wonder
> > whether this could be something that has been installed intentionally. The
> > fact that nothing showed up in TCPView is unusual. If there is a firewall
> > in between you and the systems you are scanning, you could be getting a
> > response back from the firewall.
> >
> > You could run the rootkit detection utility from www.sysinternals.com,
> > and/or RKDetect which you can find in google. The latter is run at the
> > command line using the command CSCRIPT.EXE RKDETECT.VBS [your-ip-address]
> > You could also do a virus scan of one system's shared drives across the
> > network from another, known virus free system that is not behaving in this
> > manner [for now, windows root kits can often be detected remotely from clean
> > systems, as for now only the local system is fooled by the root kit]. You
> > could try running MSCONFIG on the XP systems to see some of the programs
> > starting up at startup. You could also search google for Hijack This, run
> > that, and post the resulting log file in the Hijack This discussion group on
> > their site. You could also try doing a search for files that have changed
> > in the last day and inspect the results for anything unusual. You could
> > also inspect your firewall logs for anything unusual outbound or inbound, or
> > unusual amounts of traffic either way.
> >
> >
> > "Ken" <Ken@discussions.microsoft.com> wrote in message
> > news:F4A6D786-9CE6-41FC-9900-F208DDC3F71F@microsoft.com...
> > > I just happened to run a port scan on the pc's in the office today and
> > > found that every one of them has port 21 open and none of them are running
> > > ftp services. Most are windows 2000 with a few being xp sp2 with the
> > > firewall turned on. When you telnet to port 21 on these machines you can
> > > send data to them but no response is echoed back. The port closes about
> > > 20-30 seconds after being opened. When you ftp to these machines the
> > > connection just times out or gives an unknown error. What really gets me
> > > is that I ran TCPView from sysinternals and no processes are listed as
> > > listening on port 21. Does anyone have a clue on how the port could be
> > > open without a process opening it? Am I missing something? Is this normal
> > > for windows now? Any help would be appreciated.
> >
> >
> >