Re: LISTENING, ESTABLISHED, CLOSE_WAIT TCP Ports & UDP Ports?

From: JediRockClimber (someone_at_somedomain.net)
Date: 12/06/04

  • Next message: Jayme Pechan: "DCOM Access Permissions"
    Date: Mon, 6 Dec 2004 14:33:59 -0800
    
    

    Thanks a lot for the analysis.
    I found that both IDUServ.exe and IPTray.exe are part of the Intel Desktop
    Utilities, specifically the temperature monitor and fan speed utilities;
    what I don't understand is why they're opening ports for listening.
    Weird, I guess I should contact Intel Support, eh?
    Thanks a lot

    "Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
    news:OZejVyf2EHA.3128@TK2MSFTNGP14.phx.gbl...
    > Danger Will Robinson!
    >
    > Google found zero hits explaining what IDUServ.exe is, and only two hits
    > in French explaining what IPTray.exe is. This is usually a very bad thing,
    > because legitimate file names pretty much always show up in Google. [Note
    > that the reverse is not true - if you find a file name in Google, you
    > still can't be sure if your file named that is good or bad just from the
    > Google results alone.]
    >
    > ccproxy.exe is used by Norton Internet Security, which includes a
    > firewall, but if you don't have this installed on your server, then that
    > would be suspicious too.
    >
    > Based on this, unless you know what these file names are and do, you may
    > want to inspect your system for signs of hacking. Some ways to do this:
    >
    > http://securityadmin.info/faq.asp#hacked
    >
    > Also, RKDETECT from www.google.com and Silent Runners from
    > www.silentrunners.org can be useful.
    >
    > If you want to know what those other files do, search Google for the file
    > names. If your copy is legitimate, what you find in google will explain
    > what it is exactly.
    >
    > The following entry appears to show your IP address using Terminal
    > Services to remotely control your server at the time. This IP matches the
    > IP you appeared to use to post this message.
    >
    >> TCP 192.168.1.10:3389 66.245.216.179:10215 ESTABLISHED svchost.exe
    >
    > There weren't any other entries that appeared to show an attacker on the
    > Internet using TCP to connect to your server. However, do note that
    > Windows rootkits do have the ability to hide some port activity like
    > listening ports from you, if a Windows rootkit was installed.
    >
    > Windows rootkits conceal themselves from locally run programs and local
    > users, but you can potentially see them if you do things across the
    > network through Windows networking, such as running a virus scan on a
    > mapped drive letter from another computer, or inspecting the startup
    > locations in the registry from another computer. I don't know whether a
    > Windows rootkit is installed here, I just mention it as a possibility to
    > keep in mind as you look for things.
    >
    > What you've done below doesn't show you outbound traffic coming from
    > malware. Checking your firewall logs and/or running Ethereal will show
    > you this. Some firewall logs like www.kerio.com and www.sygate.com will
    > tell you what .EXE file generated each outbound traffic stream, which is
    > useful.
    >
    >
    >
    > "JediRockClimber" <someone@somedomain.net> wrote in message
    > news:ePgmsOR2EHA.1260@TK2MSFTNGP12.phx.gbl...
    >> I'm running Windows Server 2003.
    >> Can somebody explain to me why all these ports are open and how they are
    >> being used? Is this a security risk? Can somebody on the network or from
    >> the Internet gain access to my server?
    >> What kind of measures do I need to take besides just placing a firewall?
    >> Thanks a lot...
    >>
    >> This is what I get when I run netstat -ano
    >> Active Connections
    >>
    >> Proto Local Address          Foreign Address        State       PID
    >> TCP   0.0.0.0:42             0.0.0.0:0              LISTENING   wins.exe
    >> TCP   0.0.0.0:53             0.0.0.0:0              LISTENING   dns.exe
    >> TCP   0.0.0.0:88             0.0.0.0:0              LISTENING   lsass.exe
    >> TCP   0.0.0.0:135            0.0.0.0:0              LISTENING   svchost.exe
    >> TCP   0.0.0.0:389            0.0.0.0:0              LISTENING   lsass.exe
    >> TCP   0.0.0.0:445            0.0.0.0:0              LISTENING   System
    >> TCP   0.0.0.0:464            0.0.0.0:0              LISTENING   lsass.exe
    >> TCP   0.0.0.0:593            0.0.0.0:0              LISTENING   svchost.exe
    >> TCP   0.0.0.0:636            0.0.0.0:0              LISTENING   lsass.exe
    >> TCP   0.0.0.0:1025           0.0.0.0:0              LISTENING   lsass.exe
    >> TCP   0.0.0.0:1026           0.0.0.0:0              LISTENING   svchost.exe
    >> TCP   0.0.0.0:1028           0.0.0.0:0              LISTENING   lsass.exe
    >> TCP   0.0.0.0:2804           0.0.0.0:0              LISTENING   IDUServ.exe
    >> TCP   0.0.0.0:3001           0.0.0.0:0              LISTENING   ntfrs.exe
    >> TCP   0.0.0.0:3005           0.0.0.0:0              LISTENING   wins.exe
    >> TCP   0.0.0.0:3011           0.0.0.0:0              LISTENING   dns.exe
    >> TCP   0.0.0.0:3012           0.0.0.0:0              LISTENING   tcpsvcs.exe
    >> TCP   0.0.0.0:3268           0.0.0.0:0              LISTENING   lsass.exe
    >> TCP   0.0.0.0:3269           0.0.0.0:0              LISTENING   lsass.exe
    >> TCP   0.0.0.0:3389           0.0.0.0:0              LISTENING   svchost.exe
    >> TCP   127.0.0.1:389          127.0.0.1:1037         ESTABLISHED lsass.exe
    >> TCP   127.0.0.1:389          127.0.0.1:1038         ESTABLISHED lsass.exe
    >> TCP   127.0.0.1:389          127.0.0.1:1039         ESTABLISHED lsass.exe
    >> TCP   127.0.0.1:389          127.0.0.1:3007         ESTABLISHED lsass.exe
    >> TCP   127.0.0.1:1032         0.0.0.0:0              LISTENING   ccproxy.exe
    >> TCP   127.0.0.1:1037         127.0.0.1:389          ESTABLISHED ismserv.exe
    >> TCP   127.0.0.1:1038         127.0.0.1:389          ESTABLISHED ismserv.exe
    >> TCP   127.0.0.1:1039         127.0.0.1:389          ESTABLISHED ismserv.exe
    >> TCP   127.0.0.1:2804         127.0.0.1:3117         ESTABLISHED IDUServ.exe
    >> TCP   127.0.0.1:2804         127.0.0.1:4202         ESTABLISHED IDUServ.exe
    >> TCP   127.0.0.1:3007         127.0.0.1:389          ESTABLISHED dns.exe
    >> TCP   127.0.0.1:3082         0.0.0.0:0              LISTENING   alg.exe
    >> TCP   127.0.0.1:3117         127.0.0.1:2804         ESTABLISHED iptray.exe
    >> TCP   127.0.0.1:4202         127.0.0.1:2804         ESTABLISHED iptray.exe
    >> TCP   192.168.1.10:139       0.0.0.0:0              LISTENING   System
    >> TCP   192.168.1.10:139       192.168.1.50:2931      ESTABLISHED System
    >> TCP   192.168.1.10:139       192.168.1.56:1267      ESTABLISHED System
    >> TCP   192.168.1.10:389       192.168.1.10:3099      ESTABLISHED lsass.exe
    >> TCP   192.168.1.10:1025      192.168.1.10:3103      ESTABLISHED lsass.exe
    >> TCP   192.168.1.10:1025      192.168.1.10:3105      ESTABLISHED lsass.exe
    >> TCP   192.168.1.10:1025      192.168.1.10:3902      ESTABLISHED lsass.exe
    >> TCP   192.168.1.10:1025      192.168.1.10:4742      ESTABLISHED lsass.exe
    >> TCP   192.168.1.10:3099      192.168.1.10:389       ESTABLISHED ntfrs.exe
    >> TCP   192.168.1.10:3103      192.168.1.10:1025      ESTABLISHED ntfrs.exe
    >> TCP   192.168.1.10:3105      192.168.1.10:1025      ESTABLISHED ntfrs.exe
    >> TCP   192.168.1.10:3389      66.245.216.179:10215   ESTABLISHED svchost.exe
    >> TCP   192.168.1.10:3832      192.168.1.10:389       CLOSE_WAIT  svchost.exe
    >> TCP   192.168.1.10:3902      192.168.1.10:1025      ESTABLISHED lsass.exe
    >> TCP   192.168.1.10:4204      192.168.1.10:389       CLOSE_WAIT  mmc.exe
    >> TCP   192.168.1.10:4339      192.168.1.10:389       CLOSE_WAIT  mmc.exe
    >> TCP   192.168.1.10:4455      192.168.1.10:389       CLOSE_WAIT  mmc.exe
    >> TCP   192.168.1.10:4478      192.168.1.10:389       CLOSE_WAIT  mmc.exe
    >> TCP   192.168.1.10:4742      192.168.1.10:1025      ESTABLISHED lsass.exe
    >> UDP   0.0.0.0:42             *:*                                wins.exe
    >> UDP   0.0.0.0:445            *:*                                System
    >> UDP   0.0.0.0:500            *:*                                lsass.exe
    >> UDP   0.0.0.0:1030           *:*                                svchost.exe
    >> UDP   0.0.0.0:1031           *:*                                svchost.exe
    >> UDP   0.0.0.0:1035           *:*                                dns.exe
    >> UDP   0.0.0.0:1036           *:*                                ismserv.exe
    >> UDP   0.0.0.0:3002           *:*                                ntfrs.exe
    >> UDP   0.0.0.0:3004           *:*                                wins.exe
    >> UDP   0.0.0.0:3006           *:*                                dns.exe
    >> UDP   0.0.0.0:3068           *:*                                lsass.exe
    >> UDP   0.0.0.0:3086           *:*                                winlogon.exe
    >> UDP   0.0.0.0:3419           *:*                                spoolsv.exe
    >> UDP   0.0.0.0:3587           *:*                                dfssvc.exe
    >> UDP   0.0.0.0:3831           *:*                                svchost.exe
    >> UDP   0.0.0.0:3908           *:*                                llssrv.exe
    >> UDP   0.0.0.0:4199           *:*                                winlogon.exe
    >> UDP   0.0.0.0:4203           *:*                                mmc.exe
    >> UDP   0.0.0.0:4338           *:*                                mmc.exe
    >> UDP   0.0.0.0:4500           *:*                                lsass.exe
    >> UDP   127.0.0.1:53           *:*                                dns.exe
    >> UDP   127.0.0.1:123          *:*                                svchost.exe
    >> UDP   127.0.0.1:1034         *:*                                dns.exe
    >> UDP   127.0.0.1:3129         *:*                                iexplore.exe
    >> UDP   192.168.1.10:53        *:*                                dns.exe
    >> UDP   192.168.1.10:67        *:*                                tcpsvcs.exe
    >> UDP   192.168.1.10:68        *:*                                tcpsvcs.exe
    >> UDP   192.168.1.10:88        *:*                                lsass.exe
    >> UDP   192.168.1.10:123       *:*                                svchost.exe
    >> UDP   192.168.1.10:137       *:*                                System
    >> UDP   192.168.1.10:138       *:*                                System
    >> UDP   192.168.1.10:389       *:*                                lsass.exe
    >> UDP   192.168.1.10:464       *:*                                lsass.exe
    >> UDP   192.168.1.10:2535      *:*                                tcpsvcs.exe
    >>
    >>
    >
    >
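
The triage Karl did by hand in the quoted reply (which listeners are reachable from the network rather than loopback-only, which owning binaries are not recognised, which ESTABLISHED session has a public peer, and the cross-check against a scan run from another host that his rootkit caveat calls for), written up as an added Python example. This is not code from any of the posters. It assumes the server roles implied by the posted listing (a Windows Server 2003 domain controller also running DNS, WINS and DHCP), so the expected-port table and the process allowlist are assumptions; the sample listing is a constructed subset of the quoted netstat output in the wrapped form it was posted in, and the remote scan result is constructed.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample: a subset of the netstat listing quoted in the thread,
# with the owning process wrapped onto the line after each socket, as posted.
SAMPLE_LISTING = """\
TCP 0.0.0.0:88 0.0.0.0:0 LISTENING
lsass.exe
TCP 0.0.0.0:389 0.0.0.0:0 LISTENING
lsass.exe
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
System
TCP 0.0.0.0:2804 0.0.0.0:0 LISTENING
IDUServ.exe
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
svchost.exe
TCP 127.0.0.1:1032 0.0.0.0:0 LISTENING
ccproxy.exe
TCP 127.0.0.1:3117 127.0.0.1:2804 ESTABLISHED
iptray.exe
TCP 192.168.1.10:139 192.168.1.50:2931 ESTABLISHED
System
TCP 192.168.1.10:3389 66.245.216.179:10215 ESTABLISHED
svchost.exe
UDP 0.0.0.0:42 *:*
wins.exe
UDP 192.168.1.10:137 *:*
System
"""

Socket = namedtuple("Socket", "proto local_ip local_port remote_ip remote_port state process")

# proto, local addr:port, foreign addr:port, optional TCP state
SOCKET_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+([A-Z_]+))?$")

# Assumption: ports a DC with DNS, WINS and DHCP roles is expected to expose.
EXPECTED_DC_PORTS = {
    42: "WINS", 53: "DNS", 67: "DHCP", 68: "DHCP", 88: "Kerberos", 123: "NTP",
    135: "RPC endpoint mapper", 137: "NetBIOS name", 138: "NetBIOS datagram",
    139: "NetBIOS session", 389: "LDAP", 445: "SMB", 464: "Kerberos kpasswd",
    500: "IKE", 593: "RPC over HTTP", 636: "LDAPS", 3268: "Global Catalog",
    3269: "Global Catalog SSL", 3389: "Terminal Services", 4500: "IPsec NAT-T",
}

# Assumption: binaries that normally own sockets on such a server. A matching
# name is not proof of legitimacy (malware reuses names); it only orders the
# review so that unfamiliar binaries are looked at first.
KNOWN_PROCESSES = {
    "System", "lsass.exe", "svchost.exe", "dns.exe", "wins.exe", "ntfrs.exe",
    "ismserv.exe", "tcpsvcs.exe", "alg.exe", "spoolsv.exe", "dfssvc.exe",
    "llssrv.exe", "winlogon.exe", "mmc.exe",
}


def parse_listing(text):
    """Parse the wrapped netstat output into Socket records."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    sockets, i = [], 0
    while i < len(lines):
        m = SOCKET_RE.match(lines[i])
        if m is None:
            i += 1
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        process = None
        # The next line is the owning process unless it is itself a socket line.
        if i + 1 < len(lines) and SOCKET_RE.match(lines[i + 1]) is None:
            process = lines[i + 1]
            i += 1
        sockets.append(Socket(proto, lip, int(lport), rip, rport, state or "", process))
        i += 1
    return sockets


def is_listener(s):
    return s.state == "LISTENING" or s.proto == "UDP"


def network_reachable_listeners(sockets):
    """Listeners bound to all interfaces or a real NIC, i.e. not loopback-only."""
    return [s for s in sockets
            if is_listener(s) and not ipaddress.ip_address(s.local_ip).is_loopback]


def unexpected_ports(sockets):
    """Reachable listeners on ports the server's roles do not explain."""
    return [s for s in network_reachable_listeners(sockets) if s.local_port not in EXPECTED_DC_PORTS]


def unknown_processes(sockets):
    return sorted({s.process for s in sockets if s.process and s.process not in KNOWN_PROCESSES})


def external_sessions(sockets):
    """ESTABLISHED connections whose peer is a public (non-private, non-loopback) address."""
    return [s for s in sockets
            if s.state == "ESTABLISHED" and ipaddress.ip_address(s.remote_ip).is_global]


def hidden_listeners(sockets, ports_open_from_network):
    """TCP ports a scan from another host reports open but the local listing lacks.
    A rootkit that filters the local view shows up as a non-empty result."""
    local = {s.local_port for s in sockets if s.proto == "TCP" and is_listener(s)}
    return sorted(set(ports_open_from_network) - local)


if __name__ == "__main__":
    socks = parse_listing(SAMPLE_LISTING)
    for s in network_reachable_listeners(socks):
        role = EXPECTED_DC_PORTS.get(s.local_port, "?? not a known DC port")
        print(f"{s.proto} {s.local_ip}:{s.local_port:<5} {s.process or '?':<12} {role}")
    print("unknown binaries:", unknown_processes(socks))
    for s in external_sessions(socks):
        print(f"external session: {s.remote_ip}:{s.remote_port} -> port {s.local_port} ({s.process})")
    # Constructed scan result from another host; 4444 is absent from the local listing.
    print("open remotely but not listed locally:", hidden_listeners(socks, [88, 389, 445, 2804, 3389, 4444]))
```

Run against the constructed subset, the reachable-listener pass flags only port 2804 (IDUServ.exe) as unexplained by the server's roles, the process pass names IDUServ.exe, ccproxy.exe and iptray.exe, and the session pass reports the single connection from 66.245.216.179 to port 3389. The last function only makes sense with real input from a scan run on a different machine, which is the point of Karl's caveat: a listing produced on a possibly compromised host can only be trusted as far as the host is.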
