Re: LISTENING, ESTABLISHED, CLOSE_WAIT TCP Ports & UDP Ports?

From: Karl Levinson, mvp (levinson_k_at_despammed.com)
Date: 12/07/04


Date: Tue, 7 Dec 2004 06:59:51 -0500

Hmm, I'm very surprised they wouldn't show up in Google, and that they would
have an open listening port. You could submit copies of those files to one
or more anti-virus companies.

"JediRockClimber" <someone@somedomain.net> wrote in message
news:uymkwR%232EHA.1144@TK2MSFTNGP09.phx.gbl...
> Thanks a lot for the analysis.
> I found that both IDUServ.exe and IPTray.exe are part of the Intel Desktop
> Utilities, specifically the temperature monitor and fan speed utilities;
> what I don't understand is why they're opening ports for listening.
> Weird, I guess I should contact Intel Support, eh?
> Thanks a lot
>
>
> "Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
> news:OZejVyf2EHA.3128@TK2MSFTNGP14.phx.gbl...
> > Danger Will Robinson!
> >
> > Google found zero hits explaining what IDUServ.exe is, and only two hits
> > in French explaining what IPTray.exe is. This is usually a very bad thing,
> > because legitimate file names pretty much always show up in Google. [Note
> > that the reverse is not true - if you find a file name in Google, you
> > still can't be sure if your file named that is good or bad just from the
> > Google results alone.]
> >
> > ccproxy.exe is used by Norton Internet Security, which includes a
> > firewall, but if you don't have this installed on your server, then that
> > would be suspicious too.
> >
> > Based on this, unless you know what these file names are and do, you may
> > want to inspect your system for signs of hacking. Some ways to do this:
> >
> > http://securityadmin.info/faq.asp#hacked
> >
> > Also, RKDETECT from www.google.com and Silent Runners from
> > www.silentrunners.org can be useful.
> >
> > If you want to know what those other files do, search Google for the
> > file names. If your copy is legitimate, what you find in Google will
> > explain what it is exactly.
> >
> > The following entry appears to show your IP address using Terminal
> > Services to remotely control your server at the time. This IP matches the
> > IP you appeared to use to post this message.
> >
> >> TCP 192.168.1.10:3389 66.245.216.179:10215 ESTABLISHED
> >> svchost.exe
> >
> > There weren't any other entries that appeared to show an attacker on the
> > Internet using TCP to connect to your server. However, do note that
> > Windows root kits do have the ability to hide some port activity like
> > listening ports from you, if a Windows root kit was installed.
> >
> > Windows root kits conceal themselves from locally run programs and local
> > users, but you can potentially see them if you do things across the
> > network through Windows networking, such as running a virus scan on a
> > mapped drive letter from another computer, or inspecting the startup
> > locations in the registry from another computer. I don't know whether a
> > Windows root kit is installed here, I just mention it as a possibility to
> > keep in mind as you look for things.
> >
> > What you've done below doesn't show you outbound traffic coming from
> > malware. Checking your firewall logs and/or running Ethereal will show
> > you this. Some firewall logs like www.kerio.com and www.sygate.com will
> > tell you what .EXE file generated each outbound traffic stream, which is
> > useful.
> >
> >
> >
> > "JediRockClimber" <someone@somedomain.net> wrote in message
> > news:ePgmsOR2EHA.1260@TK2MSFTNGP12.phx.gbl...
> >> I'm running Windows Server 2003.
> >> Can somebody explain to me why all these ports are open, and how they are
> >> being used? Is this a security risk? Can somebody on the network or from
> >> the internet gain access to my server?
> >> What kind of measures do I need to take besides just placing a firewall?
> >> Thanks a lot...
> >>
> >> This is what I get when I run netstat -ano
> >> Active Connections
> >>
> >> Proto Local Address Foreign Address State PID
> >> TCP 0.0.0.0:42 0.0.0.0:0 LISTENING
> >> wins.exe
> >> TCP 0.0.0.0:53 0.0.0.0:0 LISTENING
> >> dns.exe
> >> TCP 0.0.0.0:88 0.0.0.0:0 LISTENING
> >> lsass.exe
> >> TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
> >> svchost.exe
> >> TCP 0.0.0.0:389 0.0.0.0:0 LISTENING
> >> lsass.exe
> >> TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
> >> System
> >> TCP 0.0.0.0:464 0.0.0.0:0 LISTENING
> >> lsass.exe
> >> TCP 0.0.0.0:593 0.0.0.0:0 LISTENING
> >> svchost.exe
> >> TCP 0.0.0.0:636 0.0.0.0:0 LISTENING
> >> lsass.exe
> >> TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
> >> lsass.exe
> >> TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
> >> svchost.exe
> >> TCP 0.0.0.0:1028 0.0.0.0:0 LISTENING
> >> lsass.exe
> >> TCP 0.0.0.0:2804 0.0.0.0:0 LISTENING
> >> IDUServ.exe
> >> TCP 0.0.0.0:3001 0.0.0.0:0 LISTENING
> >> ntfrs.exe
> >> TCP 0.0.0.0:3005 0.0.0.0:0 LISTENING
> >> wins.exe
> >> TCP 0.0.0.0:3011 0.0.0.0:0 LISTENING
> >> dns.exe
> >> TCP 0.0.0.0:3012 0.0.0.0:0 LISTENING
> >> tcpsvcs.exe
> >> TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING
> >> lsass.exe
> >> TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING
> >> lsass.exe
> >> TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
> >> svchost.exe
> >> TCP 127.0.0.1:389 127.0.0.1:1037 ESTABLISHED
> >> lsass.exe
> >> TCP 127.0.0.1:389 127.0.0.1:1038 ESTABLISHED
> >> lsass.exe
> >> TCP 127.0.0.1:389 127.0.0.1:1039 ESTABLISHED
> >> lsass.exe
> >> TCP 127.0.0.1:389 127.0.0.1:3007 ESTABLISHED
> >> lsass.exe
> >> TCP 127.0.0.1:1032 0.0.0.0:0 LISTENING
> >> ccproxy.exe
> >> TCP 127.0.0.1:1037 127.0.0.1:389 ESTABLISHED
> >> ismserv.exe
> >> TCP 127.0.0.1:1038 127.0.0.1:389 ESTABLISHED
> >> ismserv.exe
> >> TCP 127.0.0.1:1039 127.0.0.1:389 ESTABLISHED
> >> ismserv.exe
> >> TCP 127.0.0.1:2804 127.0.0.1:3117 ESTABLISHED
> >> IDUServ.exe
> >> TCP 127.0.0.1:2804 127.0.0.1:4202 ESTABLISHED
> >> IDUServ.exe
> >> TCP 127.0.0.1:3007 127.0.0.1:389 ESTABLISHED
> >> dns.exe
> >> TCP 127.0.0.1:3082 0.0.0.0:0 LISTENING
> >> alg.exe
> >> TCP 127.0.0.1:3117 127.0.0.1:2804 ESTABLISHED
> >> iptray.exe
> >> TCP 127.0.0.1:4202 127.0.0.1:2804 ESTABLISHED
> >> iptray.exe
> >> TCP 192.168.1.10:139 0.0.0.0:0 LISTENING
> >> System
> >> TCP 192.168.1.10:139 192.168.1.50:2931 ESTABLISHED
> >> System
> >> TCP 192.168.1.10:139 192.168.1.56:1267 ESTABLISHED
> >> System
> >> TCP 192.168.1.10:389 192.168.1.10:3099 ESTABLISHED
> >> lsass.exe
> >> TCP 192.168.1.10:1025 192.168.1.10:3103 ESTABLISHED
> >> lsass.exe
> >> TCP 192.168.1.10:1025 192.168.1.10:3105 ESTABLISHED
> >> lsass.exe
> >> TCP 192.168.1.10:1025 192.168.1.10:3902 ESTABLISHED
> >> lsass.exe
> >> TCP 192.168.1.10:1025 192.168.1.10:4742 ESTABLISHED
> >> lsass.exe
> >> TCP 192.168.1.10:3099 192.168.1.10:389 ESTABLISHED
> >> ntfrs.exe
> >> TCP 192.168.1.10:3103 192.168.1.10:1025 ESTABLISHED
> >> ntfrs.exe
> >> TCP 192.168.1.10:3105 192.168.1.10:1025 ESTABLISHED
> >> ntfrs.exe
> >> TCP 192.168.1.10:3389 66.245.216.179:10215 ESTABLISHED
> >> svchost.exe
> >> TCP 192.168.1.10:3832 192.168.1.10:389 CLOSE_WAIT
> >> svchost.exe
> >> TCP 192.168.1.10:3902 192.168.1.10:1025 ESTABLISHED
> >> lsass.exe
> >> TCP 192.168.1.10:4204 192.168.1.10:389 CLOSE_WAIT
> >> mmc.exe
> >> TCP 192.168.1.10:4339 192.168.1.10:389 CLOSE_WAIT
> >> mmc.exe
> >> TCP 192.168.1.10:4455 192.168.1.10:389 CLOSE_WAIT
> >> mmc.exe
> >> TCP 192.168.1.10:4478 192.168.1.10:389 CLOSE_WAIT
> >> mmc.exe
> >> TCP 192.168.1.10:4742 192.168.1.10:1025 ESTABLISHED
> >> lsass.exe
> >> UDP 0.0.0.0:42 *:*
> >> wins.exe
> >> UDP 0.0.0.0:445 *:*
> >> System
> >> UDP 0.0.0.0:500 *:*
> >> lsass.exe
> >> UDP 0.0.0.0:1030 *:*
> >> svchost.exe
> >> UDP 0.0.0.0:1031 *:*
> >> svchost.exe
> >> UDP 0.0.0.0:1035 *:*
> >> dns.exe
> >> UDP 0.0.0.0:1036 *:*
> >> ismserv.exe
> >> UDP 0.0.0.0:3002 *:*
> >> ntfrs.exe
> >> UDP 0.0.0.0:3004 *:*
> >> wins.exe
> >> UDP 0.0.0.0:3006 *:*
> >> dns.exe
> >> UDP 0.0.0.0:3068 *:*
> >> lsass.exe
> >> UDP 0.0.0.0:3086 *:*
> >> winlogon.exe
> >> UDP 0.0.0.0:3419 *:*
> >> spoolsv.exe
> >> UDP 0.0.0.0:3587 *:*
> >> dfssvc.exe
> >> UDP 0.0.0.0:3831 *:*
> >> svchost.exe
> >> UDP 0.0.0.0:3908 *:*
> >> llssrv.exe
> >> UDP 0.0.0.0:4199 *:*
> >> winlogon.exe
> >> UDP 0.0.0.0:4203 *:*
> >> mmc.exe
> >> UDP 0.0.0.0:4338 *:*
> >> mmc.exe
> >> UDP 0.0.0.0:4500 *:*
> >> lsass.exe
> >> UDP 127.0.0.1:53 *:*
> >> dns.exe
> >> UDP 127.0.0.1:123 *:*
> >> svchost.exe
> >> UDP 127.0.0.1:1034 *:*
> >> dns.exe
> >> UDP 127.0.0.1:3129 *:*
> >> iexplore.exe
> >> UDP 192.168.1.10:53 *:*
> >> dns.exe
> >> UDP 192.168.1.10:67 *:*
> >> tcpsvcs.exe
> >> UDP 192.168.1.10:68 *:*
> >> tcpsvcs.exe
> >> UDP 192.168.1.10:88 *:*
> >> lsass.exe
> >> UDP 192.168.1.10:123 *:*
> >> svchost.exe
> >> UDP 192.168.1.10:137 *:*
> >> System
> >> UDP 192.168.1.10:138 *:*
> >> System
> >> UDP 192.168.1.10:389 *:*
> >> lsass.exe
> >> UDP 192.168.1.10:464 *:*
> >> lsass.exe
> >> UDP 192.168.1.10:2535 *:*
> >> tcpsvcs.exe
> >>
> >>
> >
> >
>
>

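The triage Karl walks through above (listeners on every interface versus loopback only, an ESTABLISHED session whose peer is outside the LAN, unfamiliar process names, and the CLOSE_WAIT entries the subject line asks about) can be mechanised over a listing in the shape of the one posted. The following is an added example written for this page, not code from the thread or from Microsoft; the `KNOWN_PROCESSES` baseline and the four classification rules are the example's own assumptions, and the sample listing is constructed from lines that appear in the post.

```python
"""Triage a Windows netstat listing: exposed listeners, sessions with a peer
outside the LAN, unfamiliar processes, CLOSE_WAIT counts. Added example."""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of the original post (socket line, then the
# owning process on its own line), using values that appear in the thread.
SAMPLE = """\
TCP 0.0.0.0:2804 0.0.0.0:0 LISTENING
IDUServ.exe
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
svchost.exe
TCP 127.0.0.1:1032 0.0.0.0:0 LISTENING
ccproxy.exe
TCP 127.0.0.1:2804 127.0.0.1:3117 ESTABLISHED
IDUServ.exe
TCP 192.168.1.10:139 192.168.1.50:2931 ESTABLISHED
System
TCP 192.168.1.10:3389 66.245.216.179:10215 ESTABLISHED
svchost.exe
TCP 192.168.1.10:4204 192.168.1.10:389 CLOSE_WAIT
mmc.exe
UDP 0.0.0.0:42 *:*
wins.exe
"""

# Assumed baseline of processes the operator already recognises on this server
# role (an assumption of this example, not a Microsoft list); anything else
# that listens is surfaced for a closer look.
KNOWN_PROCESSES = {"System", "lsass.exe", "svchost.exe", "dns.exe", "wins.exe",
                   "ntfrs.exe", "ismserv.exe", "tcpsvcs.exe"}

@dataclass
class Socket:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: Optional[str]     # None for UDP's "*:*"
    remote_port: Optional[int]
    state: str                   # LISTENING / ESTABLISHED / CLOSE_WAIT / "" for UDP
    process: str

def split_endpoint(endpoint: str):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '*:*' -> (None, None); '[::]:135' -> ('::', 135)."""
    host, _, port = endpoint.rpartition(":")
    if host == "*" or port == "*":
        return None, None
    return host.strip("[]"), int(port)

def parse_netstat(text: str) -> List[Socket]:
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    sockets: List[Socket] = []
    i = 0
    while i < len(lines):
        parts = lines[i].split()
        if parts[0] not in ("TCP", "UDP"):
            i += 1                                   # header or stray text
            continue
        local_ip, local_port = split_endpoint(parts[1])
        remote_ip, remote_port = split_endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else ""   # UDP lines carry no state
        process = "?"
        # The process name follows on the next line (netstat -b wraps it in []).
        if i + 1 < len(lines) and lines[i + 1].split()[0] not in ("TCP", "UDP"):
            process = lines[i + 1].strip("[]")
            i += 1
        sockets.append(Socket(parts[0], local_ip, local_port,
                              remote_ip, remote_port, state, process))
        i += 1
    return sockets

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local

def triage(sockets: List[Socket]) -> Dict[str, list]:
    findings = defaultdict(list)
    listeners = [s for s in sockets if s.state == "LISTENING" or s.proto == "UDP"]
    established = [s for s in sockets if s.state == "ESTABLISHED"]
    # 1. Sessions whose peer is outside RFC 1918 / loopback / link-local space.
    for s in established:
        if not is_internal(s.remote_ip):
            findings["external_established"].append(
                f"{s.process} {s.local_ip}:{s.local_port} <- {s.remote_ip}:{s.remote_port}")
    # 2. Listeners (on any interface) owned by a process outside the baseline.
    findings["unfamiliar_process"] = sorted(
        {s.process for s in listeners if s.process not in KNOWN_PROCESSES})
    # 3. Bound to every interface, yet every observed peer is loopback:
    #    a candidate to rebind to 127.0.0.1 or to block at the host firewall.
    for s in listeners:
        if s.local_ip not in ("0.0.0.0", "::"):
            continue
        peers = {e.remote_ip for e in established
                 if e.process == s.process and e.local_port == s.local_port}
        if peers and all(ipaddress.ip_address(p).is_loopback for p in peers):
            findings["loopback_only_service"].append(f"{s.process} {s.local_ip}:{s.local_port}")
    # 4. CLOSE_WAIT: the peer closed, the local process has not. A hygiene
    #    signal (leaked sockets), not by itself an intrusion indicator.
    for proc, n in Counter(s.process for s in sockets if s.state == "CLOSE_WAIT").items():
        findings["close_wait"].append(f"{proc}: {n}")
    return dict(findings)

if __name__ == "__main__":
    for category, items in triage(parse_netstat(SAMPLE)).items():
        print(category, items)
```

Run against the sample, the rules reproduce the thread's reading of the listing: the only session with a non-RFC 1918 peer is the Terminal Services connection from 66.245.216.179, IDUServ.exe and ccproxy.exe are the listeners outside the baseline, IDUServ.exe listens on 0.0.0.0:2804 while its only client is iptray.exe on loopback, and mmc.exe holds the one CLOSE_WAIT socket. Feed it a real `netstat -anb` capture (run as administrator) rather than the sample to triage your own host; the listing must be taken from the host itself, so the rootkit caveat above applies to its input as much as to netstat.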

