Security Basics mailing list archives

RE: ghostly mail ports


From: Security Newsletters-TM <SecurityNewsletters.tm () telus com>
Date: Fri, 10 Jan 2003 14:57:35 -0500

Hi Joe; 

It does sound like there IS a mail server. Try doing a 'netstat' on the
command line and seeing if the ports are truly bound. Don't forget, many
trojans and viruses can deliver such a piece of hidden background software,
so scan your system regularly!

One port, SMTP (25), is for other computers to connect to for sending mail
(SMTP).
The other one (110) is for other computers to connect to to retrieve the mail
(POP3).

This is normal, 
but then again, nothing on Winblows ever is. 

-Patrick Best


-----Original Message-----
From: joe [mailto:joseph.beard () btopenworld com]
Sent: January 7, 2003 7:45 PM
To: security-basics () securityfocus com
Subject: ghostly mail ports


Hi, I'm new to security and this is my first post, so be gentle :)

I have a fairly good understanding of the TCP/IP model and I think I
understand what ports are for! But I can't understand that on my box, I have
the 2 default mail ports (25 and 110) open. It's a Windows 2000 box, service
pack three. I'm pretty sure I'm not running a mail server of any description.

The ports appear in both ScanLine and SuperScan, e.g.

C:\>sl -bht 1-1000 192.168.0.1
ScanLine (TM) 1.01
Copyright (c) Foundstone, Inc. 2002
http://www.foundstone.com

Scan of 1 IP started at Wed Jan 08 00:36:51 2003

-----------------------------------------------------------------------------
192.168.0.1
Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: No
TCP ports: 25 110 135 139 445


-----------------------------------------------------------------------------

Scan finished at Wed Jan 08 00:37:09 2003

1 IP and 1000 ports scanned in 0 hours 0 mins 18.16 secs

but in netstat, ActivePorts, fport they don't! Does anybody know where they
have come from? I googled for ages but don't seem to be getting anywhere.



thanks

joe
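
The cross-check discussed in this thread (scanner result versus the host's own netstat listing), as an added example that is not part of either message: it parses the ScanLine "TCP ports:" line and a `netstat -an` listing and reports ports the scan saw open that have no LISTENING entry. The netstat sample is constructed and the function names are hypothetical.

```python
import re

# ScanLine result lines as quoted in the thread (trimmed).
SCAN_OUTPUT = """192.168.0.1
Responded in 0 ms.
TCP ports: 25 110 135 139 445
"""

# Constructed sample of Windows `netstat -an` output (not from the thread).
NETSTAT_OUTPUT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.0.1:139        0.0.0.0:0              LISTENING
  TCP    192.168.0.1:1045       192.168.0.5:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""


def scanned_tcp_ports(scan_text):
    """Ports listed on ScanLine's 'TCP ports:' line."""
    m = re.search(r"^TCP ports:\s*([\d ]+)$", scan_text, re.MULTILINE)
    return {int(p) for p in m.group(1).split()} if m else set()


def listening_tcp_ports(netstat_text):
    """Local TCP ports in LISTENING state from `netstat -an`."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Expected columns: Proto, Local Address, Foreign Address, State
        if len(fields) == 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            # rsplit keeps working for bracketed IPv6 locals such as [::]:135
            ports.add(int(fields[1].rsplit(":", 1)[1]))
    return ports


def unexplained_ports(scan_text, netstat_text):
    """Ports the scan saw open that the host's listener table lacks."""
    return sorted(scanned_tcp_ports(scan_text) - listening_tcp_ports(netstat_text))


if __name__ == "__main__":
    for port in unexplained_ports(SCAN_OUTPUT, NETSTAT_OUTPUT):
        print(f"port {port}: open to the scanner, no LISTENING entry in netstat")
```
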



