Security Basics mailing list archives

Re: What does this mean?


From: Adnan Ali <call_ret () yahoo com>
Date: Wed, 28 Apr 2004 05:56:16 -0700 (PDT)


--- Dedric Ramsey - Ramsey Consulting Svcs
<ramseycs () bellsouth net> wrote:

Adnan Ali wrote:


Active Connections:
Proto  Local Addr    Foreign Addr     State 
============================================

TCP    0.0.0.0:135   0.0.0.0:0        LISTENING

This is used for NetBIOS

ok



TCP    0.0.0.0:445   0.0.0.0:0        LISTENING

So is this port.

SMB used for file sharing?


TCP    0.0.0.0:1026  0.0.0.0:0        LISTENING

TCP    0.0.0.0:1027  0.0.0.0:0        LISTENING

These two seem normal as well, the same with ports 135, 445, 1025/UDP
shown below.


Let me say I feel uncomfortable about these open ports
as these are unprivileged ports listening for
connection requests. Using tcpview I found that one of
them is being used by lsass.exe (IPSec?) along with
port 500. That's alright, what about the other port?

Let me give you my output from tcpview today:
(Some ports have changed, lsass.exe is now listening
on a different port. 500 is standard, but above 1023
it is picking up any port at random. Should have been
assigned a fixed port!)



lsass.exe:228   UDP     0.0.0.0:1027    *:*             

lsass.exe:228   UDP     172.20.4.76:500 *:*

-----Fine, being used by lsass.exe (ISAKMP). 
        

        

MsgSys.EXE:828  UDP     0.0.0.0:38037   *:*             

-----As you said, this is AMS.



MSTask.exe:612  TCP     0.0.0.0:1057    0.0.0.0:0 LISTENING     


-----Another of MS autostartup applications



services.exe:216 UDP    0.0.0.0:1041    *:*

------What should this be?



svchost.exe:388 TCP     0.0.0.0:135     0.0.0.0:0       LISTENING       


svchost.exe:388 UDP     0.0.0.0:135     *:*             

System:8        TCP     0.0.0.0:445     0.0.0.0:0       LISTENING       


System:8        UDP     0.0.0.0:445     *:*             

------alright as you said.



winlogon.exe:184 UDP    0.0.0.0:1053    *:*

-----windows logon ?



System:8        TCP     0.0.0.0:1069    0.0.0.0:0       LISTENING       


------Now what about this port? I just can't figure
out what this is being used for. Any explanations?




UDP    0.0.0.0:135            *:*                 
  
UDP    0.0.0.0:445            *:*                 
  
UDP    0.0.0.0:1025           *:*                 
  
UDP    0.0.0.0:38037          *:*

As for this port, Google led me to this site 

(http://www.ncsu.edu/it/antivirus/install/FireWall-Ports.html),
which says:

Msgsys
Msgsys is an Alert Management System (AMS) process for generating and
sending configured AMS alerts. Msgsys communications uses port 38037 and
38292 for both TCP and UDP communication.

Are you running any Symantec Products, specifically one of their AV
lines, or Firewalls?

UDP    172.20.4.76:500        *:*                 
  

This is used for ISAKMP (Internet Security Association and Key
Management Protocol), so there shouldn't be anything to worry about there
either. It's just there since Windows 2000 supports IPSec.

I get this output even when I am running no network
application on the machine.

Of course, this all seems quite suspicious. 

Can somebody please help me figure out what is going
on? At least find the respective applications listening
on various ports?

Thanks and best regards,

So to me, with just the information you've provided, nothing is out of
the ordinary. Of course, if it makes you feel better, point Nmap or
something similar at it and see what you find. Same with your AV
scanner of choice. (Trend Micro has a nice web based one on their site,
as does Panda, although I've never used theirs.)

Take care,

-- 
Dedric Ramsey
Ramsey Consulting Services
770.826.8008




Thanks for all your help.
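As an added example (not part of this thread), a short Python triage script that parses tcpview rows like the ones quoted above, labels the listeners the thread already accounts for (135, 445, 500, 38037), and lists the remaining ones, the dynamic ports above 1023 such as 1041, 1053 and 1069, whose owning process still has to be justified. The KNOWN table, the sample rows and the 0.0.0.0 "all interfaces" check are this example's own additions.

```python
import re
# Listeners the thread accounts for (reference table written for this example, not tcpview output).
KNOWN = {
    ("TCP", 135): "MS RPC endpoint mapper", ("UDP", 135): "MS RPC endpoint mapper",
    ("TCP", 445): "SMB file sharing", ("UDP", 445): "SMB file sharing",
    ("UDP", 500): "ISAKMP (IPsec key exchange)",
    ("UDP", 38037): "Alert Management System (AMS) alerts",
}
# One tcpview row: "<process>:<pid> <proto> <local> <remote> [<state>]".  The gap after the
# pid is sometimes lost in archived output ("services.exe:216UDP"), hence the \s* there.
ROW = re.compile(r"^(?P<proc>\S+?):(?P<pid>\d+)\s*(?P<proto>TCP|UDP)\s+"
                 r"(?P<local>\S+)\s+(?P<remote>\S+)\s*(?P<state>\S*)$")
# Rows taken from the tcpview listing quoted in this thread (constructed test input).
SAMPLE = """\
lsass.exe:228   UDP     0.0.0.0:1027    *:*
lsass.exe:228   UDP     172.20.4.76:500 *:*
MsgSys.EXE:828  UDP     0.0.0.0:38037   *:*
MSTask.exe:612  TCP     0.0.0.0:1057    0.0.0.0:0 LISTENING
services.exe:216UDP     0.0.0.0:1041    *:*
svchost.exe:388 TCP     0.0.0.0:135     0.0.0.0:0       LISTENING
svchost.exe:388 UDP     0.0.0.0:135     *:*
System:8        TCP     0.0.0.0:445     0.0.0.0:0       LISTENING
System:8        UDP     0.0.0.0:445     *:*
winlogon.exe:184UDP     0.0.0.0:1053    *:*
System:8        TCP     0.0.0.0:1069    0.0.0.0:0       LISTENING
""".splitlines()

def triage(lines):
    """Return (process, proto, port, address, verdict) for every listening socket."""
    result = []
    for line in lines:
        m = ROW.match(line.strip())
        if not m or (m["proto"] == "TCP" and m["state"] != "LISTENING"):
            continue  # unparsable row, or a TCP socket that is not a listener
        addr, port = m["local"].rsplit(":", 1)
        port = int(port)
        desc = KNOWN.get((m["proto"], port))
        if desc:
            verdict = "known: " + desc
        elif port >= 1024:
            verdict = "review: dynamic port, confirm why %s needs it" % m["proc"]
        else:
            verdict = "review: privileged port with no known service"
        if addr == "0.0.0.0":
            verdict += "; bound to all interfaces"
        result.append((m["proc"], m["proto"], port, addr, verdict))
    return result

def unexplained(lines):
    # Just the (process, proto, port) triples the reader still has to account for.
    return [(p, pr, port) for p, pr, port, _, v in triage(lines) if v.startswith("review")]
```

Running unexplained(SAMPLE) leaves exactly the five dynamic-port rows the thread could not explain; feed it fresh tcpview output and the same list is the to-do list for the next look.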

 


        
                
