Security Basics mailing list archives
Re: What does this mean?
From: Adnan Ali <call_ret () yahoo com>
Date: Wed, 28 Apr 2004 05:56:16 -0700 (PDT)
--- Dedric Ramsey - Ramsey Consulting Svcs <ramseycs () bellsouth net> wrote:
> Adnan Ali wrote:
>> Active Connections:
>>
>>   Proto  Local Addr      Foreign Addr    State
>>   ============================================
>>   TCP    0.0.0.0:135     0.0.0.0:0       LISTENING
>
> This is used for NetBIOS

ok

>>   TCP    0.0.0.0:445     0.0.0.0:0       LISTENING
>
> So is this port.

smb used for filesharing?

>>   TCP    0.0.0.0:1026    0.0.0.0:0       LISTENING
>>   TCP    0.0.0.0:1027    0.0.0.0:0       LISTENING
>
> These two seem normal as well, the same with ports 135,445,1025/UDP shown below.

Let me say I feel uncomfortable about these open ports as these are unprivileged ports listening for connection requests. Using tcpview I found that one of them is being used by lsass.exe (IPSec?) along with port 500. That's alright, what about the other port?

Let me give you my output from tcpview today: (Some ports have changed, lsass.exe is now listening on a different port. 500 is standard, but above 1023 it is picking up any port at random. Should have been assigned a fixed port!)

  lsass.exe:228     UDP  0.0.0.0:1027      *:*
  lsass.exe:228     UDP  172.20.4.76:500   *:*
  -----Fine, being used by lsass.exe (ISAKMP).
  MsgSys.EXE:828    UDP  0.0.0.0:38037     *:*
  -----As you said, this is AMS.
  MSTask.exe:612    TCP  0.0.0.0:1057      0.0.0.0:0  LISTENING
  -----Another of MS autostartup applications
  services.exe:216  UDP  0.0.0.0:1041      *:*
  ------What should this be?
  svchost.exe:388   TCP  0.0.0.0:135       0.0.0.0:0  LISTENING
  svchost.exe:388   UDP  0.0.0.0:135       *:*
  System:8          TCP  0.0.0.0:445       0.0.0.0:0  LISTENING
  System:8          UDP  0.0.0.0:445       *:*
  ------alright as you said.
  winlogon.exe:184  UDP  0.0.0.0:1053      *:*
  -----windows logon ?
  System:8          TCP  0.0.0.0:1069      0.0.0.0:0  LISTENING
  ------Now what about this port? I just can't figure out what this is being used for. Any explanations?

>>   UDP    0.0.0.0:135     *:*
>>   UDP    0.0.0.0:445     *:*
>>   UDP    0.0.0.0:1025    *:*
>>   UDP    0.0.0.0:38037   *:*
>
> As for this port, Google led me to this site
> (http://www.ncsu.edu/it/antivirus/install/FireWall-Ports.html),
> which says:
>
>   Msgsys
>   Msgsys is an Alert Management System (AMS) process for generating and
>   sending configured AMS alerts. Msgsys communications uses port 38037
>   and 38292 for both TCP and UDP communication.
>
> Are you running any Symantec Products, specifically one of their AV lines, or Firewalls?
>
>>   UDP    172.20.4.76:500 *:*
>
> This is used for ISAKMP (Internet Security Association and Key Management Protocol), so there shouldn't be anything to worry about there either. It's just there since Windows 2000 supports IPSec.
>
>> I get this output even when I am running no network application on the machine. Of course, this all seems quite suspicious. Can somebody please help me figure out what is going on? At least find the respective applications listening on various ports.??
>>
>> Thanks and best regards,
>
> So to me, with just the information you've provided, nothing is out of the ordinary. Of course, if it makes you feel better, point Nmap or something similar at it and see what you find. Same with your AV scanner of choice. (Trend Micro has a nice web based one on their site, as does Panda, although I've never used theirs)
>
> Take care,
> --
> Dedric Ramsey
> Ramsey Consulting Services
> 770.826.8008

Thanks for all your help.
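
Added example, not part of the original message or thread: a small parser for tcpview-style lines like those in the listing above, which groups endpoints by owning process and separates the ports the thread identifies (135, 445, 500, 38037) from wildcard-bound dynamic ports that still need an explanation. The sample lines are taken from the listing; the `KNOWN` map and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Ports identified in the thread. Names for 135/445/500 are the IANA service
# names; 38037 is the Msgsys AMS port quoted in the message.
KNOWN = {135: "epmap", 445: "microsoft-ds", 500: "isakmp", 38037: "Msgsys AMS"}

# process:pid, protocol, local addr:port (tolerates a missing space after the pid)
LINE = re.compile(r"^(?P<proc>[\w.]+):(?P<pid>\d+)\s*(?P<proto>TCP|UDP)\s+"
                  r"(?P<addr>[\d.]+):(?P<port>\d+)\s")

SAMPLE = """\
lsass.exe:228 UDP 0.0.0.0:1027 *:*
lsass.exe:228 UDP 172.20.4.76:500 *:*
MsgSys.EXE:828 UDP 0.0.0.0:38037 *:*
MSTask.exe:612 TCP 0.0.0.0:1057 0.0.0.0:0 LISTENING
services.exe:216 UDP 0.0.0.0:1041 *:*
svchost.exe:388 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
svchost.exe:388 UDP 0.0.0.0:135 *:*
System:8 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
System:8 UDP 0.0.0.0:445 *:*
winlogon.exe:184 UDP 0.0.0.0:1053 *:*
System:8 TCP 0.0.0.0:1069 0.0.0.0:0 LISTENING
"""

def parse(text):
    """Yield (process, pid, proto, addr, port) for each endpoint line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield (m["proc"], int(m["pid"]), m["proto"], m["addr"], int(m["port"]))

def inventory(text):
    """Split endpoints per process into identified ports and ports to review."""
    known, review = defaultdict(list), defaultdict(list)
    for proc, pid, proto, addr, port in parse(text):
        entry = f"{proto}/{port}"
        if port in KNOWN:
            known[proc].append(f"{entry} ({KNOWN[port]})")
        elif addr == "0.0.0.0" and port > 1023:
            review[proc].append(entry)  # wildcard bind on a dynamic port
    return dict(known), dict(review)

if __name__ == "__main__":
    known, review = inventory(SAMPLE)
    for proc, ports in sorted(review.items()):
        print(f"review {proc}: {', '.join(ports)}")
```
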
Current thread:
- What does this mean? Adnan Ali (Apr 26)
- Re: What does this mean? Bryan Ware (Apr 26)
- RE: What does this mean? David Gillett (Apr 26)
- Re: What does this mean? Ansgar -59cobalt- Wiechers (Apr 27)
- Re: What does this mean? Dedric Ramsey - Ramsey Consulting Svcs (Apr 26)
- Re: What does this mean? Ansgar -59cobalt- Wiechers (Apr 27)
- Re: What does this mean? Adnan Ali (Apr 28)
- RE: What does this mean? Jason Haith (Apr 26)
- <Possible follow-ups>
- RE: What does this mean? Bénoni MARTIN (Apr 26)
- RE: What does this mean? Adnan Ali (Apr 28)
- Re: What does this mean? Adnan Ali (Apr 28)
- RE: What does this mean? Adnan Ali (Apr 28)
- RE: What does this mean? David Gillett (Apr 28)
- RE: What does this mean? Adnan Ali (Apr 30)