Security Basics mailing list archives

Re: Out of my league.....


From: Daniel Bruce Lynes <dlynes () cwazy co uk>
Date: Thu, 8 Jan 2004 12:57:35 -0800

On Wednesday 07 January 2004 13:16, Jeff Johnson wrote:

> (therefore, the firewall catches and logs them).  These blocks come with
> the message Block host "" internet access, and are typically using ports
> 139 & 445.  Looked suspicious, so, I ran an fport scan on the server, and
> it did show ports 139 & 445 open, but, shows that the Pid is 8 (the
> system).....Also did some ethereal scan of the network, and it does show
> that the server is trying to access this specific external ip address.

Nothing wrong there.  I wouldn't allow 139 or 445 outside of the network, 
either.  They're used by Windows' network neighborhood.  However, if you're 
running a mainly Windows network, you want to keep these ports open usually, 
or Network Neighborhood will no longer work.

> My question is (kudos if you've patiently read everything so far), how do I
> find out what this process is that is trying to do these accesses, or am I
> being overly paranoid.  As you can most likely tell from this, I'm not the

There's a freeware(?) program I believe available on download.com or somewhere 
else for Windows that allows you to see what programs are attached to port 
numbers.  I don't generally use Windows, or I'd be able to give you a 
download URL and name for it.  But, I remember that it does exist.  There was 
mention of it in Sys Admin magazine a while back, when they were talking 
about the '-p' switch for the Linux netstat command.
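
The port-to-process lookup discussed in this thread, as an added example that is not part of the original messages: it parses output in the layout of Linux `netstat -tnp` (the '-p' switch mentioned above) and lists connections to ports 139/445 at addresses outside the local ranges, together with the owning PID. The sample output, the addresses in it, and the list of internal ranges are constructed assumptions.

```python
import ipaddress

# Ports used by Windows file sharing (NetBIOS session service and SMB over TCP).
SMB_PORTS = {139, 445}

# Assumption: these ranges count as "inside"; adjust to the local addressing plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample in the layout printed by Linux `netstat -tnp`.
SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.10:22         192.168.1.50:51234      ESTABLISHED 812/sshd
tcp        0      1 192.168.1.10:40112      203.0.113.77:445        SYN_SENT    2301/smbclient
tcp        0      0 192.168.1.10:40120      192.168.1.20:445        ESTABLISHED 2310/mount.cifs
tcp        0      1 192.168.1.10:40130      203.0.113.77:139        SYN_SENT    -
"""


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def outbound_smb(netstat_text):
    """Return (remote_ip, remote_port, pid, program) for SMB connections leaving the LAN."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[0].startswith("tcp"):
            continue  # banner, header, or non-TCP line
        remote_ip, _, remote_port = fields[4].rpartition(":")
        if not remote_port.isdigit() or int(remote_port) not in SMB_PORTS:
            continue
        if is_internal(remote_ip):
            continue
        # Last column is "PID/Program name", or "-" when netstat lacked the
        # privileges to see the owner (run it as root to fill this in).
        pid, _, program = fields[6].partition("/")
        hits.append((remote_ip, int(remote_port),
                     int(pid) if pid.isdigit() else None, program or None))
    return hits


if __name__ == "__main__":
    for ip, port, pid, prog in outbound_smb(SAMPLE):
        print(f"{ip}:{port} owned by pid={pid} program={prog}")
```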
