Security Basics mailing list archives

Re: What does this mean?

From: Dedric Ramsey - Ramsey Consulting Svcs <ramseycs () bellsouth net>
Date: Mon, 26 Apr 2004 14:21:14 -0400


Adnan Ali wrote:

Active Connections:
Proto Local Addr Foreign Addr State============================================
TCP    0.0.0.0:135   0.0.0.0:0        LISTENING


This is used for NetBIOS


TCP    0.0.0.0:445   0.0.0.0:0        LISTENING


So is this port.

TCP    0.0.0.0:1026  0.0.0.0:0        LISTENING

TCP    0.0.0.0:1027  0.0.0.0:0        LISTENING

These two seem normal as well, the same with ports 135,445,1025/UDPshown below.

UDP 0.0.0.0:135 *:*UDP 0.0.0.0:445 *:*UDP 0.0.0.0:1025 *:*UDP 0.0.0.0:38037 *:*

As for this port, Google led me to this site(http://www.ncsu.edu/it/antivirus/install/FireWall-Ports.html), which says:


Msgsys

Msgsys is an Alert Management System (AMS) process for generating andsending configured AMS alerts. Msgsys communications uses port 38037 and38292 for both TCP and UDP communication.

Are you running any Symantec Products, specifically one of their AVlines, or Firewalls?

UDP 172.20.4.76:500 *:*

This is used for ISAKMP (Internet Security Association and KeyManagement Protocol), so there shouldnt be anything to worry about thereeither. Its just there since Windows 2000 supports IPSec.

I get this output even when I am running no networkapplication on the machine.
Of course, this all seems quite suspicious.
Can somebody please help me figure out what is going
on? At least find the respective applications
listening
on various ports.??

Thanks and best regards,

So to me, with just the information you've provided, nothing is out ofthe ordinary. Of course, if it makes you feel better, point Nmap orsomething similar at it and see what you find. Same with your AVscanner of choice. (Trend Micro has a nice web based one on their site,as does Panda, although Ive never used theirs)


Take care,

--
Dedric Ramsey
Ramsey Consulting Services
770.826.8008


---------------------------------------------------------------------------

Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 offany course! All of our class sizes are guaranteed to be 10 students or lessto facilitate one-on-one interaction with one of our expert instructors.Attend a course taught by an expert instructor with years of in-the-fieldpen testing experience in our state of the art hacking lab. Master the skillsof an Ethical Hacker to better assess the security of your organization.Visit us at:http://www.infosecinstitute.com/courses/ethical_hacking_training.html

----------------------------------------------------------------------------

Current thread:

What does this mean? Adnan Ali (Apr 26)
- Re: What does this mean? Bryan Ware (Apr 26)
- RE: What does this mean? David Gillett (Apr 26)
  - Re: What does this mean? Ansgar -59cobalt- Wiechers (Apr 27)
- Re: What does this mean? Dedric Ramsey - Ramsey Consulting Svcs (Apr 26)
  - Re: What does this mean? Ansgar -59cobalt- Wiechers (Apr 27)
  - Re: What does this mean? Adnan Ali (Apr 28)
- RE: What does this mean? Jason Haith (Apr 26)
- <Possible follow-ups>
- RE: What does this mean? Bénoni MARTIN (Apr 26)
  - RE: What does this mean? Adnan Ali (Apr 28)
- Re: What does this mean? Adnan Ali (Apr 28)
- RE: What does this mean? Adnan Ali (Apr 28)
- RE: What does this mean? David Gillett (Apr 28)
- RE: What does this mean? Adnan Ali (Apr 30)