Security Basics mailing list archives

Re: Why do all of my win2sp4 machines have port 110 open?


From: Kirk Schafer <infosec-capital () rainswept com>
Date: Thu, 14 Oct 2004 11:57:08 -0500

The latest versions of Symantec's Antivirus implement worm detection. If you're using the Symantec/Norton Antivirus (Corporate, Personal, or Enterprise), this is your "problem". In this case, the computers you are scanning do NOT have port 110 open, rather, it's YOUR computer. SAV/NAV is locally intercepting your request to open that port. I noticed this behavior right after rolling out SAV EE 9.

There are at least two ways to verify this for yourself:
1) Temporarily disable SAV/NAV on the computer you are scanning FROM, then again scan the computer (or telnet). Unless it's actually open, you shouldn't see port 110 at the destination, and telnet will fail.
2) Use a port scanner that implements its own sockets.

As a side effect, I've just pointed out a chink in Symantec's armor. Please post back to this list what you find.

Best regards,
Kirk Schafer

Bowes, Ronald (EST) wrote:

There's a program called FPort from www.foundstone.com which can tell you
which service or program is using a port:

C:\Documents and Settings\RBowes\Desktop>fport
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
1044  svchost        ->  135   TCP   C:\WINDOWS\system32\svchost.exe
4     System         ->  139   TCP
4     System         ->  445   TCP
532   rcHost         ->  798   TCP   C:\Program Files\CA\Unicenter Remote Control\rcHost.exe
[.....]

Grab that, run it, and see what's listening on TCP 110.



Ron Bowes
Information Protection Centre
Government Of Manitoba

-----Original Message-----
From: waters [mailto:realized () gmail com]
Sent: Tuesday, October 12, 2004 9:27 PM
To: security-basics () securityfocus com
Subject: Why do all of my win2sp4 machines have port 110 open?

When I telnet to port 110, I connect, then get disconnected
right away. Norton with updated def files and HouseCall (Trend Micro)
report nothing, and no trojans were found via the two either.

Is this normal?

I am using a network security scanner, and so far 4/34 Windows
machines, the only 4 it has scanned so far, all have something on port
110.

How can I find out what's going on?

netstat and tcpview (
http://www.sysinternals.com/ntw2k/source/tcpview.shtml ) show nothing
on 110 either.



--

___________________________________________________
Kirk Schafer

Infosec Capital - Your Information Security Asset
308 East Broadway Ave, PO Box 1851
Fairfield, IA 52556
641-919-1783 (mobile)

http://www.infosec-capital.com
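The first verification step above (connect to port 110 with ordinary OS sockets and watch whether you get a real POP3 greeting, an immediate disconnect, or a refusal) can be scripted so the same probe is repeated with the local antivirus enabled and disabled. The following is an added example written for this archive page; it is not code from any of the posters, from Symantec or from Foundstone. The listeners it probes are constructed loopback stand-ins (a fake "+OK" greeter and an accept-then-close socket) so the script runs offline; the port numbers, the classification labels and the function names are assumptions of this example.

```python
"""
Classify what answers on a TCP port with a plain OS socket, the way the
telnet test in the thread does, so that a real POP3 listener can be told
apart from an 'accept then drop' answer produced by something on the
scanning host itself.  Added example; not code from the original thread.
"""
import socket
import threading

POP3_PORT = 110  # the port discussed in the thread; the lab below uses loopback ports


def probe_pop3(host, port, timeout=3.0):
    """Connect with an ordinary TCP socket and classify the outcome.

    Returns one of:
      'closed'                 connect refused, unreachable or timed out
      'pop3'                   peer greeted us with a POP3 '+OK' banner
      'other-banner'           peer sent data, but not a POP3 greeting
      'silent'                 peer accepted but sent nothing before timeout
      'dropped-after-connect'  peer accepted and closed at once with no banner:
                               the 'connect then get disconnected right away'
                               symptom from the original question
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except OSError:               # ECONNREFUSED, ETIMEDOUT, EHOSTUNREACH, ...
        s.close()
        return "closed"
    try:
        data = s.recv(256)
    except socket.timeout:        # must precede OSError (it is a subclass)
        return "silent"
    except OSError:               # RST right after the handshake
        return "dropped-after-connect"
    finally:
        s.close()
    if not data:                  # clean EOF immediately after connect
        return "dropped-after-connect"
    if data.startswith(b"+OK"):
        return "pop3"
    return "other-banner"


def _loopback_listener(send_banner):
    """Constructed lab listener, NOT a real POP3 server: accepts one connection,
    then either sends a POP3-style greeting or closes immediately, and exits."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))    # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        if send_banner:
            conn.sendall(b"+OK POP3 lab server ready\r\n")
        conn.close()              # without a banner this is the 'drop' symptom
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def _free_port():
    """A loopback port with no listener at all, for the 'closed' case."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def run_lab():
    """Probe the three constructed cases and return their classifications."""
    return {
        "pop3":   probe_pop3("127.0.0.1", _loopback_listener(send_banner=True)),
        "drop":   probe_pop3("127.0.0.1", _loopback_listener(send_banner=False)),
        "closed": probe_pop3("127.0.0.1", _free_port()),
    }


if __name__ == "__main__":
    for name, verdict in run_lab().items():
        print(f"{name:7s} -> {verdict}")
```

To apply the thread's check against real hosts, call probe_pop3(target, POP3_PORT) from the scanning machine once with SAV/NAV running and once with it disabled; a verdict that flips from 'dropped-after-connect' to 'closed' points at the scanner's own host, not the target. A useful control is an address that cannot possibly run POP3, for example one in the RFC 5737 documentation range 192.0.2.0/24: if even that "connects" on 110, the answer is coming from the local machine. The second verification method in the post (a scanner with its own socket implementation, such as a raw SYN scan) is not shown here because it needs raw-socket privileges.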

