Security Basics mailing list archives
Re: Why do all of my win2sp4 machines have port 110 open?
From: Kirk Schafer <infosec-capital () rainswept com>
Date: Thu, 14 Oct 2004 11:57:08 -0500
The latest versions of Symantec's Antivirus implement worm detection. If you're using the Symantec/Norton Antivirus (Corporate, Personal, or Enterprise), this is your "problem". In this case, the computers you are scanning do NOT have port 110 open; rather, it's YOUR computer. SAV/NAV is locally intercepting your request to open that port. I noticed this behavior right after rolling out SAV EE 9.
There are at least two ways to verify this for yourself:

1) Temporarily disable SAV/NAV on the computer you are scanning FROM, then again scan the computer (or telnet). Unless it's actually open, you shouldn't see port 110 at the destination, and telnet will fail.
2) Use a port scanner that implements its own sockets

As a side effect, I've just pointed out a chink in Symantec's armor. Please post back to this list what you find.

Best regards,
Kirk Schafer

Bowes, Ronald (EST) wrote:
There's a program called FPort from www.foundstone.com which can tell you which service or program is using a port:

    C:\Documents and Settings\RBowes\Desktop>fport
    FPort v2.0 - TCP/IP Process to Port Mapper
    Copyright 2000 by Foundstone, Inc.
    http://www.foundstone.com

    Pid   Process      Port  Proto Path
    1044  svchost  ->  135   TCP   C:\WINDOWS\system32\svchost.exe
    4     System   ->  139   TCP
    4     System   ->  445   TCP
    532   rcHost   ->  798   TCP   C:\Program Files\CA\Unicenter Remote Control\rcHost.exe
    [.....]

Grab that, run it, and see what's listening on TCP 110.

Ron Bowes
Information Protection Centre
Government Of Manitoba

-----Original Message-----
From: waters [mailto:realized () gmail com]
Sent: Tuesday, October 12, 2004 9:27 PM
To: security-basics () securityfocus com
Subject: Why do all of my win2sp4 machines have port 110 open?

When I telnet to that port on 110, I connect then get disconnected right away. Norton with updated def files and housecall (trendmicro) reports nothing, and no trojans were also found via the two. Is this normal? I am using a network security scanner and so far 4/34 windows machines, the only 4 it scanned so far, all have something on port 110. How can I find out what's going on? netstat and tcpview ( http://www.sysinternals.com/ntw2k/source/tcpview.shtml ) show nothing on 110 either.
--
___________________________________________________
Kirk Schafer
Infosec Capital - Your Information Security Asset
308 East Broadway Ave, PO Box 1851
Fairfield, IA 52556
641-919-1783 (mobile)
http://www.infosec-capital.com
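
A scripted form of the telnet check discussed in this thread, as an added example that is not part of the original posts: it separates "the TCP connect succeeded" from "a POP3 service answered", since a POP3 server sends a "+OK" greeting first (RFC 1939). It assumes an intercepted connection is accepted and then dropped with no greeting, as in the original poster's telnet session; it still uses the operating system's sockets, so it does not bypass local interception, and the loopback listeners and function names are constructed for the demo.

```python
import socket
import threading

def classify_pop3_port(host, port, timeout=3.0):
    """Return 'closed', 'pop3', 'no-greeting' or 'other-service'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"                 # refused, unreachable or timed out
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(512)       # a POP3 server speaks first
        except OSError:                 # timeout or reset while waiting
            data = b""
    if not data:
        return "no-greeting"            # accepted, then silence or an immediate close
    # RFC 1939: the server greeting is a line beginning with "+OK"
    return "pop3" if data.startswith(b"+OK") else "other-service"

def start_listener(greeting):
    """Constructed loopback listener for the demo: sends `greeting`, then closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                if greeting:
                    conn.sendall(greeting)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def unused_port():
    """Constructed helper: a loopback port with nothing listening on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    samples = {
        "real POP3 service": start_listener(b"+OK POP3 server ready\r\n"),
        "accept-then-drop": start_listener(b""),
        "nothing listening": unused_port(),
    }
    for label, port in samples.items():
        print(f"{label:18} -> {classify_pop3_port('127.0.0.1', port)}")
```

A "no-greeting" result for many unrelated hosts from one scanning machine, while the same hosts read "closed" from a second machine, points at the scanning machine rather than the targets.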