Firewall Wizards mailing list archives
Trojan detection and open ports
From: Thomas Ray <thomas.ray () tcud state tx us>
Date: Fri, 7 Sep 2001 13:06:39 -0500
- I just ran the Languard scanner on my box and network behind our Raptor and it finds this: port 135 [epmap => DCE endpoint resolution] on our Domain server and on our webserver (both non-firewall servers), which both run NT4sp6.

- It also finds it on my Win2k box as well as on a Win95 box. The only similarity between these two is that port 139 (NetBIOS) is also open. I also run the only Win2k box in our small office setup; all other systems run Win95. The other systems don't have port 135. This Win95 box acts as a "faxserver", which may explain why it has port 135 open, after you read the following info.

- A quick search through M$ Technet finds only the following: port 135 is a "well-known" port assigned by IANA (per M$).
      Its service name is ....... epmap
      Its alias is .............. loc-srv
      Uses TCP and UDP

  Searching on M-slug's website finds this paper:
  http://www.microsoft.com/WINDOWS2000/techinfo/reskit/en/CNET/cnad_arc_plgn.htm

  DCE = Distributed Computing Environment (aka RPC - Remote Procedure Call). If I check the description in Services for Remote Procedure Call, I find: "Provides the endpoint mapper and other miscellaneous RPC services."
The other ports you mentioned are not shown in the list here -->
http://www.microsoft.com/WINDOWS2000/techinfo/reskit/samplechapters/cnfc/cnfc_por_zqyu.asp

This website says this: http://www.neohapsis.com/neolabs/neo-ports/neo-ports.html
      135   tcp  epmap               DCE endpoint resolution
      135   tcp  loc-srv             NCS local location broker
      135   udp  epmap               DCE endpoint resolution
      port 5053 not listed
      7000  tcp  ExploitTranslation  [trojan] Exploit Translation Server
      7000  tcp  afs3-fileserver     file server itself  msdos
      7000  udp  afs3-fileserver     file server itself

This website says this: www.portsdb.org
      port 135  (we already know)
      port 5053 not listed
      port 7000 http://www.portsdb.org/bin/portsdb.cgi?portnumber=7000&protocol=ANY&String=

      Ports        Prot  Name             Category / Source  Details
      7000 - 7003  TCP   EverQuest        User               EverQuest MMORPG (Massive Multiplayer Online Role Playing Game)
      7000         TCP   Bricktrace       Daemon, System     Daemon running on a Bintec Brick router, which sends debugging information (i.e. all data sent over the bri-lines) to a client.
      7000         TCP   afs3-fileserver  IANA               file server itself
      7000         UDP   Remote Grab      Cracker            Remote Grab Trojan
      7000         UDP   afs3-fileserver  IANA               file server itself

Hope this little bit of info helps,
tom
From: "Philip J. Koenig" <pjklist () ekahuna com>
To: firewall-wizards () nfr com
Date: Fri, 7 Sep 2001 02:06:57 -0700
Subject: [fw-wiz] Trojan detection and open ports

Have a client whose laptop was recently infected by the new Magistr.B virus. In investigating this problem, I noticed that this machine (Win98SE) had some mysterious open ports, in particular:
      135:  TCP
      5053: TCP
      7000: TCP
      7000: UDP

135 I remember from somewhere as normal (a NetBIOS thing?), but lists I have call it "DCE endpoint resolution", which doesn't make any sense to me. None of the trojan port lists I reviewed showed anything on 5053, and 7000 is used by SubSeven, among others. Using a trojan scanner didn't turn up anything. Anyone have any ideas what might be keeping those ports open?

Lastly - I was hoping to find some sort of tool that would scan for common open ports used by trojan programs, but the only anti-trojan tools I seem to be able to easily find are ones that run on the local PC. Any pointers to something that works like the various DDoS zombie scanners or the eEye CodeRed scanner?

Thanks,
Phil
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
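The thread asks what to make of a scanner showing 135, 5053 and 7000 open, and whether a scan for trojan ports can be run from the network side. The script below is an added example, not code from this thread or from Languard: it parses scanner output, subtracts a per-role baseline of expected listeners (the baselines, host names, role names and the "<host> <port>/<proto> open" line format are assumptions), and annotates what remains using the port-list entries quoted above.

```python
import re
from collections import defaultdict

# Expected listeners per host role (an assumption for illustration): RPC endpoint
# mapper 135/tcp and NetBIOS 139/tcp on NT4/Win2k servers, NetBIOS only on Win95.
BASELINE = {
    "domain-server": {("tcp", 135), ("tcp", 139)},
    "webserver": {("tcp", 80), ("tcp", 135), ("tcp", 139)},
    "workstation": {("tcp", 139)},
}

# (label, suspicious) per port, from the port lists quoted in the thread.
PORT_INFO = {
    ("tcp", 135): ("epmap / DCE endpoint mapper (RPC)", False),
    ("tcp", 7000): ("afs3-fileserver; also listed as ExploitTranslation trojan", True),
    ("udp", 7000): ("afs3-fileserver; also listed as Remote Grab trojan", True),
}
# Accepts lines shaped like "<host> <port>/<proto> open" (constructed format).
SCAN_LINE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)\s+open\b")

def parse_scan(scan_text):
    """Group open (proto, port) pairs by host; lines that do not match are skipped."""
    seen = defaultdict(set)
    for line in scan_text.splitlines():
        m = SCAN_LINE.match(line.strip())
        if m:
            seen[m.group(1)].add((m.group(3), int(m.group(2))))
    return seen

def triage(scan_text, roles):
    """Return {host: [(proto, port, label, suspicious), ...]} for ports outside the baseline."""
    findings = {}
    for host, ports in parse_scan(scan_text).items():
        extra = ports - BASELINE[roles.get(host, "workstation")]
        findings[host] = sorted(
            (proto, port) + PORT_INFO.get((proto, port), ("unlisted", False))
            for proto, port in extra
        )
    return findings

# Constructed sample: a domain server matching its baseline, and a workstation
# showing the four ports asked about in the thread.
SAMPLE_SCAN = """\
dc1      135/tcp open
laptop1  135/tcp open
laptop1  5053/tcp open
laptop1  7000/tcp open
laptop1  7000/udp open
"""
ROLES = {"dc1": "domain-server", "laptop1": "workstation"}
```

Ports marked suspicious only mean "a port database lists a trojan on this number"; the afs3-fileserver entries on the same port show why the process owning the socket on the host still has to be identified before drawing conclusions.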