Firewall Wizards mailing list archives

Trojan detection and open ports


From: Thomas Ray <thomas.ray () tcud state tx us>
Date: Fri, 7 Sep 2001 13:06:39 -0500

-I just ran the Languard scanner on my box and network behind our Raptor and it
finds this:
    port 135 [epmap => DCE endpoint resolution]
 on our domain server and on our webserver (both non-firewall servers) that
both run NT4sp6.
-It also finds it on my win2k box as well as on a win95 box. The only
similarity between these 2 is that port 139 (NetBIOS) is also open. I also
run the only win2k box in our small office setup. All other systems run
win95. The other systems don't have port 135. This win95 box acts as a
"faxserver", which may explain why it has port 135 open after you read
the following info.
-A quick search through M$ Technet finds only the following:

Port 135 is a "well-known" port assigned by IANA (per M$).
Its service name is ....... epmap
Its alias is ............. loc-srv
It uses TCP and UDP.

Searching on M-slug's website finds this paper:
http://www.microsoft.com/WINDOWS2000/techinfo/reskit/en/CNET/cnad_arc_plgn.htm
DCE = Distributed Computing Environment   (aka RPC - Remote Procedure Call)

If I check the description in Services for Remote Procedure Call, I find:
"Provides the endpoint mapper and other miscellaneous RPC services."


The other ports you mentioned are not shown in the list here -->
http://www.microsoft.com/WINDOWS2000/techinfo/reskit/samplechapters/cnfc/cnfc_por_zqyu.asp

This website says this:
http://www.neohapsis.com/neolabs/neo-ports/neo-ports.html

135     tcp     epmap                   DCE endpoint resolution
135     tcp     loc-srv                 NCS local location broker
135     udp     epmap                   DCE endpoint resolution

port 5053 not listed

7000    tcp     ExploitTranslation      [trojan] Exploit Translation Server
7000    tcp     afs3-fileserver         file server itself  msdos
7000    udp     afs3-fileserver         file server itself

This website says this:
www.portsdb.org

port 135 (we already know)

port 5053 not listed

port 7000
http://www.portsdb.org/bin/portsdb.cgi?portnumber=7000&protocol=ANY&String=


Ports        Prot  Name               Category (Source or Submitter of the Port Details)  Details
7000 - 7003  TCP   EverQuest          User      EverQuest MMORPG (Massive Multiplayer Online Role Playing Game)
7000         TCP   Bricktrace Daemon  System    Daemon running on a Bintec Brick router, which sends debugging
                                                information (i.e. all data sent over the bri-lines) to a client.
7000         TCP   afs3-fileserver    IANA      file server itself
7000         UDP   Remote Grab        Cracker   Remote Grab Trojan
7000         UDP   afs3-fileserver    IANA      file server itself


Hope this little bit of info helps,
tom
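As an added example (not code from either post), a small script that parses the neo-ports table layout quoted above and triages the four ports from the original question, showing why a bare port number such as 7000 cannot settle the matter on its own. The sample table lines and the observed ports are taken from this thread; the classification labels are an assumption of the example.

```python
import re
from collections import defaultdict

# Constructed sample in the neo-ports layout quoted in the thread:
# port, protocol, service name, description. The list marks malware
# associations with a leading "[trojan]" tag in the description.
NEO_PORTS_SAMPLE = """\
135     tcp     epmap                   DCE endpoint resolution
135     tcp     loc-srv                 NCS local location broker
135     udp     epmap                   DCE endpoint resolution
7000    tcp     ExploitTranslation      [trojan] Exploit Translation Server
7000    tcp     afs3-fileserver         file server itself  msdos
7000    udp     afs3-fileserver         file server itself
"""

# Open ports reported in the original question, as (port, protocol).
OBSERVED = [(135, "tcp"), (5053, "tcp"), (7000, "tcp"), (7000, "udp")]

LINE_RE = re.compile(r"^(\d+)\s+(tcp|udp)\s+(\S+)\s+(.*)$")

def parse_neo_ports(text):
    """Map (port, proto) -> list of (name, description, is_trojan)."""
    table = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip headers, blank lines and anything non-tabular
        port, proto, name, desc = m.groups()
        is_trojan = desc.startswith("[trojan]")
        table[(int(port), proto)].append((name, desc.strip(), is_trojan))
    return table

def triage(observed, table):
    """Label each observed port; labels are this example's own convention."""
    results = {}
    for key in observed:
        flags = [t for _, _, t in table.get(key, [])]
        if not flags:
            results[key] = "not listed"      # e.g. 5053/tcp in the thread
        elif all(flags):
            results[key] = "trojan-only"     # every entry is a malware entry
        elif any(flags):
            results[key] = "ambiguous"       # legit service and trojan share it
        else:
            results[key] = "benign"
    return results

if __name__ == "__main__":
    table = parse_neo_ports(NEO_PORTS_SAMPLE)
    for key, label in triage(OBSERVED, table).items():
        names = ", ".join(n for n, _, _ in table.get(key, [])) or "-"
        print(f"{key[0]}/{key[1]}: {label} ({names})")
```

An "ambiguous" or "not listed" result only says the port list cannot decide; the owning process on the host still has to be identified.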



From: "Philip J. Koenig" <pjklist () ekahuna com>
To: firewall-wizards () nfr com
Date: Fri, 7 Sep 2001 02:06:57 -0700
Subject: [fw-wiz] Trojan detection and open ports

Have a client whose laptop was recently infected by the new Magistr.B 
virus.

In investigating this problem, I noticed that this machine (Win98SE) 
had some mysterious open ports, in particular:

135: TCP
5053: TCP
7000: TCP
7000: UDP

135 I remember from somewhere as normal (a NetBIOS thing?) but lists 
I have call it "DCE endpoint resolution" which doesn't make any sense 
to me.  None of the trojan port lists I reviewed showed anything on 
5053, and 7000 is used by SubSeven, among others.  Using a trojan 
scanner didn't turn up anything.

Anyone have any ideas what might be keeping those ports open?

Lastly - I was hoping to find some sort of tool that would scan for 
common open ports used by trojan programs, but the only anti-trojan 
tools I seem to be able to easily find are ones that run on the local 
PC.  Any pointers to something that works like the various DDoS 
zombie scanners or the eEye CodeRed scanner?

Thanks,
Phil

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
