Vulnerability Development mailing list archives

Re: tcp port 20445 is open after napster 2.0 beta install (win98 and winME)


From: "Jon O." <jono () MICROSHAFT ORG>
Date: Wed, 9 Aug 2000 09:00:59 -0700

It appears that we do not have enough information about this to know
exactly what we are dealing with.

First, we need the specific build number of your napster install.

Next, we need checksums on the executable to make sure we are working with
the same file and not a trojaned one downloaded from who knows where.

As far as tracking sockets and program execution, there is a tool called
Socket Spy which I have found helpful. It allows you to attach to an
executable and records all the socket calls. Also, there are some tools
called NTFilemon and NTRegmon which I have found helpful when looking for
trojans. Filemon shows the raw disk read/writes of all running
applications and Regmon shows applications' hooks into the Registry. These
are good tools every security person (dealing with MS) should know and
love.

NTFilemon/Regmon was put out by ntinternals.com but that site is now gone.

Turns out the same guys have been hard at work and created even more tools
including a socket monitor.

Find them here:
http://www.winternals.com
http://www.win-tech.com

I suggest that the person who has the Napster install with these strange
ports run these programs and provide copies of his executable to people
who would like to find out what is going on.


Thanks,
Jon

http://www.networkcommand.com

PSA: Use *BSD -- it's better.





On Wed, 9 Aug 2000, Bluefish wrote:

With beta 5, a telnet connection would offer a prompt: "[RPL2]:";
with beta 6, no prompt.  The open port remains after an uninstall.

Even after computer reboot?!?

Sounds ugly. To me it sounds very much like a backdoor, but I suppose it
could also be a broken uninstall program; failures to properly remove
applications in the Windows environment are common, and usually the
uninstall software doesn't say anything.

Anyone had any luck in determining what application/dll is causing this? I
suppose checking for "run" entries in the registry, or looking for new
active processes, could track down the offender. (does anyone know a more
scientific method to track which process has opened a port under windows?)

IMHO, this may very well be a serious vulnerability. If it isn't a
backdoor, and a vulnerability is found in the code, numerous affected
users may not upgrade because they believe they have uninstalled the
vulnerable application!

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team
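The two questions raised in this thread, which process owns a listening port and whether a "Run" key keeps it coming back after a reboot, plus Jon's request for a checksum of the executable, can be answered on modern Windows without third-party tools. The script below is an added example, not part of the archived thread or any Napster software; it assumes Windows 8 / Server 2012 or later (the Get-NetTCPConnection cmdlet did not exist on Windows 98/ME) and uses port 20445 from the subject line as its constructed default.

```powershell
# Added example: map listening TCP ports to their owning process, hash the
# executable for comparison, and list the autorun ("Run") registry entries.
# Assumes Windows 8 / Server 2012+ with the NetTCPIP module available.
param(
    [int[]]$Ports = @(20445)   # port reported in the thread; constructed default
)

# Which process is listening on each port of interest?
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $Ports -contains $_.LocalPort }

if (-not $listeners) {
    Write-Output "No listener on port(s): $($Ports -join ', ')"
}

foreach ($conn in $listeners) {
    # Win32_Process gives the image path and command line for the owning PID
    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($conn.OwningProcess)"
    $exe  = $proc.ExecutablePath
    # SHA256 of the binary lets others confirm they are looking at the same file
    $hash = if ($exe -and (Test-Path $exe)) { (Get-FileHash -Algorithm SHA256 $exe).Hash } else { 'n/a' }
    [pscustomobject]@{
        LocalPort   = $conn.LocalPort
        LocalAddr   = $conn.LocalAddress
        PID         = $conn.OwningProcess
        Name        = $proc.Name
        Executable  = $exe
        CommandLine = $proc.CommandLine
        SHA256      = $hash
    }
}

# Persistence check suggested in the thread: autorun entries that survive a reboot
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        # Strip the PS* provider properties so only real value names remain
        Get-ItemProperty -Path $key |
            Select-Object -Property * -ExcludeProperty PS* |
            ForEach-Object { $_.PSObject.Properties | ForEach-Object {
                [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } } }
    }
}
```

Run it after the uninstall and again after a reboot; a listener whose executable no longer matches the vendor's file, or a Run entry pointing at a path the uninstaller claimed to remove, is exactly the condition Bluefish describes.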


