Vulnerability Development mailing list archives
Re: tcp port 20445 is open after napster 2.0 beta install (win98 and winME)
From: "Jon O." <jono () MICROSHAFT ORG>
Date: Wed, 9 Aug 2000 09:00:59 -0700
It appears that we do not have enough information about this to know exactly what we are dealing with. First, we need the specific build number of your Napster install. Next, we need checksums on the executable to make sure we are working with the same file and not a trojaned one downloaded from who knows where.

As far as tracking sockets and program execution, there is a tool called Socket Spy which I have found helpful. It allows you to attach to an executable and records all the socket calls. Also, there are some tools called NTFilemon and NTRegmon which I have found helpful when looking for trojans. Filemon shows the raw disk reads/writes of all running applications and Regmon shows applications' hooks into the Registry. These are good tools every security person (dealing with MS) should know and love.

NTFilemon/Regmon was put out by ntinternals.com but that site is now gone. Turns out the same guys have been hard at work and created even more tools including a socket monitor. Find them here:

http://www.winternals.com
http://www.win-tech.com

I suggest that the person who has the Napster install with these strange ports run these programs and provide copies of his executable to people who would like to find out what is going on.

Thanks,
Jon
http://www.networkcommand.com
PSA: Use *BSD -- it's better.

On Wed, 9 Aug 2000, Bluefish wrote:

With beta 5, a telnet connection would offer a prompt: "[RPL2]:"; with beta 6, no prompt. The open port remains after an uninstall.

Even after computer reboot?!? Sounds ugly. To me it sounds very much like a backdoor, but I suppose it could also be a broken uninstall program; failures to properly remove applications in the Windows environment are common, and usually the uninstall software doesn't say anything.

Anyone had any luck in determining what application/dll is causing this? I suppose checking for "run" entries in the registry, or looking for new active processes, could track down the offender. (Does anyone know a more scientific method to track which process has opened a port under Windows?)

IMHO, this may very well be a serious vulnerability. If it isn't a backdoor, and a vulnerability is found in the code, numerous affected users may not upgrade because they believe they have uninstalled the vulnerable application!

..:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team
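The checks raised in this thread (which process owns the listening port, a checksum of its executable, and the "run" registry entries) can be sketched for a current Windows system in PowerShell. This is an added example, not part of the original messages; it assumes Windows 8 / Server 2012 or later, since these cmdlets did not exist on Win98/WinME, and takes port 20445 from the thread subject.

```powershell
# Added example: map a listening TCP port to its owning process, hash the
# binary, and list autorun entries. Run elevated, otherwise ExecutablePath
# can be empty for processes owned by other accounts.
param([int]$Port = 20445)   # default is the port named in the thread subject

$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Output "Nothing is listening on TCP port $Port."
    return
}

# One record per distinct owning process (IPv4 and IPv6 listeners share a PID)
$owners = foreach ($procId in ($listeners.OwningProcess | Sort-Object -Unique)) {
    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $procId"
    $path = $proc.ExecutablePath
    $hash = $null
    if ($path -and (Test-Path -LiteralPath $path)) {
        # Checksum to compare against a known-good copy of the same build
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
    [pscustomobject]@{
        Port        = $Port
        PID         = $procId
        Name        = $proc.Name
        Path        = $path
        CommandLine = $proc.CommandLine
        SHA256      = $hash
    }
}
$owners | Format-List

# Autorun entries that could restart a listener after a reboot or an uninstall
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$autoruns = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notin $providerProps } |
        ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
}
$autoruns | Format-List
```

A listener whose path matches an entry in the autorun list, after the application was supposedly removed, points to a leftover component rather than a running copy of the main program.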