Vulnerability Development mailing list archives

Re: tcp port 20445 is open after napster 2.0 beta install (win98 and winME)


From: GraffiX <graffix () GRAFFIX TZO COM>
Date: Wed, 9 Aug 2000 11:54:40 -0700

I've installed both beta 5 and beta 6 as they were released (hell, even
earlier releases for that matter), and port 20445 has never been open on
any of the boxes I've put it on, nor has there been any unaccounted for
ports open due to any Napster installs, or execution.

I would suggest to you that either:

a)  the port you're seeing open and listening is entirely unrelated to the
Napster install, regardless of what version (i.e. something else is
coincidentally opening up that port, perhaps triggered by the executing of
Napster?), or
b)  you've obtained a copy of the Napster install that has been tampered
with, and indeed has a backdoor wrapped up in the setup of the program

As stated below, I'd suggest searching for all instances of programs
located in the "run" portions of your registry, as well as any *.ini files,
*.bat files, etc, which load upon boot.  Programs such as the ol'
KernelToys (WinTop) are rudimentarily useful for Win9x platforms, though if
the process is buried in a thread, you're SOL.  Sysinternals offers
TCPView, which will give you a realtime view of what ports are listening,
etc.  Using that in conjunction with killing off processes one by one and
noting which ports stop listening may be a good place to start trying to
figure out what the hell is opening up 20445.

G'luck,
GraffiX




At 02:46 AM 8/9/00 +0200, you wrote:
> With beta 5, a telnet connection would offer a prompt: "[RPL2]:";
> with beta 6, no prompt.  The open port remains after an uninstall.

> Even after computer reboot?!?
>
> Sounds ugly. To me it sounds very much like a backdoor, but I suppose it
> could also be a broken uninstall program; failures to properly remove
> applications in the Windows environment are common, and usually the
> uninstall software doesn't say anything.
>
> Anyone had any luck in determining what application/dll is causing this? I
> suppose checking for "run" entries in the registry, or looking for new
> active processes, could track down the offender. (does anyone know a more
> scientific method to track which process has opened a port under windows?)
>
> IMHO, this may very well be a serious vulnerability. If it isn't a
> backdoor, and a vulnerability is found in the code, numerous affected
> users may not upgrade because they believe they have uninstalled the
> vulnerable application!
>
> ..:::::::::::::::::::::::::::::::::::::::::::::::::..
>      http://www.11a.nu || http://bluefish.11a.nu
>     eleventh alliance development & security team
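GraffiX's approach (pair a port viewer with the registry Run keys) and the quoted question about a more scientific way to find which process owns a port, worked through as an added example that is not part of the thread. It assumes a modern Windows host where Get-NetTCPConnection is available, not the Win9x machines discussed; the port number is the one from the thread and the Run/RunOnce key list is the usual set, not anything the posters named.

```powershell
# Added example, not code from the thread: answers "which process has opened a port"
# on a modern Windows host (Windows 8 / Server 2012 or later; assumes the NetTCPIP
# module), then checks whether that executable is in a Run/RunOnce autostart key.
param([int]$Port = 20445)   # the port discussed in the thread; change as needed
# Autostart locations GraffiX suggests checking ("run" portions of the registry).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
function Get-ListenerOwner {
    param([int]$Port)
    # One row per listening socket on the port, with the owning process resolved.
    Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                Pid          = $_.OwningProcess
                ProcessName  = $proc.ProcessName
                Path         = $proc.Path      # $null for protected/system processes
            }
        }
}
function Find-AutostartEntries {
    param([string]$ExePath)
    # Return every Run/RunOnce value whose command line references the executable.
    if (-not $ExePath) { return }
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            if ($cmd.IndexOf($ExePath, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd }
            }
        }
    }
}
$owners = @(Get-ListenerOwner -Port $Port)
if ($owners.Count -eq 0) { "Nothing is listening on TCP $Port."; return }
$owners | Format-Table -AutoSize
foreach ($o in $owners) {
    $hits = @(Find-AutostartEntries -ExePath $o.Path)
    if ($hits.Count) { "Autostart entries for PID $($o.Pid):"; $hits | Format-Table -AutoSize }
    else { "No Run/RunOnce entry references '$($o.Path)' (PID $($o.Pid))." }
}
```

Run it from an elevated prompt, otherwise the executable path of processes owned by other accounts comes back empty and the autostart check is skipped for them.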
