Vulnerability Development mailing list archives
Re: tcp port 20445 is open after napster 2.0 beta install (win98 and winME)
From: Pedram Amini <pedram.amini () TULANE EDU>
Date: Thu, 10 Aug 2000 10:52:53 -0500
I would suggest you grab yourself a copy of Inzider (www.ntsecurity.nu/toolbox/inzider). It will tell you which process is binding to what port.

-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM] On Behalf Of GraffiX
Sent: Wednesday, August 09, 2000 1:55 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: tcp port 20445 is open after napster 2.0 beta install (win98 and winME)

I've installed both beta 5 and beta 6 as they were released (hell, even earlier releases for that matter), and port 20445 has never been open on any of the boxes I've put it on, nor have there been any unaccounted-for ports open due to any Napster installs, or execution.

I would suggest to you that either:

a) the port you're seeing open and listening is entirely unrelated to the Napster install, regardless of what version (i.e. something else is coincidentally opening up that port, perhaps triggered by the executing of Napster?), or

b) you've obtained a copy of the Napster install that has been tampered with, and indeed has a backdoor wrapped up in the setup of the program

As stated below, I'd suggest searching for all iterances of programs located in the "run" portions of your registry, as well as any *.ini files, *.bat files, etc, which load upon boot.

Programs such as the ol' KernelToys (WinTop) are rudimentarily useful for Win9x platforms, though if the process is buried in a thread, you're SOL. Sysinternals offers TCPView, which will give you a realtime view of what ports are listening, etc. Using that in conjunction with killing off processes one by one and noting which ports stop listening may be a good place to start trying to figure out what the hell is opening up 20445.

G'luck,
GraffiX

At 02:46 AM 8/9/00 +0200, you wrote:
With beta 5, a telnet connection would offer a prompt: "[RPL2]:"; with beta 6, no prompt. The open port remains after an uninstall.

Even after computer reboot?!? Sounds ugly.

To me it sounds very much like a backdoor, but I suppose it could also be a broken uninstall program; failures to properly remove applications in the Windows environment are common, and usually the uninstall software doesn't say anything.

Anyone had any luck in determining what application/dll is causing this? I suppose checking for "run" entries in the registry, or looking for new active processes, could track down the offender. (Does anyone know a more scientific method to track which process has opened a port under Windows?)

IMHO, this may very well be a serious vulnerability. If it isn't a backdoor, and a vulnerability is found in the code, numerous affected users may not upgrade because they believe they have uninstalled the vulnerable application!

..:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team
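The question raised in the thread, which process has opened a given port, worked through as an added example that is not part of the original messages. It assumes a current Windows host where `netstat -ano` and `tasklist /fo csv /nh` are available (not the Win98/ME systems discussed), and the sample output, PIDs and image names below are constructed.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1044
  TCP    0.0.0.0:20445          0.0.0.0:0              LISTENING       3180
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED     2260
  TCP    [::]:135               [::]:0                 LISTENING       1044
  UDP    0.0.0.0:5353           *:*                                    2260
"""

# Constructed sample of `tasklist /fo csv /nh` output; image names are made up.
TASKLIST = '''\
"svchost.exe","1044","Services","0","9,120 K"
"browser.exe","2260","Console","1","150,332 K"
"unknown_helper.exe","3180","Console","1","4,816 K"
'''

def parse_tasklist(text):
    """Return {pid: image name} from CSV tasklist output."""
    return {int(row[1]): row[0]
            for row in csv.reader(io.StringIO(text)) if len(row) >= 2}

def listening_sockets(text):
    """Yield (proto, address, port, pid) for TCP listeners and bound UDP sockets."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        if f[0] == "TCP" and f[3] != "LISTENING":
            continue  # skip established/closing connections
        addr, _, port = f[1].rpartition(":")  # rpartition keeps [::] intact
        yield f[0], addr, int(port), int(f[-1])

def owners_of_port(port, netstat_text=NETSTAT, tasklist_text=TASKLIST):
    """Return sorted unique (proto, pid, image) tuples bound to `port`."""
    names = parse_tasklist(tasklist_text)
    return sorted({(proto, pid, names.get(pid, "<no such process>"))
                   for proto, _, p, pid in listening_sockets(netstat_text)
                   if p == port})

if __name__ == "__main__":
    for proto, pid, image in owners_of_port(20445):
        print(f"{proto} port 20445 -> PID {pid} ({image})")
```

A PID that appears in the socket table but not in the process list is reported as `<no such process>`, which is itself worth investigating.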
Current thread:
- tcp port 20445 is open after napster 2.0 beta install (win98 and winME) Francois . Perreault (Aug 08)
- Re: tcp port 20445 is open after napster 2.0 beta install (win98 and winME) LordRaYden (Aug 09)
- Re: tcp port 20445 is open after napster 2.0 beta install (win98 and winME) Bluefish (Aug 09)
- Compaq Insight Manager /Proxy/LoginResponse DoS DK (Aug 09)
- Message not available
- Re: tcp port 20445 is open after napster 2.0 beta install (win98 and winME) GraffiX (Aug 10)
- Re: tcp port 20445 is open after napster 2.0 beta install (win98 and winME) Pedram Amini (Aug 10)
- Re: tcp port 20445 is open after napster 2.0 beta install (win98 and winME) GraffiX (Aug 10)