Re: ghostly mail ports

["KEvin" <kevin () hatry com>]

Hi

i read a similar problem in a newsgroup some days ago, it seems that the
person who posted it had a firewall/virus scanner (norton i think) and that
the virus scanner was watching incoming (and departing) mail, thus waiting
on the ports 25 and 110.

Have you tried tcpview from sysinternal ? it's a good utility that could be
helpful to determine what application is listening ...


KEvin


----- Original Message -----
From: "joe" <joseph.beard () btopenworld com>
To: <security-basics () securityfocus com>
Sent: Wednesday, January 08, 2003 1:45 AM
Subject: ghostly mail ports


> Hi, im new to security and this is my first post, so be gentle :)
>
> I have a fairly good understanding of the tcp/ip model and i think i
> understand what ports are for! but i cant understand that on my box, i
have
> the 2 default mail ports (25 and 110) open. Its a windows 2000 box,
service
> pack three. Im pretty sure im not running a mail server of any
description.
> The ports appear in box scanline and superscan eg
>
> C:\>sl -bht 1-1000 192.168.0.1
> ScanLine (TM) 1.01
> Copyright (c) Foundstone, Inc. 2002
> http://www.foundstone.com
>
> Scan of 1 IP started at Wed Jan 08 00:36:51 2003
>
> --------------------------------------------------------------------------
--
> -
> 192.168.0.1
> Responded in 0 ms.
> 0 hops away
> Responds with ICMP unreachable: No
> TCP ports: 25 110 135 139 445
>
>
> --------------------------------------------------------------------------
--
> -
>
> Scan finished at Wed Jan 08 00:37:09 2003
>
> 1 IP and 1000 ports scanned in 0 hours 0 mins 18.16 secs
>
> but in netstat, activeports, fport they dont! does anybody know where they
> have come from? i googled for ages but dont seem to be getting anywhere.
>
>
>
> thanks
>
> joe