Re: What is this port? is it a trojan?

["Roger A. Grimes" <rogerg () cox net>]

It's hard to tell just looking at the netstat info below.  The port is a
little unusual, but is definitely not uncommon.  Many legitimate programs
open up high port numbers.  If the netstat trace showed it connecting to a
remote Internet host, then I'd be more suspicious.  The key to any unknown
port opening is to trace it back to the program, process, or service that is
opening the port and then doing research on the found cause (just as you are
asking to do).  There are several "port enumerators" that will tie back the
program to the port.  If you have Windows XP, you can do it using netstat
command-line parameters (I think it is -o or -p)...which ties the open port
to a process ID (PID) that can then be traced back to the program (using
Task Manager) or a lot of other PID-listing tools.  If you don't have XP,
consider Foundstone's F-port or www.sysinternals.com' TCPView (although I
get a lot of blue screens after installing it).

Be advised there are many ways for a malicious program to hide from port
viewers, although they tend to be the exception rather than the rule.

Good luck.

Roger
****************************************************************************
****
*Roger A. Grimes, Computer Security Consultant
*CPA, MCSE (NT/2000), CNE (3/4), A+
*email: rogerg () cox net
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
****************************************************************************
*************

----- Original Message ----- 
From: "Hyperion" <nemesis () croasdalepreston fsnet co uk>
To: "Security Basics Mailing List" <security-basics () securityfocus com>
Sent: Monday, June 30, 2003 12:52 PM
Subject: What is this port? is it a trojan?


> Hello all :)
>
>  I have been taking a more detailed interest in my pc's security of late,
> and security for computers in general, and I am learning at quite a fast
> rate, although there is a great, great deal of information to learn out
> there.
>
>  Just recently I have taken to doing regular, netstat - probes on my
machine
> to see the different connections that arise and so forth.
>  Today I found a rather mysterious port with the number, 44334 and I have
> copied/paste the results of the netstat -an below for people to look at.
>  Is the port in question, -44334- a Trojan? it strikes me as a rather
> suspicious port and a rather large port number.
>  Could anyone tell me how I can find out what's running behind the port in
> question, and also what to do about it if it is a port.
>  I have run my virus software, but it did not find any viruses or Trojans
> installed on my machine, so I am at a loss as to what to do.
> I am also very limited in my security knowledge, so I am basically stuck
for
> the necessary ideas or solutions on what to do in order to find out what's
> behind this port.
> Any and all help is greatly appreciated thanks.
>
> Details of netstat below::
>
> Active Connections
>
>   Proto  Local Address          Foreign Address        State
>   TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:1038           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:44334          0.0.0.0:0              LISTENING
>   TCP    127.0.0.1:110          0.0.0.0:0              LISTENING
>   TCP    127.0.0.1:1279         127.0.0.1:110          TIME_WAIT
>   TCP    217.135.174.224:1280   195.92.193.154:110     TIME_WAIT
>   UDP    0.0.0.0:445            *:*
>   UDP    0.0.0.0:500            *:*
>   UDP    0.0.0.0:1036           *:*
>   UDP    0.0.0.0:44334          *:*
>   UDP    127.0.0.1:123          *:*
>   UDP    127.0.0.1:1900         *:*
>   UDP    217.135.174.224:123    *:*
>   UDP    217.135.174.224:1900   *:*
>
>
> My Regards
> Hyperion
>
>
> --------------------------------------------------------------------------
-
> Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
> The Gartner Group just put Neoteris in the top of its Magic Quadrant,
> while InStat has confirmed Neoteris as the leader in marketshare.
>
> Find out why, and see how you can get plug-n-play secure remote access in
> about an hour, with no client, server changes, or ongoing maintenance.
>
> Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
> --------------------------------------------------------------------------
--
>


---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------