Re: What is this port? is it a trojan?

["Ryan Smith" <RyanSmith () mail UTexas edu>]

----- Original Message -----
From: "Hyperion" <nemesis () croasdalepreston fsnet co uk>

>  Just recently I have taken to doing regular, netstat - probes on my
machine
> to see the different connections that arise and so forth.
>  Today I found a rather mysterious port with the number, 44334 and I have
> copied/paste the results of the netstat -an below for people to look at.
>  Is the port in question, -44334- a Trojan? it strikes me as a rather
> suspicious port and a rather large port number.
>  Could anyone tell me how I can find out what's running behind the port in
> question, and also what to do about it if it is a port.

What operating system are you running?  If you're using XP you can use the
command "netstat -ao" and it will list the proccess ID (PID) of the program
associated with the port
Armed with that info, you can go to task manager and click the "processes"
tab.  Then under view there will be an option "set columns" make sure the
PID is checked, then sort by PID and you'll find your program.

If you don't like the legwork, you can also download fport.exe from
http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subconte
nt=/resources/proddesc/fport.htm
This will print all open ports with the full path of the program associated
to them.
This is probably the easiest and best solution, but now you have options.
AFAIK fport runs on NT, 2000 and XP.

>  I have run my virus software, but it did not find any viruses or Trojans
> installed on my machine, so I am at a loss as to what to do.
> I am also very limited in my security knowledge, so I am basically stuck
for
> the necessary ideas or solutions on what to do in order to find out what's
> behind this port.
> Any and all help is greatly appreciated thanks.
>
> Details of netstat below::
>
> Active Connections
>
>   Proto  Local Address          Foreign Address        State
>   TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:1038           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:44334          0.0.0.0:0              LISTENING
>   TCP    127.0.0.1:110          0.0.0.0:0              LISTENING
>   TCP    127.0.0.1:1279         127.0.0.1:110          TIME_WAIT
>   TCP    217.135.174.224:1280   195.92.193.154:110     TIME_WAIT
>   UDP    0.0.0.0:445            *:*
>   UDP    0.0.0.0:500            *:*
>   UDP    0.0.0.0:1036           *:*
>   UDP    0.0.0.0:44334          *:*
>   UDP    127.0.0.1:123          *:*
>   UDP    127.0.0.1:1900         *:*
>   UDP    217.135.174.224:123    *:*
>   UDP    217.135.174.224:1900   *:*
FYI: I'm hoping that this IP has been "sanitized".  By this I mean, its not
a good idea to put your ip out there (with a list of open ports no less),
even if just to a security mailing list.  In the future, you might (if you
haven't already) replace it with an ip in the 192.168.0.0/24 range, then
state at the beginning to assume that's your address.

Hope this helps,
Ryan W Smith



---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------