Security Basics mailing list archives
Re: What is this port? is it a trojan?
From: "Ryan Smith" <RyanSmith () mail UTexas edu>
Date: Mon, 30 Jun 2003 22:01:12 -0500
----- Original Message ----- From: "Hyperion" <nemesis () croasdalepreston fsnet co uk>
Just recently I have taken to doing regular, netstat - probes on my machine to see the different connections that arise and so forth. Today I found a rather mysterious port with the number, 44334 and I have copied/pasted the results of the netstat -an below for people to look at. Is the port in question, -44334- a Trojan? It strikes me as a rather suspicious port and a rather large port number. Could anyone tell me how I can find out what's running behind the port in question, and also what to do about it if it is a port.
What operating system are you running? If you're using XP you can use the command "netstat -ao" and it will list the process ID (PID) of the program associated with the port. Armed with that info, you can go to task manager and click the "processes" tab. Then under view there will be an option "set columns"; make sure the PID is checked, then sort by PID and you'll find your program.
If you don't like the legwork, you can also download fport.exe from http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/fport.htm
This will print all open ports with the full path of the program associated to them. This is probably the easiest and best solution, but now you have options. AFAIK fport runs on NT, 2000 and XP.
I have run my virus software, but it did not find any viruses or Trojans installed on my machine, so I am at a loss as to what to do. I am also very limited in my security knowledge, so I am basically stuck for the necessary ideas or solutions on what to do in order to find out what's behind this port. Any and all help is greatly appreciated thanks. Details of netstat below:
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1038           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:44334          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:110          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1279         127.0.0.1:110          TIME_WAIT
  TCP    217.135.174.224:1280   195.92.193.154:110     TIME_WAIT
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1036           *:*
  UDP    0.0.0.0:44334          *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1900         *:*
  UDP    217.135.174.224:123    *:*
  UDP    217.135.174.224:1900   *:*
FYI: I'm hoping that this IP has been "sanitized". By this I mean, it's not a good idea to put your IP out there (with a list of open ports no less), even if just to a security mailing list. In the future, you might (if you haven't already) replace it with an IP in the 192.168.0.0/24 range, then state at the beginning to assume that's your address.
Hope this helps,
Ryan W Smith
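The PID lookup described in the reply above, as an added example that is not part of the original message: it joins `netstat -ano` output with `tasklist /FO CSV /NH` output so each listening port is shown with its owning process. Using `tasklist` in place of the Task Manager step is an assumption, and the sample outputs, PIDs and image names are constructed for illustration.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (PIDs are made up for illustration).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:44334          0.0.0.0:0              LISTENING       1352
  TCP    127.0.0.1:1279         127.0.0.1:110          TIME_WAIT       0
  UDP    0.0.0.0:44334          *:*                                    1352
  UDP    127.0.0.1:123          *:*                                    840
"""

# Constructed sample of `tasklist /FO CSV /NH` output (image names are placeholders;
# PID 840 is deliberately missing to show the unresolved case).
TASKLIST_SAMPLE = '''\
"System","4","Console","0","216 K"
"svchost.exe","716","Console","0","3,412 K"
"example.exe","1352","Console","0","5,120 K"
'''


def parse_listeners(netstat_text):
    """Return (proto, port, pid) for TCP LISTENING sockets and bound UDP sockets."""
    found = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            found.append(("TCP", int(f[1].rsplit(":", 1)[1]), int(f[4])))
        elif len(f) == 4 and f[0] == "UDP":  # UDP rows have no State column
            found.append(("UDP", int(f[1].rsplit(":", 1)[1]), int(f[3])))
    return found


def parse_tasklist(csv_text):
    """Map PID -> image name from `tasklist /FO CSV /NH` rows."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(csv_text)) if len(r) >= 2}


def owners(netstat_text, tasklist_text):
    """Join the two outputs: (proto, port, pid, image name or '?')."""
    names = parse_tasklist(tasklist_text)
    return [(p, port, pid, names.get(pid, "?")) for p, port, pid in parse_listeners(netstat_text)]


if __name__ == "__main__":
    for proto, port, pid, name in owners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{proto:3} {port:>5}  PID {pid:<5} {name}")
```

A listener whose PID resolves to "?" or to an image name you do not recognise is the one to inspect further, for instance with fport's full-path output.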