Security Basics mailing list archives

Re: unadministered open ports


From: Mordread Wallas <mordread.wallas () gmail com>
Date: Fri, 12 Aug 2005 23:55:09 +0200

Dear Peter,
You may try the Fport or Vision tools from Foundstone (free software).
With these tools, you'll be able to check exactly what the running
processes are. In fact, filtered ports don't mean that something is
listening all the time.

Best regards,
Mordread

11 Aug 2005 17:44:33 +0100, Peter Odigie <petermariano () ncema gov ng>:



What process spawned the ports?

Take for example the ports below from a workstation.
The ports that are "filtered" are not supposed to be there; maybe the
user is doing/has done something wrong.

Do I have to put a filter on my gateway? But which ports do I
filter?

I guess I will finally have to go to each of the computers and remove the
offending process (maybe malware), but is there a way to do this
remotely?

Interesting ports on
(The 1653 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
116/tcp  filtered ansanotify
135/tcp  open     msrpc
139/tcp  open     netbios-ssn
196/tcp  filtered dn6-smm-red
445/tcp  open     microsoft-ds
1025/tcp open     NFS-or-IIS
1076/tcp filtered sns_credit
2043/tcp filtered isis-bcast
3389/tcp open     ms-term-serv
5000/tcp open     UPnP


Thanks


Peter




On Thu, 2005-08-11 at 17:01, Sean Crawford wrote:
What ports are they for a start?


What process spawned the ports?


*sigh*

---> -----Original Message-----
---> From: Peter Odigie [mailto:petermariano () ncema gov ng]
---> Sent: Wednesday, 10 August 2005 7:21 PM
---> To: security-basics () securityfocus com
---> Subject: unadministered open ports
--->
--->
---> Hi All
--->
---> I have noticed that anytime I do an nmap of my LAN I see ports that are
---> not supposed to be open or used appearing as "filtered" on my
---> workstations.  I get a feeling that they have been infected.  I
---> want to control this, and I would like to do it remotely if I can.
--->
---> Any help please
--->
---> Peter
--->
--->
--->
--->
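
The check suggested in the reply above (map each scanned port to the process that owns it, and note that "filtered" does not by itself mean something is listening) can be done by joining the nmap table with a listener listing taken on the workstation. This is an added example, not part of the original thread: the `netstat -ano` lines, addresses and PIDs are constructed sample data, and the function names are hypothetical.

```python
import re
# nmap table as posted in the message above
NMAP_OUTPUT = """\
PORT     STATE    SERVICE
116/tcp  filtered ansanotify
135/tcp  open     msrpc
139/tcp  open     netbios-ssn
196/tcp  filtered dn6-smm-red
445/tcp  open     microsoft-ds
1025/tcp open     NFS-or-IIS
1076/tcp filtered sns_credit
2043/tcp filtered isis-bcast
3389/tcp open     ms-term-serv
5000/tcp open     UPnP
"""
# Constructed `netstat -ano` rows for the same workstation (addresses and PIDs invented)
NETSTAT_OUTPUT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       828
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1180
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:1188        198.51.100.7:80        ESTABLISHED     2316
"""

def parse_nmap(text):
    # {port: state} from the PORT/STATE/SERVICE table; the header row does not match
    return {int(p): s for p, s in re.findall(r"^(\d+)/tcp\s+(\S+)", text, re.M)}

def parse_listeners(text):
    # {port: pid} for TCP sockets in LISTENING state only
    listeners = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            listeners[int(f[1].rsplit(":", 1)[1])] = int(f[4])
    return listeners

def triage(nmap_text, netstat_text):
    # Join scan results to local listeners; pid is None when nothing is bound
    listeners = parse_listeners(netstat_text)
    return [(port, state, listeners.get(port))
            for port, state in sorted(parse_nmap(nmap_text).items())]

if __name__ == "__main__":
    for port, state, pid in triage(NMAP_OUTPUT, NETSTAT_OUTPUT):
        owner = f"PID {pid}" if pid is not None else "no local listener"
        print(f"{port:>5}/tcp {state:<8} {owner}")
```

In this constructed data every open port resolves to an owning PID and none of the filtered ports has a listener; a filtered port that did show a listener would be the one to investigate on the host first.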



