Re: Weird UDP trafic

[Captain James T Kirk <Captain_Kirk () myrealbox com>]

Here's a list of known ports:

Known ports from 0 to 1023

25
 tcp, udp smtp Simple Mail Transfer; alias=mail

80
 tcp udp WWW World Wide Web HTTP

135
 tcp udp loc-srv / epmap Location Service / DCE endpoint resolution

137
 tcp udp netbios-ns NetBIOS Name Service

138
 tcp udp netbios-dgm NetBIOS Datagram Service

139
 tcp udp netbios-ssn NetBIOS Session Service

445
 tcp udp microsoft-ds Microsoft-DS

500
 tcp udp isakmp internet Secuirty Association and Key management protocol

Registered ports from 1024 to 49151

1025
 tcp listen listener RFS remote_file_sharing

1026
 tcp nterm remote_login network_terminal

1031 & 1032
 tcp udp iad3 BBN IAD @timeplex.com

1433
 tcp, udp ms-sql-s Microsoft-SQL-Server

1434
 tcp, udp ms-sql-m Microsoft-SQL-Monitor @microsoft.com

3372
 tcp, udp tip2 loc252.tandem.com

3456
 tcp udp vat VAT default data ee.lbl.gov

10000
 tcp udp ndmp Network Data Management Protocol netapp.com

Looks like you have a web server listening on port 80 (Microsoft Personal
Web Server perhaps?), a Microsoft SQL Server listening to port 1433 (using
a database for your web pages?), you are checking your mail on port 25,
ports 135 to 139 are being used for your dial-up connection (or whatever)
and it looks like you have File and Print sharing enabled and turned on.

check out http://www.iana.org/assignments/port-numbers

On Tue, 10 Jul 2001, Jacques Exelrud wrote:

>       I'm using ZoneAlarm on a machine. Starting some days ago the alert log
> started to show a UDP connection from my machine to my machine (denied by
> ZoneAlamr)
>       The UDP port is 10000.
>       After check netstat -n -a I lso found some weird ports:
>
>   TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:1032           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:3372           0.0.0.0:0              LISTENING
>   TCP    1.0.0.1:1433           0.0.0.0:0              LISTENING
>   TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
>   TCP    192.168.64.1:139       0.0.0.0:0              LISTENING
>   TCP    192.168.64.1:1433      0.0.0.0:0              LISTENING
>   UDP    0.0.0.0:135            *:*
>   UDP    0.0.0.0:445            *:*
>   UDP    0.0.0.0:500            *:*
>   UDP    0.0.0.0:1028           *:*
>   UDP    0.0.0.0:1031           *:*
>   UDP    0.0.0.0:1434           *:*
>   UDP    0.0.0.0:3456           *:*
>   UDP    0.0.0.0:10000          *:*
>   UDP    192.168.64.1:137       *:*
>   UDP    192.168.64.1:138       *:*
>
>       Some of the are known but other are, at least, suspicious.
>
>       Any sugestions on how to find who owns those ports ? ZoneAlarm does not
> bother me with them so I suspect that who owns them is services.exe or other
> Win200 program that have been allowed to act like a server.
>
>       Thanks in advance,
>       Jacques
>
>
>
>
> ----------------------------------------------------------------------------
>
>
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see:
>
> http://aris.securityfocus.com



----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com