Security Incidents mailing list archives
Re: Weird UDP trafic
From: Captain James T Kirk <Captain_Kirk () myrealbox com>
Date: Wed, 11 Jul 2001 17:15:44 -0400 (Eastern Daylight Time)
Here's a list of known ports:

Known ports from 0 to 1023

  25           tcp, udp  smtp          Simple Mail Transfer; alias=mail
  80           tcp udp   WWW           World Wide Web HTTP
  135          tcp udp   loc-srv / epmap  Location Service / DCE endpoint resolution
  137          tcp udp   netbios-ns    NetBIOS Name Service
  138          tcp udp   netbios-dgm   NetBIOS Datagram Service
  139          tcp udp   netbios-ssn   NetBIOS Session Service
  445          tcp udp   microsoft-ds  Microsoft-DS
  500          tcp udp   isakmp        internet Security Association and Key management protocol

Registered ports from 1024 to 49151

  1025         tcp       listen        listener RFS remote_file_sharing
  1026         tcp       nterm         remote_login network_terminal
  1031 & 1032  tcp udp   iad3          BBN IAD @timeplex.com
  1433         tcp, udp  ms-sql-s      Microsoft-SQL-Server
  1434         tcp, udp  ms-sql-m      Microsoft-SQL-Monitor @microsoft.com
  3372         tcp, udp  tip2          loc252.tandem.com
  3456         tcp udp   vat           VAT default data ee.lbl.gov
  10000        tcp udp   ndmp          Network Data Management Protocol netapp.com

Looks like you have a web server listening on port 80 (Microsoft Personal Web Server perhaps?), a Microsoft SQL Server listening to port 1433 (using a database for your web pages?), you are checking your mail on port 25, ports 135 to 139 are being used for your dial-up connection (or whatever) and it looks like you have File and Print sharing enabled and turned on.

Check out http://www.iana.org/assignments/port-numbers

On Tue, 10 Jul 2001, Jacques Exelrud wrote:
I'm using ZoneAlarm on a machine. Starting some days ago the alert log started to show a UDP connection from my machine to my machine (denied by ZoneAlarm). The UDP port is 10000.

After checking netstat -n -a I also found some weird ports:

  TCP    0.0.0.0:25          0.0.0.0:0    LISTENING
  TCP    0.0.0.0:80          0.0.0.0:0    LISTENING
  TCP    0.0.0.0:135         0.0.0.0:0    LISTENING
  TCP    0.0.0.0:445         0.0.0.0:0    LISTENING
  TCP    0.0.0.0:1025        0.0.0.0:0    LISTENING
  TCP    0.0.0.0:1026        0.0.0.0:0    LISTENING
  TCP    0.0.0.0:1027        0.0.0.0:0    LISTENING
  TCP    0.0.0.0:1029        0.0.0.0:0    LISTENING
  TCP    0.0.0.0:1032        0.0.0.0:0    LISTENING
  TCP    0.0.0.0:3372        0.0.0.0:0    LISTENING
  TCP    1.0.0.1:1433        0.0.0.0:0    LISTENING
  TCP    127.0.0.1:1433      0.0.0.0:0    LISTENING
  TCP    192.168.64.1:139    0.0.0.0:0    LISTENING
  TCP    192.168.64.1:1433   0.0.0.0:0    LISTENING
  UDP    0.0.0.0:135         *:*
  UDP    0.0.0.0:445         *:*
  UDP    0.0.0.0:500         *:*
  UDP    0.0.0.0:1028        *:*
  UDP    0.0.0.0:1031        *:*
  UDP    0.0.0.0:1434        *:*
  UDP    0.0.0.0:3456        *:*
  UDP    0.0.0.0:10000       *:*
  UDP    192.168.64.1:137    *:*
  UDP    192.168.64.1:138    *:*

Some of them are known but others are, at least, suspicious.

Any suggestions on how to find who owns those ports? ZoneAlarm does not bother me with them so I suspect that who owns them is services.exe or other Win200 program that has been allowed to act like a server.

Thanks in advance,
Jacques

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
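Added example, not part of either message above: a Python triage of netstat -n -a output that labels each listener with the port names given in the reply and flags network-reachable ports that the reply's list does not cover. SAMPLE is a subset of the lines from the original post; the function names are this example's own, and a registered name is only the IANA assignment, not evidence of which process holds the socket.

```python
import re

# Port names as listed in the reply above (registrations, not proof of the owning process).
KNOWN = {25: "smtp", 80: "WWW", 135: "loc-srv/epmap", 137: "netbios-ns",
         138: "netbios-dgm", 139: "netbios-ssn", 445: "microsoft-ds", 500: "isakmp",
         1025: "listen", 1026: "nterm", 1031: "iad3", 1032: "iad3",
         1433: "ms-sql-s", 1434: "ms-sql-m", 3372: "tip2", 3456: "vat", 10000: "ndmp"}

# Subset of the netstat -n -a lines from the original post.
SAMPLE = """\
  TCP    0.0.0.0:80         0.0.0.0:0    LISTENING
  TCP    0.0.0.0:1027       0.0.0.0:0    LISTENING
  TCP    127.0.0.1:1433     0.0.0.0:0    LISTENING
  TCP    192.168.64.1:139   0.0.0.0:0    LISTENING
  UDP    0.0.0.0:1028       *:*
  UDP    0.0.0.0:10000      *:*
"""

LINE = re.compile(r"^\s*(TCP|UDP)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse(text):
    """Return one dict per listening TCP socket or bound UDP socket."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # column headers, blank lines, anything not IPv4 TCP/UDP
        proto, addr, port, _remote, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing connections are not listeners
        port = int(port)
        scope = ("loopback" if addr.startswith("127.") else
                 "all-interfaces" if addr == "0.0.0.0" else "single-interface")
        rows.append({"proto": proto, "addr": addr, "port": port,
                     "scope": scope, "name": KNOWN.get(port)})
    return rows

def triage(rows):
    """Unlisted ports reachable from the network: trace these to a process first."""
    return sorted((r["proto"], r["port"]) for r in rows
                  if r["name"] is None and r["scope"] != "loopback")

if __name__ == "__main__":
    for r in parse(SAMPLE):
        print(f'{r["proto"]} {r["addr"]}:{r["port"]:<6} {r["scope"]:<17} '
              f'{r["name"] or "UNLISTED"}')
    print("trace first:", triage(parse(SAMPLE)))
```
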