Security Incidents mailing list archives
Re: Weird UDP trafic
From: Rajeev Kumar <rajeev () rajeevnet com>
Date: Thu, 12 Jul 2001 11:38:57 -0400
If you have a tool like lsof, you can use the following command to see which file is responsible for those open ports. Under Linux (login as root):

# lsof -i UDP (will show all UDP open ports)

Rajeev

Jacques Exelrud wrote:
I'm using ZoneAlarm on a machine. Starting some days ago the alert log
started to show a UDP connection from my machine to my machine (denied by
ZoneAlarm).
The UDP port is 10000.
After checking netstat -n -a I also found some weird ports:
TCP 0.0.0.0:25 0.0.0.0:0 LISTENING
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1029 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1032 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3372 0.0.0.0:0 LISTENING
TCP 1.0.0.1:1433 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1433 0.0.0.0:0 LISTENING
TCP 192.168.64.1:139 0.0.0.0:0 LISTENING
TCP 192.168.64.1:1433 0.0.0.0:0 LISTENING
UDP 0.0.0.0:135 *:*
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1028 *:*
UDP 0.0.0.0:1031 *:*
UDP 0.0.0.0:1434 *:*
UDP 0.0.0.0:3456 *:*
UDP 0.0.0.0:10000 *:*
UDP 192.168.64.1:137 *:*
UDP 192.168.64.1:138 *:*
Some of them are known but others are, at least, suspicious.
Any suggestions on how to find who owns those ports? ZoneAlarm does not
bother me with them, so I suspect that whoever owns them is services.exe or another
Win2000 program that has been allowed to act like a server.
Thanks in advance,
Jacques
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:
http://aris.securityfocus.com
--
********************************************************************
Rajeev Kumar (rajeev () rajeevnet com)
http://www.rajeevnet.com
********************************************************************
-- PGP PUBLIC KEY -- http://www.rajeevnet.com/crypto/mypubkey
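Rajeev's lsof suggestion answers the "who owns this port" question only on a host that has lsof; the listing Jacques posted comes from Windows netstat, which shows no owner at all. The following added example (mine, not code from either poster) parses both output formats, joins them on protocol and port, and reports the listeners that neither lsof attributes to a process nor an assumed baseline of known services explains; the netstat and lsof sample rows, the process name "exampled" and the baseline set are constructed for the example.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    owner: Optional[str]  # "command[pid]" once attributed, None if no tool told us

# Windows `netstat -n -a` rows: "TCP 0.0.0.0:25 0.0.0.0:0 LISTENING" / "UDP 0.0.0.0:10000 *:*"
_NETSTAT = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")
# `lsof -i -nP` rows: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
_LSOF = re.compile(r"^(\S+)\s+(\d+)\s+\S+\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+(TCP|UDP)\s+\S+:(\d+)")

def parse_netstat(text: str) -> List[Listener]:
    """Keep UDP sockets and LISTENING TCP sockets; netstat itself never names the owner."""
    found = []
    for line in text.splitlines():
        m = _NETSTAT.match(line)
        if m and not (m.group(1) == "TCP" and m.group(4) != "LISTENING"):
            found.append(Listener(m.group(1), m.group(2), int(m.group(3)), None))
    return found

def parse_lsof(text: str) -> Dict[Tuple[str, int], str]:
    """Map (proto, port) -> "command[pid]": the attribution lsof adds over netstat."""
    return {(m.group(3), int(m.group(4))): f"{m.group(1)}[{m.group(2)}]"
            for m in map(_LSOF.match, text.splitlines()) if m}

def triage(listeners: List[Listener], owners: Dict[Tuple[str, int], str],
           baseline: Set[Tuple[str, int]]) -> List[Listener]:
    """Attach owners where lsof knows them; return what is still unexplained."""
    attributed = [l._replace(owner=owners.get((l.proto, l.port))) for l in listeners]
    return [l for l in attributed if l.owner is None and (l.proto, l.port) not in baseline]

# Constructed sample in the shape of the listing quoted in the thread (not the full list).
NETSTAT_SAMPLE = """\
TCP 0.0.0.0:25 0.0.0.0:0 LISTENING
TCP 192.168.64.1:139 0.0.0.0:0 LISTENING
TCP 192.168.64.1:1040 10.0.0.5:80 ESTABLISHED
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:3456 *:*
UDP 0.0.0.0:10000 *:*
"""
# Constructed `lsof -i UDP -nP` output; "exampled" is a made-up process name.
LSOF_SAMPLE = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ntpd 901 ntp 16u IPv4 13311 0t0 UDP *:123
exampled 1510 root 5u IPv4 19877 0t0 UDP *:10000
"""
# Assumed baseline of services the operator already recognises (adjust per host).
BASELINE = {("TCP", 25), ("TCP", 139), ("UDP", 445)}

def suspicious_ports() -> List[int]:
    return [l.port for l in triage(parse_netstat(NETSTAT_SAMPLE), parse_lsof(LSOF_SAMPLE), BASELINE)]
```

With these samples UDP 10000 is attributed to exampled[1510] and UDP 3456 remains the one port still worth investigating; on a live host, feed the two functions the real `netstat -an` and `lsof -i -nP` output instead.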
Current thread:
- Weird UDP trafic Jacques Exelrud (Jul 11)
- Re: Weird UDP trafic Captain James T Kirk (Jul 11)
- Re: Weird UDP trafic sarnold (Jul 11)
- Re: Weird UDP trafic George Bakos (Jul 12)
- Re: Weird UDP trafic Rajeev Kumar (Jul 12)
- <Possible follow-ups>
- Re: Weird UDP trafic bludclot (Jul 11)
