Penetration Testing mailing list archives

Re: [PEN-TEST] Ports


From: Ryan Permeh <ryan () EEYE COM>
Date: Sun, 17 Dec 2000 16:37:28 -0800

If this is a 2k box, it is likely that an unnamed rpc process has this port
open.  Again, if you do have access to this box, there are a variety of
tools that you can use to check what process has this port open.  For
windows, try sysinternals.com's tdimon, or inzider at ntsecurity.nu.  For
unix boxen, use lsof.

This port is usually not running a specific service, and must use a
portmapper, or NT RPC locator service to find which services are actually
running on this box.  It also could be a trojan, spyware, or some other type
of crappy intruder; if so, a decent antiviral may pick it up.  OR (if on a
unix box), it could just be a nonprivileged user's need to run a daemon
process.  Non-root users can only typically bind to ports above 1024 (there
are kernel patches for some os's that modify this type of behavior though).

Signed,
Ryan
eEye Digital Security Team
http://www.eEye.com

----- Original Message -----
From: "Matt" <saryon () SWBELL NET>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Saturday, December 16, 2000 9:41 PM
Subject: Ports


I know there was a discussion on this list a while back about ports.
Recently on two different machines I have noticed a weird port, 1025,
open.  I can't think of any program that uses it.  I have checked the
port database and it says network blackjack.  Any searching on network
blackjack has come up as more lists of ports, and no information on what
it is.  Does anyone here know what this is?

Thanks

Matt Carlson
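
Added example, not part of the original thread: the lsof check suggested in the reply, as a Python script that parses `lsof -nP -iTCP -sTCP:LISTEN` output to name the process and user behind a port such as 1025. The sample output, process names, users and helper function names are constructed for illustration.

```python
import shutil
import subprocess

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output (not from the thread).
SAMPLE = """\
COMMAND   PID USER    FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812 root     3u  IPv4  18234      0t0  TCP *:22 (LISTEN)
rpc.statd 640 rpcuser  7u  IPv4  15012      0t0  TCP *:1025 (LISTEN)
gamed    2291 alice    4u  IPv4  40771      0t0  TCP 127.0.0.1:6001 (LISTEN)
httpd    3010 alice    5u  IPv6  41200      0t0  TCP [::1]:8080 (LISTEN)
"""

def parse_listeners(text):
    """Return one dict per listening TCP socket in lsof's default output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the header and anything that is not a LISTEN row.
        if len(parts) < 10 or parts[-1] != "(LISTEN)" or not parts[1].isdigit():
            continue
        # NAME is addr:port; rpartition keeps bracketed IPv6 addresses intact.
        addr, _, port = parts[-2].rpartition(":")
        rows.append({"command": parts[0], "pid": int(parts[1]),
                     "user": parts[2], "addr": addr, "port": int(port)})
    return rows

def who_owns(port, rows):
    """Processes listening on the given TCP port."""
    return [r for r in rows if r["port"] == port]

def unprivileged_listeners(rows):
    """Listeners not owned by root, i.e. daemons started by ordinary users."""
    return [r for r in rows if r["user"] != "root"]

def live_listeners():
    """Run lsof on this host if installed; run as root to see other users' sockets."""
    if not shutil.which("lsof"):
        return []
    result = subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
                            capture_output=True, text=True)
    return parse_listeners(result.stdout)

if __name__ == "__main__":
    # Fall back to the constructed sample when lsof is absent or shows nothing.
    rows = live_listeners() or parse_listeners(SAMPLE)
    for r in who_owns(1025, rows):
        print(f"port 1025: {r['command']} pid={r['pid']} user={r['user']} addr={r['addr']}")
    for r in unprivileged_listeners(rows):
        print(f"non-root listener: {r['command']} ({r['user']}) on port {r['port']}")
```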


