configure (Veteran) Posted January 28, 2002
I've a security-related question to ask you guys. As you can see, this is the list of ports that have been opened. Please walk me through each of them so that I know what they do and why they're in the "LISTENING" state. ;)

C:\Documents and Settings\configure>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1214           0.0.0.0:0              LISTENING
  TCP    xxx.xxx.xxx.xx:1214    64.4.12.131:1863       ESTABLISHED
  TCP    xxx.xxx.xxx.xx:12257   0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1077           *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1215         *:*
  UDP    xxx.xxx.xxx.xx:123     *:*
  UDP    xxx.xxx.xxx.xx:1212    *:*
  UDP    xxx.xxx.xxx.xx:7113    *:*

C:\Documents and Settings\configure>
Silvorgold Posted January 28, 2002
Whoa, a lot of #s... but it's late here so that woke me up lol. I can't help you out there 'cause I'm not good with IP stuff... maybe it's in the listening state to wait for you to do something on the net... i.e. surf the web... connect to the net, so it's listening lol. Crazy idea, but that's my 2¢ Canadian (1.25¢ US).
configure (Veteran, Author) Posted January 28, 2002
> maybe it's in the listening state to wait for you to do something on the net... i.e. surf the web
Nope, I don't think so. If I was surfing, it should be "ESTABLISHED", not "LISTENING". :p
Silvorgold Posted January 28, 2002
Maybe the ISP is listening to what you're doing... nah... there's hundreds of things it could mean... but the people who would know seem to not be on Neowin right now...
ElGato Posted January 28, 2002
This should give you some info on ports and what they are used for. I would be suspicious about high-numbered ports, as these are generally used by trojans and the like.
ElGato Posted January 28, 2002
And you do seem to have a trojan on port 1212, :o

Name: Kaos
Aliases:
Ports: 1212 (port can not be changed)
Files: Kaos.zip - 154,119 bytes; Kaos13.zip - 171,243 bytes; Client.exe - 393,728 bytes; Client.exe - 428,544 bytes; Server.exe - 17,920 bytes; Server.exe - 29,184 bytes; Deskmanager.exe; Shell32.exe; Systrj.exe
Created: July 1999
Requires:
Actions: Remote Access
Versions: 1.0, 1.1, 1.3
Registers: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Notes: Works on Windows 95, 98 and NT. Version 1.1 was loaded through the Start menu.
Country: written in Greece
Program: Written in Visual Basic.
ElGato Posted January 28, 2002
...and one on port 1025, :o

Name: Remote Storm
Aliases:
Ports: 1025, 1025 (UDP), 1441
Files: Remote.storm.zip - 239,232 bytes; Remotestorm1.2.zip - 239,682 bytes; Remote storm.exe - 307,200 bytes; Extract.exe - 177,152 bytes; Mswinsck.ocx - 108,336 bytes; Dllrun.exe; Run.exe - 44,544 bytes
Created: Feb 2000
Requires: Mswinsck.ocx is required to run the trojan.
Actions: Remote Access. Compressed with the packer UPX.
Versions: 1.2, 1.2.1
Registers: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Notes: Works on Windows.
Country: written in Poland
Program: Written in Visual Basic.
ElGato Posted January 28, 2002
And another on port 123, :o I think you'd better check this list: http://www.simovits.com/nyheter9902.html, then disconnect your machine from the internet and burn it now. Unclean! Unclean! :p
configure (Veteran, Author) Posted January 28, 2002
I don't remember executing any file that could possibly have been infected by a trojan. If I'm really infected by the above trojans, how do I remove them?
fr33k Posted January 28, 2002
What makes you think you're infected?
configure (Veteran, Author) Posted January 28, 2002
Moved to Internet Troubleshooters forum. (Why can't I post things in the right place in the first place? :ponder: )
> What makes you think you're infected?
After reading what ElGato said. But I still doubt very much that I'm infected. :ermm:
RazerBack Posted January 28, 2002
Active Ports: easy to use tool for Windows NT/2000/XP that enables you to monitor all open TCP/IP and UDP ports on the local computer. Active Ports maps ports to the owning application so you can watch which process has opened which port. It also displays a local and remote IP address for each connection and allows you to close any port. Active Ports can help you to detect trojans and other malicious programs.
http://www.smartline.ru/software/aports.zip

List of common ports: http://www.networkice.com/advice/Exploits/Ports

Ports used by Trojans: http://www.dalmatian.com/TrojanPortsfiles/...yheter9902.html
configure (Veteran, Author) Posted January 28, 2002
Thanks for the advice ;)
RazerBack Posted January 28, 2002
Weird thing is I happened to see this on a website just today. :ponder:
Jon Posted January 28, 2002
Guys, don't be stupid enough to think that a trojan is the *only* service to run on a specific port. For example, UPnP works via port 5000. There is also a trojan (can't remember the name, something French) which uses this port. Basically, when a trojan is written, it can use whatever port it damn well wants; it could use port 80 if it wanted, but then the user would get errors left, right and centre. So before you go off on one saying "ARG YOU'VE GOT 8 TROJANS!", first check to see if they are legit services...

Jon :old:
ElGato Posted January 28, 2002
Jon's right, and I guess I was scaremongering a little, :p , but you do need to verify that these ports are being used by legit services.
configure (Veteran, Author) Posted January 28, 2002
Thank you Jon.
Vlad Posted February 3, 2002
configure, a lot of those "listening" ports are for the internal system. For example, here's my netstat -na:

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2290           0.0.0.0:0              LISTENING
* TCP    192.168.1.3:139        0.0.0.0:0              LISTENING
* TCP    192.168.1.3:1175       0.0.0.0:0              LISTENING
* TCP    192.168.1.3:1175       192.168.1.9:139        ESTABLISHED
  TCP    192.168.1.3:2290       31.234.101.103:6667    ESTABLISHED
  *UDP omitted for space*

The final connection ("ESTABLISHED") is my connection to an IRC server. At the same time, my computer is "LISTENING" on the same local port (2290). I assume this is part of an internal loop that the kernel uses for firewalling/filtering/whatever packets. The top 2 lines are for Windows file sharing, and the lines marked with * show how my computer responds to another Windows computer on my network (which also has file sharing).

It's a good idea to know your ports; get familiar with the most common ones so that you can read your netstat at a glance. Also remember that any instances of "127.0.0.1, 0.0.0.0, and your IP address" can, in the vast, vast, VAST majority of cases, be safely ignored as part of the normal workings of your system. What you need to watch for, however, are things that might look like this:

  TCP    YOURIPADDRESS:80       0.0.0.0:0              LISTENING

If I saw this on my computer, I would instantly know that I have (most likely) a webserver running off my machine (80 = http). Popular trojans have specific ports associated with them (SubSeven and whatnot).
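An added example, not code posted by anyone in this thread, that does what configure asked for at the top and what Jon and Vlad recommend: parse a netstat listing, separate bound listeners from established connections, record which interface each listener is bound to, and attach the owning process so that a port number alone never decides whether something is a trojan. It assumes the `netstat -ano` layout (XP and later add a PID column with `-o`; a `tasklist` run gives PID-to-image names). The listing, PIDs and image names are constructed to resemble the first post, not captured from anyone's machine; the port table is documented Windows/IANA usage, and the two trojan ports ElGato quoted are carried as hints only.

```python
"""Triage a Windows `netstat -ano` listing (added example, not from the thread).

Keeps only bound listeners, records which interface each is bound to and which
process owns it, and ranks the ones that still need explaining first.  The
listing, PIDs and image names below are constructed, not from a real machine.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Documented Windows / IANA usage for ports seen in the thread.  A match
# explains a port; it does not prove the listener is that service, because
# any program can bind any free port (Jon's point).
KNOWN_PORTS = {
    ("TCP", 135): "RPC endpoint mapper",
    ("TCP", 139): "NetBIOS session service (file sharing)",
    ("TCP", 445): "SMB direct hosting (file sharing)",
    ("UDP", 123): "NTP (Windows Time)",
    ("UDP", 445): "SMB direct hosting (file sharing)",
    ("UDP", 500): "ISAKMP (IPsec IKE)",
}
# Ports the quoted trojan list ties to a backdoor: attached as a hint only,
# never used to decide the verdict.
TROJAN_HINTS = {1025: "Remote Storm", 1212: "Kaos"}
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}
WILDCARD = {"0.0.0.0", "::", "[::]"}


@dataclass
class Socket:
    proto: str
    local_ip: str
    local_port: int
    remote: str
    state: str           # "" for UDP, which netstat prints without a state
    pid: Optional[int]   # None when netstat was run without -o


def parse_netstat(text: str) -> List[Socket]:
    """Parse `netstat -an` or `netstat -ano` output into Socket records."""
    sockets = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or the prompt
        proto, local, remote, rest = parts[0], parts[1], parts[2], parts[3:]
        state = ""
        if rest and not rest[0].isdigit():
            state = rest.pop(0)               # TCP state column
        pid = int(rest[0]) if rest and rest[0].isdigit() else None
        ip, _, port = local.rpartition(":")   # rpartition copes with IPv6
        sockets.append(Socket(proto, ip, int(port), remote, state, pid))
    return sockets


def is_listener(s: Socket) -> bool:
    """TCP says LISTENING outright; a bound UDP socket shows *:* as its peer."""
    return s.state == "LISTENING" or (s.proto == "UDP" and s.remote == "*:*")


VERDICT_RANK = {"verify": 0, "identified": 1, "expected": 2}


def triage(sockets: List[Socket],
           pid_names: Optional[Dict[int, str]] = None) -> List[dict]:
    """One finding per bound listener, least explained and most exposed first.
    pid_names maps PID -> image name, as `tasklist` reports it."""
    pid_names = pid_names or {}
    findings = []
    for s in sockets:
        if not is_listener(s):
            continue
        if s.local_ip in LOOPBACK:
            scope = "loopback"           # unreachable from the network
        elif s.local_ip in WILDCARD:
            scope = "all interfaces"     # every NIC, a dialup link included
        else:
            scope = "interface " + s.local_ip
        owner = pid_names.get(s.pid) if s.pid is not None else None
        service = KNOWN_PORTS.get((s.proto, s.local_port))
        if service is not None:
            verdict = "expected"       # documented Windows usage
        elif owner is not None:
            verdict = "identified"     # undocumented port, but a name to research
        else:
            verdict = "verify"         # nothing explains it: find the owner
        findings.append({"proto": s.proto, "port": s.local_port, "scope": scope,
                         "owner": owner, "service": service,
                         "trojan_hint": TROJAN_HINTS.get(s.local_port),
                         "verdict": verdict})
    findings.sort(key=lambda f: (VERDICT_RANK[f["verdict"]],
                                 f["scope"] == "loopback", f["port"]))
    return findings


# Constructed listing modelled on the first post, with the PID column that
# `netstat -ano` adds.  PIDs and the tasklist mapping are invented; PID 2104 is
# deliberately absent from the mapping to show the case worth chasing.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       828
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1012
  TCP    10.0.0.5:1216          64.4.12.131:1863       ESTABLISHED     1704
  TCP    10.0.0.5:12257         0.0.0.0:0              LISTENING       2104
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    672
  UDP    127.0.0.1:123          *:*                                    936
  UDP    10.0.0.5:1212          *:*                                    2104
"""
SAMPLE_PIDS = {4: "System", 672: "lsass.exe", 828: "svchost.exe",
               936: "svchost.exe", 1012: "svchost.exe", 1704: "msmsgs.exe"}

if __name__ == "__main__":
    for f in triage(parse_netstat(SAMPLE), SAMPLE_PIDS):
        print(f"{f['verdict']:<10} {f['proto']} {f['port']:<6} {f['scope']:<18}"
              f" owner={f['owner']} service={f['service']}"
              f" trojan_hint={f['trojan_hint']}")
```

Run against the sample, the two sockets owned by the unnamed PID 2104 come out first as "verify"; TCP 1025 carries the Remote Storm hint but is "identified" as an svchost.exe listener, which is exactly the case where the port table alone would have pointed the wrong way; and the loopback NTP socket sorts last because nothing on the wire can reach it.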
configure (Veteran, Author) Posted February 3, 2002
Thanks for the tips Vlad :)
Vlad Posted February 3, 2002
No problem. You use a firewall, configure?
configure (Veteran, Author) Posted February 3, 2002
Vlad, I don't use any firewall. I don't need it; I'm on dialup, there's no need for it.