
Ports...

Question

configure    1

I've a security-related question to ask you guys. As you can see, this is the list of ports that have been opened. Please walk me through each of them so that I know what they do and why they're in the "LISTENING" state. ;)

C:\Documents and Settings\configure>netstat -an

Active Connections

Proto Local Address Foreign Address State

TCP 0.0.0.0:135 0.0.0.0:0 LISTENING

TCP 0.0.0.0:445 0.0.0.0:0 LISTENING

TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING

TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING

TCP 0.0.0.0:1214 0.0.0.0:0 LISTENING

TCP xxx.xxx.xxx.xx:1214 64.4.12.131:1863 ESTABLISHED

TCP xxx.xxx.xxx.xx:12257 0.0.0.0:0 LISTENING

UDP 0.0.0.0:445 *:*

UDP 0.0.0.0:500 *:*

UDP 0.0.0.0:1077 *:*

UDP 127.0.0.1:123 *:*

UDP 127.0.0.1:1215 *:*

UDP xxx.xxx.xxx.xx:123 *:*

UDP xxx.xxx.xxx.xx:1212 *:*

UDP xxx.xxx.xxx.xx:7113 *:*

C:\Documents and Settings\configure>

Silvorgold    0

whoa a lot of #s...but it's late here so that woke me up lol, i can't help u out there cuz i'm not good with ip stuff...maybe it's in the listening state to wait for u to do something on the net...ie - surf the web...connect to the net, so it's listening lol

crazy idea but that's my 2¢ Canadian (1.25¢ US)

configure    1
"maybe it's in the listening state to wait for u to do something on the net...ie - surf the web"

Nope, I don't think so. If I was surfing, it should be "ESTABLISHED" not "LISTENING" :p

Silvorgold    0

maybe the isp is listening to what you're doing nah...

there's hundreds of things it could mean....but the ppl who would know seem to be not on neowin right now...

ElGato    0

This should give you some info on ports and what they are used for, I would be suspicious about high numbered ports as these are generally used by trojans and the like.

ElGato    0

And you do seem to have a trojan on port 1212, :o

Name: Kaos

Aliases:

Ports: 1212 (port can not be changed)

Files: Kaos.zip - 154,119 bytes Kaos13.zip - 171,243 bytes Client.exe - 393,728 bytes Client.exe - 428,544 bytes Server.exe - 17,920 bytes Server.exe - 29,184 bytes Deskmanager.exe - Shell32.exe - Systrj.exe -

Created: July 1999

Requires:

Actions: Remote Access

Versions: 1.0, 1.1, 1.3,

Registers: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Notes: Works on Windows 95, 98 and NT. Version 1.1 was loaded through the Start menu.

Country: written in Greece

Program: Written in Visual Basic.

ElGato    0

...and one on port 1025, :o

Name: Remote Storm

Aliases:

Ports: 1025, 1025 (UDP), 1441

Files: Remote.storm.zip - 239,232 bytes Remotestorm1.2.zip - 239,682 bytes Remote storm.exe - 307,200 bytes Extract.exe - 177,152 bytes Mswinsck.ocx - 108,336 bytes Dllrun.exe - Run.exe - - 44,544 bytes

Created: Feb 2000

Requires: Mswinsck.ocx - is required to run the trojan.

Actions: Remote Access

Compressed with the packer UPX.

Versions: 1.2, 1.2.1,

Registers: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Notes: Works on Windows.

Country: written in Poland

Program: Written in Visual Basic.

configure    1

I don't remember ever executing any files that could possibly be infected by a trojan. If I'm really infected by the above trojan, how do I remove it?

fr33k    2

what makes you think you're infected?

configure    1

Moved to Internet Troubleshooters forum. (Why can't I post things at the right place in the first place? :ponder: )

"what makes you think you're infected?"

After reading what ElGato said, but I still doubt very much that I'm infected. :ermm:

RazerBack    0

Active Ports

easy to use tool for Windows NT/2000/XP that enables you to monitor all open TCP/IP and UDP ports on the local computer.

Active Ports maps ports to the owning application so you can watch which process has opened which port.

It also displays a local and remote IP address for each connection and allows you to close any port.

Active Ports can help you to detect trojans and other malicious programs.

http://www.smartline.ru/software/aports.zip

List of common ports

http://www.networkice.com/advice/Exploits/Ports

Ports used by Trojans

http://www.dalmatian.com/TrojanPortsfiles/...yheter9902.html

configure    1

Thanks for the advice ;)

RazerBack    0

Weird thing is I happened to see this on a website just today. :ponder:

Jon    5

Guys, don't be stupid enough to think that a trojan is the *only* service to run on a specific port.

For example, upnp works via port 5000. There is also a trojan (can't remember the name, something french) which uses this port.

Basically when a trojan is written, it can use whatever port it damn well wants, it could use port 80 if it wanted, but then the user would get errors left right and centre.

So before you go off on one saying "ARG YOU'VE GOT 8 TROJANS!", first check to see if they are legit services...

Jon

:old:

ElGato    0

Jon's right, and I guess I was scaremongering a little, :p , but you do need to verify that these ports are being used by legit services.

configure    1

Thank you Jon.

Vlad    12

configure, a lot of those "listening" ports are for the internal system. For example, here's my netstat -na:

Proto Local Address Foreign Address State

TCP 0.0.0.0:135 0.0.0.0:0 LISTENING

TCP 0.0.0.0:445 0.0.0.0:0 LISTENING

TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING

TCP 0.0.0.0:2290 0.0.0.0:0 LISTENING

*TCP 192.168.1.3:139 0.0.0.0:0 LISTENING

*TCP 192.168.1.3:1175 0.0.0.0:0 LISTENING

*TCP 192.168.1.3:1175 192.168.1.9:139 ESTABLISHED

TCP 192.168.1.3:2290 31.234.101.103:6667 ESTABLISHED

*UDP Omitted for space*

The final connection ("ESTABLISHED") is my connection to an irc server. At the same time, my computer is "LISTENING" on the same local port (2290). I assume this is part of an internal loop that the kernel uses for firewalling/filtering/whatever packets. The top 2 lines are for windows file sharing, and the lines marked with * show how my computer responds to another windows computer on my network (which also has file sharing).

It's a good idea to know your ports; get familiar with the most common ones so that you can read your netstat at a glance. Also remember that any instances of "127.0.0.1, 0.0.0.0, and your IP address" can, in the vast, vast, VAST majority of cases be safely ignored as part of the normal workings of your system. What you need to watch for, however, are things that might look like this:

TCP YOURIPADDRESS:80 0.0.0.0:0 LISTENING

If I saw this on my computer, I would instantly know that I have (most likely) a webserver running off my machine (80 = http). Popular trojans have specific ports associated with them (subseven and whatnot).

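The check Jon and ElGato ask for above (is the port held by a legitimate service?), as an added example that is not part of the original thread: it parses output in the `netstat -ano` layout (`-o` adds the owning PID), joins it to a PID-to-image map, and reports each open endpoint with its bind scope and owner. The sample output, PIDs, image names and the `KNOWN_IMAGES` baseline are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

Socket = namedtuple("Socket", "proto addr port state pid")
# Constructed sample in `netstat -ano` layout (PID column added by -o).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1032
  TCP    10.0.0.5:1214          64.4.12.131:1863       ESTABLISHED     2140
  UDP    127.0.0.1:123          *:*                                    1032
  UDP    10.0.0.5:1212          *:*                                    3316
"""
# Constructed PID -> image name map, as `tasklist` would report it.
SAMPLE_TASKS = {4: "System", 880: "svchost.exe", 1032: "svchost.exe",
                2140: "messenger.exe", 3316: "example.exe"}
KNOWN_IMAGES = {"System", "svchost.exe"}  # assumption: your own baseline

def parse_netstat(text):
    """Yield a Socket per TCP/UDP row; UDP rows have no State column."""
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue
        addr, _, port = f[1].rpartition(":")
        state = f[3] if f[0] == "TCP" else ""
        yield Socket(f[0], addr.strip("[]"), int(port), state, int(f[-1]))

def scope(addr):
    """Which interfaces the local bind address accepts traffic on."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "all interfaces"
    return "loopback only" if ip.is_loopback else "one interface"

def open_endpoints(text, tasks):
    """TCP listeners and UDP endpoints as (proto, port, scope, image)."""
    return [(s.proto, s.port, scope(s.addr), tasks.get(s.pid, "?"))
            for s in parse_netstat(text)
            if s.proto == "UDP" or s.state == "LISTENING"]

def needs_review(endpoints, known=KNOWN_IMAGES):
    """Network-reachable endpoints whose owning image is not in the baseline."""
    return [e for e in endpoints
            if e[2] != "loopback only" and e[3] not in known]

if __name__ == "__main__":
    print(needs_review(open_endpoints(SAMPLE_NETSTAT, SAMPLE_TASKS)))
```

The ESTABLISHED row is skipped because its local port is only the source port of an outbound connection, not a listener.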
configure    1

Thanks for the tips Vlad :)

Vlad    12

No problem. You use a firewall, configure?

configure    1

Vlad, I don't use any firewall. I don't need it, I'm on dialup, there's no need for it.

