port stuff


naides
January 10th, 2004, 08:54
This is of course off topic, and has to do with network and security.
I ran a port scanner on my own computer and found two to three ports open with numbers between 1000 and 2000 (they change more or less randomly every time I restart the machine). I am unclear about who opened them and why.
The question to you is:

How can I find out which thread, file, service, virus, trojan etc. opened and is listening on the ports?
The port scanner reports some info about well-known and legitimate ports, but nothing about these.
The antivirus and firewall (Norton) report nothing out of the ordinary.
The Symantec Security test site says everything is fine, but I still don't know what those bloody ports are doing.
Thanks

disavowed
January 10th, 2004, 11:15
http://www.codeproject.com/internet/enetstatasp.asp#xx668954xx

There are GUI versions of this too. Next time use Google :\

Kayaker
January 10th, 2004, 17:24
Yeah that's it, thrash him soundly in and around the nether regions with a wet towel for not searching

I still have to test this myself, but there's a utility linked within a link to the link I gave in the Windows Forensics: Have I been Hacked? post that might do the job - Vision v1.0.

http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/freetools.htm

-------------------------
Vision v1.0
Reports all open TCP and UDP ports and maps them to the owning process or application.

Vision, a host based Forensic Utility is the GUI successor to the well-known freeware tool, Fport. This innovative new product from Foundstone shows all of the open TCP and UDP ports on a machine, displays the service that is active on each port, and maps the ports to their respective applications. Vision allows users to access a large amount of supplementary information that is useful for determining host status by displaying detailed system information, applications running, as well as processes and ports in use.

Key Features

Interrogate ports and identify potential "Trojan" services by using the "Port Probe" command in the port mapper. Using "Port Probe", Vision will enable you to send a customized string of information to the port. Based on the response from the port, a determination can be made to either kill the port, using the "Kill" command, or leave it as is.

View system events by sorting by application, process, service, port, remote IP, and device drivers in ascending or descending order.

Identify and review detailed information about Services and Devices to determine if they are Running or Stopped.
---------------------------------

(Oh, and a little bit of cold cream will reduce the red welts...)

Cheers,
Kayaker

Woodmann
January 10th, 2004, 18:42
Will not netstat show the same information ?

Woodmann

nikolatesla20
January 10th, 2004, 20:20
netstat only shows open ports and port types, not which process they belong to
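
On Windows 2000 that is true, but from Windows XP onward netstat's -o switch adds the owning PID, which can be joined with tasklist to get the process name. The script below is an added example (not from any poster in this thread): it parses constructed sample output of netstat -ano and tasklist /FO CSV /NH, names the process behind each listening port, and flags ports inside the 2000/XP dynamic range, where listeners that move between reboots tend to live.

```python
import csv
import io
import subprocess
# Constructed sample of "netstat -ano" (Windows XP and later; -o adds the PID column).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1204
  TCP    127.0.0.1:1036         127.0.0.1:1037         ESTABLISHED     1560
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:1434           *:*                                    1204
"""
# Constructed sample of "tasklist /FO CSV /NH" (image name, PID, session, ...).
SAMPLE_TASKLIST = """\
"System","4","Console","0","236 K"
"svchost.exe","932","Console","0","4,120 K"
"unknownsvc.exe","1204","Console","0","2,044 K"
"firefox.exe","1560","Console","0","51,200 K"
"""
# Windows 2000/XP allocate dynamic (ephemeral) ports from this range, which is why an
# unexplained listener between 1000 and 2000 can sit on a different port after a reboot.
DYNAMIC_RANGE = (1025, 5000)

def parse_netstat(text):
    """Yield (proto, local_port, pid) for TCP LISTENING sockets and every UDP socket."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue                                  # header or blank line
        if f[0] == "TCP" and f[3] != "LISTENING":
            continue                                  # a connection, not a listener
        yield f[0], int(f[1].rsplit(":", 1)[1]), int(f[-1])

def parse_tasklist(text):
    """Map PID -> image name from tasklist's CSV output."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text)) if row}

def listeners(netstat_text, tasklist_text):
    """Join both outputs so each listening port is labelled with its owning process."""
    names = parse_tasklist(tasklist_text)
    rows = [{"proto": p, "port": port, "pid": pid,
             "process": names.get(pid, "<PID not in tasklist: exited or hidden>"),
             "dynamic_range": DYNAMIC_RANGE[0] <= port <= DYNAMIC_RANGE[1]}
            for p, port, pid in parse_netstat(netstat_text)]
    return sorted(rows, key=lambda r: (r["proto"], r["port"]))

def live_listeners():
    """Run the real commands on a Windows host (assumes XP or later for netstat -o)."""
    return listeners(subprocess.check_output(["netstat", "-ano"], text=True),
                     subprocess.check_output(["tasklist", "/FO", "CSV", "/NH"], text=True))
```

A PID that appears in netstat but not in tasklist is worth a second look: the process may simply have exited between the two commands, or something may be hiding it from the process list.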

UrgeOverKill
January 10th, 2004, 21:35
check out this site....hxxp://www.networksorcery.com/enp/protocol/ip/ports00000.htm

naides
January 10th, 2004, 22:19
Quote:
[Originally Posted by disavowed]http://www.codeproject.com/internet/enetstatasp.asp#xx668954xx

There are GUI versions of this too. Next time use Google :\


Auuch!!!

Next time, instead of seeing a doctor, I will read an Internal Medicine (Geriatric Internal Medicine in my case) textbook instead.

esther
January 10th, 2004, 22:31
Yeah flame him. Hmm strange, they should delete disavowed posts >

Quote:
[Originally Posted by naides]Auuch!!!

Next time, instead of seeing a doctor, I will read an Internal Medicine (Geriatric Internal Medicine in my case) textbook instead.

dELTA
January 11th, 2004, 00:06
The following is another excellent free tool from our friends at sysinternals too:

http://www.sysinternals.com/ntw2k/source/tcpview.shtml

Kayaker
January 11th, 2004, 00:57
Quote:
[Originally Posted by naides]This is of course off topic, and has to do with network and security.


Need this be off topic? I wouldn't mind seeing more network and security discussions, like RCE it's all part of a total understanding of computer software, hardware and operating issues. There seem to be a number of people here with at least some knowledge of network operations, and a few lively discussions of some aspect of things we don't usually discuss might make for interesting reading. (What, you don't find unpacking Asprotect interesting enough, you treasonous bastid!!?)

dELTA had mentioned at one point about starting a Networking forum, might there be enough interest to make something like that viable? Just thought I'd bring that up for discussion...

Kayaker

+SplAj
January 11th, 2004, 04:10
Quote:
[Originally Posted by Kayaker]Need this be off topic? I wouldn't mind seeing more network and security discussions, like RCE it's all part of a total understanding of computer software, hardware and operating issues. There seem to be a number of people here with at least some knowledge of network operations, and a few lively discussions of some aspect of things we don't usually discuss might make for interesting reading. (What, you don't find unpacking Asprotect interesting enough, you treasonous bastid!!?)

dELTA had mentioned at one point about starting a Networking forum, might there be enough interest to make something like that viable? Just thought I'd bring that up for discussion...

Kayaker



Kayaker

the perfect solution :-

EssentialNetTools from Tamos........ is protected by ASP.......

disavowed
January 11th, 2004, 11:00
Quote:
[Originally Posted by Kayaker]dELTA had mentioned at one point about starting a Networking forum, might there be enough interest to make something like that viable?
networking does not fall under the topic of reverse software engineering (the theme of this set of forums), so i would not add it as a new forum

dELTA
January 11th, 2004, 19:47
Any posts regarding networking and security are welcome in the Advanced Reversing/Programming forum anyway (except for crypto stuff, which will fit better in the cryptographics forum of course).

And there are many aspects of networking and security that are related to both reverse code engineering and even more to reverse engineering in general, so if the post count of such related topics ever rises high enough in the Advanced R/P forum or the Off Topic forum we might very well consider starting a separate forum for these things.

evaluator
January 12th, 2004, 07:09
i'm against that forum.

dELTA
January 12th, 2004, 12:08
It feels good to hear your well-founded reasons for your opinion eval.

evaluator
January 12th, 2004, 13:13
Because the reason is very simple, I did not write anything.
I think that it is not RCE-related.

your move, show if that is.


***
hot Q of day:
is as_ reversing RCE-related!? ~8-0

Fake51
January 13th, 2004, 04:35
AAtools and Kerio personal firewall will both do the trick. First is a target, second is free. Oh, and did I mention the added bonus of running a firewall?

Heh, and flames for not searching on this. The answer "firewall" should have been in your thoughts even before considering asking people around here.

Fake

dELTA
January 13th, 2004, 08:31
Yes, but it is often more appealing to have a light-weight tool to do such a thing, rather than the driver mess of a personal firewall, affecting a thousand other things in the system. Especially if you are perhaps already running another firewall without this feature.

Fake51
January 13th, 2004, 11:58
Quote:
[Originally Posted by dELTA]Yes, but it is often more appealing to have a light-weight tool to do such a thing, rather than the driver mess of a personal firewall, affecting a thousand other things in the system. Especially if you are perhaps already running another firewall without this feature.


A firewall that won't tell you what processes are running and doing net-stuff? Not worth running.
Anyway, thinking "firewall" should have set off a search that should easily bring up plenty of tools alongside. Sure, just posting here is easier, but come on, this one is so easy.

Fake

naides
January 13th, 2004, 12:32
Quote:
[Originally Posted by Fake51]A firewall that won't tell you what processes are running and doing net-stuff? Not worth running.
Anyway, thinking "firewall" should have set off a search that should easily bring up plenty of tools alongside. Sure, just posting here is easier, but come on, this one is so easy.

Fake



OK guys. Enough. My post was not completely clear, and I did not think it was important, so I let it go, but:
I do have a firewall. Norton on one computer, ZoneAlarm on others. They do list the processes, but the ports I was nervous about did not show in Norton's list.
The Norton site was less than helpful. Their detector said everything was OK, but I am behind several layers of firewalls. I also know that a firewall, particularly a personal (cracked) one, is not impenetrable, particularly if you have malicious code working from inside your computer.

Posts like UrgeOverKill's did point me in the right direction, explaining which ports are supposed to be open, which are exploits, and which are both.

I recognize I could have searched more thoroughly, and I give my apologies to anybody I importuned. My ignorance in networking and hacking is even greater than in RCE, so I asked for some guidance.

evaluator
January 13th, 2004, 13:20
naides, +SPLAJ already pointed you to -www.tamos products,
keygened by him, kraked by mim?

disavowed
January 13th, 2004, 13:56
Quote:
[Originally Posted by naides]I give my apologies to anybody I importuned.

apology accepted

TOTEU
January 28th, 2004, 23:36
On a side note:

How about netsh?

cmd
netsh
netsh>interface ip show

and for more see netsh on technet