Security Basics mailing list archives

Re: What does this mean?
From: Adnan Ali <call_ret () yahoo com>
Date: Wed, 28 Apr 2004 05:56:16 -0700 (PDT)

--- Dedric Ramsey - Ramsey Consulting Svcs <ramseycs () bellsouth net> wrote:

Adnan Ali wrote:

Active Connections:
Proto  Local Addr    Foreign Addr     State 


This is used for NetBIOS



So is this port.

smb used for filesharing?



These two seem normal as well, the same with ports shown below.

Let me say I feel uncomfortable about these open ports as these are unprivileged ports listening for connection requests. Using tcpview I found that one of them is being used by lsass.exe (IPSec?) along with port 500. That's alright, what about the other port?

Let me give you my output from tcpview today:
(Some ports have changed, lsass.exe is now listening on a different port. 500 is standard, but above 1023 it is picking up any port at random. Should have been assigned a fixed port!)

lsass.exe:228   UDP    *:*             

lsass.exe:228   UDP *:*

-----Fine, being used by lsass.exe (ISAKMP). 


MsgSys.EXE:828  UDP   *:*             

-----As you said, this is AMS.

MSTask.exe:612  TCP LISTENING     

-----Another of MS autostartup applications

services.exe:216 UDP    *:*

------What should this be?

svchost.exe:388 TCP       LISTENING       

svchost.exe:388 UDP     *:*             

System:8        TCP       LISTENING       

System:8        UDP     *:*             

------alright as you said.

winlogon.exe:184 UDP    *:*

-----Windows logon?

System:8        TCP       LISTENING       

------Now what about this port? I just can't figure out what this is being used for. Any explanations?

UDP            *:*                 
UDP            *:*                 
UDP           *:*                 
UDP          *:*

As for this port, Google led me to this site which says:

Msgsys is an Alert Management System (AMS) process for generating and sending configured AMS alerts. Msgsys communications uses port 38037 and 38292 for both TCP and UDP communication.

Are you running any Symantec Products, specifically one of their AV lines, or Firewalls?

UDP        *:*                 

This is used for ISAKMP (Internet Security Association and Key Management Protocol), so there shouldn't be anything to worry about there either. It's just there since Windows 2000 supports

I get this output even when I am running no application on the machine.

Of course, this all seems quite suspicious. 

Can somebody please help me figure out what is on? At least find the respective applications on various ports?

Thanks and best regards,

So to me, with just the information you've provided, nothing is out of the ordinary. Of course, if it makes you feel better, point Nmap or something similar at it and see what you find. Same with your AV scanner of choice. (Trend Micro has a nice web-based one on their site, as does Panda, although I've never used theirs.)

Take care,

Dedric Ramsey
Ramsey Consulting Services

Thanks for all your help.
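An added example, not from the thread, of the cross-check Adnan is doing by hand with tcpview: it parses `netstat -ano` and `tasklist /fo csv /nh` output (constructed sample data below; `netstat -ano` assumes Windows XP or later), ties each listening socket to its process, labels the ports the thread discusses (NetBIOS, SMB, ISAKMP, AMS), and flags unexplained listeners above 1023 for review.

```python
# Ports the thread talks about; labels are a defender's lookup table, not a complete list.
KNOWN_SERVICES = {
    ("UDP", 137): "NetBIOS name service", ("UDP", 138): "NetBIOS datagram",
    ("TCP", 139): "NetBIOS session", ("TCP", 445): "SMB (file sharing)",
    ("UDP", 500): "ISAKMP (IPsec key exchange)",
    ("TCP", 38037): "AMS (Alert Management System)", ("UDP", 38037): "AMS (Alert Management System)",
    ("TCP", 38292): "AMS (Alert Management System)", ("UDP", 38292): "AMS (Alert Management System)",
}

# Constructed sample output, in the column layout of 'netstat -ano' and 'tasklist /fo csv /nh'.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING       8
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       8
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       612
  TCP    192.0.2.10:1040        192.0.2.20:80          ESTABLISHED     1200
  UDP    0.0.0.0:500            *:*                                    228
  UDP    0.0.0.0:38037          *:*                                    828
  UDP    0.0.0.0:1026           *:*                                    228
"""
TASKLIST_SAMPLE = '''"System","8","Console","0","216 K"
"lsass.exe","228","Console","0","6,404 K"
"MSTask.exe","612","Console","0","3,112 K"
"MsgSys.EXE","828","Console","0","2,840 K"'''

def parse_tasklist(text):
    """Map PID -> image name from tasklist CSV rows ("name","pid",...)."""
    pids = {}
    for line in text.strip().splitlines():
        fields = [f.strip('"') for f in line.split('","')]
        pids[int(fields[1])] = fields[0]
    return pids

def parse_netstat(text):
    """Return (proto, local port, state, pid) for each socket row of netstat -ano."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank or section lines
        port = int(parts[1].rsplit(":", 1)[1])  # works for IPv4 and [::]:port forms
        state = parts[3] if parts[0] == "TCP" else "*:*"  # UDP rows carry no state column
        rows.append((parts[0], port, state, int(parts[-1])))  # PID is always the last field
    return rows

def audit_listeners(netstat_text, tasklist_text):
    """One record per listening socket: owning process, service label, and a review flag."""
    pids = parse_tasklist(tasklist_text)
    report = []
    for proto, port, state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing sockets are not listeners
        label = KNOWN_SERVICES.get((proto, port))
        report.append({"proc": pids.get(pid, f"pid {pid}"), "proto": proto, "port": port,
                       "service": label or "unknown", "review": label is None and port > 1023})
    return report
```

In the sample, the unexplained listeners are MSTask.exe on TCP 1025 and lsass.exe on UDP 1026, which is the "random port above 1023" pattern the thread describes; the next step is to check the binary's path and signature rather than the port number alone.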



