Security Incidents mailing list archives

Re: Backdoor ?? "Girlnextdoor_" TCP Ports 1025/1028
From: Harlan Carvey <keydet89 () yahoo com>
Date: Thu, 6 Mar 2003 13:56:54 -0800 (PST)

Robbert,

Have you tried running this on another machine?  I'm
sure you'll find the exact same thing.  When I run
netstat like you did, I get something similar.  The
important point is the STATE of the connection.  In
your case, and mine, the STATE is "LISTENING".  That
doesn't mean that there's a connection..."ESTABLISHED"
does.

Regarding ports 1025-1028...those are documented by
Microsoft as being used for RPC.  If you're REALLY
paranoid, run fport from Foundstone to see what's
bound to those ports.

--- Robbert Helling <robjeh () wanadoo nl> wrote:
If I look at my 2 first entries I see:
Active Connections

   Proto  Local Address          Foreign Address        State
   TCP    nack:epmap             nack:0                 LISTENING
   TCP    nack:microsoft-ds      nack:0                 LISTENING

The Foreign Address shows my own host name, I'm not
sure why it's listed this way. But I guess you have to
find your problem locally.


At 18:59 5-3-2003, H C wrote:
I'm not entirely sure what you mean by "foreign
address listening to ports..."...netstat shows you
what the local machine is listening on, and which
endpoints the foreign addresses are connected to.

Have you tried running Foundstone's fport yet?


Running netstat -a, I found a foreign address
"GirlNextDoor_" listening to ports TCP 1025/1028.

Can someone explain me what is going on this desktop?

It's a Win2k/SP2 workstation with McAfee antivirus and
ZoneAlarm.

Also, can you explain me the second set of
connections, foreign address "*:*"?

Thanks for your help,
Sal.




-------------------------------------------------------
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    p4win2k:epmap          Girlnextdoor_:0        LISTENING
  TCP    p4win2k:microsoft-ds   Girlnextdoor_:0        LISTENING
  TCP    p4win2k:1025           Girlnextdoor_:0        LISTENING
  TCP    p4win2k:1028           Girlnextdoor_:0        LISTENING
  TCP    p4win2k:netbios-ssn    Girlnextdoor_:0        LISTENING
  UDP    p4win2k:epmap          *:*
  UDP    p4win2k:microsoft-ds   *:*
  UDP    p4win2k:1027           *:*
  UDP    p4win2k:1030           *:*
  UDP    p4win2k:netbios-ns     *:*
  UDP    p4win2k:netbios-dgm    *:*
  UDP    p4win2k:isakmp         *:*

C:\>



-------------------------------------------------------



--
The Virgin BOFH...
Linux Registered User #288905
Public GnuPG Key B760A432 available at
http://www.ines.ro/public_keys/jay.gpg




