
Firewall Wizards mailing list archives
AW: Trojan detection and open ports
From: "Magholder, Gunnar" <Gunnar.Magholder () ht hamburg de>
Date: Mon, 10 Sep 2001 08:22:15 +0200
Hi Thomas,

As far as I know, the ports 135 - 139 are for the NetBIOS over TCP/IP traffic. Some people say you can get rid of that as soon as you switch to a native Active Directory, but I doubt that for name resolution purposes. So as long as your PCs are sharing information in an IP-based Windows network, you will have these ports open.

These NBT ports are a severe security threat if your machines are connected to the internet and if these ports are visible to the net. On my installations, I will NEVER let NBT traverse the firewall.

Hope this helps
Gunnar

-----Original Message-----
From: Thomas Ray [mailto:thomas.ray () tcud state tx us]
Sent: Friday, 7 September 2001 20:07
To: firewall-wizards () nfr com; pjklist () ekahuna com
Subject: [fw-wiz] Trojan detection and open ports

-I just ran Languard scanner on my box and network behind our Raptor and it finds this: port 135 [epmap => DCE endpoint resolution] on our Domain server and on our webserver (both non-Firewall servers) that both run NT4sp6.

-It also finds it on my win2k box as well as on a win95 box. The only similarity between these 2 is that port 139 (NetBIOS) is also open. I also run the only win2k box in our small office setup. All other systems run win95. The other systems don't have port 135. This win95 box acts as a "faxserver", which may explain why it has port 135 open after you read the following info.

-A quick search thru M$ Technet finds only the following:
port 135 is a "well-known" port assigned by IANA (per M$)
its service name is.......epmap
its alias is............. loc-srv
uses TCP and UDP

Searching on M-slug's website finds this paper:
http://www.microsoft.com/WINDOWS2000/techinfo/reskit/en/CNET/cnad_arc_plgn.htm

DCE = Distributed Computing Environment (aka RPC - Remote Procedure Call)

If I check the description in Services for Remote Procedure Call, I find: "Provides the endpoint mapper and other miscellaneous RPC services."
The other ports you mentioned are not shown in the list here -->
http://www.microsoft.com/WINDOWS2000/techinfo/reskit/samplechapters/cnfc/cnfc_por_zqyu.asp

This website says this: http://www.neohapsis.com/neolabs/neo-ports/neo-ports.html
135 tcp epmap DCE endpoint resolution
135 tcp loc-srv NCS local location broker
135 udp epmap DCE endpoint resolution
port 5053 not listed
7000 tcp ExploitTranslation [trojan] Exploit Translation Server
7000 tcp afs3-fileserver file server itself msdos
7000 udp afs3-fileserver file server itself

This website says this: www.portsdb.org
port 135 (we already know)
port 5053 not listed
port 7000 http://www.portsdb.org/bin/portsdb.cgi?portnumber=7000&protocol=ANY&String=
Ports | Prot | Name | Category | Source or Submitter of the Port Details | Details
7000 - 7003 | TCP | EverQuest | User | EverQuest MMORPG (Massive Multiplayer Online Role Playing Game)
7000 | TCP | Bricktrace Daemon | System | Daemon running on a Bintec Brick router, which sends debugging information (i.e. all data sent over the bri-lines) to a client.
7000 | TCP | afs3-fileserver | IANA | file server itself
7000 | UDP | Remote Grab | Cracker | Remote Grab Trojan
7000 | UDP | afs3-fileserver | IANA | file server itself

Hope this little bit of info helps,
tom
From: "Philip J. Koenig" <pjklist () ekahuna com>
To: firewall-wizards () nfr com
Date: Fri, 7 Sep 2001 02:06:57 -0700
Subject: [fw-wiz] Trojan detection and open ports

Have a client whose laptop was recently infected by the new Magistr.B virus. In investigating this problem, I noticed that this machine (Win98SE) had some mysterious open ports, in particular:

135: TCP
5053: TCP
7000: TCP
7000: UDP

135 I remember from somewhere as normal (a NetBIOS thing?) but lists I have call it "DCE endpoint resolution" which doesn't make any sense to me. None of the trojan port lists I reviewed showed anything on 5053, and 7000 is used by SubSeven, among others. Using a trojan scanner didn't turn up anything.

Anyone have any ideas what might be keeping those ports open?

Lastly - I was hoping to find some sort of tool that would scan for common open ports used by trojan programs, but the only anti-trojan tools I seem to be able to easily find are ones that run on the local PC. Any pointers to something that works like the various DDoS zombie scanners or the eEye CodeRed scanner?

Thanks,
Phil
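A small triage script for scan output of the kind discussed in this thread, added here as an example; it is not code from any of the posters or from the LANguard scanner. The port table, the internet-facing host list and the scan export are constructed from the lists quoted above, and the script applies Gunnar's rule (NBT and the RPC endpoint mapper never cross the firewall) while treating a port like 7000, which has both a benign and a trojan meaning, as something to verify on the host rather than as a verdict.

```python
from collections import defaultdict

# Constructed port table drawn from the lists quoted in the thread:
# (port, proto) -> (benign Windows/IANA meaning, trojan association or None).
PORT_INFO = {
    (135, "tcp"): ("epmap / loc-srv: DCE RPC endpoint mapper", None),
    (139, "tcp"): ("NetBIOS session service", None),
    (7000, "tcp"): ("afs3-fileserver", "SubSeven / Exploit Translation Server"),
    (7000, "udp"): ("afs3-fileserver", "Remote Grab"),
}
# Policy from Gunnar's reply: NetBIOS over TCP/IP and the RPC endpoint
# mapper never cross the firewall, so seeing them from outside is a finding.
NBT_PORTS = {135, 137, 138, 139}

def parse_scan(text):
    """Yield (host, port, proto) from lines like '10.0.0.5 135 tcp'."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[1].isdigit():  # skips header/blank lines
            yield fields[0], int(fields[1]), fields[2].lower()

def triage(text, internet_facing):
    """Map host -> [(port/proto, verdict, detail)]. EXPOSED-NBT: policy
    violation; VERIFY: port has a benign and a trojan meaning, so only the
    owning process on the host can decide; KNOWN: benign only; UNKNOWN."""
    findings = defaultdict(list)
    for host, port, proto in parse_scan(text):
        benign, trojan = PORT_INFO.get((port, proto), (None, None))
        if port in NBT_PORTS and host in internet_facing:
            verdict, detail = "EXPOSED-NBT", benign or "NetBIOS/RPC port"
        elif benign and trojan:
            verdict, detail = "VERIFY", f"{benign} or {trojan}"
        elif benign:
            verdict, detail = "KNOWN", benign
        else:
            verdict, detail = "UNKNOWN", "not in table; check owning process"
        findings[host].append((f"{port}/{proto}", verdict, detail))
    return dict(findings)

# Constructed sample scan export modelled on the hosts in the thread.
SAMPLE_SCAN = """host port proto
10.0.0.5 135 tcp
10.0.0.5 139 tcp
192.0.2.10 135 tcp
192.0.2.10 7000 tcp
192.0.2.10 5053 tcp
"""
```

Call `triage(SAMPLE_SCAN, {"192.0.2.10"})` to see the internal domain server come back KNOWN while the internet-facing host gets an EXPOSED-NBT finding for 135, a VERIFY for 7000 and an UNKNOWN for 5053.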
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards