Firewall Wizards mailing list archives

RE: Trojan detection and open ports


From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Mon, 10 Sep 2001 13:06:56 +0200

Look for a tool called fport. It is an equivalent to lsof on Unix hosts. It
can tell you what process is holding a port open on a Windows box.

0 $ ./fport
FPort v1.31 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com
Securing the dot com world

Pid   Process            Port  Proto Path
1192  nfrbof         ->  21    TCP   C:\Program Files\NFR\BackOfficer Friendly\nfrbof.exe
728   sshd           ->  22    TCP   c:\cygwin\usr\sbin\sshd.exe
1192  nfrbof         ->  23    TCP   C:\Program Files\NFR\BackOfficer Friendly\nfrbof.exe
1192  nfrbof         ->  25    TCP   C:\Program Files\NFR\BackOfficer Friendly\nfrbof.exe
1192  nfrbof         ->  80    TCP   C:\Program Files\NFR\BackOfficer Friendly\nfrbof.exe
1192  nfrbof         ->  110   TCP   C:\Program Files\NFR\BackOfficer Friendly\nfrbof.exe
376   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP

(As a bonus, I answered your question regarding port 135 :-) The DCE endpoint
mapper is a Windows system program.)

Rogan

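The same process-to-port mapping that fport prints, as an added example that is not from the original post, built from the cmdlets that ship with current Windows (Windows 8 / Server 2012 and later; fport itself only ran on the NT family). The function name Get-ListeningPortOwner, its -WatchPorts parameter, and the default watch list of 5053 and 7000 (the two ports the question could not explain) are this example's own choices. Run it from an elevated prompt, otherwise the executable path of SYSTEM-owned processes such as svchost comes back empty.

```powershell
# Added example, not part of the original mailing-list post: fport-style
# port -> owning process listing using the built-in NetTCPIP cmdlets.
# Assumes Windows 8 / Server 2012 or later and an elevated prompt.
function Get-ListeningPortOwner {
    [CmdletBinding()]
    param(
        # Ports to flag if anything listens on them. Illustrative defaults:
        # the two ports the original question could not account for.
        [int[]] $WatchPorts = @(5053, 7000)
    )

    # PID -> process object, so each owning process is looked up only once
    $procCache = @{}

    # TCP listeners and UDP endpoints, normalised into one shape
    $sockets = @(
        Get-NetTCPConnection -State Listen |
            Select-Object @{ n = 'Proto'; e = { 'TCP' } }, LocalAddress, LocalPort, OwningProcess
        Get-NetUDPEndpoint |
            Select-Object @{ n = 'Proto'; e = { 'UDP' } }, LocalAddress, LocalPort, OwningProcess
    )

    foreach ($s in $sockets) {
        $owner = [int] $s.OwningProcess
        if (-not $procCache.ContainsKey($owner)) {
            # Get-Process fails for a PID that exited between the two queries
            $procCache[$owner] = Get-Process -Id $owner -ErrorAction SilentlyContinue
        }
        $proc = $procCache[$owner]

        $name     = '<exited>'
        $path     = $null
        $services = $null
        if ($proc) {
            $name = $proc.ProcessName
            # .Path is $null for SYSTEM-owned processes unless you run elevated
            $path = $proc.Path
            # A bare "svchost" (as fport shows for port 135) is ambiguous: ask the
            # service control manager which services that PID is hosting.
            if ($name -eq 'svchost') {
                $services = (Get-CimInstance Win32_Service -Filter "ProcessId = $owner" |
                             Select-Object -ExpandProperty Name) -join ','
            }
        }

        [pscustomobject]@{
            ProcessId = $owner
            Process   = $name
            Port      = $s.LocalPort
            Proto     = $s.Proto
            Address   = $s.LocalAddress
            Path      = $path
            Services  = $services
            Flagged   = ($WatchPorts -contains $s.LocalPort)
        }
    }
}

# Usage:
#   Get-ListeningPortOwner | Sort-Object Proto, Port | Format-Table -AutoSize
#   Get-ListeningPortOwner | Where-Object Flagged | Format-Table -AutoSize
```

Two caveats a practitioner will hit. First, the Path column is the thing to read: a "normal" process name proves nothing if the binary lives somewhere odd, which is why the Services column resolves svchost to the services it hosts rather than stopping at the name. Second, none of this helps on the Win98SE laptop in the question: Windows 9x has no per-process socket table for fport or these cmdlets to read, so on that platform you are limited to the raw port list from netstat and a scan of the disk for what is configured to start.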


-----Original Message-----
From: Philip J. Koenig [mailto:pjklist () ekahuna com]
Sent: 07 September 2001 11:07
To: firewall-wizards () nfr com
Subject: [fw-wiz] Trojan detection and open ports


Have a client whose laptop was recently infected by the new Magistr.B 
virus.

In investigating this problem, I noticed that this machine (Win98SE) 
had some mysterious open ports, in particular:

135: TCP
5053: TCP
7000: TCP
7000: UDP

135 I remember from somewhere as normal (a NetBIOS thing?) but lists 
I have call it "DCE endpoint resolution" which doesn't make any sense 
to me.  None of the trojan port lists I reviewed showed anything on 
5053, and 7000 is used by SubSeven, among others.  Using a trojan 
scanner didn't turn up anything.

Anyone have any ideas what might be keeping those ports open?

Lastly - I was hoping to find some sort of tool that would scan for 
common open ports used by trojan programs, but the only anti-trojan 
tools I seem to be able to easily find are ones that run on the local 
PC.  Any pointers to something that works like the various DDoS 
zombie scanners or the eEye CodeRed scanner?

Thanks,


Phil



--
Philip J. Koenig                                       pjklist () ekahuna com
Electric Kahuna Systems -- Computers & Communications for the New Millennium

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
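
A minimal remote check of the kind the original question asked for, as an added example that is not from the original thread: a TCP connect scan of a short port list against one or more hosts, with a per-port timeout so a filtered port does not stall the run. The function name Test-RemotePorts, the default port list (the three TCP ports from the question), and the 192.0.2.10 address in the usage line are this example's own assumptions.

```powershell
# Added example, not part of the original mailing-list thread: TCP connect scan
# of a handful of ports with a per-port timeout. Works on Windows PowerShell 5.1
# and PowerShell 7. Only scan hosts you are authorised to test.
function Test-RemotePorts {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        # Illustrative default: the three TCP ports the original question asked about
        [int[]] $Port = @(135, 5053, 7000),
        [int] $TimeoutMs = 1000
    )

    foreach ($target in $ComputerName) {
        foreach ($p in $Port) {
            $client = New-Object System.Net.Sockets.TcpClient
            try {
                # ConnectAsync + Wait gives a bounded wait per port: a refused
                # connection surfaces as an exception (closed), an unanswered
                # SYN as a Wait() timeout (filtered).
                $task = $client.ConnectAsync($target, $p)
                $open = $task.Wait($TimeoutMs) -and $client.Connected
                $status = if ($open) { 'open' }
                          elseif ($task.IsCompleted) { 'closed' }
                          else { 'filtered' }
            } catch {
                $status = 'closed'
            } finally {
                $client.Dispose()
            }
            [pscustomobject]@{ ComputerName = $target; Port = $p; Status = $status }
        }
    }
}

# Usage (192.0.2.10 is a documentation address, substitute the host you are checking):
#   Test-RemotePorts -ComputerName 192.0.2.10 | Format-Table -AutoSize
#   Test-RemotePorts -ComputerName 192.0.2.10, 192.0.2.11 -Port 7000 -TimeoutMs 500
```

A connect scan only tells you that something on the host answered on that port; it cannot say which process owns it, so a hit still has to be followed up on the box itself (fport on NT-family Windows, lsof on Unix). It also does not cover the 7000/UDP entry from the question, since there is no handshake to complete on UDP.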