• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 416

Strange Windows services trying to use port 110, suspected virus/trojan

Hi all,

I keep getting firewall notifications of Windows services trying to connect out to port 110 of my hosting company's POP server from a seemingly random port in the high range (over 20000). The services involved don't strike me as the type that have anything to do with POP.

I am running a Small Business Server 2003 that handles our internet connection, file and printer shares and an Exchange server getting its email from the hosting company that holds our domain name. I am running NAV Corp 7 for antivirus and it shows no infection. I have Sygate Pro for a firewall, latest major version but not the latest build. Checking my firewall's traffic logs shows the strange connections don't happen every day; they have only happened once in the 1 month period that has been logged (I have now increased the log time to 3 months). Please see the included log extract for a list of affected services.

Does anybody know what's going on here? I can't help thinking a malicious program is slowly infecting important Windows components and it's trying to break out and attack my hosting company's mail server. Either that or there is a bad misreporting bug with Sygate...

Either way I'd like to hear from the gurus to see what you all make of it.

Feel free to request any extra information or ask me to run some tests for you.

Thanks in advance,

alex

Below is an extract from the log with every connection using port 110 (you might want to copy and paste it to see it on one line per incident):

-----------------------------------------------------------------------------------------------------------------------------------------

Time      Action      Direction      Protocol      Remote Host      Remote Port      Local Host      Local Port      Application Name      Occurences      Begin Time      End Time
11/15/2004 10:16:33      Allowed      Outgoing      TCP      194.73.88.32      110      10.2.10.4      37208      C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\imbdlvr.exe      7      11/15/2004 10:15:19      11/15/2004 10:15:30
11/15/2004 10:31:48      Allowed      Outgoing      TCP      194.73.88.32      110      10.2.10.4      37315      C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\imbdlvr.exe      7      11/15/2004 10:30:40      11/15/2004 10:30:43
11/15/2004 10:47:26      Allowed      Outgoing      TCP      194.73.88.32      110      10.2.10.4      37445      C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\imbdownl.exe      7      11/15/2004 10:45:56      11/15/2004 10:46:23
11/15/2004 11:01:40      Allowed      Outgoing      TCP      194.73.88.32      110      10.2.10.4      37537      C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\imbdownl.exe      7      11/15/2004 11:00:34      11/15/2004 11:00:36
11/15/2004 11:06:17      Allowed      Incoming      TCP      192.168.16.103      1499      194.73.88.32      110      C:\WINDOWS\system32\DRIVERS\raspppoe.sys      1      11/15/2004 11:05:12      11/15/2004 11:05:12
11/15/2004 11:06:17      Allowed      Incoming      TCP      192.168.16.103      1499      194.73.88.32      110      C:\WINDOWS\system32\drivers\ipnat.sys      1      11/15/2004 11:05:12      11/15/2004 11:05:12
11/15/2004 11:06:17      Allowed      Outgoing      TCP      194.73.88.32      110      10.2.10.4      1499      C:\WINDOWS\system32\drivers\ipnat.sys      1      11/15/2004 11:05:12      11/15/2004 11:05:12
11/15/2004 11:16:53      Allowed      Outgoing      TCP      194.73.88.32      110      10.2.10.4      37650      C:\Program Files\Internet Explorer\IEXPLORE.EXE      7      11/15/2004 11:15:44      11/15/2004 11:15:48
11/15/2004 11:23:57      Allowed      Incoming      TCP      192.168.16.103      1581      194.73.88.32      110      C:\WINDOWS\system32\DRIVERS\raspppoe.sys      1      11/15/2004 11:22:56      11/15/2004 11:22:56
11/15/2004 11:23:57      Allowed      Incoming      TCP      192.168.16.103      1581      194.73.88.32      110      C:\WINDOWS\system32\drivers\ipnat.sys      1      11/15/2004 11:22:56      11/15/2004 11:22:56
11/15/2004 11:23:57      Allowed      Outgoing      TCP      194.73.88.32      110      10.2.10.4      1581      C:\WINDOWS\system32\drivers\ipnat.sys      1      11/15/2004 11:22:56      11/15/2004 11:22:56
11/15/2004 11:32:02      Allowed      Outgoing      TCP      194.73.88.32      110      10.2.10.4      37768      C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\imbdlvr.exe      7      11/15/2004 11:30:55      11/15/2004 11:30:58
11/15/2004 11:46:10      Allowed      Outgoing      TCP      194.73.88.32      110      10.2.10.4      37851      C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\imbdownl.exe      7      11/15/2004 11:45:05      11/15/2004 11:45:08
11/15/2004 11:49:20      Blocked      Outgoing      TCP      194.73.88.32      110      10.2.10.4      21919      C:\Program Files\Common Files\Microsoft Shared\web server extensions\60\BIN\OWSTIMER.EXE      7      11/15/2004 11:49:08      11/15/2004 11:49:08

-----------------------------------------------------------------------------------------------------------------------------------------

I have also included the latest detailed notification from Sygate; this is the first time this particular service has attempted to use port 110:

-----------------------------------------------------------------------------------------------------------------------------------------

File Version :            11.0.5510
File Description :      SharePoint Timer Service (OWSTIMER.EXE)
File Path :            C:\Program Files\Common Files\Microsoft Shared\web server extensions\60\BIN\OWSTIMER.EXE
Process ID :            0x45C (Heximal) 1116 (Decimal)

Connection origin :      local initiated
Protocol :            TCP
Local Address :       10.2.10.4
Local Port :            21907
Remote Name :                  
Remote Address :      194.73.88.32
Remote Port :             110 (POP3 - Post Office Protocol - Version 3)

Ethernet packet details:
Ethernet II (Packet Length: 76)
      Destination:       00-01-30-bb-5b-f0
      Source:       00-10-5a-6b-a6-da
Type: IP (0x0800)
Internet Protocol
      Version: 4
      Header Length: 20 bytes
      Flags:
            .1.. = Don't fragment: Set
            ..0. = More fragments: Not set
      Fragment offset:0
      Time to live: 64
      Protocol: 0x6 (TCP - Transmission Control Protocol)
      Header checksum: 0xa114 (Correct)
      Source: 10.2.10.4
      Destination: 194.73.88.32
Transmission Control Protocol (TCP)
      Source port: 21907
      Destination port: 110
      Sequence number: 506842225
      Acknowledgment number: 0
      Header length: 28
      Flags:
            0... .... = Congestion Window Reduce (CWR): Not set
            .0.. .... = ECN-Echo: Not set
            ..0. .... = Urgent: Not set
            ...0 .... = Acknowledgment: Not set
            .... 0... = Push: Not set
            .... .0.. = Reset: Not set
            .... ..1. = Syn: Set
            .... ...0 = Fin: Not set
      Checksum: 0x7d4 (Correct)
      Data (0 Bytes)

Binary dump of the packet:
0000:  00 01 30 BB 5B F0 00 10 : 5A 6B A6 DA 08 00 45 00 | ..0.[...Zk....E.
0010:  00 30 F7 B7 40 00 40 06 : 14 A1 0A 02 0A 04 C2 49 | .0..@.@........I
0020:  58 20 55 93 00 6E 1E 35 : CC 71 00 00 00 00 70 02 | X U..n.5.q....p.
0030:  40 00 D4 07 00 00 02 04 : 05 B4 01 01 04 02 45 45 | @.............EE
0040:  50 45 4E 43 41 43 41 43 : 41 43 41 43             | PENCACACACAC    
0
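The hex dump in the Sygate notification can be checked independently of what the firewall prints next to it. The Python below is an added example, not code from the thread or from Sygate: it rebuilds the 76 bytes from the dump above, decodes the Ethernet, IPv4 and TCP headers, recomputes both Internet checksums and lists the TCP options. It stops at the IP total length (48 bytes), so the 14 bytes that follow the TCP header come out as Ethernet trailer rather than payload, which agrees with the "Data (0 Bytes)" line. Sygate prints both checksums byte-swapped (0xa114 and 0x7d4 against the wire bytes 14 A1 and D4 07); verifying over the raw bytes sidesteps that.

```python
import struct

# Hex dump exactly as printed in the Sygate notification above (a 76-byte Ethernet frame).
SYGATE_DUMP = """
0000:  00 01 30 BB 5B F0 00 10 : 5A 6B A6 DA 08 00 45 00 | ..0.[...Zk....E.
0010:  00 30 F7 B7 40 00 40 06 : 14 A1 0A 02 0A 04 C2 49 | .0..@.@........I
0020:  58 20 55 93 00 6E 1E 35 : CC 71 00 00 00 00 70 02 | X U..n.5.q....p.
0030:  40 00 D4 07 00 00 02 04 : 05 B4 01 01 04 02 45 45 | @.............EE
0040:  50 45 4E 43 41 43 41 43 : 41 43 41 43             | PENCACACACAC
"""

TCP_FLAG_BITS = [(0x80, "CWR"), (0x40, "ECE"), (0x20, "URG"), (0x10, "ACK"),
                 (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN")]
TCP_OPTION_NAMES = {2: "MSS", 3: "WSCALE", 4: "SACK_PERM", 8: "TIMESTAMP"}


def parse_dump(text: str) -> bytes:
    """Rebuild raw bytes from 'offset:  hh hh ... : hh hh | ascii' lines."""
    raw = bytearray()
    for line in text.splitlines():
        if not line.strip():
            continue
        hex_part = line.split("|", 1)[0].split(":", 1)[1]   # drop offset and ASCII column
        raw += bytes.fromhex(hex_part.replace(":", " "))
    return bytes(raw)


def ones_complement_ok(data: bytes) -> bool:
    """True when the Internet checksum over data (checksum field included) verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_tcp_options(opts: bytes) -> dict:
    """Decode kind/length/value TCP options; NOPs are skipped, EOL ends the list."""
    out, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = opts[i + 1]
        value = opts[i + 2:i + length]
        name = TCP_OPTION_NAMES.get(kind, f"opt{kind}")
        out[name] = int.from_bytes(value, "big") if value else True
        i += length
    return out


def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet II / IPv4 / TCP headers and verify both checksums.

    Only the bytes inside the IP total length belong to the packet; anything after
    that is Ethernet trailer/padding and is reported separately, not as TCP payload.
    """
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype {ethertype:#06x}")
    ip = frame[14:]
    ver_ihl, _tos, total_len, _ident, frag, ttl, proto, _ = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    packet, trailer = ip[:total_len], ip[total_len:]
    src_ip, dst_ip = packet[12:16], packet[16:20]
    if proto != 6:
        raise ValueError(f"not TCP: protocol {proto}")
    tcp = packet[ihl:]
    sport, dport, seq, ack, off_flags, window, _sum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, proto, len(tcp))  # TCP pseudo-header
    return {
        "src_mac": src_mac.hex("-"), "dst_mac": dst_mac.hex("-"),
        "src_ip": ".".join(map(str, src_ip)), "dst_ip": ".".join(map(str, dst_ip)),
        "ttl": ttl, "dont_fragment": bool(frag & 0x4000),
        "ip_checksum_ok": ones_complement_ok(packet[:ihl]),
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in TCP_FLAG_BITS if off_flags & bit],
        "window": window,
        "options": parse_tcp_options(tcp[20:data_off]),
        "tcp_checksum_ok": ones_complement_ok(pseudo + tcp),
        "payload_len": len(tcp) - data_off,
        "trailer_len": len(trailer),
    }


if __name__ == "__main__":
    for key, value in decode_frame(parse_dump(SYGATE_DUMP)).items():
        print(f"{key:>16}: {value}")
```

Run as a script it prints every decoded field; both checksums verify, the only flag set is SYN, and the options are MSS 1460 plus SACK permitted, so the captured packet is a plain connection attempt with no data, exactly what the firewall's summary says.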
Asked: ReapeRalex

1 Solution
RevelationCS commented:
Looks like someone on the network has software installed to check on a POP3 connection...

see the general topic of this thread - http://www.mcse.ms/message951534.html

0
 
ReapeRalex (Author) commented:
Hmm, it's a possibility... but I work in a small office and I can't imagine anyone installing something like that. They tend to pass that sort of work onto me :)

And besides, why would a POP3 connector be using different Windows services to do its work? Seems like a new one each month is trying to connect out...

Any more ideas? 'Cos it's really got me spooked.
0
 
RevelationCS commented:
Well, try some of the following online scanners to see if they pick anything up... you might want to do this on all of the PCs on the network just to be cautious:

Trend Antivirus Online Scanner - http://housecall.trendmicro.com
Stinger - http://vil.nai.com/vil/stinger

Also, the following will help locate and remove spyware that might be causing the problem
Adaware - http://www.lavasoftusa.com/software/adaware/
Spybot S&D - http://www.safer-networking.org/en/download/index.html
CoolWebShredder - http://www.spychecker.com/program/coolwebshredder.html
ToolBar Cop - http://www.mvps.org/sramesh2k/toolbarcop.htm

I would also recommend looking into a hardware firewall over a software firewall... just a personal preference there, but hardware tends to be more reliable when it comes to stopping attacks... Do you need to allow access to port 110? If not, block it with the firewall and see if that resolves the issue... I took a look at the information from the firewall further and the destination is in Amsterdam, NL - most likely a porn site or a hacker attempting to compromise your system...

(whois from netsol.com)
194.73.88.32
Record Type:   IP Address  
OrgName:    RIPE Network Coordination Centre
OrgID:      RIPE
Address:    Singel 258
Address:    1016 AB
City:       Amsterdam
StateProv:  
PostalCode:
Country:    NL

ReferralServer: whois://whois.ripe.net:43

NetRange:   194.0.0.0 - 194.255.255.255
CIDR:       194.0.0.0/8
NetName:    RIPE-CBLK2
NetHandle:  NET-194-0-0-0-1
Parent:    
NetType:    Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS2.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: AUTH03.NS.UU.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment:    These addresses have been further assigned to users in
Comment:    the RIPE NCC region. Contact information can be found in
Comment:    the RIPE database at http://www.ripe.net/whois
RegDate:    1993-07-21
Updated:    2004-03-16

 
Pulling up the website, (http://194.73.88.32) shows a Dorset Internet WebMail Portal....

The information for the SharePoint Timer Service (as noted above) can be found here:
http://www.microsoft.com/resources/documentation/wss/2/all/adminguide/en-us/stsk08.mspx

IMHO, you have a program installed that is attempting to access the internet over this port... Hope the above information helps...
0
 
RevelationCS commented:
What is the status of this question, as it has been 45 days since the last post? If you have any questions on how to properly close a question, assistance can be found at http://www.experts-exchange.com/help.jsp#hs5
0
 
ReapeRalex (Author) commented:
Sorry I went quiet on you, had a few deadlines to meet :)

I've installed Ad-Aware, found a few things, mostly tracking cookies and the Alexa data miner, but nothing to explain the port 110 usage. Incidentally, how does a PC get infected with Alexa? The server isn't used as a desktop PC so its internet usage is very limited.

There is a hardware firewall between us and the internet, but ports such as 80 and 110 are open for our use, hence the software firewall to plug the gaps. We do need port 110 for the server to collect our mail from our POP3 boxes and put it into our Exchange boxes. The IP address is the mail server we get our mail from; it belongs to our hosting company. The Amsterdam bit is a bit misleading, they are based in the UK. But my home IP address falls in the German range so the system isn't foolproof (makes it a real pain when I try to use Google and it's all in German).

Do you think it's worth running any of the other scanners or will they do the same job Ad-Aware does?
0
 
RevelationCS commented:
Not all scanners work the same way or catch the same items... I would suggest running all of the above listed scanners... What services or programs do you have running on this machine that would be accessing POP3 or SMTP? It might be possible that this is nothing to worry about if that is your ISP and the location of their web server...
0
 
ReapeRalex (Author) commented:
Well, the PC is a Small Business Server 2003 running the POP Connector Manager to get our mail off our hosting company's POP mail server. So I do expect POP traffic; what concerns me is when the PC has been running for some length of time and then decides another service needs access to the POP port. Each time this happens I check the service in question to make sure it is a legitimate executable in the correct directory, and it always is. Maybe it's just the patching that causes the firewall to re-query things.

Can you help me find out which of the following services need access to the POP port?

Outgoing access:
C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\imbdlvr.exe
C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\imbdownl.exe
C:\WINDOWS\system32\drivers\ipnat.sys
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\web server extensions\60\BIN\OWSTIMER.EXE
Incoming access:
C:\WINDOWS\system32\DRIVERS\raspppoe.sys
C:\WINDOWS\system32\drivers\ipnat.sys

In the meantime I will try the other scanners when I am able to reboot the box.

Thanks for the help,

alex
0
 
ReapeRalex (Author) commented:
P.S. The only 2 I expected to need POP access are the ones in the SBS POP3 directory.
0
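The question in the post above (which of these executables should be on port 110 at all) can be turned into a repeatable check over the firewall log. The Python below is an added example, not part of the thread: it encodes the asker's own expectation that only the two binaries in the SBS POP3 directory should act as POP3 clients, and it pairs the ipnat.sys/raspppoe.sys rows on the source port they share. In the log, the Incoming row from 192.168.16.103 port 1499 to 194.73.88.32:110 and the Outgoing row from 10.2.10.4 port 1499 to the same server carry the same source port, which is how a LAN workstation's own POP3 session passing through the server's NAT shows up in this log (the explanation RevelationCS offered first). Everything else on port 110, here IEXPLORE.EXE and OWSTIMER.EXE, is left for review rather than judged. The rows are copied from the log extract in the question; the mail server address and the allowlist come from the thread.

```python
import re

# Rows copied from the Sygate traffic log quoted in the question. Columns are separated
# by runs of spaces, while the timestamps and the paths contain single spaces.
LOG_EXTRACT = r"""
Time      Action      Direction      Protocol      Remote Host      Remote Port      Local Host      Local Port      Application Name      Occurences      Begin Time      End Time
11/15/2004 10:16:33      Allowed      Outgoing      TCP      194.73.88.32      110      10.2.10.4      37208      C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\imbdlvr.exe      7      11/15/2004 10:15:19      11/15/2004 10:15:30
11/15/2004 10:47:26      Allowed      Outgoing      TCP      194.73.88.32      110      10.2.10.4      37445      C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\imbdownl.exe      7      11/15/2004 10:45:56      11/15/2004 10:46:23
11/15/2004 11:06:17      Allowed      Incoming      TCP      192.168.16.103      1499      194.73.88.32      110      C:\WINDOWS\system32\DRIVERS\raspppoe.sys      1      11/15/2004 11:05:12      11/15/2004 11:05:12
11/15/2004 11:06:17      Allowed      Incoming      TCP      192.168.16.103      1499      194.73.88.32      110      C:\WINDOWS\system32\drivers\ipnat.sys      1      11/15/2004 11:05:12      11/15/2004 11:05:12
11/15/2004 11:06:17      Allowed      Outgoing      TCP      194.73.88.32      110      10.2.10.4      1499      C:\WINDOWS\system32\drivers\ipnat.sys      1      11/15/2004 11:05:12      11/15/2004 11:05:12
11/15/2004 11:16:53      Allowed      Outgoing      TCP      194.73.88.32      110      10.2.10.4      37650      C:\Program Files\Internet Explorer\IEXPLORE.EXE      7      11/15/2004 11:15:44      11/15/2004 11:15:48
11/15/2004 11:49:20      Blocked      Outgoing      TCP      194.73.88.32      110      10.2.10.4      21919      C:\Program Files\Common Files\Microsoft Shared\web server extensions\60\BIN\OWSTIMER.EXE      7      11/15/2004 11:49:08      11/15/2004 11:49:08
"""

MAIL_SERVER = "194.73.88.32"   # the hosting company's POP3 server named in the thread
# The asker's expectation: only the two SBS POP3 connector binaries should talk POP3.
EXPECTED_POP3_CLIENTS = {"imbdlvr.exe", "imbdownl.exe"}
EXPECTED_POP3_DIR = r"c:\program files\microsoft windows small business server\networking\pop3"
NAT_DRIVERS = {"ipnat.sys", "raspppoe.sys"}   # NAT and PPPoE drivers on the SBS box


def parse_log(text: str) -> list:
    """Split the log on runs of two or more spaces, keyed by the header row."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    rows = []
    for line in lines[1:]:
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != len(header):
            raise ValueError(f"unexpected column count in: {line!r}")
        rows.append(dict(zip(header, fields)))
    return rows


def triage(rows: list) -> list:
    """Classify every port-110 row as expected / nat-forwarded / review.

    Returns (verdict, executable, detail) tuples. A NAT-forwarded session appears
    as an Incoming row from a LAN host to MAIL_SERVER:110 plus an Outgoing row from
    the server that reuses the LAN host's source port, so rows are paired on it.
    """
    lan_clients = {}  # LAN source port -> LAN host, learned from the Incoming rows
    for r in rows:
        if r["Direction"] == "Incoming" and r["Local Host"] == MAIL_SERVER and r["Local Port"] == "110":
            lan_clients[r["Remote Port"]] = r["Remote Host"]

    findings = []
    for r in rows:
        if "110" not in (r["Remote Port"], r["Local Port"]):
            continue
        directory, _, exe = r["Application Name"].lower().rpartition("\\")
        if exe in EXPECTED_POP3_CLIENTS and directory == EXPECTED_POP3_DIR and r["Direction"] == "Outgoing":
            findings.append(("expected", exe, f"local port {r['Local Port']}"))
        elif exe in NAT_DRIVERS:
            port = r["Remote Port"] if r["Direction"] == "Incoming" else r["Local Port"]
            findings.append(("nat-forwarded", exe, f"{lan_clients.get(port, 'unknown LAN host')}:{port}"))
        else:
            findings.append(("review", exe, f"{r['Action']} {r['Direction']} from local port {r['Local Port']}"))
    return findings


def apps_to_review(findings: list) -> set:
    """Executables that used port 110 without being an expected client or the NAT path."""
    return {exe for verdict, exe, _ in findings if verdict == "review"}


if __name__ == "__main__":
    for verdict, exe, detail in triage(parse_log(LOG_EXTRACT)):
        print(f"{verdict:<14} {exe:<14} {detail}")
```

Checking the directory as well as the file name matters: a binary with the right name in the wrong folder is exactly the case the asker says he verifies by hand each time, and the allowlist should not be fooled by it either.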
 
RevelationCS commented:
ipnat.sys is a valid Windows service (Windows IP Network Address Translator) and the location is correct; however, I am not certain as to what port it uses. Based on what I have seen in a few other forums, this might be the cause of the port being open...

IEXPLORE.EXE - this is the executable for Internet Explorer

OWSTIMER.EXE - SharePoint Timer Service (http://www.microsoft.com/resources/documentation/wss/2/all/adminguide/en-us/stsg02.mspx)

raspppoe.sys - this is a PPPoE driver

Try downloading the current version of HJT from http://www.spywareinfo.com/~merijn/files/hijackthis.zip; if you have any questions on the process of installing/running it, see http://www.spywareinfo.com/~merijn/faq.html

Once you have created the HJT log file, post the log here --> http://hijackthis.de/index.php?langselect=english and see if it comes up with anything that could be a potential issue....
0
 
ReapeRalex (Author) commented:
Yeah, they are all valid services in the right location, but I'm not sure if they should all be using the POP port.

Just did a HijackThis report; it complained about a few IE default pages, but Windows SBS is full of strange default pages (company web etc.) so they did not concern me. Everything else was programs I had installed (e.g. temperature monitoring).

I don't suppose you know a group/forum that would know which services use which ports, so I can do one final check and be sure the services I have picked up on are doing what they are supposed to do?
0
 
RevelationCS commented:
Most of the sites only list the ports and a common registered program for the port, but are not inclusive of all of the other known applications that use the port.... I think the most likely culprit might be the ipnat.sys....

Have you tried doing a netstat -a to see what that shows?
0
 
ReapeRalex (Author) commented:
Bleah, can't see the woods for the trees in that. Does this netstat dump mean anything to you?


Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    fileserver:smtp        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:nameserver  fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:http        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:kerberos    fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:pop3        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:epmap       fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:ldap        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:https       fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:444         fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:microsoft-ds  fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:kpasswd     fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:593         fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:ldaps       fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:691         fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:995         fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:1026        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:1027        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:1029        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:1075        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:1076        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:1082        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:pptp        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:3010        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:3029        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:3037        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:3041        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:3044        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:3050        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:3055        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:3065        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:3103        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:3268        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:3269        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:3389        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:5623        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:5800        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:5900        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:6001        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:6002        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:6004        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:8081        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:domain      fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:ldap        fileserver.wisdom.local:46578  ESTABLISHED
  TCP    fileserver:ldap        fileserver.wisdom.local:54334  ESTABLISHED
  TCP    fileserver:3042        fileserver.wisdom.local:ldap  CLOSE_WAIT
  TCP    fileserver:3125        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:46578       fileserver.wisdom.local:ldap  ESTABLISHED
  TCP    fileserver:54334       fileserver.wisdom.local:ldap  ESTABLISHED
  TCP    fileserver:domain      fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:epmap       fileserver.wisdom.local:54389  ESTABLISHED
  TCP    fileserver:netbios-ssn  fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:netbios-ssn  jezgeforce.wisdom.local:1464  ESTABLISHED
  TCP    fileserver:netbios-ssn  davidxp.wisdom.local:2063  ESTABLISHED
  TCP    fileserver:netbios-ssn  tonyxp.wisdom.local:1746  ESTABLISHED
  TCP    fileserver:ldap        fileserver.wisdom.local:46403  ESTABLISHED
  TCP    fileserver:ldap        fileserver.wisdom.local:46404  ESTABLISHED
  TCP    fileserver:ldap        fileserver.wisdom.local:46407  ESTABLISHED
  TCP    fileserver:ldap        fileserver.wisdom.local:46408  ESTABLISHED
  TCP    fileserver:ldap        fileserver.wisdom.local:46409  ESTABLISHED
  TCP    fileserver:ldap        fileserver.wisdom.local:46429  ESTABLISHED
  TCP    fileserver:ldap        fileserver.wisdom.local:46569  ESTABLISHED
  TCP    fileserver:ldap        fileserver.wisdom.local:46572  ESTABLISHED
  TCP    fileserver:ldap        fileserver.wisdom.local:46573  ESTABLISHED
  TCP    fileserver:ldap        fileserver.wisdom.local:46574  ESTABLISHED
  TCP    fileserver:ldap        fileserver.wisdom.local:46575  ESTABLISHED
  TCP    fileserver:ldap        fileserver.wisdom.local:46592  ESTABLISHED
  TCP    fileserver:ldap        fileserver.wisdom.local:46635  ESTABLISHED
  TCP    fileserver:ldap        fileserver.wisdom.local:46636  ESTABLISHED
  TCP    fileserver:ldap        fileserver.wisdom.local:46637  ESTABLISHED
  TCP    fileserver:ldap        fileserver.wisdom.local:46652  ESTABLISHED
  TCP    fileserver:ldap        fileserver.wisdom.local:46653  ESTABLISHED
  TCP    fileserver:ldap        fileserver.wisdom.local:46654  ESTABLISHED
  TCP    fileserver:ldap        fileserver.wisdom.local:47079  ESTABLISHED
  TCP    fileserver:ldap        fileserver.wisdom.local:47252  ESTABLISHED
  TCP    fileserver:ldap        fileserver.wisdom.local:47267  ESTABLISHED
  TCP    fileserver:ldap        fileserver.wisdom.local:54390  ESTABLISHED
  TCP    fileserver:microsoft-ds  noakie.wisdom.local:1094  ESTABLISHED
  TCP    fileserver:microsoft-ds  alex2k.wisdom.local:1081  ESTABLISHED
  TCP    fileserver:691         fileserver.wisdom.local:3053  ESTABLISHED
  TCP    fileserver:691         fileserver.wisdom.local:3102  ESTABLISHED
  TCP    fileserver:691         fileserver.wisdom.local:46807  ESTABLISHED
  TCP    fileserver:1026        fileserver.wisdom.local:3049  ESTABLISHED
  TCP    fileserver:1026        fileserver.wisdom.local:3051  ESTABLISHED
  TCP    fileserver:1026        fileserver.wisdom.local:3144  ESTABLISHED
  TCP    fileserver:1026        fileserver.wisdom.local:3330  ESTABLISHED
  TCP    fileserver:1026        fileserver.wisdom.local:32352  ESTABLISHED
  TCP    fileserver:1026        noakie.wisdom.local:1166  ESTABLISHED
  TCP    fileserver:1026        noakie.wisdom.local:1170  ESTABLISHED
  TCP    fileserver:1026        jezgeforce.wisdom.local:3242  ESTABLISHED
  TCP    fileserver:1026        davidxp.wisdom.local:1568  ESTABLISHED
  TCP    fileserver:1026        martynxp.wisdom.local:1114  ESTABLISHED
  TCP    fileserver:1026        tonyxp.wisdom.local:1098  ESTABLISHED
  TCP    fileserver:1026        alex2k.wisdom.local:1094  ESTABLISHED
  TCP    fileserver:3009        fileserver.wisdom.local:ldap  CLOSE_WAIT
  TCP    fileserver:3049        fileserver.wisdom.local:1026  ESTABLISHED
  TCP    fileserver:3051        fileserver.wisdom.local:1026  ESTABLISHED
  TCP    fileserver:3053        fileserver.wisdom.local:691  ESTABLISHED
  TCP    fileserver:3061        fileserver.wisdom.local:ldap  CLOSE_WAIT
  TCP    fileserver:3102        fileserver.wisdom.local:691  ESTABLISHED
  TCP    fileserver:3103        noakie.wisdom.local:1184  ESTABLISHED
  TCP    fileserver:3103        noakie.wisdom.local:1747  ESTABLISHED
  TCP    fileserver:3103        jezgeforce.wisdom.local:3245  ESTABLISHED
  TCP    fileserver:3103        davidxp.wisdom.local:4976  ESTABLISHED
  TCP    fileserver:3103        martynxp.wisdom.local:1121  ESTABLISHED
  TCP    fileserver:3103        tonyxp.wisdom.local:1736  ESTABLISHED
  TCP    fileserver:3103        alex2k.wisdom.local:1098  ESTABLISHED
  TCP    fileserver:3144        fileserver.wisdom.local:1026  ESTABLISHED
  TCP    fileserver:3243        fileserver.wisdom.local:ldap  CLOSE_WAIT
  TCP    fileserver:3268        fileserver.wisdom.local:46263  ESTABLISHED
  TCP    fileserver:3268        fileserver.wisdom.local:46478  ESTABLISHED
  TCP    fileserver:3268        fileserver.wisdom.local:46552  ESTABLISHED
  TCP    fileserver:3268        fileserver.wisdom.local:46557  ESTABLISHED
  TCP    fileserver:3268        fileserver.wisdom.local:53444  ESTABLISHED
  TCP    fileserver:3268        noakie.wisdom.local:1748  ESTABLISHED
  TCP    fileserver:3275        fileserver.wisdom.local:ldap  CLOSE_WAIT
  TCP    fileserver:3330        fileserver.wisdom.local:1026  ESTABLISHED
  TCP    fileserver:5900        alex2k.wisdom.local:1758  ESTABLISHED
  TCP    fileserver:20540       fileserver.wisdom.local:ldap  CLOSE_WAIT
  TCP    fileserver:21666       fileserver.wisdom.local:ldap  CLOSE_WAIT
  TCP    fileserver:21667       fileserver.wisdom.local:3268  CLOSE_WAIT
  TCP    fileserver:31490       fileserver.wisdom.local:ldap  CLOSE_WAIT
  TCP    fileserver:32352       fileserver.wisdom.local:1026  ESTABLISHED
  TCP    fileserver:46263       fileserver.wisdom.local:3268  ESTABLISHED
  TCP    fileserver:46403       fileserver.wisdom.local:ldap  ESTABLISHED
  TCP    fileserver:46404       fileserver.wisdom.local:ldap  ESTABLISHED
  TCP    fileserver:46407       fileserver.wisdom.local:ldap  ESTABLISHED
  TCP    fileserver:46408       fileserver.wisdom.local:ldap  ESTABLISHED
  TCP    fileserver:46409       fileserver.wisdom.local:ldap  ESTABLISHED
  TCP    fileserver:46429       fileserver.wisdom.local:ldap  ESTABLISHED
  TCP    fileserver:46478       fileserver.wisdom.local:3268  ESTABLISHED
  TCP    fileserver:46552       fileserver.wisdom.local:3268  ESTABLISHED
  TCP    fileserver:46557       fileserver.wisdom.local:3268  ESTABLISHED
  TCP    fileserver:46569       fileserver.wisdom.local:ldap  ESTABLISHED
  TCP    fileserver:46572       fileserver.wisdom.local:ldap  ESTABLISHED
  TCP    fileserver:46573       fileserver.wisdom.local:ldap  ESTABLISHED
  TCP    fileserver:46574       fileserver.wisdom.local:ldap  ESTABLISHED
  TCP    fileserver:46575       fileserver.wisdom.local:ldap  ESTABLISHED
  TCP    fileserver:46576       fileserver.wisdom.local:ldap  CLOSE_WAIT
  TCP    fileserver:46592       fileserver.wisdom.local:ldap  ESTABLISHED
  TCP    fileserver:46635       fileserver.wisdom.local:ldap  ESTABLISHED
  TCP    fileserver:46636       fileserver.wisdom.local:ldap  ESTABLISHED
  TCP    fileserver:46637       fileserver.wisdom.local:ldap  ESTABLISHED
  TCP    fileserver:46652       fileserver.wisdom.local:ldap  ESTABLISHED
  TCP    fileserver:46653       fileserver.wisdom.local:ldap  ESTABLISHED
  TCP    fileserver:46654       fileserver.wisdom.local:ldap  ESTABLISHED
  TCP    fileserver:46807       fileserver.wisdom.local:691  ESTABLISHED
  TCP    fileserver:46982       fileserver.wisdom.local:3268  CLOSE_WAIT
  TCP    fileserver:46983       fileserver.wisdom.local:ldap  CLOSE_WAIT
  TCP    fileserver:47079       fileserver.wisdom.local:ldap  ESTABLISHED
  TCP    fileserver:47252       fileserver.wisdom.local:ldap  ESTABLISHED
  TCP    fileserver:47267       fileserver.wisdom.local:ldap  ESTABLISHED
  TCP    fileserver:52908       fileserver.wisdom.local:ldap  CLOSE_WAIT
  TCP    fileserver:53444       fileserver.wisdom.local:3268  ESTABLISHED
  TCP    fileserver:53859       fileserver.wisdom.local:ldap  CLOSE_WAIT
  TCP    fileserver:53891       fileserver.wisdom.local:ldap  CLOSE_WAIT
  TCP    fileserver:53892       fileserver.wisdom.local:3268  CLOSE_WAIT
  TCP    fileserver:53994       fileserver.wisdom.local:3268  CLOSE_WAIT
  TCP    fileserver:54284       fileserver.wisdom.local:ldap  CLOSE_WAIT
  TCP    fileserver:54389       fileserver.wisdom.local:epmap  ESTABLISHED
  TCP    fileserver:54390       fileserver.wisdom.local:ldap  ESTABLISHED
  UDP    fileserver:nameserver  *:*                    
  UDP    fileserver:epmap       *:*                    
  UDP    fileserver:microsoft-ds  *:*                    
  UDP    fileserver:isakmp      *:*                    
  UDP    fileserver:1025        *:*                    
  UDP    fileserver:1067        *:*                    
  UDP    fileserver:1068        *:*                    
  UDP    fileserver:1072        *:*                    
  UDP    fileserver:1073        *:*                    
  UDP    fileserver:1077        *:*                    
  UDP    fileserver:l2tp        *:*                    
  UDP    fileserver:3008        *:*                    
  UDP    fileserver:3013        *:*                    
  UDP    fileserver:3038        *:*                    
  UDP    fileserver:3045        *:*                    
  UDP    fileserver:3046        *:*                    
  UDP    fileserver:3056        *:*                    
  UDP    fileserver:3057        *:*                    
  UDP    fileserver:3092        *:*                    
  UDP    fileserver:3097        *:*                    
  UDP    fileserver:3104        *:*                    
  UDP    fileserver:3108        *:*                    
  UDP    fileserver:3116        *:*                    
  UDP    fileserver:3126        *:*                    
  UDP    fileserver:3134        *:*                    
  UDP    fileserver:3145        *:*                    
  UDP    fileserver:3146        *:*                    
  UDP    fileserver:3274        *:*                    
  UDP    fileserver:3338        *:*                    
  UDP    fileserver:3456        *:*                    
  UDP    fileserver:3457        *:*                    
  UDP    fileserver:4213        *:*                    
  UDP    fileserver:4500        *:*                    
  UDP    fileserver:4813        *:*                    
  UDP    fileserver:6767        *:*                    
  UDP    fileserver:9231        *:*                    
  UDP    fileserver:12668       *:*                    
  UDP    fileserver:12688       *:*                    
  UDP    fileserver:30489       *:*                    
  UDP    fileserver:38037       *:*                    
  UDP    fileserver:46847       *:*                    
  UDP    fileserver:kerberos    *:*                    
  UDP    fileserver:389         *:*                    
  UDP    fileserver:kpasswd     *:*                    
  UDP    fileserver:domain      *:*                    
  UDP    fileserver:1071        *:*                    
  UDP    fileserver:3132        *:*                    
  UDP    fileserver:3133        *:*                    
  UDP    fileserver:3456        *:*                    
  UDP    fileserver:3457        *:*                    
  UDP    fileserver:11157       *:*                    
  UDP    fileserver:domain      *:*                    
  UDP    fileserver:bootps      *:*                    
  UDP    fileserver:bootpc      *:*                    
  UDP    fileserver:kerberos    *:*                    
  UDP    fileserver:netbios-ns  *:*                    
  UDP    fileserver:netbios-dgm  *:*                    
  UDP    fileserver:389         *:*                    
  UDP    fileserver:kpasswd     *:*                    
  UDP    fileserver:2535        *:*                    
  UDP    fileserver:bootps      *:*                    
  UDP    fileserver:kerberos    *:*                    
  UDP    fileserver:389         *:*                    
  UDP    fileserver:kpasswd     *:*                    
0
 
RevelationCS commented:
TCP    fileserver:pop3        fileserver.wisdom.local:0  LISTENING

You have something that is listening for POP3 traffic (port 110)... most likely some software that is installed as part of your mail system for pulling the mail from your ISP...
0
 
RevelationCS commented:
To go further... I do not think that it would be malicious, as malicious uses of the port should (at least theoretically) show up differently under the netstat... Listening means that it is idle, but holding the port for use by POP3... If it were being used, the netstat should say "Established".
0
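Two things are worth keeping apart when reading a netstat snapshot like the one above. A LISTENING socket is a server-side socket (here the SBS box's own POP3 service waiting for clients) and says nothing about the outbound polls the firewall logged; those would appear as ESTABLISHED connections with the hosting company's server and pop3 as the foreign address, and only while a poll is running, which the log's begin/end times show lasting a few seconds. The Python below is an added example, not part of the thread: it parses the Windows netstat -a format posted above (a subset of the rows is embedded) and separates the listening ports, the ESTABLISHED connections from other machines, and the sockets that touch a named service, so a snapshot can be read without counting lines by hand. The SELF_NAMES set (the names the server resolves itself to) is taken from the dump.

```python
from collections import Counter, defaultdict

# Lines taken from the netstat -a dump posted above (a representative subset).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    fileserver:smtp        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:pop3        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:3389        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:5900        fileserver.wisdom.local:0  LISTENING
  TCP    fileserver:ldap        fileserver.wisdom.local:46578  ESTABLISHED
  TCP    fileserver:46578       fileserver.wisdom.local:ldap  ESTABLISHED
  TCP    fileserver:3042        fileserver.wisdom.local:ldap  CLOSE_WAIT
  TCP    fileserver:netbios-ssn  jezgeforce.wisdom.local:1464  ESTABLISHED
  TCP    fileserver:microsoft-ds  noakie.wisdom.local:1094  ESTABLISHED
  TCP    fileserver:5900        alex2k.wisdom.local:1758  ESTABLISHED
  UDP    fileserver:nameserver  *:*
  UDP    fileserver:domain      *:*
"""

SELF_NAMES = {"fileserver", "fileserver.wisdom.local"}   # the server's own names in the dump


def parse_netstat(text: str) -> list:
    """Parse Windows 'netstat -a' rows into dicts; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue   # skips the title, the header row and blank lines
        lhost, lport = parts[1].rsplit(":", 1)
        fhost, fport = parts[2].rsplit(":", 1)
        rows.append({"proto": parts[0], "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport,
                     "state": parts[3] if len(parts) > 3 else ""})
    return rows


def listening_ports(rows: list) -> list:
    """Server-side TCP sockets: ports this box will accept connections on."""
    return sorted({r["lport"] for r in rows if r["state"] == "LISTENING"})


def remote_peers(rows: list) -> dict:
    """Foreign host -> local services it holds an ESTABLISHED connection to,
    leaving out the server's own connections to itself (the ldap pairs above)."""
    peers = defaultdict(list)
    for r in rows:
        if r["state"] == "ESTABLISHED" and r["fhost"] not in SELF_NAMES:
            peers[r["fhost"]].append(r["lport"])
    return dict(peers)


def service_states(rows: list, service: str) -> Counter:
    """States of every socket that involves `service` on either end, e.g. 'pop3'."""
    return Counter(r["state"] for r in rows if service in (r["lport"], r["fport"]))


def outbound_sessions_to(rows: list, host: str, service: str) -> list:
    """Client-side connections from this box to host:service. An active POP3 poll of
    the hosting company's server would show here, but only while it is running."""
    return [r for r in rows
            if r["fhost"] == host and r["fport"] == service and r["state"] == "ESTABLISHED"]


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    print("listening:", ", ".join(listening_ports(rows)))
    for host, services in remote_peers(rows).items():
        print(f"{host}: {services}")
    print("pop3 sockets:", dict(service_states(rows, "pop3")))
    print("active polls of 194.73.88.32:pop3:", len(outbound_sessions_to(rows, "194.73.88.32", "pop3")))
```

Because netstat is a point-in-time snapshot, run it while the POP3 connector is polling (or repeatedly) to catch the client-side session at all. On Windows XP and Server 2003 `netstat -o` adds the owning process ID, which can be compared against the executable the firewall names, and `-n` keeps addresses numeric so the mail server appears as 194.73.88.32 rather than a reverse-DNS name.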
 
ReapeRalex (Author) commented:
OK, so at this point is there anything you are suspicious about, or do you think the server is running normally?
0
 
RevelationCS commented:
I would say from the looks of it, I do not see anything suspicious and everything appears to be just fine...
0
 
ReapeRalex (Author) commented:
Bit of feedback:

Thanks for all the help, you've been very patient and informative :)
0
 
RevelationCS commented:
A pleasure to help
0
