TCP Port Question from GFI Audit

Hello Experts,

I am learning how to interpret results from network audits performed using GFI LANguard. The report below is taken directly from the 'Network & Software Audit' on my own PC. As you can see, it states over and over again that because GFI doesn't recognise the port it's possible I could be currently infected by a Trojan. So I went to http://www.honeypots.net/misc/services to understand, for example, whether port 1170 or 990 (see below) was an actual service or could well be a trojan.

The website simply gave me the same information that GFI gives.

Therefore, is there a way I can check to see if for example port 1170 was a service or whether it actually is a trojan?

I would really appreciate your help with this one.

Cheers guys

Carlton


1170 [Description: LNSS attendant, If this service is not installed beware could be trojan:Psyber Stream Server , Voice / Service: Unknown]
 
1031 [Description: InetInfo, If this service is not installed beware could be trojan: KWM, Little Witch, Xanadu, Xot / Service: Unknown]
 
1035 [Description: Inet, SQL, If this service is not installed beware could be trojan: Dosh, KWM, RemoteNC, Truva Atl / Service: Unknown]
 
990 [Description: FTPS Protocol (control): FTP over TLS/SSL / Service: Unknown]
 
1169 [Description: Tripwire / Service: Unknown]
 
25 [Description: Simple Mail Transfer Protocol (SMTP) / Service: SMTP (Simple Mail Transfer Protocol)]
 
80 [Description: Hypertext Transfer Protocol (HTTP) / Service: HTTP (Hyper Text Transfer Protocol)]
 
135 [Description: DCE endpoint resolution / Service: Unknown]
 
443 [Description: Hypertext Transfer Protocol over TLS/SSL (HTTPS) / Service: Unknown]
 
445 [Description: Microsoft-DS Active Directory, Windows shares / Service: Unknown]
 
139 [Description: NetBIOS NetBIOS Session Service / Service: Unknown]
 
2103 [Description: zephyr-clt Project Athena Zephyr Notification Service serv-hm connection / Service: Unknown]
 
2105 [Description: IBM MiniPay / Service: Unknown]
 
cpatte7372 Asked:

Neil Russell (Technical Development Lead) Commented:
Use your firewall, block ALL ports inbound and then ONLY open the ones YOU know you need. Does your desktop PC need port 80 open? Port 443? etc...
Better lock it down and have 1 service fail for a short time than get infected.
cpatte7372 (Author) Commented:
Neil,

I hear what you're saying, and I will go ahead and do what you suggested. However, this question is also to find the answer to what services are using the ports suggested by GFI and if indeed I have a virus?

It's part of a learning curve.

Regards

Carlton
Neil Russell (Technical Development Lead) Commented:
That's why I said lock it all down. If it's a valid service that you SHOULD be running then you'll notice when it stops working. If not then it's time to run a full malware check; use MALWAREBYTES in the first instance.
You should be doing so anyway on a semi-regular basis, to supplement your standard AV.
cpatte7372 (Author) Commented:
Neilsr

Thanks man....

Carlton
cpatte7372 (Author) Commented:
Thanks
jahboite Commented:
"Therefore, is there a way I can check to see if for example port 1170 was a service or whether it actually is a trojan?"

An actual answer to this question would be:

Run the following from the command line:

netstat -ano

to see listening port numbers and their associated process ID (PID).  Using Task Manager, look up the process IDs to find the actual listening process.
You can also use:

netstat -ab

which will also show you the process names associated with a listening port - in fact it shows the sequence of components involved in creating a connection or listening port.  For instance this output:

UDP    somename:ntp    *:*
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
ntdll.dll
-- unknown component(s) --
[svchost.exe]

shows that this machine ("somename") is using the ntp port (UDP 123) - note that this is a UDP port so there is no concept of "listening" or "connected" as there is for TCP ports - it simply means that a process is bound to that port and can use it whenever necessary.
So there are 4 processes involved in creating this socket: svchost, ntdll, w32time and WS2_32. The important ones to note are WS2_32, which is the Winsock2 library, and w32time, which is the Windows time library.  We can deduce that this is the Windows Time service, which is resident in svchost and has called a Winsock2 function (e.g. bind() or connect()) on that port.

Hope that answers your question.  May I suggest next time you wait a bit before accepting an answer - especially those that don't answer the question.
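The PID-to-process lookup described in the answer above, done by script rather than by hand in Task Manager. This is an added example, not code from the thread: it joins the output of `netstat -ano` (local port plus owning PID) with `tasklist /FO CSV` (PID plus image name) and flags any listening port whose owner is not the process you expect. Both captures embedded below are constructed samples, the process names in them (including `lnssatt.exe` for the LANguard attendant on 1170) are hypothetical, and the `EXPECTED` allow-list is something you fill in per machine.

```python
"""Map the ports GFI LANguard flags to the Windows process that owns them.

Added example, not from the original thread. Joins `netstat -ano` (port -> PID)
with `tasklist /FO CSV` (PID -> image name). SAMPLE_NETSTAT and SAMPLE_TASKLIST
are constructed sample output with hypothetical process names, not real captures.
"""
import csv
import io
import subprocess

# Constructed sample of `netstat -ano` (a real run lists far more rows).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1170           0.0.0.0:0              LISTENING       3120
  TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING       1524
  TCP    192.168.1.10:2105      203.0.113.7:443        ESTABLISHED     2244
  UDP    0.0.0.0:123            *:*                                    1100
"""

# Constructed sample of `tasklist /FO CSV`; lnssatt.exe is a hypothetical name.
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,234 K"
"svchost.exe","892","Services","0","5,120 K"
"svchost.exe","1100","Services","0","4,880 K"
"inetinfo.exe","1524","Services","0","9,404 K"
"lnssatt.exe","3120","Services","0","3,212 K"
"firefox.exe","2244","Console","1","88,100 K"
"""

def parse_netstat(text):
    """Return (proto, local port, state, pid) for every socket netstat -ano lists."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                                   # header, blank and title lines
        proto, local = parts[0], parts[1]
        port = int(local.rsplit(":", 1)[1])            # handles 0.0.0.0:135 and [::]:135
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:                                          # UDP rows have no State column
            state, pid = "BOUND", int(parts[3])
        sockets.append((proto, port, state, pid))
    return sockets

def parse_tasklist(text):
    """Return {pid: image name} from `tasklist /FO CSV` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}

def owners_of_listening_ports(netstat_text, tasklist_text):
    """Map each listening TCP port / bound UDP port to the image name of its owning PID."""
    names = parse_tasklist(tasklist_text)
    owners = {}
    for proto, port, state, pid in parse_netstat(netstat_text):
        if state in ("LISTENING", "BOUND"):
            owners[(proto, port)] = names.get(pid, "<pid %d not in tasklist>" % pid)
    return owners

def unexpected_listeners(owners, expected):
    """Ports whose owner is not the process you expect: the ones worth investigating."""
    return {k: v for k, v in owners.items() if expected.get(k) != v}

# Hypothetical allow-list for *this* box: what should own each port. Edit per host.
EXPECTED = {
    ("TCP", 135): "svchost.exe",   # RPC endpoint mapper
    ("TCP", 445): "System",        # SMB is served from the kernel, PID 4
    ("UDP", 123): "svchost.exe",   # w32time hosted in svchost
    ("TCP", 1170): "lnssatt.exe",  # LANguard attendant (hypothetical name), if installed
}

if __name__ == "__main__":
    # Live run on Windows; anywhere else (or if the tools are missing) fall back to the samples.
    try:
        ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
        tl = subprocess.run(["tasklist", "/FO", "CSV"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        ns, tl = SAMPLE_NETSTAT, SAMPLE_TASKLIST
    owners = owners_of_listening_ports(ns, tl)
    for (proto, port), name in sorted(owners.items()):
        print(f"{proto} {port:<6} {name}")
    for (proto, port), name in sorted(unexpected_listeners(owners, EXPECTED).items()):
        print(f"INVESTIGATE: {proto}/{port} owned by {name}")
```

On the sample data the only hit is TCP 1031 owned by `inetinfo.exe`, because nothing in the allow-list says IIS should be running. An image name on its own is a weak signal: malware routinely names itself `svchost.exe`, so for anything suspicious confirm the image path and signer as well (Process Explorer, or `Get-Process -Id <pid> | Select-Object Path` in PowerShell) rather than trusting the name from `tasklist`.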
cpatte7372 (Author) Commented:
jahboite

You're the best. This is exactly the answer I needed.

I wish I could re-assign you the points

Cheers mate.

Carlton
jahboite Commented:
Glad to be of assistance! Forget the points, the important thing is that future people who come along with the same question as you are able to find the answer they need.

Did you also know you can scan ports with nmap ( http://nmap.org ) and it will try to tell you the service listening on that port:

nmap -sTV -p 1170 -Pn -n <IP_address>

-sTV  instructs nmap to perform a TCP connect scan (T) and a service/version scan (V)
-p1170  designates the port 1170 to be scanned (you can scan 1 port, a range of ports, multiple ranges of ports, the top 1000 commonly open ports, the top 100 ports commonly open, all ports...)
-Pn  is 'don't ping the host before scanning it'
-n  is don't try reverse name resolution of the target

Note that this will scan TCP port 1170 - if you want to scan UDP port 1170 too, you can:

nmap -sSUV -p 1170 -Pn -n <IP_address>

but you can't scan yourself with this command on a Windows box - only other boxes. Here -sSUV means
S - SYN scan - a much faster TCP scan type than a connect scan
U - UDP scan
V - service/version scan.

An example - netstat gives me this for TCP 3389:

TCP    0.0.0.0:3389
-- unknown component(s) --
C:\WINDOWS\system32\RPCRT4.dll
-- unknown component(s) --
[svchost.exe]

which isn't telling me a lot; the process ID is for svchost...

nmap -sTV -p3389 -Pn -n localhost

Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-04-18 12:12 GMT Daylight Time
Nmap scan report for localhost (127.0.0.1)
Host is up (1.0s latency).
PORT     STATE SERVICE       VERSION
3389/tcp open  microsoft-rdp Microsoft Terminal Service
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.33 seconds

which tells me the port may be for Microsoft Terminal Service and it's a fair bet it's the remote desktop service!
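The nmap service detection shown above, read from nmap's XML output instead of by eye. This is an added example, not code from the thread or from the nmap project: it runs the same `-sTV -Pn -n` scan with `-oX -` (XML to stdout), parses the result, and separates a name nmap actually confirmed by probing the service from a name that is only the well-known-port default out of nmap-services. The embedded XML is a constructed sample modelled on the 3389 result above plus an unidentified port 1170; it is not real scanner output.

```python
"""Tell a probed service name apart from a port-table guess in nmap's XML output.

Added example, not from the thread. Runs `nmap -sTV -p <ports> -Pn -n -oX - <host>`
and parses the XML. SAMPLE_NMAP_XML is a constructed sample, not real scanner output.
"""
import subprocess
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """\
<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sTV -p 3389,1170 -Pn -n -oX - 127.0.0.1">
  <host>
    <status state="up"/>
    <address addr="127.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389">
        <state state="open" reason="syn-ack"/>
        <service name="ms-wbt-server" product="Microsoft Terminal Service" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="1170">
        <state state="open" reason="syn-ack"/>
        <service name="unknown" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """Return {(proto, port): {state, name, product, method, conf}} for every scanned port."""
    root = ET.fromstring(xml_text)
    results = {}
    for port in root.iter("port"):
        state = port.find("state").get("state")
        svc = port.find("service")          # missing when nmap has nothing to say about the port
        results[(port.get("protocol"), int(port.get("portid")))] = {
            "state": state,
            "name": svc.get("name", "") if svc is not None else "",
            "product": svc.get("product", "") if svc is not None else "",
            "method": svc.get("method", "") if svc is not None else "",
            "conf": int(svc.get("conf", "0")) if svc is not None else 0,
        }
    return results

def verdict(entry):
    """'probed': nmap got a response it recognised, so the name means something.
    'table-lookup-only': the name is just the nmap-services default for that port number,
    which is no better than the GFI/honeypots.net list; find the owner with netstat instead."""
    if entry["state"] != "open":
        return entry["state"]
    if entry["method"] == "probed" and entry["conf"] >= 5:
        return "probed"
    return "table-lookup-only"

def scan(host, ports):
    """Run the thread's connect + version scan with XML on stdout (needs nmap installed)."""
    cmd = ["nmap", "-sTV", "-p", ",".join(str(p) for p in ports), "-Pn", "-n", "-oX", "-", host]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_nmap_xml(out)

if __name__ == "__main__":
    try:
        results = scan("127.0.0.1", [3389, 1170])
    except (OSError, subprocess.CalledProcessError):
        results = parse_nmap_xml(SAMPLE_NMAP_XML)   # nmap not available: use the sample
    for (proto, port), e in sorted(results.items()):
        print(f"{port}/{proto} {e['state']:<8} {e['name']:<14} {e['product']:<28} -> {verdict(e)}")
```

The `method` attribute is the part worth checking: `probed` means the version probes got a banner or response that matched a fingerprint, while `table` means nmap only looked the port number up, exactly the kind of guess the GFI report and the honeypots.net list already gave. For a `table-lookup-only` port the nmap name proves nothing about what is really listening, and the netstat/PID lookup from the earlier answer is the way to settle it.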
cpatte7372 (Author) Commented:
Thanks again mate.

That will make my suggestion to potential clients much more credible when I carry out a vulnerability assessment on their computer systems.

That's great, mate.

Carlton