cpatte7372
asked on
TCP Port Question from GFI Audit
Hello Experts,
I am learning how to interpret results from network audits performed using GFI LANguard. The report below is taken directly from the 'Network & Software Audit' on my own PC. As you can see, it states over and over again that because GFI doesn't recognise the port it's possible I could be currently infected by a Trojan. So I went on http://www.honeypots.net/misc/services to understand for example if port 1170 or 990 (see below) was an actual service or could well be a trojan.
The website simply gave me the same information that GFI gives.
Therefore, is there a way I can check to see if for example port 1170 was a service or whether it actually is a trojan?
I would really appreciate your help with this one.
Cheers guys
Carlton
1170 [Description: LNSS attendant, If this service is not installed beware could be trojan:Psyber Stream Server , Voice / Service: Unknown]
1031 [Description: InetInfo, If this service is not installed beware could be trojan: KWM, Little Witch, Xanadu, Xot / Service: Unknown]
1035 [Description: Inet, SQL, If this service is not installed beware could be trojan: Dosh, KWM, RemoteNC, Truva Atl / Service: Unknown]
990 [Description: FTPS Protocol (control): FTP over TLS/SSL / Service: Unknown]
1169 [Description: Tripwire / Service: Unknown]
25 [Description: Simple Mail Transfer Protocol (SMTP) / Service: SMTP (Simple Mail Transfer Protocol)]
80 [Description: Hypertext Transfer Protocol (HTTP) / Service: HTTP (Hyper Text Transfer Protocol)]
135 [Description: DCE endpoint resolution / Service: Unknown]
443 [Description: Hypertext Transfer Protocol over TLS/SSL (HTTPS) / Service: Unknown]
445 [Description: Microsoft-DS Active Directory, Windows shares / Service: Unknown]
139 [Description: NetBIOS NetBIOS Session Service / Service: Unknown]
2103 [Description: zephyr-clt Project Athena Zephyr Notification Service serv-hm connection / Service: Unknown]
2105 [Description: IBM MiniPay / Service: Unknown]
ASKER
Neil,
I hear what you're saying, and I will go ahead and do what you suggested. However, this question is also to find the answer to what services are using the ports suggested by GFI and if indeed I have a virus?
It's part of a learning curve.
Regards
Carlton
ASKER CERTIFIED SOLUTION
ASKER
Neilsr
Thanks man....
Carlton
ASKER
Thanks
"Therefore, is there a way I can check to see if for example port 1170 was a service or whether it actually is a trojan?"
An actual answer to this question would be:
Run the following from the command line:
netstat -ano
to see listening port numbers and their associated process ID (PID). Using Task Manager, look up the process IDs to find the actual listening process.
You can also use:
netstat -ab
which will also show you the process names associated with a listening port - in fact it shows the sequence of components involved in creating a connection or listening port. For instance this output:
UDP somename:ntp *:*
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
ntdll.dll
-- unknown component(s) --
[svchost.exe]
shows that this machine ("somename") is using the ntp port (UDP 123) - note that this is a UDP port so there is no concept of "listening" or "connected" as there is for TCP ports - it simply means that a process is bound to that port and can use it whenever necessary.
So then there's 4 processes involved in creating this socket, svchost, ntdll, w32time and WS2_32 - The important ones to note are WS2_32 which is the Winsock2 library and w32time which is the windows time library. We can deduce that this is the windows time service which is resident in svchost and has called a Winsock2 function (e.g. bind(), or connect() ) on that port.
Hope that answers your question. May I suggest next time you wait a bit before accepting an answer - especially those that don't answer the question.
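A worked version of the netstat -ano / Task Manager cross-check described in the answer above, added here as an example and not part of jahboite's post. It parses constructed sample output of `netstat -ano` and `tasklist /fo csv /nh` (every PID is made up, and `lnssatt.exe` is a placeholder name for the GFI LANguard attendant) and reports which process owns each port from the GFI list, skipping established connections and flagging a PID that tasklist no longer knows.

```python
import csv
import re

# Constructed sample of `netstat -ano` output (not taken from the original post).
NETSTAT_ANO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:990            0.0.0.0:0              LISTENING       9999
  TCP    127.0.0.1:1170         0.0.0.0:0              LISTENING       1520
  TCP    192.168.1.10:3389      192.168.1.20:51234     ESTABLISHED     1044
  UDP    0.0.0.0:123            *:*                                    1044
"""
# Constructed sample of `tasklist /fo csv /nh` output; lnssatt.exe is a placeholder
# name for the GFI LANguard attendant, and PID 9999 is deliberately absent.
TASKLIST_CSV = """\
"System","4","Services","0","88 K"
"svchost.exe","876","Services","0","8,104 K"
"svchost.exe","1044","Services","0","12,520 K"
"lnssatt.exe","1520","Console","1","5,204 K"
"""
SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    return {int(row[1]): row[0] for row in csv.reader(text.splitlines()) if row}

def parse_netstat(text):
    """Yield (proto, local_ip, port, state, pid) per socket line; UDP has no state."""
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            proto, ip, port, state, pid = m.groups()
            yield proto, ip, int(port), state or "", int(pid)

def owners_of_ports(netstat_text, tasklist_text, ports):
    """Return {port: [(proto, image_name, pid, local_ip)]} for bound/listening sockets.
    ESTABLISHED TCP entries are skipped (they are clients, not the port's owner); a PID
    missing from tasklist is reported as '<unknown pid>': re-run both commands together."""
    pid_map = parse_tasklist(tasklist_text)
    report = {p: [] for p in ports}
    for proto, ip, port, state, pid in parse_netstat(netstat_text):
        if port in report and state in ("LISTENING", ""):
            report[port].append((proto, pid_map.get(pid, "<unknown pid>"), pid, ip))
    return report

if __name__ == "__main__":
    ports_from_gfi_report = [1170, 1031, 1035, 990, 1169, 25, 80, 135, 443, 445, 139]
    for port, owners in owners_of_ports(NETSTAT_ANO, TASKLIST_CSV, ports_from_gfi_report).items():
        print(port, owners or "not bound on this host")
```

On a real machine, feed it the saved output of both commands run back to back; a port that GFI flagged but that is not bound at all needs no further chasing.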
ASKER
jahboite
You're the best. This is exactly the answer I needed.
I wish I could re-assign you the points
Cheers mate.
Carlton
Glad to be of assistance! Forget the points, the important thing is that future people who come along with the same question as you are able to find the answer they need.
Did you also know you can scan ports with nmap ( http://nmap.org ) and it will try to tell you the service listening on that port:
nmap -sTV -p 1170 -Pn -n <IP_address>
-sTV instructs nmap to perform a TCP connect scan (T) and a service/version scan (V)
-p1170 designates the port 1170 to be scanned (you can scan 1 port, a range of ports, multiple ranges of ports, the top 1000 commonly open ports, the top 100 ports commonly open, all ports...)
-Pn is 'don't ping the host before scanning it'
-n is don't try reverse name resolution of the target
Note that this will scan TCP port 1170 - if you want to scan UDP port 1170 too, you can:
nmap -sSUV -p 1170 -Pn -n <IP_address>
but you can't scan yourself with this command on a windows box - only other boxes. Here -sSUV means
S - SYN scan - a much faster TCP scan type than a connect scan
U - UDP scan
V - service/version scan.
An example - netstat gives me this for TCP 3389:
TCP 0.0.0.0:3389
-- unknown component(s) --
C:\WINDOWS\system32\RPCRT4.dll
-- unknown component(s) --
[svchost.exe]
which isn't telling me a lot, the process id is for svchost...
nmap -sTV -p3389 -Pn -n localhost
Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-04-18 12:12 GMT Daylight Time
Nmap scan report for localhost (127.0.0.1)
Host is up (1.0s latency).
PORT STATE SERVICE VERSION
3389/tcp open microsoft-rdp Microsoft Terminal Service
Service Info: OS: Windows
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.33 seconds
which tells me the port may be for Microsoft Terminal Service and it's a fair bet it's the remote desktop service!
ASKER
Thanks again mate.
That will make my suggestion to potential clients much more credible when I carry out a vulnerability assessment on their computer systems.
That's great mate.
Carlton
Better lock it down and have 1 service fail for a short time than get infected.