- What are these tcp ports?
- Posted by Doug Fox on October 16th, 2005
Did an internal port scan on a number of Windows Server 2003 machines and found the
following ports, but they seem weird. Any
comments/suggestions/information would be appreciated.
85 (MIT ML Device)
264 (BGMP)
039 (Streamlined Blackhole)
1041 (AK2 Product)
1043 (BONIC Client Control)
1051 (Optima VNET)
1052 (Dynamic DNS Tools)
1074 (FASTechnologies License Manager)
1098 (RMI Activation)
1106 (ISOIPSIGPORT-1)
1119 (Battle.net Chat/Game Protocol)
1208 (SEAGULL AIS)
1264 (PRAT)
1302 (Cl3-Software-2)
1360 (MIMER)
1366 (Novell NetWare Comm Service Platform) - We don't have Novell stuff on our network!!
1378 Elan License Manager
4000 (Terabase)
5998 (Asp module for Apache servers)
6001 (Rainbow SuperPro Net network Services)
6071 (SSDTP)
6502 (BoKS Servm)
6503 (BoKS Clntd)
6504 ??
Best regards,
- Posted by Chuck on October 17th, 2005
On Sun, 16 Oct 2005 19:24:49 -0400, "Doug Fox" <dfox138-no-spam@hotmail.com>
wrote:
Doug,
Suspecting a malware problem, why not start by checking for malware?
<http://nitecruzr.blogspot.com/2005/05/dealing-with-malware-adware-spyware.html>
Knowing that malware will use any ports that it considers convenient, not
according to registration, look at those ports using TCPView (free) from
<http://www.sysinternals.com/ntw2k/source/tcpview.shtml>
Once you identify the process(es) that have opened those ports, find the
relevant program modules, and submit them for analysis to Jotti and VirusTotal.
Find all components of those processes using Process Explorer (also free), and
run interesting components through Jotti and VirusTotal too.
<http://virusscan.jotti.org/>
<http://www.virustotal.com/flash/index_en.html>
<http://www.sysinternals.com/ntw2k/freeware/procexp.shtml>
--
Cheers,
Chuck, MS-MVP [Windows - Networking]
http://nitecruzr.blogspot.com/
Paranoia is not a problem, when it's a normal response from experience.
My email is AT DOT
actual address pchuck mvps org.
- Posted by Winged on October 17th, 2005
Doug Fox wrote:
ports to be opened specifically. What software is installed on system?
I see battlenet which indicates at least 1 game service. It is
running BOINC which is a distributed computing platform.
The Novell stuff is required for IPX. There is a virtual net installed
on the system.
All of the info can be googled. Seems pretty straightforward to me.
This appears to be someone's game server, I suspect perhaps battlenet
itself, though I haven't checked. But there are some pricey toys
installed on system, seems like one who administered such a system would
know what was there.
Winged
- Posted by Hairy One Kenobi on October 17th, 2005
"Doug Fox" <dfox138-no-spam@hotmail.com> wrote in message
news:2oGdnZruKfejfM_eRVn-ug@rogers.com...
<snip>
http://www.codecutters.org/resources/knownports.html
http://www.codecutters.org/resources/regports.html
and their ilk are the official lists: I would have half-suspected a mix-up
with ephemeral ports, but for that glaring port 85.
A few seconds in Google found this:
http://www.doshelp.com/Ports/Trojan_Ports.htm
There's a new -b parameter in XP's netstat - not sure if that's in 2003
(although I'd have thought so). sysinternals.com provide duplicate
functionality, if you'd care to download.
HTH
Hairy One Kenobi
Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!
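The triage the replies describe (netstat -b / TCPView to tie a listening port to its process, then check the process) can be scripted. The following is an added example, not code from any poster in the thread: it parses Windows `netstat -ano` output, joins each LISTENING TCP port to its PID and image name, and reports listeners outside a known baseline. The netstat text, PID-to-image map and baseline set are constructed for the example.

```python
import re
from collections import namedtuple

# Constructed sample of Windows `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:85             0.0.0.0:0              LISTENING       1488
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       764
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    0.0.0.0:1119           0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.10:3389      192.168.1.55:50122     ESTABLISHED     1072
  UDP    0.0.0.0:500            *:*                                    612
"""

# Constructed PID -> image name map, as `tasklist` would report it.
TASKLIST_SAMPLE = {
    4: "System",
    764: "svchost.exe",
    1488: "unknown.exe",
    2044: "game_server.exe",
    1072: "svchost.exe",
}

# Hypothetical baseline: TCP ports this server is expected to listen on.
BASELINE = {135, 445, 3389}

Listener = namedtuple("Listener", "port pid image")

# Matches only TCP sockets in LISTENING state; handles both IPv4 and [::]-style IPv6 addresses.
LINE_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_listeners(netstat_text):
    """Return (port, pid) pairs for every TCP LISTENING line in netstat -ano output."""
    pairs = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def unexpected_listeners(netstat_text, tasklist, baseline):
    """Listeners whose port is not in the baseline, resolved to their owning image name."""
    return [Listener(port, pid, tasklist.get(pid, "<unknown pid>"))
            for port, pid in parse_listeners(netstat_text) if port not in baseline]
```

Each flagged `Listener` names the image to look up in Process Explorer and submit for analysis, which is the step the replies recommend.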