Pantek Library

Re: What is this port? is it a trojan?

From: Roger A. Grimes <rogerg(at)cox.net>
Date: Mon Jun 30 2003 - 18:18:11 EDT

It's hard to tell just looking at the netstat info below. The port is a little unusual, but is definitely not uncommon. Many legitimate programs open up high port numbers. If the netstat trace showed it connecting to a remote Internet host, then I'd be more suspicious. The key to any unknown port opening is to trace it back to the program, process, or service that is opening the port and then do research on the found cause (just as you are asking to do). There are several "port enumerators" that will tie back the program to the port. If you have Windows XP, you can do it using netstat command-line parameters (I think it is -o or -p)...which ties the open port to a process ID (PID) that can then be traced back to the program (using Task Manager) or a lot of other PID-listing tools. If you don't have XP, consider Foundstone's F-port or www.sysinternals.com's TCPView (although I get a lot of blue screens after installing it).

Be advised there are many ways for a malicious program to hide from port viewers, although they tend to be the exception rather than the rule.

Good luck.

Roger



*Roger A. Grimes, Computer Security Consultant
*CPA, MCSE (NT/2000), CNE (3/4), A+
*email: rogerg@cox.net
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by O'Reilly
*
http://www.oreilly.com/catalog/malmobcode
****************************************************************************
----- Original Message -----
From: "Hyperion" <nemesis@croasdalepreston.fsnet.co.uk>
To: "Security Basics Mailing List" <security-basics@securityfocus.com>
Sent: Monday, June 30, 2003 12:52 PM
Subject: What is this port? is it a trojan?

> Hello all :)
machine
> to see the different connections that arise and so forth.
for
> the necessary ideas or solutions on what to do in order to find out what's
Received on Wed Jul 2 11:55:42 2003
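
The triage described in the reply above (tie each open port to its PID and program, and look harder at connections to a remote Internet host), as an added example that is not part of the original post. It assumes saved output from `netstat -ano` and `tasklist /fo csv /nh`; all sample data, including the name `unknown.exe` and the documentation address 203.0.113.7, is constructed, and the list of "local" address ranges is an assumption.

```python
import csv, io, ipaddress

# Constructed `netstat -ano` output (sample data, not from the original post).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1120
  TCP    192.168.1.10:3012      192.168.1.1:80         ESTABLISHED     1500
  TCP    192.168.1.10:3456      203.0.113.7:6667       ESTABLISHED     2044
  UDP    0.0.0.0:1900           *:*                                    1120
"""
# Constructed `tasklist /fo csv /nh` output; unknown.exe is a made-up name.
TASKLIST = '''\
"svchost.exe","884","Console","0","3,120 K"
"svchost.exe","1120","Console","0","4,800 K"
"iexplore.exe","1500","Console","0","20,000 K"
"unknown.exe","2044","Console","0","1,200 K"
'''
# Address ranges treated as "not a remote Internet host" (an assumption).
LAN = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def pid_names(tasklist_csv):
    """Map PID -> image name from tasklist CSV rows."""
    return {r[1]: r[0] for r in csv.reader(io.StringIO(tasklist_csv)) if len(r) > 1}

def off_lan(endpoint):
    """True if the endpoint's address is a real, non-local IP."""
    host = endpoint.rsplit(":", 1)[0].strip("[]")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # "*" in UDP rows
        return False
    return not (ip.is_unspecified or any(ip in n for n in LAN))

def triage(netstat_text, tasklist_csv):
    """Join each socket to its owning program and flag Internet connections."""
    names, rows = pid_names(tasklist_csv), []
    for f in (line.split() for line in netstat_text.splitlines()):
        if not f or f[0] not in ("TCP", "UDP"):
            continue
        state = f[3] if len(f) == 5 else ""   # UDP rows have no State column
        rows.append({"proto": f[0], "local": f[1], "remote": f[2], "state": state,
                     "pid": f[-1], "image": names.get(f[-1], "?"),
                     "suspect": state == "ESTABLISHED" and off_lan(f[2])})
    return rows

if __name__ == "__main__":
    for r in triage(NETSTAT, TASKLIST):
        print(r["proto"], r["local"], r["remote"], r["pid"], r["image"],
              "<-- check this program" if r["suspect"] else "")
```

A PID with no matching tasklist row is reported with image `?`, which is itself worth following up given the caveat above about programs hiding from port viewers.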

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:05:20 EDT

