microsoft-ds - what & why?

Guest
Archived from groups: comp.security.firewalls

Hi group,

I have netstat running while online at home, and today one item started
appearing on the TCP connections list:

<MACHINE>:microsoft-ds, with varying port numbers (2000+), and with
state ESTABLISHED or TIME_WAIT

What is this thing, should it appear and if not, how to get rid of it?

I've got Cable, PC w/ Win2k SP3 fully patched & ZoneAlarm 4.5.594.000 -
updated all latest vulnerability patches today, and upgraded to the
latest ZA version.

Many thanks for any info.

-LK
 
Guest

Leevi Kokko wrote:

> Hi group,
>
> I have netstat running while online at home, and today one item started
> appearing on the TCP connections list:
>
> <MACHINE>:microsoft-ds, with varying port numbers (2000+), and with
> state ESTABLISHED or TIME_WAIT
>
> What is this thing, should it appear and if not, how to get rid of it?
>
> I've got Cable, PC w/ Win2k SP3 fully patched & ZoneAlarm 4.5.594.000 -
> updated all latest vulnerability patches today, and upgraded to the
> latest ZA version.
>
> Many thanks for any info.
>
> -LK
>
>
>
Is it in your hosts file?


--
Super Mike
"Mi asno querría un enano y un yate, por favor."
[My donkey would like a midget and a yacht, please.]
 
Guest

Leevi Kokko <no@mail.com> wrote in news:c5q1e2$pa$1@nyytiset.pp.htv.fi:

> Hi group,
>
> I have netstat running while online at home, and today one item started
> appearing on the TCP connections list:
>
> <MACHINE>:microsoft-ds, with varying port numbers (2000+), and with
> state ESTABLISHED or TIME_WAIT

Well, what IP(s) are connections being made to? You can find that out by
using Active Ports (free).

And if packets are leaving the machine to remote IP(s), you can install
Ethereal, a packet sniffer (also free), to find out for sure whether it is
happening.

>
> What is this thing, should it appear and if not, how to get rid of it?

I don't know, as *you* will have to start making some determinations as to
what is happening on your machine by using the tools mentioned above.

One thing you can do is install Active Ports and put a short-cut in the
Start-up folder to watch what connections are being made at system boot.
It will give you a clear picture if connections are being made.

>
> I've got Cable, PC w/ Win2k SP3 fully patched & ZoneAlarm 4.5.594.000 -
> updated all latest vulnerability patches today, and upgraded to the
> latest ZA version.

It doesn't mean a whole lot if a possible exploit is on the machine that
can beat ZA to the TCP/IP connection and do its thing before ZA can get
there to prevent it at system boot.

On top of that, any third party host based FW with some kind of outbound
application control can easily be defeated, in the first place.

The microsoft-ds could be some kind of exploit on your machine, as a search
on Google for *microsoft-ds* led to this link.

http://isc.incidents.org/port_details.php?port=445

And that link led me to this link.

http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx

You'll have to make the determination as to what it is about.

After you determine what is happening on the machine (which you should
look at from time to time with a tool such as Active Ports), you should
consider *hardening* the Win 2K O/S against attack, if you have not done
so.

http://www.uksecurityonline.com/index5.php

I like to use the HOSTS file as a prevention measure, which can be
implemented after you resolve your issues.

http://www.mvps.org/winhelp2002/hosts.htm
http://www.snapfiles.com/get/hoststoggle.html

HTH

Duane :)
 
Guest

Leevi Kokko <no@mail.com> wrote in news:c5rkum$8cg$1@nyytiset.pp.htv.fi:

> Duane,
>
> thank you for your post. I tried Active Ports as suggested, and got
> out these lines.
>
> Process  PID  Local IP   Local Port  Remote IP  Remote Port  State        Protocol
> System   8    0.0.0.0    445                                 LISTEN       UDP
> System   8    127.0.0.1  445         127.0.0.1  1253         ESTABLISHED  TCP
>
> So, every once in a while this TCP connection appears, but what
> puzzles me is that local and remote IPs are both localhosts. What does
> this mean?
>
> Thanks again,
>
> -LK
>
>

Well,

127.0.0.1 is the loopback IP, and an Internet application such as IE will
use that IP to keep itself in a ready state. You can check it out by
starting IE and just letting it sit and do nothing for a while. You will see
IE switch to the loopback IP.

http://compnetworking.about.com/library/weekly/aa042400c.htm

Ports 137-138 UDP and 139 and 445 TCP (445 on NT-based O/S(s) only) are the
Windows networking ports. These ports are used to share resources between
machines in a closed Local Area Network environment.

So, if you don't have a LAN situation or a Home Network in your home, then
these ports should not be active on your machine, and you should close them
by uninstalling the MS File and Print Sharing Service from the Network
Interface Card (NIC), if possible. Then the above-mentioned ports will not
be there.

I have to say that port 445 hanging on 127.0.0.1 all the time, if this is
truly what is happening, seems kind of suspicious, IMHO.

Some ISPs, such as dial-up ISPs, do require the machine to have the MS File
and Print Sharing Service active on the machine so that the user can log on
to the ISP's network. But since you have a cable connection, I don't think
you need the MFPS active on the machine. You'll have to check that out.

You may want to install a free packet sniffer to verify what traffic is
leaving your machine and what remote IP(s) are being used.

http://netsecurity.about.com/cs/hackertools/a/aafreepacsniff.htm

You should *harden* the O/S against attack by removing services and other
things from the O/S that are not needed in a typical home environment.

HTH

Duane :)
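The two questions Duane raises above (which remote IPs the microsoft-ds connections go to, and whether the Windows networking ports should be listening on this machine at all) can both be answered from one `netstat -an` capture. The script below is an added example, not code from this thread or from any of the tools it mentions. It parses the column layout that Windows 2000's `netstat -an` prints, grades every socket on 137/138/445 UDP and 139/445 TCP by where the peer lives, and treats a service bound to 0.0.0.0 as exposed on all interfaces. `SAMPLE` is constructed, not the poster's real output; the 127.0.0.1:445 <-> 127.0.0.1:1253 pair mirrors the ActivePorts listing quoted above, and the 203.0.113.7 peer and 192.168.1.x addresses are made-up examples of an Internet and a LAN peer.

```python
"""Triage Windows 'netstat -an' output for SMB/NetBIOS (microsoft-ds) activity.

Added example, not code from the thread. SAMPLE is constructed in the column
layout Windows 2000's 'netstat -an' prints; the addresses are made up (the
127.0.0.1:445 <-> 127.0.0.1:1253 pair mirrors the ActivePorts listing above).
"""
import ipaddress

# Windows networking ports named in the thread. 445/udp is included because
# NT-based Windows binds it alongside 445/tcp (ActivePorts showed it listening).
WIN_UDP = {137, 138, 445}
WIN_TCP = {139, 445}

# RFC 1918 and link-local ranges count as "lan"; any other routable address is
# "internet". ipaddress.is_private is deliberately not used: it also matches
# the documentation ranges (203.0.113.0/24) used as the Internet peer in SAMPLE.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:445          127.0.0.1:1253         ESTABLISHED
  TCP    127.0.0.1:1253         127.0.0.1:445          ESTABLISHED
  TCP    192.168.1.10:445       192.168.1.20:1071      ESTABLISHED
  TCP    192.168.1.10:2014      203.0.113.7:445        ESTABLISHED
  TCP    192.168.1.10:2015      203.0.113.7:445        TIME_WAIT
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:445            *:*
"""


def parse_netstat(text):
    """Turn netstat -an lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lip, lport = parts[1].rsplit(":", 1)
        fip, fport = parts[2].rsplit(":", 1)
        rows.append({
            "proto": parts[0],
            "lip": lip, "lport": int(lport),
            "fip": fip, "fport": fport,            # fport is "*" for UDP sockets
            "state": parts[3] if len(parts) > 3 else "",
        })
    return rows


def peer_class(ip):
    """Where the other end of a socket lives: none, loopback, lan or internet."""
    if ip in ("*", "0.0.0.0"):
        return "none"
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    if any(addr in net for net in LAN_NETS):
        return "lan"
    return "internet"


def assess(rows):
    """Return (severity, message) findings, one per SMB/NetBIOS socket."""
    findings = []
    for r in rows:
        local_smb = r["lport"] in (WIN_UDP if r["proto"] == "UDP" else WIN_TCP)
        remote_smb = r["fport"].isdigit() and int(r["fport"]) in WIN_TCP
        if r["state"] == "LISTENING" or r["proto"] == "UDP":
            # A service socket: what matters is which interfaces it is bound to.
            if not local_smb:
                continue
            if r["lip"] == "0.0.0.0":
                findings.append(("warn", f"{r['proto']} {r['lport']} listening on all interfaces"))
            else:
                findings.append(("info", f"{r['proto']} {r['lport']} listening only on {r['lip']}"))
            continue
        if not (local_smb or remote_smb):
            continue
        # A TCP connection involving an SMB port: grade it by who the peer is.
        direction = "inbound" if local_smb else "outbound"
        cls = peer_class(r["fip"])
        sev = {"loopback": "info", "lan": "notice", "internet": "alert"}.get(cls, "info")
        findings.append((sev, f"{direction} SMB {r['state']} {r['lip']}:{r['lport']} "
                              f"<-> {r['fip']}:{r['fport']} ({cls})"))
    return findings


SEVERITY_ORDER = ("info", "notice", "warn", "alert")


def worst(findings):
    """Highest severity present, or 'info' when there are no findings."""
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.index, default="info")


if __name__ == "__main__":
    found = assess(parse_netstat(SAMPLE))
    for sev, msg in found:
        print(f"[{sev}] {msg}")
    print("overall:", worst(found))
```

Run it against a real capture with `netstat -an > ports.txt` and `parse_netstat(open("ports.txt").read())`. The grading follows the thread's reasoning: a loopback-to-loopback pair on 445 is only "info", a LAN peer is a "notice" to confirm against the machines you actually share with, a 0.0.0.0 listener on a Windows networking port is a "warn" that File and Print Sharing is reachable from every interface, and any Internet peer on 139/445 in either direction (ESTABLISHED or TIME_WAIT) is an "alert" worth the packet-sniffer follow-up Duane suggests.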