Archived from groups: comp.security.firewalls
Leevi Kokko <no@mail.com> wrote in news:c5q1e2$pa$1@nyytiset.pp.htv.fi:
> Hi group,
>
> I have netstat running while online at home, and today one item started
> appearing on the TCP connections list:
>
> <MACHINE>:microsoft-ds, with varying port numbers (2000+), and with
> state ESTABLISHED or TIME_WAIT
Well, what IP(s) are connections being made to? You can find that out by
using Active Ports (free).
And if packets are leaving the machine to remote IP(s), you can install
Ethereal, a packet sniffer, to find out for sure if it is happening, and
it's free.
>
> What is this thing, should it appear and if not, how to get rid of it?
I don't know as *you* will have to start making some determinations as to
what is happening on your machine by using the tools mentioned above.
One thing you can do is install Active Ports and put a short-cut in the
Start-up folder to watch what connections are being made at system boot.
It will give you a clear picture if connections are being made.
>
> I've got Cable, PC w/ Win2k SP3 fully patched & ZoneAlarm 4.5.594.000 -
> updated all latest vulnerability patches today, and upgraded to the
> latest ZA version.
It doesn't mean a whole lot if a possible exploit is on the machine that
can beat ZA to the TCP/IP connection and do its thing before ZA can get
there to prevent it at system boot.
On top of that, any third party host based FW with some kind of outbound
application control can easily be defeated, in the first place.
The microsoft-ds could be some kind of exploit on your machine, as a search
on Google on *microsoft-ds* led to the link.
http://isc.incidents.org/port_details.php?port=445
And that link led me to the link.
http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx
You'll have to make the determination as to what it is about.
After you determine what is happening on the machine (which you should
look around from time to time with a tool such as Active Ports), you
should consider *hardening* the Win 2K O/S against attack, if you have not
done so.
http://www.uksecurityonline.com/index5.php
I like to use the HOSTS file as a prevention measure, which can be implemented
after you resolve your issues.
http://www.mvps.org/winhelp2002/hosts.htm
http://www.snapfiles.com/get/hoststoggle.html
HTH
Duane
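The first check Duane asks for (which remote IPs the microsoft-ds entries connect to) can also be pulled straight out of `netstat -a` output; the script below is an added example written for this thread, not code posted by either participant. The netstat sample, the machine name MYPC and the addresses in it are constructed, and "microsoft-ds" is resolved to port 445 as on the ISC port page linked above.

```python
import ipaddress
import re

# Constructed sample of Windows "netstat -a" output (not from the thread);
# netstat shows service names for well-known ports, hence "microsoft-ds".
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address           State
  TCP    MYPC:microsoft-ds      MYPC:0                    LISTENING
  TCP    MYPC:2312              203.0.113.7:microsoft-ds  ESTABLISHED
  TCP    MYPC:2315              192.168.1.20:microsoft-ds TIME_WAIT
  TCP    MYPC:microsoft-ds      198.51.100.9:3389         ESTABLISHED
  TCP    MYPC:1045              203.0.113.7:http          ESTABLISHED
"""
SERVICE_PORTS = {"microsoft-ds": 445, "netbios-ssn": 139, "http": 80}
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(\S+)\s*$")
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
            "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def port_number(name):
    """Translate a netstat port field ('2312' or 'microsoft-ds') to an int."""
    return int(name) if name.isdigit() else SERVICE_PORTS.get(name)

def is_lan_address(host):
    """True for RFC 1918, loopback and link-local addresses, and for a bare
    hostname (netstat prints the local machine name instead of an IP)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return any(ip in net for net in LAN_NETS)

def smb_connections(netstat_text):
    """Return (foreign_host, foreign_port, state, is_external) for each
    non-listening TCP entry with port 445 on either end."""
    found = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _lhost, lport, fhost, fport, state = m.groups()
        if state == "LISTENING" or 445 not in (port_number(lport), port_number(fport)):
            continue
        found.append((fhost, port_number(fport), state, not is_lan_address(fhost)))
    return found

if __name__ == "__main__":
    for fhost, fport, state, external in smb_connections(SAMPLE_NETSTAT):
        print(fhost, fport, state, "EXTERNAL - look this IP up" if external else "local network")
```

Entries flagged EXTERNAL are the ones worth looking up, since SMB to a machine outside your own LAN is rarely something a home PC should be doing on its own.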