Suspicious ports being open...

Tags:
  • Firewalls
  • Networking
April 19, 2004 1:22:26 PM

Archived from groups: comp.security.firewalls (More info?)

Hi everyone,

I have recently (last 2 days) noticed the following behaviour on my machine.
If someone could shed some light it would be appreciated:

Ports reported in netstat:

I have some random ports on my machine (1064, 2923, 3189) connecting to a
couple of remote IPs (69.50.165.237 and 200.222.29.108) on their (remote)
port 6667.

I also appear to SYN_SENT on ports 139 and 445 of a number of other public
IPs but never ESTABLISHED.

Many thanks in advance.

Jose


Anonymous
April 19, 2004 4:25:45 PM

Jose <jmariazolozabal@sorrynoreply.com> wrote:
> I have recently (last 2 days) noticed the following behaviour on my
> machine. If someone could shed some light it would be appreciated:
>
> Ports reported in netstat:
>
> I have some random ports on my machine (1064, 2923, 3189) connecting
> to a couple of remote IPs (69.50.165.237 and 200.222.29.108) on their
> (remote) port 6667.

Are you running an IRC client? If not, it's possible you have a trojan on your PC
connecting to IRC servers to send data.

> I also appear to SYN_SENT on ports 139 and 445 of a number of other
> public IPs but never ESTABLISHED.

Sounds like your PC trying to connect to shares over the internet. Windows
PCs often try this, although a software firewall would let you prevent it.
Could also be something malicious on your machine trying to connect to
shares.

Get Active Ports, that will let you see what programs are connecting to
those ports and help you to decide if it's malicious or if it's just Windows
doing a bit of searching.

Dan
Anonymous
April 19, 2004 4:26:36 PM

Hello.

I'm going to make an assumption and say your computer is contacting
those IPs to connect to port 6667.

I say it's your computer initiating the connection and not them
contacting you because when a Windows based computer initiates a TCP/IP
connection to another computer it chooses the next available temp port
in the range of 1024-5000. This is usually so but there are
exceptions. Your 1064, 2923, 3189 ports fall into that range.

And port 6667 falls outside of that range. But let's say for argument's
sake it was the other end initiating the connection; then there would
be more than one port used at the other end. Each originating
connection needs its own temp port. So to have only 1 port used at
the other end is just very unlikely.

So I am going to guess and say your computer is talking to them. What
is it saying? Well that depends on what port 6667 is used for.

Well the most benign use for port 6667 is irc or Internet Relay Chat.
Did you just install a new irc client and have it auto run when
windows boots up? This would probably account for it.

I'm going to assume you said no to that. What other programs use port
6667? A few, and none of them are benign. Far from it. Here's the
list...

tcp DarkFTP [trojan] Dark FTP
tcp EGO [trojan] EGO
tcp kaitex Kaitex Trojan
tcp Maniacrootkit [trojan] Maniac rootkit
tcp Moses [trojan] Moses
tcp ScheduleAgent [trojan] ScheduleAgent
tcp ScheduleAgent [trojan] ScheduleAgent
tcp Subseven2.1.4DefCon8 [trojan] Subseven 2.1.4 DefCon 8
tcp SubSeven [trojan] SubSeven
tcp TheThing [trojan] The Thing (modified)
tcp Trinity [trojan] Trinity
tcp WinSatan [trojan] WinSatan

If it's not irc then you need to run your Antivirus software and clean
them out. And running a spyware removal program wouldn't hurt either.

mr_simpleton

"Jose" <jmariazolozabal@sorrynoreply.com> wrote in message news:<b%Lgc.54$ua.43@newsr2.u-net.net>...
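Added example (not part of the original thread, and not anyone's tool from it): a short Python script that applies the reasoning from Dan's and mr_simpleton's replies to a `netstat -an` listing. It guesses which side opened each connection from the port numbers alone (an ephemeral local port in 1024-5000 talking to a fixed remote port means this host dialed out), lists the IRC servers reached on TCP/6667, and flags the SYN_SENT sweep against TCP 139/445 that Jose describes once it spans several distinct hosts. The listing embedded in the script is constructed to match the thread's description: the two 6667 addresses are the ones Jose quoted; the 192.168.1.5 local address, the 198.51.100.x and 203.0.113.x remote hosts, and the three-host threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Windows 2000/XP default dynamic (ephemeral) port range, as mr_simpleton describes it.
EPHEMERAL = range(1024, 5001)

# Remote ports worth flagging on a workstation: IRC (the usual bot control channel)
# and the SMB/NetBIOS session ports.
IRC_PORTS = {6667}
SMB_PORTS = {139, 445}

# Constructed sample in `netstat -an` format. The two 6667 hosts are the ones quoted
# in the thread; the 192.168.1.5 local address and the 198.51.100.x / 203.0.113.x
# remote hosts are made up (RFC 1918 / documentation ranges).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1064       69.50.165.237:6667     ESTABLISHED
  TCP    192.168.1.5:2923       200.222.29.108:6667    ESTABLISHED
  TCP    192.168.1.5:3189       69.50.165.237:6667     ESTABLISHED
  TCP    192.168.1.5:3201       198.51.100.10:139      SYN_SENT
  TCP    192.168.1.5:3202       198.51.100.11:445      SYN_SENT
  TCP    192.168.1.5:3203       198.51.100.12:139      SYN_SENT
  TCP    192.168.1.5:3204       198.51.100.13:445      SYN_SENT
  TCP    192.168.1.5:3205       198.51.100.14:139      SYN_SENT
  TCP    192.168.1.5:3210       203.0.113.7:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# One socket line: proto, local ip:port, foreign ip:port (or *:* for UDP), optional state.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$"
)


def parse_netstat(text):
    """Return a list of (proto, local_ip, local_port, remote_ip, remote_port, state)
    tuples, one per socket line; UDP sockets with no peer (*:*) are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto, lip, lport, rip, rport, state = m.groups()
        if rport == "*":
            continue
        conns.append((proto, lip, int(lport), rip, int(rport), state or ""))
    return conns


def initiator(local_port, remote_port):
    """Guess which side dialed, from the port numbers alone (the thread's heuristic):
    an ephemeral local port talking to a non-ephemeral remote port means this host
    opened the connection; the reverse means the peer did. Ambiguous otherwise."""
    local_eph = local_port in EPHEMERAL
    remote_eph = remote_port in EPHEMERAL
    if local_eph and not remote_eph:
        return "local"
    if remote_eph and not local_eph:
        return "remote"
    return "unknown"


def find_irc_sessions(conns):
    """Distinct IRC servers this host has dialed out to. Benign only if an IRC
    client is actually running; otherwise the classic IRC-bot control channel."""
    return sorted({(rip, rport) for _, _, lport, rip, rport, _ in conns
                   if rport in IRC_PORTS and initiator(lport, rport) == "local"})


def find_smb_sweep(conns, min_targets=3):
    """Flag a likely scan when this host has half-open (SYN_SENT) connections to
    TCP 139/445 on at least `min_targets` distinct remote hosts. Browsing one file
    server touches one host; a worm walks an address range one IP at a time.
    The threshold is an arbitrary choice for this example."""
    targets = defaultdict(set)
    for proto, _, _, rip, rport, state in conns:
        if proto == "TCP" and rport in SMB_PORTS and state == "SYN_SENT":
            targets[rport].add(rip)
    hosts = sorted(set().union(*targets.values())) if targets else []
    return {"sweep": len(hosts) >= min_targets, "hosts": hosts, "ports": sorted(targets)}


def triage(text):
    """Run both checks over a netstat listing and return the findings."""
    conns = parse_netstat(text)
    return {"irc": find_irc_sessions(conns), "smb": find_smb_sweep(conns)}


if __name__ == "__main__":
    result = triage(SAMPLE_NETSTAT)
    for rip, rport in result["irc"]:
        print(f"outbound IRC session to {rip}:{rport} - verify an IRC client is running")
    if result["smb"]["sweep"]:
        hosts = result["smb"]["hosts"]
        print(f"SYN_SENT to TCP 139/445 on {len(hosts)} hosts: looks like a scan, not share browsing")
```

To use it on a live box, paste the output of `netstat -an` in place of the constructed sample (or feed it through `triage(open(path).read())`). The port heuristic only says who dialed; it cannot say which program did, which is why Dan's advice to map the socket to a process (Active Ports, or `netstat -ano` on XP and later) is the next step.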
April 19, 2004 5:03:08 PM

Hi Daniel,

thanks for this.

I have run Active Ports and I can see that the System process (PID 8) is
responsible for the NetBIOS scans.
Are you aware of any worms that utilise this process to scan? I am clearly
scanning a whole range 1 by 1...

Many thanks,

Jose



"Daniel Crichton" <news@worldofspack.co.uk> wrote in message
news:4083b73a$0$8894$afc38c87@news.easynet.co.uk...
Anonymous
April 20, 2004 1:08:45 PM

Jose <jmariazolozabal@sorrynoreply.com> wrote:

> I have run Active Ports and I can see that the System process (PID 8)
> is responsible for the Netbios scans
> Are you aware of any worms that utilise this process to scan? I am
> clearly scanning a whole range 1 by 1...

Possibly just Windows searching for machines on its "local network" using
SMB. What version of Windows are you running? I'd recommend running a
software firewall to block these outgoing connections, or if you have a
router/hardware firewall then block all outbound connections to port 139 and
445 (and throw 135-138 UDP ports in too at a minimum). I don't know of
anything that hooks into the System process to do this, but I'm no expert.

Dan
May 11, 2004 10:34:23 AM

Did you happen to figure this out??

"Jose" <jmariazolozabal@sorrynoreply.com> wrote in message news:<b%Lgc.54$ua.43@newsr2.u-net.net>...
Anonymous
May 11, 2004 8:40:14 PM

Hi Eric,

I used GFI's LAN guard scanner and it picked up those machines as having
compromised registries... I could have deleted the files and edited the
registry but instead I rebuilt the 5 machines from scratch as we need to be
100%.

J



"Eric" <eschlichte@idtdna.com> wrote in message
news:683bffeb.0405110534.21df32e6@posting.google.com...