Suspicious ports being open...

Archived from groups: comp.security.firewalls

Hi everyone,

I have recently (last 2 days) noticed the following behaviour on my machine.
If someone could shed some light it would be appreciated:

Ports reported in netstat:

I have some random ports on my machine (1064, 2923, 3189) connecting to a
couple of remote IPs (69.50.165.237 and 200.222.29.108) on their (remote)
port 6667.

I also appear to SYN_SENT on ports 139 and 445 of a number of other public
IPs but never ESTABLISHED.

Many thanks in advance.

Jose
  1.

    Jose <jmariazolozabal@sorrynoreply.com> wrote:
    > I have recently (last 2 days) noticed the following behaviour on my
    > machine. If someone could shed some light it would be appreciated:
    >
    > Ports reported in netstat:
    >
    > I have some random ports on my machine (1064, 2923, 3189) connecting
    > to a couple of remote IPs (69.50.165.237 and 200.222.29.108) on their
    > (remote) port 6667.

    Are you running an IRC client? If not, possibly you have a trojan on your PC
    connecting to IRC servers to send data.

    > I also appear to SYN_SENT on ports 139 and 445 of a number of other
    > public IPs but never ESTABLISHED.

    Sounds like your PC trying to connect to shares over the internet. Windows
    PCs often try this, although a software firewall would let you prevent it.
    Could also be something malicious on your machine trying to connect to
    shares.

    Get Active Ports, that will let you see what programs are connecting to
    those ports and help you to decide if it's malicious or if it's just Windows
    doing a bit of searching.

    Dan
  2.

    Hello.

    I'm going to make an assumption and say your computer is contacting
    those IPs to connect to port 6667.

    I say it's your computer initiating the connection and not them
    contacting you because when a Windows based computer initiates a TCP/IP
    connection to another computer it chooses the next available temp port
    in the range of 1024-5000. This is usually so but there are
    exceptions. Your 1064, 2923, 3189 ports fall into that range.

    And port 6667 falls outside of that range. But let's say for argument's
    sake it was the other end initiating the connection; then there would
    be more than one port used at the other end. Each originating
    connection needs its own temp port. So to have only 1 port used at
    the other end is just very unlikely.

    So I am going to guess and say your computer is talking to them. What
    is it saying? Well that depends on what port 6667 is used for.

    Well the most benign use for port 6667 is IRC or Internet Relay Chat.
    Did you just install a new IRC client and have it auto run when
    Windows boots up? This would probably account for it.

    I'm going to assume you said no to that. What other programs use port
    6667? A few, and none of them are benign. Far from it. Here's the
    list...

    tcp DarkFTP [trojan] Dark FTP
    tcp EGO [trojan] EGO
    tcp kaitex Kaitex Trojan
    tcp Maniacrootkit [trojan] Maniac rootkit
    tcp Moses [trojan] Moses
    tcp ScheduleAgent [trojan] ScheduleAgent
    tcp ScheduleAgent [trojan] ScheduleAgent
    tcp Subseven2.1.4DefCon8 [trojan] Subseven 2.1.4 DefCon 8
    tcp SubSeven [trojan] SubSeven
    tcp TheThing [trojan] The Thing (modified)
    tcp Trinity [trojan] Trinity
    tcp WinSatan [trojan] WinSatan

    If it's not IRC then you need to run your Antivirus software and clean
    them out. And running a spyware removal program wouldn't hurt either.

    mr_simpleton

    "Jose" <jmariazolozabal@sorrynoreply.com> wrote in message news:<b%Lgc.54$ua.43@newsr2.u-net.net>...
    > Hi everyone,
    >
    > I have recently (last 2 days) noticed the following behaviour on my machine.
    > If someone could shed some light it would be appreciated:
    >
    > Ports reported in netstat:
    >
    > I have some random ports on my machine (1064, 2923, 3189) connecting to a
    > couple of remote IPs (69.50.165.237 and 200.222.29.108) on their (remote)
    > port 6667.
    >
    > I also appear to SYN_SENT on ports 139 and 445 of a number of other public
    > IPs but never ESTABLISHED.
    >
    > Many thanks in advance.
    >
    > Jose
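The triage the two replies above walk through (read the netstat listing, use the Windows 1024-5000 dynamic port range to decide which side opened each connection, flag locally initiated sessions to port 6667, and treat SYN_SENT fan-out to 139/445 across many distinct hosts as a scan) written out as a short script. This is an added example, not code posted in the thread. The netstat listing is constructed: the two remote hosts 69.50.165.237 and 200.222.29.108 are the ones quoted in the thread, every other address is made up, and the three-host threshold for calling the SMB activity a scan is an arbitrary assumption.

```python
"""Triage a Windows netstat -an listing for outbound IRC and SMB scan fan-out.

Added example for the comp.security.firewalls thread above; the sample
listing is constructed, not real output from the poster's machine.
"""
import re

# Constructed sample modelled on the thread's description. Only the two
# remote hosts on port 6667 are taken from the thread; the rest is made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:1064      69.50.165.237:6667     ESTABLISHED
  TCP    192.168.1.10:2923      200.222.29.108:6667    ESTABLISHED
  TCP    192.168.1.10:3189      69.50.165.237:6667     ESTABLISHED
  TCP    192.168.1.10:3201      203.0.113.5:139        SYN_SENT
  TCP    192.168.1.10:3202      203.0.113.6:139        SYN_SENT
  TCP    192.168.1.10:3203      203.0.113.7:445        SYN_SENT
  TCP    192.168.1.10:3204      203.0.113.8:445        SYN_SENT
  TCP    192.168.1.10:3205      203.0.113.9:139        SYN_SENT
  TCP    192.168.1.10:3210      198.51.100.20:80       ESTABLISHED
"""

# Dynamic ("temp") port range of classic Windows (NT/2000/XP), as the reply says.
EPHEMERAL = range(1024, 5001)
IRC_PORTS = {6667}
SMB_PORTS = {139, 445}
# Assumption: SYN_SENT to this many distinct hosts on SMB ports looks like a scan.
SCAN_HOST_THRESHOLD = 3

LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_netstat(text):
    """Return one dict per TCP line; header and non-TCP lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conns.append({
            "laddr": m.group(1), "lport": int(m.group(2)),
            "raddr": m.group(3), "rport": int(m.group(4)),
            "state": m.group(5),
        })
    return conns


def infer_initiator(conn):
    """Which side opened the connection.

    SYN_SENT is conclusive: only the initiator sits in that state. Otherwise
    apply the reply's heuristic: the side whose port is in the dynamic range
    is the one that dialled out; if both or neither are, we cannot tell.
    """
    if conn.get("state") == "SYN_SENT":
        return "local"
    local_eph = conn["lport"] in EPHEMERAL
    remote_eph = conn["rport"] in EPHEMERAL
    if local_eph and not remote_eph:
        return "local"
    if remote_eph and not local_eph:
        return "remote"
    return "unknown"


def triage(text):
    """Flag locally initiated IRC sessions and SMB SYN_SENT fan-out."""
    findings = {"outbound_irc": [], "smb_syn_sent_targets": set()}
    for c in parse_netstat(text):
        if c["rport"] in IRC_PORTS and infer_initiator(c) == "local":
            findings["outbound_irc"].append((c["lport"], c["raddr"]))
        if c["rport"] in SMB_PORTS and c["state"] == "SYN_SENT":
            findings["smb_syn_sent_targets"].add(c["raddr"])
    findings["smb_scan_suspected"] = (
        len(findings["smb_syn_sent_targets"]) >= SCAN_HOST_THRESHOLD
    )
    return findings


if __name__ == "__main__":
    result = triage(SAMPLE_NETSTAT)
    for lport, raddr in result["outbound_irc"]:
        print(f"outbound IRC: local port {lport} -> {raddr}:6667")
    print("SMB SYN_SENT targets:", sorted(result["smb_syn_sent_targets"]))
    print("SMB scan suspected:", result["smb_scan_suspected"])
```

The direction check matters because netstat alone does not say who dialled: a remote host connecting in would show a low, well-known port on the local side and a dynamic port on the remote side, the reverse of what the poster sees. Once the script names the local ports involved, a tool that maps ports to processes (Active Ports, as the first reply suggests) tells you which program owns them.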
  3.

    Hi Daniel,

    thanks for this.

    I have run Active Ports and I can see that the System process (PID 8) is
    responsible for the Netbios scans.
    Are you aware of any worms that utilise this process to scan? I am clearly
    scanning a whole range 1 by 1...

    Many thanks,

    Jose


    "Daniel Crichton" <news@worldofspack.co.uk> wrote in message
    news:4083b73a$0$8894$afc38c87@news.easynet.co.uk...
    > Jose <jmariazolozabal@sorrynoreply.com> wrote:
    > > I have recently (last 2 days) noticed the following behaviour on my
    > > machine. If someone could shed some light it would be appreciated:
    > >
    > > Ports reported in netstat:
    > >
    > > I have some random ports on my machine (1064, 2923, 3189) connecting
    > > to a couple of remote IPs (69.50.165.237 and 200.222.29.108) on their
    > > (remote) port 6667.
    >
    > Are you running an IRC client? If not, possible you have a trojan on your PC
    > connecting to IRC servers to send data.
    >
    > > I also appear to SYN_SENT on ports 139 and 445 of a number of other
    > > public IPs but never ESTABLISHED.
    >
    > Sounds like your PC trying to connect to shares over the internet. Windows
    > PCs often try this, although a software firewall would let you prevent it.
    > Could also be something malicious on your machine trying to connect to
    > shares.
    >
    > Get Active Ports, that will let you see what programs are connecting to
    > those ports and help you to decide if it's malicious or if it's just Windows
    > doing a bit of searching.
    >
    > Dan
    >
    >
  4.

    Jose <jmariazolozabal@sorrynoreply.com> wrote:

    > I have run Active Ports and I can see that the System process (PID 8)
    > is responsible for the Netbios scans
    > Are you aware of any worms that utilise this process to scan? I am
    > clearly scanning a whole range 1 by 1...

    Possibly just Windows searching for machines on its "local network" using
    SMB. What version of Windows are you running? I'd recommend running a
    software firewall to block these outgoing connections, or if you have a
    router/hardware firewall then block all outbound connections to port 139 and
    445 (and throw 135-138 UDP ports in too at a minimum). I don't know of
    anything that hooks into the System process to do this, but I'm no expert.

    Dan
  5.

    Did you happen to figure this out??

    "Jose" <jmariazolozabal@sorrynoreply.com> wrote in message news:<b%Lgc.54$ua.43@newsr2.u-net.net>...
    > Hi everyone,
    >
    > I have recently (last 2 days) noticed the following behaviour on my machine.
    > If someone could shed some light it would be appreciated:
    >
    > Ports reported in netstat:
    >
    > I have some random ports on my machine (1064, 2923, 3189) connecting to a
    > couple of remote IPs (69.50.165.237 and 200.222.29.108) on their (remote)
    > port 6667.
    >
    > I also appear to SYN_SENT on ports 139 and 445 of a number of other public
    > IPs but never ESTABLISHED.
    >
    > Many thanks in advance.
    >
    > Jose
  6.

    Hi Eric,

    I used GFI's LAN guard scanner and it picked up those machines as having
    compromised registries... I could have deleted the files and edited the
    registry but instead I rebuilt the 5 machines from scratch as we need to be
    100%.

    J


    "Eric" <eschlichte@idtdna.com> wrote in message
    news:683bffeb.0405110534.21df32e6@posting.google.com...
    > Did you happen to figure this out??
    >
    > "Jose" <jmariazolozabal@sorrynoreply.com> wrote in message news:<b%Lgc.54$ua.43@newsr2.u-net.net>...
    > > Hi everyone,
    > >
    > > I have recently (last 2 days) noticed the following behaviour on my machine.
    > > If someone could shed some light it would be appreciated:
    > >
    > > Ports reported in netstat:
    > >
    > > I have some random ports on my machine (1064, 2923, 3189) connecting to a
    > > couple of remote IPs (69.50.165.237 and 200.222.29.108) on their (remote)
    > > port 6667.
    > >
    > > I also appear to SYN_SENT on ports 139 and 445 of a number of other public
    > > IPs but never ESTABLISHED.
    > >
    > > Many thanks in advance.
    > >
    > > Jose