Port being used but no process 'owns' up to it.
Last response: in Windows 2000/NT
Archived from groups: microsoft.public.win2000.security (More info?)
I have a 2000 server that has had an FTP server installed. You get to
it via port 8899 or 999. A nmap of the server shows those ports.
However if you run ActivePorts, FPort, TCPView, netstat -an, etc., it
does NOT show those ports, let alone the process that has it. I have
looked around for an answer but I cannot find the offending process.
I have seen on another server where there was a process running and it
blocked visibility of files, processes, registry keys, services, etc.
However remotely connected revealed these.
I am stumped on this port problem. Any ideas?
Roger
email: larock 'at' mail.com
I have a 2000 server that has had an FTP server installed. You get to
it via port 8899 or 999. A nmap of the server shows those ports.
However if you run ActivePorts, FPort, TCPView, netstat -an, etc., it
does NOT show those ports, let alone the process that has it. I have
looked around for an answer but I cannot find the offending process.
I have seen on another server where there was a process running and it
blocked visibility of files, processes, registry keys, services, etc.
However remotely connected revealed these.
I am stumped on this port problem. Any ideas?
Roger
email: larock 'at' mail.com
More about : port process owns
Archived from groups: microsoft.public.win2000.security (More info?)
If the process is not running at the time you run one of those tools, it will not
show a port mapped to it. Did you try Process Explorer also which shows processes in
more detail, not just those used for networking, and shows the ports a process
listens on in properties/tcp-ip. I would also scan for processes running remotely
from another computer using something like PsList. If you have a root kit compromise,
the rouge process may not be apparent from local tools run on the compromised
computer. Autoruns is also good to use to show what processes are run as startup from
many places within the operating system. --- Steve
http://www.sysinternals.com/ntw2k/freeware/pslist.shtml
http://www.sysinternals.com/ntw2k/freeware/autoruns.sht...
"larock" <abc@abc.com> wrote in message
news:hkcbh054bejfguav9rk8ql47okk5np81cn@4ax.com...
> I have a 2000 server that has had an FTP server installed. You get to
> it via port 8899 or 999. A nmap of the server shows those ports.
> However if you run ActivePorts, FPort, TCPView, netstat -an, etc., it
> does NOT show those ports, let alone the process that has it. I have
> looked around for an answer but I cannot find the offending process.
>
> I have seen on another server where there was a process running and it
> blocked visibility of files, processes, registry keys, services, etc.
> However remotely connected revealed these.
>
> I am stumped on this port problem. Any ideas?
>
> Roger
> email: larock 'at' mail.com
>
>
If the process is not running at the time you run one of those tools, it will not
show a port mapped to it. Did you try Process Explorer also which shows processes in
more detail, not just those used for networking, and shows the ports a process
listens on in properties/tcp-ip. I would also scan for processes running remotely
from another computer using something like PsList. If you have a root kit compromise,
the rouge process may not be apparent from local tools run on the compromised
computer. Autoruns is also good to use to show what processes are run as startup from
many places within the operating system. --- Steve
http://www.sysinternals.com/ntw2k/freeware/pslist.shtml
http://www.sysinternals.com/ntw2k/freeware/autoruns.sht...
"larock" <abc@abc.com> wrote in message
news:hkcbh054bejfguav9rk8ql47okk5np81cn@4ax.com...
> I have a 2000 server that has had an FTP server installed. You get to
> it via port 8899 or 999. A nmap of the server shows those ports.
> However if you run ActivePorts, FPort, TCPView, netstat -an, etc., it
> does NOT show those ports, let alone the process that has it. I have
> looked around for an answer but I cannot find the offending process.
>
> I have seen on another server where there was a process running and it
> blocked visibility of files, processes, registry keys, services, etc.
> However remotely connected revealed these.
>
> I am stumped on this port problem. Any ideas?
>
> Roger
> email: larock 'at' mail.com
>
>
Archived from groups: microsoft.public.win2000.security (More info?)
"larock" <abc@abc.com> wrote in message
news:hkcbh054bejfguav9rk8ql47okk5np81cn@4ax.com...
> I have a 2000 server that has had an FTP server installed. You get to
> it via port 8899 or 999. A nmap of the server shows those ports.
> However if you run ActivePorts, FPort, TCPView, netstat -an, etc., it
> does NOT show those ports, let alone the process that has it. I have
> looked around for an answer but I cannot find the offending process.
>
> I have seen on another server where there was a process running and it
> blocked visibility of files, processes, registry keys, services, etc.
> However remotely connected revealed these.
That would be a Windows root kit. Use the same method [connecting remotely]
to detect this. Scan the hard drive with an anti-virus scanner and/or
inspect the parts of the registry that start up processes whe Windows
starts, as well as the part of the registry that starts up services.
Searching google for RKDetect might be useful as well.
Don't forget to figure out what you neglected to do to properly secure this
system. Probably missing patches, firewall and/or anti-virus.
http://securityadmin.info/faq.asp#harden
"larock" <abc@abc.com> wrote in message
news:hkcbh054bejfguav9rk8ql47okk5np81cn@4ax.com...
> I have a 2000 server that has had an FTP server installed. You get to
> it via port 8899 or 999. A nmap of the server shows those ports.
> However if you run ActivePorts, FPort, TCPView, netstat -an, etc., it
> does NOT show those ports, let alone the process that has it. I have
> looked around for an answer but I cannot find the offending process.
>
> I have seen on another server where there was a process running and it
> blocked visibility of files, processes, registry keys, services, etc.
> However remotely connected revealed these.
That would be a Windows root kit. Use the same method [connecting remotely]
to detect this. Scan the hard drive with an anti-virus scanner and/or
inspect the parts of the registry that start up processes whe Windows
starts, as well as the part of the registry that starts up services.
Searching google for RKDetect might be useful as well.
Don't forget to figure out what you neglected to do to properly secure this
system. Probably missing patches, firewall and/or anti-virus.
http://securityadmin.info/faq.asp#harden
Archived from groups: microsoft.public.win2000.security (More info?)
"larock" <abc@abc.com> wrote in message
news:hkcbh054bejfguav9rk8ql47okk5np81cn@4ax.com...
> I have a 2000 server that has had an FTP server installed. You get to
> it via port 8899 or 999. A nmap of the server shows those ports.
> However if you run ActivePorts, FPort, TCPView, netstat -an, etc., it
> does NOT show those ports, let alone the process that has it. I have
> looked around for an answer but I cannot find the offending process.
>
> I have seen on another server where there was a process running and it
> blocked visibility of files, processes, registry keys, services, etc.
> However remotely connected revealed these.
BTW for Windows root kits like Hacker Defender, you can often rename CMD.EXE
to one of the file names being hidden [such as HXDEFCMD.EXE , or
SERVCMD.EXE] to bypass the root kit. The file will disappear, but you can
still launch it by clicking Start, Run and typing in the full path and file
name where the now hidden file is. Once you do that, anything you run or
launch from that command window, such as fport, should be able to see the
hidden files and ports.
See here for some other suggestions and comments about removing hacker
defender:
http://bagpuss.swan.ac.uk/comms/hxdef.htm
"larock" <abc@abc.com> wrote in message
news:hkcbh054bejfguav9rk8ql47okk5np81cn@4ax.com...
> I have a 2000 server that has had an FTP server installed. You get to
> it via port 8899 or 999. A nmap of the server shows those ports.
> However if you run ActivePorts, FPort, TCPView, netstat -an, etc., it
> does NOT show those ports, let alone the process that has it. I have
> looked around for an answer but I cannot find the offending process.
>
> I have seen on another server where there was a process running and it
> blocked visibility of files, processes, registry keys, services, etc.
> However remotely connected revealed these.
BTW for Windows root kits like Hacker Defender, you can often rename CMD.EXE
to one of the file names being hidden [such as HXDEFCMD.EXE , or
SERVCMD.EXE] to bypass the root kit. The file will disappear, but you can
still launch it by clicking Start, Run and typing in the full path and file
name where the now hidden file is. Once you do that, anything you run or
launch from that command window, such as fport, should be able to see the
hidden files and ports.
See here for some other suggestions and comments about removing hacker
defender:
http://bagpuss.swan.ac.uk/comms/hxdef.htm
Archived from groups: microsoft.public.win2000.security (More info?)
Hey Larock,
Go to regedit!
do a search on "powerful"
Then see what the reference is! If you have any more questions shoot me an email.
L8R,
Joe
larock <abc@abc.com> wrote in message news:<hkcbh054bejfguav9rk8ql47okk5np81cn@4ax.com>...
> I have a 2000 server that has had an FTP server installed. You get to
> it via port 8899 or 999. A nmap of the server shows those ports.
> However if you run ActivePorts, FPort, TCPView, netstat -an, etc., it
> does NOT show those ports, let alone the process that has it. I have
> looked around for an answer but I cannot find the offending process.
>
> I have seen on another server where there was a process running and it
> blocked visibility of files, processes, registry keys, services, etc.
> However remotely connected revealed these.
>
> I am stumped on this port problem. Any ideas?
>
> Roger
> email: larock 'at' mail.com
Hey Larock,
Go to regedit!
do a search on "powerful"
Then see what the reference is! If you have any more questions shoot me an email.
L8R,
Joe
larock <abc@abc.com> wrote in message news:<hkcbh054bejfguav9rk8ql47okk5np81cn@4ax.com>...
> I have a 2000 server that has had an FTP server installed. You get to
> it via port 8899 or 999. A nmap of the server shows those ports.
> However if you run ActivePorts, FPort, TCPView, netstat -an, etc., it
> does NOT show those ports, let alone the process that has it. I have
> looked around for an answer but I cannot find the offending process.
>
> I have seen on another server where there was a process running and it
> blocked visibility of files, processes, registry keys, services, etc.
> However remotely connected revealed these.
>
> I am stumped on this port problem. Any ideas?
>
> Roger
> email: larock 'at' mail.com
Related ressources:
- ForumThe process cannot access the file because it is being used by...
- ForumNew nvidia beta driver owns AMD again in BF3 and MOHWF.
- Forum25-30% of my RAM is being used at idle. HELP!
- ForumBlue screen of death; 0x000000F4; Vista stopcrack is infact being used
- ForumEVGA RMA. Rust considered physical damage? Being charged $40 for RMA
- ForumWho owns patents of DRAM, EDO RAM, SDRAM, DDR RAM, DDR2 RAM?
- ForumSystem process always using 25% of processor!
- ForumSuspicious ports being open...
- ForumIdle process using 100%, computer won't do anything
- ForumAnyone owns GTX 460?
- ForumI give up I can't play a console port (BOII) on a Core i3 + HD 7750?
- ForumSystem Process Killer Program Needed! Help!
- ForumMulti-cpu machine, ProcessorAffinity, and process spike on..
- ForumDifferent types of parallel port cables
- ForumUnkown Process Eating up RAM?
- ForumAsus RT-N56U router: USB port not being found
- ForumDedicated PhysX card not being used for Borderlands 2?
- ForumParallel and com ports not appearing in device manager
- ForumCan I manually close an open port?
- ForumForbid process by name
- More resources
!
