Port being used but no process 'owns' up to it.

Archived from groups: microsoft.public.win2000.security

I have a 2000 server that has had an FTP server installed. You get to
it via port 8899 or 999. A nmap of the server shows those ports.
However if you run ActivePorts, FPort, TCPView, netstat -an, etc., it
does NOT show those ports, let alone the process that has it. I have
looked around for an answer but I cannot find the offending process.

I have seen on another server where there was a process running and it
blocked visibility of files, processes, registry keys, services, etc.
However, connecting remotely revealed these.

I am stumped on this port problem. Any ideas?

Roger
email: larock 'at' mail.com
  1. Archived from groups: microsoft.public.win2000.security

    If the process is not running at the time you run one of those tools, it will not
    show a port mapped to it. Did you also try Process Explorer, which shows processes in
    more detail, not just those used for networking, and shows the ports a process
    listens on in properties/tcp-ip? I would also scan for processes running remotely
    from another computer using something like PsList. If you have a root kit compromise,
    the rogue process may not be apparent from local tools run on the compromised
    computer. Autoruns is also good to use to show what processes are run as startup from
    many places within the operating system. --- Steve

    http://www.sysinternals.com/ntw2k/freeware/pslist.shtml
    http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

    "larock" <abc@abc.com> wrote in message
    news:hkcbh054bejfguav9rk8ql47okk5np81cn@4ax.com...
    > I have a 2000 server that has had an FTP server installed. You get to
    > it via port 8899 or 999. A nmap of the server shows those ports.
    > However if you run ActivePorts, FPort, TCPView, netstat -an, etc., it
    > does NOT show those ports, let alone the process that has it. I have
    > looked around for an answer but I cannot find the offending process.
    >
    > I have seen on another server where there was a process running and it
    > blocked visibility of files, processes, registry keys, services, etc.
    > However, connecting remotely revealed these.
    >
    > I am stumped on this port problem. Any ideas?
    >
    > Roger
    > email: larock 'at' mail.com
    >
    >
  2. Archived from groups: microsoft.public.win2000.security

    "larock" <abc@abc.com> wrote in message
    news:hkcbh054bejfguav9rk8ql47okk5np81cn@4ax.com...
    > I have a 2000 server that has had an FTP server installed. You get to
    > it via port 8899 or 999. A nmap of the server shows those ports.
    > However if you run ActivePorts, FPort, TCPView, netstat -an, etc., it
    > does NOT show those ports, let alone the process that has it. I have
    > looked around for an answer but I cannot find the offending process.
    >
    > I have seen on another server where there was a process running and it
    > blocked visibility of files, processes, registry keys, services, etc.
    > However, connecting remotely revealed these.

    That would be a Windows root kit. Use the same method [connecting remotely]
    to detect this. Scan the hard drive with an anti-virus scanner and/or
    inspect the parts of the registry that start up processes when Windows
    starts, as well as the part of the registry that starts up services.
    Searching google for RKDetect might be useful as well.

    Don't forget to figure out what you neglected to do to properly secure this
    system. Probably missing patches, firewall and/or anti-virus.

    http://securityadmin.info/faq.asp#harden
  3. Archived from groups: microsoft.public.win2000.security

    "larock" <abc@abc.com> wrote in message
    news:hkcbh054bejfguav9rk8ql47okk5np81cn@4ax.com...
    > I have a 2000 server that has had an FTP server installed. You get to
    > it via port 8899 or 999. A nmap of the server shows those ports.
    > However if you run ActivePorts, FPort, TCPView, netstat -an, etc., it
    > does NOT show those ports, let alone the process that has it. I have
    > looked around for an answer but I cannot find the offending process.
    >
    > I have seen on another server where there was a process running and it
    > blocked visibility of files, processes, registry keys, services, etc.
    > However, connecting remotely revealed these.

    BTW for Windows root kits like Hacker Defender, you can often rename CMD.EXE
    to one of the file names being hidden [such as HXDEFCMD.EXE , or
    SERVCMD.EXE] to bypass the root kit. The file will disappear, but you can
    still launch it by clicking Start, Run and typing in the full path and file
    name where the now hidden file is. Once you do that, anything you run or
    launch from that command window, such as fport, should be able to see the
    hidden files and ports.

    See here for some other suggestions and comments about removing hacker
    defender:

    http://bagpuss.swan.ac.uk/comms/hxdef.htm
  4. Archived from groups: microsoft.public.win2000.security

    Hey Larock,

    Go to regedit!
    Do a search on "powerful".
    Then see what the reference is! If you have any more questions shoot me an email.

    L8R,
    Joe

    larock <abc@abc.com> wrote in message news:<hkcbh054bejfguav9rk8ql47okk5np81cn@4ax.com>...
    > I have a 2000 server that has had an FTP server installed. You get to
    > it via port 8899 or 999. A nmap of the server shows those ports.
    > However if you run ActivePorts, FPort, TCPView, netstat -an, etc., it
    > does NOT show those ports, let alone the process that has it. I have
    > looked around for an answer but I cannot find the offending process.
    >
    > I have seen on another server where there was a process running and it
    > blocked visibility of files, processes, registry keys, services, etc.
    > However, connecting remotely revealed these.
    >
    > I am stumped on this port problem. Any ideas?
    >
    > Roger
    > email: larock 'at' mail.com
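
The cross-view check this thread keeps returning to (what a remote nmap scan sees versus what local tools report) can be automated. The following is an added example, not code from any poster in the thread; the host address, the sample nmap grepable output and the sample `netstat -an` output are constructed for illustration.

```python
import re

# Constructed sample: nmap grepable (-oG) output from a scan run on another machine.
NMAP_GREPABLE = (
    "Host: 192.0.2.10 ()\tPorts: 135/open/tcp//msrpc///, "
    "445/open/tcp//microsoft-ds///, 999/open/tcp//unknown///, "
    "3389/filtered/tcp//unknown///, 8899/open/tcp//unknown///"
    "\tIgnored State: closed (995)\n"
)

# Constructed sample: `netstat -an` output captured on the server itself.
NETSTAT_AN = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:445         192.0.2.77:1188        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# A listening TCP row: protocol, local addr:port, foreign addr, state.
NETSTAT_ROW = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.I)

def remote_open_tcp(grepable):
    """TCP ports nmap reports as open; filtered and closed entries are ignored."""
    ports = set()
    for line in grepable.splitlines():
        if "Ports:" not in line:
            continue
        # The Ports field ends at the next tab (e.g. before "Ignored State").
        port_field = line.split("Ports:", 1)[1].split("\t")[0]
        for entry in port_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                ports.add(int(fields[0]))
    return ports

def local_listening_tcp(netstat):
    """TCP ports the local netstat view admits to listening on."""
    return {int(m.group(1)) for m in map(NETSTAT_ROW.match, netstat.splitlines()) if m}

def hidden_ports(grepable, netstat):
    """Ports that answer from outside but are absent from the local view."""
    return sorted(remote_open_tcp(grepable) - local_listening_tcp(netstat))

if __name__ == "__main__":
    for port in hidden_ports(NMAP_GREPABLE, NETSTAT_AN):
        print(f"port {port}/tcp answers remotely but is missing from local netstat")
```

A port in the result only means the two views disagree; a NAT or port-forwarding device between the scanner and the server produces the same difference, so run the scan from the same subnet before concluding that the local tools are being lied to.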