
Port being used but no process 'owns' up to it.


Archived from groups: microsoft.public.win2000.security (More info?)

 

I have a 2000 server that has had an FTP server installed. You get to
it via port 8899 or 999. A nmap of the server shows those ports.
However if you run ActivePorts, FPort, TCPView, netstat -an, etc., it
does NOT show those ports, let alone the process that has it. I have
looked around for an answer but I cannot find the offending process.

I have seen on another server where there was a process running and it
blocked visibility of files, processes, registry keys, services, etc.
However remotely connected revealed these.

I am stumped on this port problem. Any ideas?

Roger
email: larock 'at' mail.com


Archived from groups: microsoft.public.win2000.security (More info?)

 

If the process is not running at the time you run one of those tools, it will not
show a port mapped to it. Did you also try Process Explorer, which shows processes in
more detail, not just those used for networking, and shows the ports a process
listens on in properties/tcp-ip? I would also scan for processes running remotely
from another computer using something like PsList. If you have a root kit compromise,
the rogue process may not be apparent from local tools run on the compromised
computer. Autoruns is also good to use to show what processes are run as startup from
many places within the operating system. --- Steve

http://www.sysinternals.com/ntw2k/ [...] list.shtml
http://www.sysinternals.com/ntw2k/ [...] runs.shtml

"larock" <abc@abc.com> wrote in message
news:hkcbh054bejfguav9rk8ql47okk5np81cn@4ax.com...
> I have a 2000 server that has had an FTP server installed. You get to
> it via port 8899 or 999. A nmap of the server shows those ports.
> However if you run ActivePorts, FPort, TCPView, netstat -an, etc., it
> does NOT show those ports, let alone the process that has it. I have
> looked around for an answer but I cannot find the offending process.
>
> I have seen on another server where there was a process running and it
> blocked visibility of files, processes, registry keys, services, etc.
> However remotely connected revealed these.
>
> I am stumped on this port problem. Any ideas?
>
> Roger
> email: larock 'at' mail.com
>
>

Reply to Anonymous

Archived from groups: microsoft.public.win2000.security (More info?)

 

"larock" <abc@abc.com> wrote in message
news:hkcbh054bejfguav9rk8ql47okk5np81cn@4ax.com...
> I have a 2000 server that has had an FTP server installed. You get to
> it via port 8899 or 999. A nmap of the server shows those ports.
> However if you run ActivePorts, FPort, TCPView, netstat -an, etc., it
> does NOT show those ports, let alone the process that has it. I have
> looked around for an answer but I cannot find the offending process.
>
> I have seen on another server where there was a process running and it
> blocked visibility of files, processes, registry keys, services, etc.
> However remotely connected revealed these.

That would be a Windows root kit. Use the same method [connecting remotely]
to detect this. Scan the hard drive with an anti-virus scanner and/or
inspect the parts of the registry that start up processes when Windows
starts, as well as the part of the registry that starts up services.
Searching google for RKDetect might be useful as well.

Don't forget to figure out what you neglected to do to properly secure this
system. Probably missing patches, firewall and/or anti-virus.

http://securityadmin.info/faq.asp#harden

Reply to Anonymous
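
The cross-check the replies above recommend, comparing what a remote scan sees with what the host reports about itself, as an added example that is not part of the original thread: it diffs nmap's open TCP ports against the local `netstat -an` listeners. Both sample outputs are constructed (ports 8899 and 999 are taken from the question), and the function names are hypothetical.

```python
import re

# Constructed sample: remote nmap scan of the server (normal output format).
NMAP_SAMPLE = """\
PORT     STATE  SERVICE
21/tcp   open   ftp
135/tcp  open   msrpc
445/tcp  open   microsoft-ds
999/tcp  open   unknown
3389/tcp closed ms-wbt-server
8899/tcp open   unknown
"""

# Constructed sample: "netstat -an" captured locally on the same server.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:21            10.0.0.9:1188          ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

NMAP_OPEN = re.compile(r"^(\d+)/tcp\s+open\s", re.M)
NETSTAT_LISTEN = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\b", re.M)

def remote_open_ports(nmap_text):
    # TCP ports the scanner found open from the network side.
    return {int(p) for p in NMAP_OPEN.findall(nmap_text)}

def local_listening_ports(netstat_text):
    # TCP ports the host itself admits to listening on (IPv4 or [IPv6] form).
    return {int(p) for p in NETSTAT_LISTEN.findall(netstat_text)}

def cross_view(nmap_text, netstat_text):
    remote = remote_open_ports(nmap_text)
    local = local_listening_ports(netstat_text)
    return {
        "hidden_from_local": sorted(remote - local),  # answers on the wire, absent locally
        "not_reachable": sorted(local - remote),      # filtered or bound elsewhere: expected
    }

if __name__ == "__main__":
    result = cross_view(NMAP_SAMPLE, NETSTAT_SAMPLE)
    for port in result["hidden_from_local"]:
        print(f"tcp/{port}: open from the network, no local listener reported")
```

Capture both views at the same time and scan from the same network segment, so that a stopped service or a port forwarder in front of the host is not mistaken for a hidden listener.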

Archived from groups: microsoft.public.win2000.security (More info?)

 

"larock" <abc@abc.com> wrote in message
news:hkcbh054bejfguav9rk8ql47okk5np81cn@4ax.com...
> I have a 2000 server that has had an FTP server installed. You get to
> it via port 8899 or 999. A nmap of the server shows those ports.
> However if you run ActivePorts, FPort, TCPView, netstat -an, etc., it
> does NOT show those ports, let alone the process that has it. I have
> looked around for an answer but I cannot find the offending process.
>
> I have seen on another server where there was a process running and it
> blocked visibility of files, processes, registry keys, services, etc.
> However remotely connected revealed these.

BTW for Windows root kits like Hacker Defender, you can often rename CMD.EXE
to one of the file names being hidden [such as HXDEFCMD.EXE , or
SERVCMD.EXE] to bypass the root kit. The file will disappear, but you can
still launch it by clicking Start, Run and typing in the full path and file
name where the now hidden file is. Once you do that, anything you run or
launch from that command window, such as fport, should be able to see the
hidden files and ports.

See here for some other suggestions and comments about removing hacker
defender:

http://bagpuss.swan.ac.uk/comms/hxdef.htm

Reply to Anonymous

Archived from groups: microsoft.public.win2000.security (More info?)

 

Hey Larock,

Go to regedit!
do a search on "powerful"
Then see what the reference is! If you have any more questions shoot me an email.

L8R,
Joe

larock <abc@abc.com> wrote in message news:<hkcbh054bejfguav9rk8ql47okk5np81cn@4ax.com>...
> I have a 2000 server that has had an FTP server installed. You get to
> it via port 8899 or 999. A nmap of the server shows those ports.
> However if you run ActivePorts, FPort, TCPView, netstat -an, etc., it
> does NOT show those ports, let alone the process that has it. I have
> looked around for an answer but I cannot find the offending process.
>
> I have seen on another server where there was a process running and it
> blocked visibility of files, processes, registry keys, services, etc.
> However remotely connected revealed these.
>
> I am stumped on this port problem. Any ideas?
>
> Roger
> email: larock 'at' mail.com

Reply to Joe