Weird UDP traffic

From: Jacques Exelrud (jacquesat_private)
Date: Tue Jul 10 2001 - 11:00:57 PDT


    	I'm using ZoneAlarm on a machine. Starting some days ago the alert log
    started to show a UDP connection from my machine to my machine (denied by
    ZoneAlarm).
    	The UDP port is 10000.
    	After checking netstat -n -a I also found some weird ports:
    
      TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
      TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
      TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
      TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
      TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
      TCP    0.0.0.0:1032           0.0.0.0:0              LISTENING
      TCP    0.0.0.0:3372           0.0.0.0:0              LISTENING
      TCP    1.0.0.1:1433           0.0.0.0:0              LISTENING
      TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
      TCP    192.168.64.1:139       0.0.0.0:0              LISTENING
      TCP    192.168.64.1:1433      0.0.0.0:0              LISTENING
      UDP    0.0.0.0:135            *:*
      UDP    0.0.0.0:445            *:*
      UDP    0.0.0.0:500            *:*
      UDP    0.0.0.0:1028           *:*
      UDP    0.0.0.0:1031           *:*
      UDP    0.0.0.0:1434           *:*
      UDP    0.0.0.0:3456           *:*
      UDP    0.0.0.0:10000          *:*
      UDP    192.168.64.1:137       *:*
      UDP    192.168.64.1:138       *:*
    
    	Some of them are known but others are, at least, suspicious.
    
    	Any suggestions on how to find who owns those ports? ZoneAlarm does not
    bother me with them so I suspect that who owns them is services.exe or another
    Win2000 program that has been allowed to act like a server.
    
    	Thanks in advance,
    	Jacques
    
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Jul 11 2001 - 13:31:40 PDT