Re: Weird UDP trafic

From: Captain James T Kirk (Captain_Kirkat_private)
Date: Wed Jul 11 2001 - 14:15:44 PDT


    Here's a list of known ports:
    
    Known ports from 0 to 1023
    
    25
     tcp, udp smtp Simple Mail Transfer; alias=mail
    
    80
     tcp udp WWW World Wide Web HTTP
    
    135
     tcp udp loc-srv / epmap Location Service / DCE endpoint resolution
    
    137
     tcp udp netbios-ns NetBIOS Name Service
    
    138
     tcp udp netbios-dgm NetBIOS Datagram Service
    
    139
     tcp udp netbios-ssn NetBIOS Session Service
    
    445
     tcp udp microsoft-ds Microsoft-DS
    
    500
     tcp udp isakmp Internet Security Association and Key Management Protocol
    
    Registered ports from 1024 to 49151
    
    1025
     tcp listen listener RFS remote_file_sharing
    
    1026
     tcp nterm remote_login network_terminal
    
    1031 & 1032
     tcp udp iad3 BBN IAD @timeplex.com
    
    1433
     tcp, udp ms-sql-s Microsoft-SQL-Server
    
    1434
     tcp, udp ms-sql-m Microsoft-SQL-Monitor @microsoft.com
    
    3372
     tcp, udp tip2 loc252.tandem.com
    
    3456
     tcp udp vat VAT default data ee.lbl.gov
    
    10000
     tcp udp ndmp Network Data Management Protocol netapp.com
    
    Looks like you have a web server listening on port 80 (Microsoft Personal
    Web Server perhaps?), a Microsoft SQL Server listening to port 1433 (using
    a database for your web pages?), you are checking your mail on port 25,
    ports 135 to 139 are being used for your dial-up connection (or whatever)
    and it looks like you have File and Print sharing enabled and turned on.
    
    Check out http://www.iana.org/assignments/port-numbers
    
    On Tue, 10 Jul 2001, Jacques Exelrud wrote:
    
    > 	I'm using ZoneAlarm on a machine. Starting some days ago the alert log
    > started to show a UDP connection from my machine to my machine (denied by
    > ZoneAlarm)
    > 	The UDP port is 10000.
    > 	After checking netstat -n -a I also found some weird ports:
    >
    >   TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
    >   TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
    >   TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
    >   TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
    >   TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
    >   TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
    >   TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
    >   TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
    >   TCP    0.0.0.0:1032           0.0.0.0:0              LISTENING
    >   TCP    0.0.0.0:3372           0.0.0.0:0              LISTENING
    >   TCP    1.0.0.1:1433           0.0.0.0:0              LISTENING
    >   TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
    >   TCP    192.168.64.1:139       0.0.0.0:0              LISTENING
    >   TCP    192.168.64.1:1433      0.0.0.0:0              LISTENING
    >   UDP    0.0.0.0:135            *:*
    >   UDP    0.0.0.0:445            *:*
    >   UDP    0.0.0.0:500            *:*
    >   UDP    0.0.0.0:1028           *:*
    >   UDP    0.0.0.0:1031           *:*
    >   UDP    0.0.0.0:1434           *:*
    >   UDP    0.0.0.0:3456           *:*
    >   UDP    0.0.0.0:10000          *:*
    >   UDP    192.168.64.1:137       *:*
    >   UDP    192.168.64.1:138       *:*
    >
    > 	Some of them are known but others are, at least, suspicious.
    >
    > 	Any suggestions on how to find who owns those ports? ZoneAlarm does not
    > bother me with them so I suspect that who owns them is services.exe or other
    > Win200 program that has been allowed to act like a server.
    >
    > 	Thanks in advance,
    > 	Jacques
    >
    >
    >
    >
    > ----------------------------------------------------------------------------
    >
    >
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see:
    >
    > http://aris.securityfocus.com
    >
    >
    >
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Jul 11 2001 - 16:36:37 PDT