Re: Weird UDP traffic

From: Rajeev Kumar (rajeevat_private)
Date: Thu Jul 12 2001 - 08:38:57 PDT

    If you have a tool like lsof, you can use the following command to see which
    file is responsible for those open ports.
    
    Under Linux (Login as root):
    
    # lsof -i UDP   (will show all UDP open ports)
    
    Rajeev
    
    Jacques Exelrud wrote:
    > 
    >         I'm using ZoneAlarm on a machine. Starting some days ago the alert log
    > started to show a UDP connection from my machine to my machine (denied by
    > ZoneAlarm)
    >         The UDP port is 10000.
    >         After checking netstat -n -a I also found some weird ports:
    > 
    >   TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
    >   TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
    >   TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
    >   TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
    >   TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
    >   TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
    >   TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
    >   TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
    >   TCP    0.0.0.0:1032           0.0.0.0:0              LISTENING
    >   TCP    0.0.0.0:3372           0.0.0.0:0              LISTENING
    >   TCP    1.0.0.1:1433           0.0.0.0:0              LISTENING
    >   TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
    >   TCP    192.168.64.1:139       0.0.0.0:0              LISTENING
    >   TCP    192.168.64.1:1433      0.0.0.0:0              LISTENING
    >   UDP    0.0.0.0:135            *:*
    >   UDP    0.0.0.0:445            *:*
    >   UDP    0.0.0.0:500            *:*
    >   UDP    0.0.0.0:1028           *:*
    >   UDP    0.0.0.0:1031           *:*
    >   UDP    0.0.0.0:1434           *:*
    >   UDP    0.0.0.0:3456           *:*
    >   UDP    0.0.0.0:10000          *:*
    >   UDP    192.168.64.1:137       *:*
    >   UDP    192.168.64.1:138       *:*
    > 
    >         Some of them are known but others are, at least, suspicious.
    > 
    >         Any suggestions on how to find who owns those ports? ZoneAlarm does not
    > bother me with them so I suspect that who owns them is services.exe or other
    > Win2000 program that has been allowed to act like a server.
    > 
    >         Thanks in advance,
    >         Jacques
    > 
    > ----------------------------------------------------------------------------
    > 
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see:
    > 
    > http://aris.securityfocus.com
    
    -- 
    ********************************************************************
    	Rajeev Kumar (rajeevat_private)
    		http://www.rajeevnet.com
    ********************************************************************
    -- PGP PUBLIC KEY -- http://www.rajeevnet.com/crypto/mypubkey
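
The socket-to-process mapping that `lsof -i UDP` reports on Linux can be rebuilt from `/proc`, shown here as an added example that is not part of the original messages. It assumes a Linux `/proc` layout, IPv4 only and a little-endian host; the function names and the sample table are constructed for illustration.

```python
import os
import re
import socket
import struct

# Constructed sample in /proc/net/udp layout (not from the thread); 0x2710 = 10000.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 00000000:2710 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 34567 2 0000000000000000 0
  102: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 34570 2 0000000000000000 0
"""

def parse_proc_net_udp(text):
    """Return [(ip, port, inode)] for every IPv4 UDP socket in the table."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # Assumption: little-endian host, where the address prints byte-reversed.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        rows.append((ip, int(hex_port, 16), int(fields[9])))
    return rows

def socket_inode_owners(proc="/proc"):
    """Map socket inode -> {(pid, command)} from each process's fd symlinks."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/comm") as fh:
                comm = fh.read().strip()
            for fd in os.listdir(f"{proc}/{pid}/fd"):
                link = os.readlink(f"{proc}/{pid}/fd/{fd}")
                m = re.fullmatch(r"socket:\[(\d+)\]", link)
                if m:
                    owners.setdefault(int(m.group(1)), set()).add((int(pid), comm))
        except OSError:
            continue    # process exited, or its fds are unreadable without root
    return owners

def udp_port_owners(udp_text, owners):
    """Join the socket table to its owners: [(ip, port, [(pid, command), ...])]."""
    return [(ip, port, sorted(owners.get(inode, ())))
            for ip, port, inode in parse_proc_net_udp(udp_text)]

if __name__ == "__main__":
    with open("/proc/net/udp") as fh:
        for ip, port, procs in udp_port_owners(fh.read(), socket_inode_owners()):
            print(f"UDP {ip}:{port} -> {procs or 'owner not visible (run as root)'}")
```

A socket that shows no owner when the script runs as root is worth a closer look, since it may be held by the kernel itself or by a process hidden from `/proc`.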
    



    This archive was generated by hypermail 2b30 : Thu Jul 12 2001 - 11:34:57 PDT