Re: Weird UDP trafic

From: Rajeev Kumar (rajeevat_private)
Date: Thu Jul 12 2001 - 08:38:57 PDT

Next message: adam: "Re: Recent IRC attacks"

Previous message: vlimaat_private: "Denial of service attack on port 6667"
In reply to: Jacques Exelrud: "Weird UDP trafic"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

If you have a tool like lsof. You can use following command to see which
file is responsible for those oprn ports.

Under Linux (Login as root):

# lsof -i UDP   (will show all UDP open ports)

Rajeev

Jacques Exelrud wrote:
> 
>         I'm using ZoneAlarm on a machine. Starting some days ago the alert log
> started to show a UDP connection from my machine to my machine (denied by
> ZoneAlamr)
>         The UDP port is 10000.
>         After check netstat -n -a I lso found some weird ports:
> 
>   TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:1032           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:3372           0.0.0.0:0              LISTENING
>   TCP    1.0.0.1:1433           0.0.0.0:0              LISTENING
>   TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
>   TCP    192.168.64.1:139       0.0.0.0:0              LISTENING
>   TCP    192.168.64.1:1433      0.0.0.0:0              LISTENING
>   UDP    0.0.0.0:135            *:*
>   UDP    0.0.0.0:445            *:*
>   UDP    0.0.0.0:500            *:*
>   UDP    0.0.0.0:1028           *:*
>   UDP    0.0.0.0:1031           *:*
>   UDP    0.0.0.0:1434           *:*
>   UDP    0.0.0.0:3456           *:*
>   UDP    0.0.0.0:10000          *:*
>   UDP    192.168.64.1:137       *:*
>   UDP    192.168.64.1:138       *:*
> 
>         Some of the are known but other are, at least, suspicious.
> 
>         Any sugestions on how to find who owns those ports ? ZoneAlarm does not
> bother me with them so I suspect that who owns them is services.exe or other
> Win200 program that have been allowed to act like a server.
> 
>         Thanks in advance,
>         Jacques
> 
> ----------------------------------------------------------------------------
> 
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see:
> 
> http://aris.securityfocus.com

-- 
********************************************************************
	Rajeev Kumar (rajeevat_private)
		http://www.rajeevnet.com
********************************************************************
-- PGP PUBLIC KEY -- http://www.rajeevnet.com/crypto/mypubkey


----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

Next message: adam: "Re: Recent IRC attacks"
Previous message: vlimaat_private: "Denial of service attack on port 6667"
In reply to: Jacques Exelrud: "Weird UDP trafic"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jul 12 2001 - 11:34:57 PDT