Re: Backdoor ?? "Girlnextdoor_" TCP Ports 1025/1028

From: Harlan Carvey (keydet89at_private)
Date: Thu Mar 06 2003 - 13:56:54 PST


    Robbert,
    
    Have you tried running this on another machine?  I'm
    sure you'll find the exact same thing.  When I run
    netstat like you did, I get something similar.  The
    important point is the STATE of the connection.  In
    your case, and mine, the STATE is "LISTENING".  That
    doesn't mean that there's a connection..."ESTABLISHED"
    does.
    
    Regarding ports 1025-1028...those are documented by
    Microsoft as being used for RPC.  If you're REALLY
    paranoid, run fport from Foundstone to see what's
    bound to those ports.
    
    --- Robbert Helling <robjehat_private> wrote:
    > If i look at my 2 first entries i see:
    > Active Connections
    > 
    >    Proto  Local Address          Foreign Address        State
    >    TCP    nack:epmap             nack:0                 LISTENING
    >    TCP    nack:microsoft-ds      nack:0                 LISTENING
    > 
    > The Foreign Address shows my own host name; I'm not
    > sure why it's listed this way. But I guess you have to
    > find your problem locally.
    > 
    > 
    > At 18:59 5-3-2003, H C wrote:
    > >I'm not entirely sure what you mean by "foreign
    > >address listening to ports..."...netstat shows you
    > >what the local machine is listening on, and which
    > >endpoints the foreign addresses are connected to.
    > >
    > >Have you tried running Foundstone's fport yet?
    > >
    > >
    > > > > Running netstat -a, I found a foreign address
    > > > > "GirlNextDoor_" listening to ports TCP 1025/1028.
    > > > >
    > > > > Can someone explain to me what is going on on this
    > > > > desktop?
    > > > >
    > > > > It's a Win2k/SP2 workstation with McAfee antivirus
    > > > > and ZoneAlarm.
    > > > >
    > > > > Also, can you explain to me the second set of
    > > > > connections, foreign address "*:*"?
    > > > >
    > > > > Thanks for your help,
    > > > > Sal.
    > > > >
    > > > > -------------------------------------------------------
    > > > > Microsoft Windows 2000 [Version 5.00.2195]
    > > > > (C) Copyright 1985-2000 Microsoft Corp.
    > > > >
    > > > > C:\>netstat -a
    > > > >
    > > > > Active Connections
    > > > >
    > > > >   Proto  Local Address          Foreign Address        State
    > > > >   TCP    p4win2k:epmap          Girlnextdoor_:0        LISTENING
    > > > >   TCP    p4win2k:microsoft-ds   Girlnextdoor_:0        LISTENING
    > > > >   TCP    p4win2k:1025           Girlnextdoor_:0        LISTENING
    > > > >   TCP    p4win2k:1028           Girlnextdoor_:0        LISTENING
    > > > >   TCP    p4win2k:netbios-ssn    Girlnextdoor_:0        LISTENING
    > > > >   UDP    p4win2k:epmap          *:*
    > > > >   UDP    p4win2k:microsoft-ds   *:*
    > > > >   UDP    p4win2k:1027           *:*
    > > > >   UDP    p4win2k:1030           *:*
    > > > >   UDP    p4win2k:netbios-ns     *:*
    > > > >   UDP    p4win2k:netbios-dgm    *:*
    > > > >   UDP    p4win2k:isakmp         *:*
    > > > >
    > > > > C:\>
    > > > >
    > > > > -------------------------------------------------------
    > > > --
    > > > The Virgin BOFH...
    > > > Linux Registered User #288905
    > > > Public GnuPG Key B760A432 available at
    > > > http://www.ines.ro/public_keys/jay.gpg
    > > >
    > >
    
    
    __________________________________________________
    Do you Yahoo!?
    Yahoo! Tax Center - forms, calculators, tips, more
    http://taxes.yahoo.com/
    
    ----------------------------------------------------------------------------
    
    <Pre>Lose another weekend managing your IDS?
    Take back your personal time.
    15-day free trial of StillSecure Border Guard.</Pre>
    <A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>
    
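As an added illustration of the point made in the reply above (the STATE column, not the Foreign Address next to a LISTENING socket, tells you whether anything is actually connected), here is a small Python triage script that parses `netstat -a` output in the Windows 2000 format shown in this thread. It is not from the original message, nor from netstat or fport; the sample input reuses the netstat lines quoted in the thread, with one ESTABLISHED line to 192.0.2.10 added as a constructed example so that the contrast between "open port, no peer" and "real connection" is visible.

```python
"""Triage Windows `netstat -a` output: which sockets are merely LISTENING
(foreign address is a placeholder) and which are actually connected.

Added example for this thread, not code from the original message or from
netstat/fport. The sample below is the netstat output quoted in the thread
plus one constructed ESTABLISHED line (192.0.2.10) to show the contrast."""
import re
from collections import namedtuple

Socket = namedtuple("Socket", "proto local_host local_port foreign_host foreign_port state")

# Constructed sample: the quoted `netstat -a` rows, plus one ESTABLISHED row
# (TCP 1031 -> 192.0.2.10:http) that is NOT from the page.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    p4win2k:epmap          Girlnextdoor_:0        LISTENING
  TCP    p4win2k:microsoft-ds   Girlnextdoor_:0        LISTENING
  TCP    p4win2k:1025           Girlnextdoor_:0        LISTENING
  TCP    p4win2k:1028           Girlnextdoor_:0        LISTENING
  TCP    p4win2k:netbios-ssn    Girlnextdoor_:0        LISTENING
  TCP    p4win2k:1031           192.0.2.10:http        ESTABLISHED
  UDP    p4win2k:epmap          *:*
  UDP    p4win2k:microsoft-ds   *:*
  UDP    p4win2k:1027           *:*
  UDP    p4win2k:1030           *:*
  UDP    p4win2k:netbios-ns     *:*
  UDP    p4win2k:netbios-dgm    *:*
  UDP    p4win2k:isakmp         *:*
"""

# Proto, local endpoint, foreign endpoint, optional state (UDP rows have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s*$")


def split_endpoint(endpoint):
    """'host:port' -> (host, port); also handles the '*:*' wildcard."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return a Socket for every TCP/UDP row; headers and blanks are skipped."""
    sockets = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        proto, local, foreign, state = match.groups()
        local_host, local_port = split_endpoint(local)
        foreign_host, foreign_port = split_endpoint(foreign)
        sockets.append(Socket(proto, local_host, local_port,
                              foreign_host, foreign_port, state or ""))
    return sockets


def has_no_peer(sock):
    """A foreign port of 0 or '*' is a placeholder: nobody is on the other end.
    As the thread observes, netstat shows the machine's own name in the host
    part, which is why 'Girlnextdoor_' appears next to every LISTENING row."""
    return sock.foreign_port in ("0", "*")


def triage(text):
    """Bucket sockets: 'listening' (open port, no peer), 'established'
    (a real remote endpoint), 'other' (TIME_WAIT, CLOSE_WAIT, ...)."""
    buckets = {"listening": [], "established": [], "other": []}
    for sock in parse_netstat(text):
        if sock.state == "ESTABLISHED":
            buckets["established"].append(sock)
        elif sock.state == "LISTENING" or (sock.proto == "UDP" and has_no_peer(sock)):
            # UDP is connectionless; netstat prints no state, just '*:*'.
            buckets["listening"].append(sock)
        else:
            buckets["other"].append(sock)
    return buckets


def real_peers(text):
    """Remote hosts that actually have a connection to this machine."""
    return {s.foreign_host for s in triage(text)["established"]}


def report(text):
    """Human-readable summary: read the STATE column, not the foreign name."""
    buckets = triage(text)
    lines = []
    for sock in buckets["listening"]:
        lines.append(f"{sock.proto:3} {sock.local_port:<13} open, no peer "
                     f"(foreign '{sock.foreign_host}:{sock.foreign_port}' is a placeholder)")
    for sock in buckets["established"]:
        lines.append(f"{sock.proto:3} {sock.local_port:<13} CONNECTED to "
                     f"{sock.foreign_host}:{sock.foreign_port}")
    for sock in buckets["other"]:
        lines.append(f"{sock.proto:3} {sock.local_port:<13} {sock.state}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_NETSTAT))
    print("hosts with a real connection:", sorted(real_peers(SAMPLE_NETSTAT)))
```

Run against the sample, every row from the quoted output lands in the "listening" bucket with a placeholder peer, and only the constructed 192.0.2.10 row shows up as a real connection. The listening rows are the ones to map to a process (the reply suggests fport for that); the established rows are the ones whose remote host is worth looking at.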



    This archive was generated by hypermail 2b30 : Fri Mar 07 2003 - 07:47:19 PST