Netstat Ports
Results 1 to 8 of 8

Thread: Netstat Ports

  1. #1
    Member
    Join Date
    Sep 2001
    Posts
    81

    Question Netstat Ports

    Once again all:
    In reference to my earlier Q, netstat, I have the following showing, do I have a virus/backdoor? Sys win 98se...
    tcp **********:1028 0.0.0.0:0 listening
    tcp **********:6666 0.0.0.0:0 list..
    tcp **********:6667 0.0.0.0:0 list..
    tcp **********:6668 0.0.0.0:0 list..
    tcp **********:5190 0.0.0.0:0 list..
    tcp **********:1028 berp-da06.dial.aol.com:18465 Estb...
    tcp **********:137 0.0.0.0:0 list
    tcp **********:138 list
    tcp **********:nbsession 0.0.0.0:0 list
    tcp **********:1029 0.0.0.0:0 list
    tcp **********: 137 0.0.0.0:0 list
    tcp **********: 138 0.0.0.0:0 list
    tcp **********: nbsession 0.0.0.0:0 list
    udp **********:6666 *:*
    udp **********:5190 *:*
    udp **********:nbname *:*
    udp ***********:nbdatagram *:*
    udp ***********: 1029 *:*
    udp ***********:nbname *:*
    udp **********:nbdatagram *:*


    PHEW......

    Is port 1028 being used as a backdoor or is this an alternative for aol?? I have neohapsis ports list and cannot find 1028???
    I also see that 6666 6667 6668 are used some time by trojans. I am sure that the only port being used is 1028, can some one also explain the berp-da06 function in this app??
    Can someone also explain the *:* as used here?

    Sorry for it not being as neat as possible, but hey! Any info would be greatly appreciated.
    KNOWLEDGE IS OF TWO KINDS: We know a subject ourselves or we know where to find information upon it. SAMUEL JOHNSON
    Share on Google+

  2. #2
    Member
    Join Date
    Oct 2001
    Posts
    88

    Re: Once again all:

    Once again all:
    In reference to my earlier Q, netstat, I have the following showing, do I have a virus/backdoor? Sys win 98se...
    tcp **********:1028 0.0.0.0:0 listening <- rpc
    tcp **********:6666 0.0.0.0:0 list.. <- irc
    tcp **********:6667 0.0.0.0:0 list.. <- irc
    tcp **********:6668 0.0.0.0:0 list.. <- irc
    tcp **********:5190 0.0.0.0:0 list.. <- aim
    tcp **********:1028 berp-da06.dial.aol.com:18465 Estb... <- rpc
    tcp **********:137 0.0.0.0:0 list <- netbios
    tcp **********:138 list <- netbios
    tcp **********:nbsession 0.0.0.0:0 list <- netbios
    tcp **********:1029 0.0.0.0:0 list <- rpc

    tcp **********: 137 0.0.0.0:0 list <- netbios
    tcp **********: 138 0.0.0.0:0 list <- netbios
    tcp **********: nbsession 0.0.0.0:0 list <- netbios
    udp **********:6666 *:* <- irc
    udp **********:5190 *:* <- aim

    udp **********:nbname *:* <- netbios
    udp ***********:nbdatagram *:* <- netbios
    udp ***********: 1029 *:* <- rpc

    udp ***********:nbname *:* <- netbios
    udp **********:nbdatagram *:* <- netbios


    What this tells me is that you had AOL Instant Messanger (aim) open, you had an irc client open and had just connected to at least one server (or perhaps you have and irc server on your machine).
    And you have at least two shares on your C:\, probably IPC$ and Admin$, but maybe C$ and all of your netbios features are turned on and talking to the internet.

    One way to do a quick check on these shares is to open internet explorer and type \\computername\admin$ in the address bar. (also \\computername\c$ and \\computername\IPC$). You will see a list of your folders come up if the share is enabled.

    Do the smart thing and get Zone Alarm or Tiny Personal Firewall, turn off all of those shares, and turn off netbios.

    Hope this helped.
    Share on Google+

  3. #3
    Member
    Join Date
    Oct 2001
    Posts
    88
    Oh, and by the way, yes you do have a backdoor. It is called crappy Micrsoft Windows default security settings.

    A.K.A NetBIOS and Internet Sharing

    ..hmmmm make all of your data available to the public by default. Does this tell us that M$ does not understand security perhaps?
    Share on Google+

  4. #4
    Member
    Join Date
    Sep 2001
    Posts
    81

    Thumbs up

    Thanks Psi! By the way I do have zone alarm, I will review my settings though, and follow your explorer checks, thanks once again.
    I followed your instructions and all seems fine, using markusjansson.net as a source I was able to secure up the box, had to dig to find the vnbt.386 file though, they do hide these things don't they???
    KNOWLEDGE IS OF TWO KINDS: We know a subject ourselves or we know where to find information upon it. SAMUEL JOHNSON
    Share on Google+

  5. #5
    Member
    Join Date
    Oct 2001
    Posts
    88
    Great, glad to hear it.
    Share on Google+

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    yours
    tcp **********:1028 berp-da06.dial.aol.com:18465 Estb... <- rpc

    mine
    iel:2207 berp-co06.dial.aol.com:13784 ESTABLISHED

    i don't have any kind of IM and mIRC has not been started since last boot-up

    i believe this berp guy is the proxy/"buddys list" server.

    1028 would be rpc in nt, but it could be inetinfo.exe, installed with personal web server. i see however you don't hace it turned on
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
    Share on Google+

  7. #7
    Senior Member
    Join Date
    Oct 2001
    Posts
    677
    Specifically block ports 135, 137-139 and 445 in ZoneAlarm in the Internet Zone to stop people on the net accessing your NetBIOS shares, but to still allow a local network to access them (if you have a local network, that is)
    One Ring to rule them all, One Ring to find them.
    One Ring to bring them all and in the darkness bind them.
    (The Lord Of The Rings)
    http://www.bytekill.net
    Share on Google+

  8. #8
    Senior Member
    Join Date
    Oct 2001
    Posts
    677

    Cool

    That is, ports 135, 137-139 and 445 inbound TCP and UDP
    I'd also recommend blocking inbound access to port 80/tcp as well, in case you have a web server you didn't know about sending personal information all over the internet!
    One Ring to rule them all, One Ring to find them.
    One Ring to bring them all and in the darkness bind them.
    (The Lord Of The Rings)
    http://www.bytekill.net
    Share on Google+

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •