-
February 8th, 2006, 05:51 PM
#1
Member
Help needed (port 1040 open)
Hi all!
Well, I was trying to secure my box, and I ran netstat -a -n and found TCP port 1040 open (among other ports which I know the reasons for).
I tried to find information on how this could happen, and the most likely explanation is that I have a virus. Well, I have avast with the latest db and no virus was found.
I looked at the programs that are being started during windows start and I didn't find anything unusual.
I'd like to diagnose why this port is open, and then I'd like to fix the problem.
What would you suggest I do?
Thanks in advance!!!
-
February 8th, 2006, 06:06 PM
#2
Hey Hey,
Go to http://www.foundstone.com/index.htm?...desc/fport.htm run that utility and see what it comes back with..
Netstat is nice but doesn't link the information very well.. it doesn't tie everything together.
Peace,
HT
-
February 8th, 2006, 07:02 PM
#3
Netarx has the "lease" for port 1040 both TCP and UDP - does it ring any bells for you?
Try netstat -ano; the "o" switch brings up a PID column. Take a look at the PID of what had the port open, then CTRL ALT DEL to the Task Manager; if the PID isn't there go View > Select Columns and then tick the PID box.
Take a look at what application has the port open and then post it here if you are not sure what it is!
gl
-
February 8th, 2006, 07:56 PM
#4
Member
Hi HT!
Thanks for your really prompt answer! I went there and downloaded the tool. This is now part of my list of favourite tools!
What I found is that the process listening to that port was the IIS. I couldn't find anything related to this port in the IIS configuration. My OS is Windows XP SP2. I have the default web site listening on port 80.
There may be something wrong with my IIS.
Now that I know that this is served by the IIS, I am more relaxed. However, I still have to investigate why this could be happening.
Once again, thanks!!
-
February 8th, 2006, 08:03 PM
#5
Is it possible you are being hacked by the IRS? It is tax season and the port is 1040. I don't think it is a coincidence!
j/k!
-Deeboe
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
- Sun Tzu, The Art of War
http://tazforum.**********.com/
-
February 8th, 2006, 08:03 PM
#6
Member
Hi Nokia!
Thanks for answering!
> Netarx has the "lease" for port 1040 both TCP and UDP - does it ring any bells for you?
Well, it doesn't ring any bells, unfortunately.
> Try netstat -ano; the "o" switch brings up a PID column. Take a look at the PID of what had the port open, then CTRL ALT DEL to the Task Manager; if the PID isn't there go View > Select Columns and then tick the PID box.
I wasn't aware of the 'o' flag for netstat. My fault. I should have read the documentation more carefully.
Before reading your post, I used the Fport tool and it told me that the process was the IIS. I don't know how this could be, since my website is running on port 80.
After reading your post, I double checked and the netstat says the same thing: on port 1040 is running the IIS (inetinfo.exe).
I will try to find deeper information on IIS to see how this may happen.
Once again, thanks a lot!!!
Cheers
-
February 8th, 2006, 08:09 PM
#7
Member
Hi Deeboe!!
> Is it possible you are being hacked by the IRS? It is tax season and the port is 1040. I don't think it is a coincidence!
Well... I didn't supply them with my IP in the last fiscal year!
Cheers !!!
-
February 8th, 2006, 08:17 PM
#8
You're very welcome!
Process File: inetinfo or inetinfo.exe
Process Name: IIS Admin Service Helper
Description:
inetinfo.exe is used primarily for debugging Microsoft Windows Server Internet Information Services. This program is important for the stable and secure running of your computer and should not be terminated.
Note: inetinfo.exe is also a process which is registered as the Trojan.W32.RONTOKBRO. This virus is distributed via the Internet through e-mail and comes in the form of an e-mail message, in the hopes that you open its hostile attachment. The worm has its own SMTP engine which means it gathers e-mails from your local computer and re-distributes itself. In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.
Determining whether this process is a virus or a Windows process depends on the directory location it executes or runs from in WinTasks.
C+P'd from here:
http://www.liutilities.com/products/...rary/inetinfo/
-
February 8th, 2006, 08:27 PM
#9
Well, it could also be an internal port. Fport doesn't distinguish between ports used for internal communications, and external ports. Make sure your firewall logs all activity through that port. If the source IP of all packets is 127.0.0.1 then it's internal.
-
February 9th, 2006, 02:27 AM
#10
Originally posted by yogurtu:
> I wasn't aware of the 'o' flag for netstat. My fault. I should have read more carefully the documentation
You can use 'netstat -a -b' where the '-b' option will display the executable involved in opening the connection... just a thought.
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
-HST
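
The checks suggested in posts #3 and #9 (tie the port to a PID, then see whether the listener is loopback-only), as an added example that is not from any poster in this thread. The netstat text and the PID-to-image map are constructed sample data, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of `netstat -ano` output (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1480
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:1040           0.0.0.0:0              LISTENING       1480
  TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING       2212
  TCP    192.168.1.10:1052      203.0.113.5:80         ESTABLISHED     3004
  UDP    0.0.0.0:1040           *:*                                    1480
"""

# Constructed PID -> image name map, as read from Task Manager's PID column.
SAMPLE_PROCESSES = {932: "svchost.exe", 1480: "inetinfo.exe", 2212: "alg.exe", 3004: "iexplore.exe"}

# proto, local addr, local port, foreign addr, optional state (absent for UDP), PID
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$")

def listeners(netstat_text, processes):
    """Return one dict per listening TCP or bound UDP socket, with owner and exposure."""
    found = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, column header, blank line
        proto, addr, port, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # an established connection is not an open port
        ip = ipaddress.ip_address(addr.strip("[]").split("%")[0])
        found.append({
            "proto": proto, "port": int(port), "pid": int(pid),
            "image": processes.get(int(pid), "<unknown pid>"),
            "scope": "loopback-only" if ip.is_loopback else
                     "all interfaces" if ip.is_unspecified else "single interface",
        })
    return found

def who_owns(port, netstat_text=SAMPLE_NETSTAT, processes=SAMPLE_PROCESSES):
    """Every listener on `port`, e.g. who_owns(1040)."""
    return [r for r in listeners(netstat_text, processes) if r["port"] == port]

if __name__ == "__main__":
    for r in who_owns(1040):
        print(r)
```

A listener bound to 127.0.0.1 cannot be reached from other hosts, so the "scope" field gives a local answer to the internal-versus-external question before any firewall log is consulted.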