
Thread: Netstat Ports

  1. #1

    Question Netstat Ports

    Once again all:
    In reference to my earlier Q, netstat, I have the following showing, do I have a virus/backdoor? Sys win 98se...
    tcp **********:1028 0.0.0.0:0 listening
    tcp **********:6666 0.0.0.0:0 list..
    tcp **********:6667 0.0.0.0:0 list..
    tcp **********:6668 0.0.0.0:0 list..
    tcp **********:5190 0.0.0.0:0 list..
    tcp **********:1028 berp-da06.dial.aol.com:18465 Estb...
    tcp **********:137 0.0.0.0:0 list
    tcp **********:138 list
    tcp **********:nbsession 0.0.0.0:0 list
    tcp **********:1029 0.0.0.0:0 list
    tcp **********: 137 0.0.0.0:0 list
    tcp **********: 138 0.0.0.0:0 list
    tcp **********: nbsession 0.0.0.0:0 list
    udp **********:6666 *:*
    udp **********:5190 *:*
    udp **********:nbname *:*
    udp ***********:nbdatagram *:*
    udp ***********: 1029 *:*
    udp ***********:nbname *:*
    udp **********:nbdatagram *:*


    PHEW......

    Is port 1028 being used as a backdoor, or is this an alternative for AOL? I have the Neohapsis ports list and cannot find 1028.
    I also see that 6666, 6667 and 6668 are used some times by trojans. I am sure that the only port being used is 1028; can someone also explain the berp-da06 function in this app?
    Can someone also explain the *:* as used here?

    Sorry for it not being as neat as possible, but hey! Any info would be greatly appreciated.
    KNOWLEDGE IS OF TWO KINDS: We know a subject ourselves or we know where to find information upon it. SAMUEL JOHNSON

  2. #2
    Member
    Join Date
    Oct 2001
    Posts
    88

    Re: Once again all:

    Once again all:
    In reference to my earlier Q, netstat, I have the following showing, do I have a virus/backdoor? Sys win 98se...
    tcp **********:1028 0.0.0.0:0 listening <- rpc
    tcp **********:6666 0.0.0.0:0 list.. <- irc
    tcp **********:6667 0.0.0.0:0 list.. <- irc
    tcp **********:6668 0.0.0.0:0 list.. <- irc
    tcp **********:5190 0.0.0.0:0 list.. <- aim
    tcp **********:1028 berp-da06.dial.aol.com:18465 Estb... <- rpc
    tcp **********:137 0.0.0.0:0 list <- netbios
    tcp **********:138 list <- netbios
    tcp **********:nbsession 0.0.0.0:0 list <- netbios
    tcp **********:1029 0.0.0.0:0 list <- rpc

    tcp **********: 137 0.0.0.0:0 list <- netbios
    tcp **********: 138 0.0.0.0:0 list <- netbios
    tcp **********: nbsession 0.0.0.0:0 list <- netbios
    udp **********:6666 *:* <- irc
    udp **********:5190 *:* <- aim

    udp **********:nbname *:* <- netbios
    udp ***********:nbdatagram *:* <- netbios
    udp ***********: 1029 *:* <- rpc

    udp ***********:nbname *:* <- netbios
    udp **********:nbdatagram *:* <- netbios


    What this tells me is that you had AOL Instant Messenger (aim) open, you had an irc client open and had just connected to at least one server (or perhaps you have an irc server on your machine).
    And you have at least two shares on your C:\, probably IPC$ and Admin$, but maybe C$ and all of your netbios features are turned on and talking to the internet.

    One way to do a quick check on these shares is to open internet explorer and type \\computername\admin$ in the address bar. (also \\computername\c$ and \\computername\IPC$). You will see a list of your folders come up if the share is enabled.

    Do the smart thing and get Zone Alarm or Tiny Personal Firewall, turn off all of those shares, and turn off netbios.

    Hope this helped.

  3. #3
    Member
    Join Date
    Oct 2001
    Posts
    88
    Oh, and by the way, yes you do have a backdoor. It is called crappy Microsoft Windows default security settings.

    A.K.A NetBIOS and Internet Sharing

    ..hmmmm make all of your data available to the public by default. Does this tell us that M$ does not understand security perhaps?

  4. #4

    Thanks Psi! By the way I do have zone alarm, I will review my settings though, and follow your explorer checks, thanks once again.
    I followed your instructions and all seems fine, using markusjansson.net as a source I was able to secure up the box, had to dig to find the vnbt.386 file though, they do hide these things don't they???
    KNOWLEDGE IS OF TWO KINDS: We know a subject ourselves or we know where to find information upon it. SAMUEL JOHNSON

  5. #5
    Member
    Join Date
    Oct 2001
    Posts
    88
    Great, glad to hear it.

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    yours
    tcp **********:1028 berp-da06.dial.aol.com:18465 Estb... <- rpc

    mine
    iel:2207 berp-co06.dial.aol.com:13784 ESTABLISHED

    I don't have any kind of IM, and mIRC has not been started since last boot-up.

    I believe this berp guy is the proxy/"buddy list" server.

    1028 would be rpc in NT, but it could be inetinfo.exe, installed with Personal Web Server. I see, however, that you don't have it turned on.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  7. #7
    Senior Member
    Join Date
    Oct 2001
    Posts
    677
    Specifically block ports 135, 137-139 and 445 in ZoneAlarm in the Internet Zone to stop people on the net accessing your NetBIOS shares, but to still allow a local network to access them (if you have a local network, that is)
    One Ring to rule them all, One Ring to find them.
    One Ring to bring them all and in the darkness bind them.
    (The Lord Of The Rings)
    http://www.bytekill.net

  8. #8
    Senior Member
    Join Date
    Oct 2001
    Posts
    677

    That is, ports 135, 137-139 and 445 inbound TCP and UDP
    I'd also recommend blocking inbound access to port 80/tcp as well, in case you have a web server you didn't know about sending personal information all over the internet!
    One Ring to rule them all, One Ring to find them.
    One Ring to bring them all and in the darkness bind them.
    (The Lord Of The Rings)
    http://www.bytekill.net
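Pulling the thread together, here is an added example (not code from any of the posters) that parses Windows 9x netstat rows like the ones quoted in the first post, labels each port the way post #2 does, and flags any open socket on the ports posts #7 and #8 say to block inbound (135, 137-139, 445 and 80, TCP and UDP). It also answers the `*:*` question: UDP has no connection state, and `*:*` is netstat's way of saying any remote address and port. Assumptions: the service labels follow the thread, so 1028/1029 are labelled rpc as posts #2 and #6 treat them (they are dynamic ports, not IANA assignments), and the sample listing is a constructed subset of the first post's output with the masked local address kept as posted.

```python
"""Annotate netstat output and flag NetBIOS/RPC listeners exposed to the Internet."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Service labels as used in this thread (assumption: 1028/1029 are labelled
# "rpc" because posts #2 and #6 treat them that way; they are dynamic ports,
# not IANA assignments).
PORT_SERVICES = {
    135: "rpc", 1028: "rpc", 1029: "rpc",
    137: "netbios", 138: "netbios", 139: "netbios", 445: "smb",
    6666: "irc", 6667: "irc", 6668: "irc",
    5190: "aim",
    80: "http",
}
# Win9x netstat prints the NetBIOS ports by name rather than number.
NAME_TO_PORT = {"nbname": 137, "nbdatagram": 138, "nbsession": 139}
# Ports posts #7 and #8 say to block inbound, TCP and UDP, in the Internet Zone.
INBOUND_BLOCK = {135, 137, 138, 139, 445, 80}

# Constructed sample: a subset of the first post's listing, masked address kept.
SAMPLE_NETSTAT = """\
tcp **********:1028 0.0.0.0:0 listening
tcp **********:6667 0.0.0.0:0 list..
tcp **********:5190 0.0.0.0:0 list..
tcp **********:1028 berp-da06.dial.aol.com:18465 Estb...
tcp **********:137 0.0.0.0:0 list
tcp **********:138 list
tcp **********:nbsession 0.0.0.0:0 list
tcp **********: 137 0.0.0.0:0 list
udp **********:6666 *:*
udp **********:nbname *:*
udp ***********:nbdatagram *:*
udp ***********: 1029 *:*
"""


@dataclass
class Entry:
    proto: str
    local_port: int
    remote: str
    state: str
    service: str
    exposed: bool  # open socket on a port the thread says to block inbound


def parse_port(token: str) -> int:
    """Turn '1028' or 'nbsession' into a port number."""
    name = token.lower()
    return NAME_TO_PORT.get(name) or int(name)


def parse_line(line: str) -> Entry | None:
    """Parse one netstat row; returns None for headers and blank lines."""
    # Win9x netstat sometimes prints "addr: 137"; rejoin the split port.
    tokens = re.sub(r":\s+", ":", line.strip()).split()
    if len(tokens) < 2 or tokens[0].lower() not in ("tcp", "udp"):
        return None
    proto, local = tokens[0].lower(), tokens[1]
    if ":" not in local:
        return None
    port = parse_port(local.rsplit(":", 1)[1])
    remote, state = "", ""
    for tok in tokens[2:]:
        if ":" in tok:
            remote = tok          # an endpoint such as 0.0.0.0:0 or *:*
        else:
            state = tok.lower()   # a state word, possibly abbreviated
    if state.startswith("list"):
        state = "listening"
    elif state.startswith("est"):
        state = "established"
    elif proto == "udp":
        # UDP has no connection state; "*:*" means any remote address/port,
        # so a bound UDP socket is reachable exactly like a TCP listener.
        state = "bound"
    open_to_inbound = state in ("listening", "bound")
    return Entry(proto, port, remote, state,
                 PORT_SERVICES.get(port, "unknown"),
                 open_to_inbound and port in INBOUND_BLOCK)


def annotate(output: str) -> list[Entry]:
    """Parse a whole netstat listing into labelled entries."""
    return [e for e in (parse_line(l) for l in output.splitlines()) if e]


def exposed_ports(entries: list[Entry]) -> dict[str, set[int]]:
    """Ports from the thread's inbound block list that are open, by protocol."""
    result: dict[str, set[int]] = {"tcp": set(), "udp": set()}
    for e in entries:
        if e.exposed:
            result[e.proto].add(e.local_port)
    return result


if __name__ == "__main__":
    rows = annotate(SAMPLE_NETSTAT)
    for e in rows:
        flag = "  <- block inbound" if e.exposed else ""
        print(f"{e.proto} {e.local_port:<5} {e.state:<11} {e.service:<8}{flag}")
    print("exposed:", exposed_ports(rows))
```

Run against real output with `netstat -an | python netstat_audit.py`-style piping by swapping `SAMPLE_NETSTAT` for `sys.stdin.read()`; any port reported under `exposed` is one the firewall rule from posts #7 and #8 should be covering.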
