LISTENING, ESTABLISHED, CLOSE_WAIT TCP Ports & UDP Ports?

Discussion in 'Server Security' started by JediRockClimber, Dec 3, 2004.

  1. I'm running Windows Server 2003.
    Can somebody explain to me why all these ports are open and how they are
    being used? Is this a security risk: can somebody on the network or from the
    internet gain access to my server?
    What kind of measures do I need to take besides just putting a firewall in place?
    Thanks a lot...

    This is what I get when I run netstat -ano
    Active Connections

    Proto Local Address Foreign Address State PID
    TCP 0.0.0.0:42 0.0.0.0:0 LISTENING
    wins.exe
    TCP 0.0.0.0:53 0.0.0.0:0 LISTENING
    dns.exe
    TCP 0.0.0.0:88 0.0.0.0:0 LISTENING
    lsass.exe
    TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
    svchost.exe
    TCP 0.0.0.0:389 0.0.0.0:0 LISTENING
    lsass.exe
    TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
    System
    TCP 0.0.0.0:464 0.0.0.0:0 LISTENING
    lsass.exe
    TCP 0.0.0.0:593 0.0.0.0:0 LISTENING
    svchost.exe
    TCP 0.0.0.0:636 0.0.0.0:0 LISTENING
    lsass.exe
    TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
    lsass.exe
    TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
    svchost.exe
    TCP 0.0.0.0:1028 0.0.0.0:0 LISTENING
    lsass.exe
    TCP 0.0.0.0:2804 0.0.0.0:0 LISTENING
    IDUServ.exe
    TCP 0.0.0.0:3001 0.0.0.0:0 LISTENING
    ntfrs.exe
    TCP 0.0.0.0:3005 0.0.0.0:0 LISTENING
    wins.exe
    TCP 0.0.0.0:3011 0.0.0.0:0 LISTENING
    dns.exe
    TCP 0.0.0.0:3012 0.0.0.0:0 LISTENING
    tcpsvcs.exe
    TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING
    lsass.exe
    TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING
    lsass.exe
    TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
    svchost.exe
    TCP 127.0.0.1:389 127.0.0.1:1037 ESTABLISHED
    lsass.exe
    TCP 127.0.0.1:389 127.0.0.1:1038 ESTABLISHED
    lsass.exe
    TCP 127.0.0.1:389 127.0.0.1:1039 ESTABLISHED
    lsass.exe
    TCP 127.0.0.1:389 127.0.0.1:3007 ESTABLISHED
    lsass.exe
    TCP 127.0.0.1:1032 0.0.0.0:0 LISTENING
    ccproxy.exe
    TCP 127.0.0.1:1037 127.0.0.1:389 ESTABLISHED
    ismserv.exe
    TCP 127.0.0.1:1038 127.0.0.1:389 ESTABLISHED
    ismserv.exe
    TCP 127.0.0.1:1039 127.0.0.1:389 ESTABLISHED
    ismserv.exe
    TCP 127.0.0.1:2804 127.0.0.1:3117 ESTABLISHED
    IDUServ.exe
    TCP 127.0.0.1:2804 127.0.0.1:4202 ESTABLISHED
    IDUServ.exe
    TCP 127.0.0.1:3007 127.0.0.1:389 ESTABLISHED
    dns.exe
    TCP 127.0.0.1:3082 0.0.0.0:0 LISTENING
    alg.exe
    TCP 127.0.0.1:3117 127.0.0.1:2804 ESTABLISHED
    iptray.exe
    TCP 127.0.0.1:4202 127.0.0.1:2804 ESTABLISHED
    iptray.exe
    TCP 192.168.1.10:139 0.0.0.0:0 LISTENING
    System
    TCP 192.168.1.10:139 192.168.1.50:2931 ESTABLISHED
    System
    TCP 192.168.1.10:139 192.168.1.56:1267 ESTABLISHED
    System
    TCP 192.168.1.10:389 192.168.1.10:3099 ESTABLISHED
    lsass.exe
    TCP 192.168.1.10:1025 192.168.1.10:3103 ESTABLISHED
    lsass.exe
    TCP 192.168.1.10:1025 192.168.1.10:3105 ESTABLISHED
    lsass.exe
    TCP 192.168.1.10:1025 192.168.1.10:3902 ESTABLISHED
    lsass.exe
    TCP 192.168.1.10:1025 192.168.1.10:4742 ESTABLISHED
    lsass.exe
    TCP 192.168.1.10:3099 192.168.1.10:389 ESTABLISHED
    ntfrs.exe
    TCP 192.168.1.10:3103 192.168.1.10:1025 ESTABLISHED
    ntfrs.exe
    TCP 192.168.1.10:3105 192.168.1.10:1025 ESTABLISHED
    ntfrs.exe
    TCP 192.168.1.10:3389 66.245.216.179:10215 ESTABLISHED
    svchost.exe
    TCP 192.168.1.10:3832 192.168.1.10:389 CLOSE_WAIT
    svchost.exe
    TCP 192.168.1.10:3902 192.168.1.10:1025 ESTABLISHED
    lsass.exe
    TCP 192.168.1.10:4204 192.168.1.10:389 CLOSE_WAIT
    mmc.exe
    TCP 192.168.1.10:4339 192.168.1.10:389 CLOSE_WAIT
    mmc.exe
    TCP 192.168.1.10:4455 192.168.1.10:389 CLOSE_WAIT
    mmc.exe
    TCP 192.168.1.10:4478 192.168.1.10:389 CLOSE_WAIT
    mmc.exe
    TCP 192.168.1.10:4742 192.168.1.10:1025 ESTABLISHED
    lsass.exe
    UDP 0.0.0.0:42 *:*
    wins.exe
    UDP 0.0.0.0:445 *:*
    System
    UDP 0.0.0.0:500 *:*
    lsass.exe
    UDP 0.0.0.0:1030 *:*
    svchost.exe
    UDP 0.0.0.0:1031 *:*
    svchost.exe
    UDP 0.0.0.0:1035 *:*
    dns.exe
    UDP 0.0.0.0:1036 *:*
    ismserv.exe
    UDP 0.0.0.0:3002 *:*
    ntfrs.exe
    UDP 0.0.0.0:3004 *:*
    wins.exe
    UDP 0.0.0.0:3006 *:*
    dns.exe
    UDP 0.0.0.0:3068 *:*
    lsass.exe
    UDP 0.0.0.0:3086 *:*
    winlogon.exe
    UDP 0.0.0.0:3419 *:*
    spoolsv.exe
    UDP 0.0.0.0:3587 *:*
    dfssvc.exe
    UDP 0.0.0.0:3831 *:*
    svchost.exe
    UDP 0.0.0.0:3908 *:*
    llssrv.exe
    UDP 0.0.0.0:4199 *:*
    winlogon.exe
    UDP 0.0.0.0:4203 *:*
    mmc.exe
    UDP 0.0.0.0:4338 *:*
    mmc.exe
    UDP 0.0.0.0:4500 *:*
    lsass.exe
    UDP 127.0.0.1:53 *:*
    dns.exe
    UDP 127.0.0.1:123 *:*
    svchost.exe
    UDP 127.0.0.1:1034 *:*
    dns.exe
    UDP 127.0.0.1:3129 *:*
    iexplore.exe
    UDP 192.168.1.10:53 *:*
    dns.exe
    UDP 192.168.1.10:67 *:*
    tcpsvcs.exe
    UDP 192.168.1.10:68 *:*
    tcpsvcs.exe
    UDP 192.168.1.10:88 *:*
    lsass.exe
    UDP 192.168.1.10:123 *:*
    svchost.exe
    UDP 192.168.1.10:137 *:*
    System
    UDP 192.168.1.10:138 *:*
    System
    UDP 192.168.1.10:389 *:*
    lsass.exe
    UDP 192.168.1.10:464 *:*
    lsass.exe
    UDP 192.168.1.10:2535 *:*
    tcpsvcs.exe
     
    JediRockClimber, Dec 3, 2004
    #1

  2. Domain controllers offer a lot of networking services to domain
    users/computers. It is not unusual to see a LOT of ports listening or
    connected. What I do is to use some free tools from SysInternals to see
    exactly what all those processes are. You can use TCPView and Process
    Explorer in particular to view port to process/executable mapping and
    detailed info on processes. With Process Explorer you can examine the
    properties of a process and it will show you what tcp/ip ports and services
    [if any] that the process is associated with. Of course regular virus scans
    with malware definitions updated the day of the scan should also be used to
    check for malware. Offhand I recognize almost all of those processes as
    being legitimate Windows process names. A firewall is of course necessary.
    Beyond that I suggest you read the Windows 2003 Server Security Guide to see
    how to lock down your server, though by default Windows 2003 Servers are
    fairly secure - much more than a default installation of Windows 2000, which
    installed and enabled IIS in every install. The Windows 2003 Server Security
    Guide will give guidance on services, security options, user rights, and
    much more info. I highly recommend that you not install any Security
    Templates to the default domain or domain controller Group Policy and that you
    create a "rollback" template BEFORE you do apply any. The links below are to
    the tools and the Windows 2003 Server Security Guide. The MBSA tool is also free
    from Microsoft and can be used to scan computers for basic
    vulnerabilities. --- Steve

    http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
    http://www.microsoft.com/downloads/...c1-0685-4d89-b655-521ea6c7b4db&displaylang=en
    http://www.microsoft.com/technet/security/prodtech/win2003/default.mspx --
    W2003 Security Center
    http://www.microsoft.com/technet/security/tools/mbsahome.mspx -- MBSA.
     
    Steven L Umbach, Dec 3, 2004
    #2

  3. Danger Will Robinson!

    Google found zero hits explaining what IDUServ.exe is, and only two hits in
    French explaining what IPTray.exe is. This is usually a very bad thing,
    because legitimate file names pretty much always show up in Google. [Note
    that the reverse is not true - if you find a file name in Google, you still
    can't be sure whether your file with that name is good or bad just from the
    Google results alone.]

    ccproxy.exe is used by Norton Internet Security, which includes a firewall,
    but if you don't have this installed on your server, then that would be
    suspicious too.

    Based on this, unless you know what these file names are and do, you may
    want to inspect your system for signs of hacking. Some ways to do this:

    http://securityadmin.info/faq.asp#hacked

    Also, RKDETECT from www.google.com and Silent Runners from
    www.silentrunners.org can be useful.

    If you want to know what those other files do, search Google for the file
    names. If your copy is legitimate, what you find in Google will explain
    what it is exactly.

    The following entry appears to show your IP address using Terminal Services
    to remotely control your server at the time. This IP matches the IP you
    appeared to use to post this message.
    There weren't any other entries that appeared to show an attacker on the
    Internet using TCP to connect to your server. However, do note that Windows
    rootkits do have the ability to hide some port activity, like listening
    ports, from you, if a Windows rootkit was installed.

    Windows rootkits conceal themselves from locally run programs and local
    users, but you can potentially see them if you do things across the network
    through Windows networking, such as running a virus scan on a mapped drive
    letter from another computer, or inspecting the startup locations in the
    registry from another computer. I don't know whether a Windows rootkit is
    installed here; I just mention it as a possibility to keep in mind as you
    look for things.

    What you've done below doesn't show you outbound traffic coming from
    malware. Checking your firewall logs and/or running Ethereal will show you
    this. Some firewall logs like www.kerio.com and www.sygate.com will tell
    you what .EXE file generated each outbound traffic stream, which is useful.
     
    Karl Levinson, mvp, Dec 4, 2004
    #3
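    The triage Steve and Karl do by hand above (map each socket to its owning
    executable, then look for listeners reachable from the network and for
    established connections to Internet addresses, like the Terminal Services
    session from 66.245.216.179) can be automated over saved netstat output. This
    is an added example, not code from the thread; it assumes the two-line layout
    the original post uses (socket line, then executable name) and, as an
    assumption, also accepts a trailing numeric PID as printed by netstat -ano.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the layout of the original post: one socket line,
# then the owning executable on the next line.
SAMPLE = """\
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
svchost.exe
TCP 127.0.0.1:1032 0.0.0.0:0 LISTENING
ccproxy.exe
TCP 192.168.1.10:139 192.168.1.50:2931 ESTABLISHED
System
TCP 192.168.1.10:3389 66.245.216.179:10215 ESTABLISHED
svchost.exe
UDP 0.0.0.0:42 *:*
wins.exe
"""

# proto, local, remote, optional state (UDP has none), optional PID (assumption: last token)
SOCKET_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?(?:\s+(\d+))?$")

def addr_kind(host):
    """Classify an address so listeners and peers can be triaged."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "any"             # "*" is what netstat prints for an unbound UDP peer
    if ip.is_loopback:
        return "loopback"        # only reachable from this host
    if ip.is_unspecified:
        return "all-interfaces"  # 0.0.0.0: bound on every interface
    return "lan" if ip.is_private else "internet"

def parse_netstat(text):
    rows, last = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SOCKET_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            last = {"proto": proto, "local": local, "remote": remote,
                    "state": state or "", "owner": f"PID {pid}" if pid else None}
            rows.append(last)
        elif line and last is not None and last["owner"] is None:
            last["owner"] = line  # executable name printed under the socket line
    return rows

def triage(rows):
    """Return (listeners reachable from the network, established peers on the Internet)."""
    exposed, external = defaultdict(list), []
    for r in rows:
        lhost, _, lport = r["local"].rpartition(":")
        rhost = r["remote"].rpartition(":")[0]
        listening = r["state"] == "LISTENING" or r["proto"] == "UDP"
        if listening and addr_kind(lhost) != "loopback":
            exposed[r["owner"]].append(f"{r['proto']}/{lport}")
        if r["state"] == "ESTABLISHED" and addr_kind(rhost) == "internet":
            external.append((r["owner"], r["local"], r["remote"]))
    return dict(exposed), external
```

    Loopback-only listeners such as ccproxy.exe on 127.0.0.1:1032 are dropped from
    the exposed list, since only local processes can reach them.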
  4. Thanks a lot for the analysis.
    I found that both IDUServ.exe and IPTray.exe are part of the Intel Desktop
    Utilities, specifically the temperature monitor and fan speed utilities.
    What I don't understand is why they're opening ports for listening.
    Weird; I guess I should contact Intel Support, eh?
    Thanks a lot


     
    JediRockClimber, Dec 6, 2004
    #4
  5. Hmm, I'm very surprised they wouldn't show up in Google, and that they would
    have an open listening port. You could submit copies of those files to one
    or more anti-virus companies.

     
    Karl Levinson, mvp, Dec 7, 2004
    #5
  6. You could also check the properties of those files to see if they are
    digitally signed by Intel. If they are not, however, that does not mean that
    they are necessarily bogus. Possibly those ports are open for remote
    monitoring. --- Steve


     
    Steven L Umbach, Dec 7, 2004
    #6