Re: possible hacking on my network



Mike Webb wrote:
Used a new tool just now to look at my server (Look@Lan), as our internet access is very slow the last 2 hours. Here's what I got on ports, services and service names:

7 echo -
9 discard sink null
13 daytime -
17 qotd Quote of the Day
19 chargen ttytst source Character Generator
21 ftp File Transfer [Control]
25 smtp Simple Mail Transfer
42 nameserver Host Name Server
53 domain Domain Name Server
80 http World Wide Web HTTP
88 kerberos-sec Kerberos (v5)
135 loc-srv NCS local location broker
139 netbios-ssn NETBIOS Session Service
389 ldap Lightweight Directory Access Protocol
464 kpasswd5 Kerberos (v5)
548 afpovertcp AFP over TCP
554 rtsp Real Time Stream Control Protocol
593 http-rpc-epmap HTTP RPC Ep Map
636 ldapssl LDAP over SSL
691 resvc The Microsoft Exchange 2000 Server Routing Service
1026 nterm remote_login network_terminal
1353 relief Relief Consulting
1433 ms-sql-s Microsoft-SQL-Server
1471 csdmbase -
3389 msrdp Micro$oft Remote Display Protocol
6001 X11:1 X Window server
6002 X11:2 X Window server
6004 X11:4 X Window server
6106 isdninfo i4lmond
8080 http-proxy Common HTTP proxy/second web server port
8081 blackice-icecap ICECap user console
10000 snet-sensor-mgmt SecureNet Pro Sensor https management server

Some of these look BAD. Any comments/recommendations?

That's not hugely different from normal. A quick look with nmap at an SBS Standard shows mostly the same ports, though I wouldn't really expect to see those below 21 on a Windows machine. Possibly someone asked for the additional TCP/IP services on installation. I wouldn't run any of those, even on a *nix machine.

Note that the service names are those known to your scanner which most commonly use those ports, and do not necessarily have anything to do with what is actually using them. X11 is, for example, the older *nix GUI server, which is unlikely to be found on a Windows machine. Unless Bill is a little more Open Source friendly than he has us believe...

Open a command prompt and enter netstat -ab which will list the executables using the ports. Clearly any malware will attempt to disguise itself, but it can't use the same executable name as a real Windows program, and a bit of Googling should identify any unfamiliar names. You may find the list too long for your CLI box, and it's easier to pipe it into a file for careful examination.

Also check the RAM usage. Contrary to opinions I have seen expressed here, SBS is quite happy to thrash, using swap heavily without any of the programs which have 'borrowed' lots of RAM for disc caching being willing to return it. A few third-party programs are alleged to have RAM leaks.
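As an added example (not from this thread or either poster), a small Python script that reads a `netstat -ab` listing saved to a file, as suggested above, and pairs each listening TCP port with the scanner's service-name guess from the quoted list and the executable that actually owns the socket, flagging ports whose owner is unreported or unfamiliar. The sample netstat output and the allow-list of expected SBS executables are constructed assumptions, not data from the poster's server.

```python
import re
# Port -> service-name guess, copied from the Look@Lan output quoted above.
SCANNER_LABELS = {135: "loc-srv", 139: "netbios-ssn", 6001: "X11:1", 8080: "http-proxy"}
# Executables expected to be listening on an SBS box (assumed allow-list, not from the post).
EXPECTED_EXES = {"svchost.exe", "lsass.exe", "inetinfo.exe", "store.exe", "System"}

# Constructed sample of `netstat -ab` output; not captured from the poster's server.
SAMPLE_NETSTAT = """\
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:6001           0.0.0.0:0              LISTENING
 [store.exe]
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
 [upd4te.exe]
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  Can not obtain ownership information
"""

SOCKET_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+)\]\s*$")   # the bracketed line is the owning executable

def parse_listeners(text):
    """Map each listening TCP port to its owning executable (None if netstat could not tell)."""
    listeners, port = {}, None
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            port = int(m.group(1))
            listeners[port] = None            # owner, if reported, follows on a later line
            continue
        m = OWNER_RE.match(line)
        if m and port is not None:
            listeners[port] = m.group(1)      # service names like "RpcSs" are skipped
    return listeners

def review(listeners):
    """Pair the scanner's port-name guess with the real owner and flag what needs a closer look."""
    findings = []
    for port, exe in sorted(listeners.items()):
        if exe is None:
            status = "REVIEW: no owner reported (rerun as administrator)"
        elif exe not in EXPECTED_EXES:
            status = "REVIEW: unfamiliar executable, look it up"
        else:
            status = "ok"
        findings.append((port, SCANNER_LABELS.get(port, "?"), exe, status))
    return findings
```

Replace `SAMPLE_NETSTAT` with the contents of the file you piped `netstat -ab` into; the scanner label column shows how little the port name says about what is really listening (here 6001, "X11:1", is owned by a mail store process, not an X server).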