Re: possible hacking on my network
- From: "Henrik" <hear01@xxxxxxxxxxx>
- Date: Mon, 7 Jan 2008 22:55:26 +0100
BlackICE ICEcap is a firewall system made by www.iss.net ... You
somehow have port 8081 open and 8081 is used for ICEcap remote
administration I believe.. so it probably "thinks" that it's ICEcap....
do netstat and see what's using that port ..
--
Henrik Arenblad, MCP SBS,
http://support.microsoft.com/kb/q555375 http://www.google.com/
Windows Small Business Server 2003 Technical Library
http://technet2.microsoft.com/WindowsServerSolutions/SBS/en/library/07fe109b-1421-4052-acc2-d2898afc0d951033.mspx?mfr=true
"Joe" <joe@xxxxxxxxxxxxxx> wrote in message
news:O7QtFQXUIHA.2000@xxxxxxxxxxxxxxxxxxxxxxx
Mike Webb wrote:
Used a new tool just now to look at my server (Look@Lan), as our internet
access is very slow the last 2 hours. Here's what I got on ports,
services and service names:
7 echo -
9 discard sink null
13 daytime -
17 qotd Quote of the Day
19 chargen ttytst source Character Generator
21 ftp File Transfer [Control]
25 smtp Simple Mail Transfer
42 nameserver Host Name Server
53 domain Domain Name Server
80 http World Wide Web HTTP
88 kerberos-sec Kerberos (v5)
135 loc-srv NCS local location broker
139 netbios-ssn NETBIOS Session Service
389 ldap Lightweight Directory Access Protocol
464 kpasswd5 Kerberos (v5)
548 afpovertcp AFP over TCP
554 rtsp Real Time Stream Control Protocol
593 http-rpc-epmap HTTP RPC Ep Map
636 ldapssl LDAP over SSL
691 resvc The Microsoft Exchange 2000 Server Routing Service
1026 nterm remote_login network_terminal
1353 relief Relief Consulting
1433 ms-sql-s Microsoft-SQL-Server
1471 csdmbase -
3389 msrdp Micro$oft Remote Display Protocol
6001 X11:1 X Window server
6002 X11:2 X Window server
6004 X11:4 X Window server
6106 isdninfo i4lmond
8080 http-proxy Common HTTP proxy/second web server port
8081 blackice-icecap ICECap user console
10000 snet-sensor-mgmt SecureNet Pro Sensor https management server
Some of these look BAD. Any comments/recommendations?
That's not hugely different from normal. A quick look with nmap at an SBS
Standard shows mostly the same ports, though I wouldn't really expect to
see those below 21 on a Windows machine. Possibly someone asked for the
additional TCP/IP services on installation. I wouldn't run any of those,
even on a *nix machine.
Note that the service names are those known to your scanner which most
commonly use those ports, and do not necessarily have anything to do with
what is actually using them. X11 is, for example, the older *nix GUI
server, which is unlikely to be found on a Windows machine. Unless Bill is
a little more Open Source friendly than he has us believe...
Open a command prompt and enter netstat -ab which will list the
executables using the ports. Clearly any malware will attempt to disguise
itself, but it can't use the same executable name as a real Windows
program, and a bit of Googling should identify any unfamiliar names. You
may find the list too long for your CLI box, and it's easier to pipe it
into a file for careful examination.
Also check the RAM usage. Contrary to opinions I have seen expressed here,
SBS is quite happy to thrash, using swap heavily without any of the
programs which have 'borrowed' lots of RAM for disc caching being willing
to return it. A few third-party programs are alleged to have RAM leaks.
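The check both replies suggest, pairing the scanner's guessed service names with what netstat -ab actually reports as the owning executable, as an added worked example that is not part of this thread. The netstat text is constructed in the shape Windows Server 2003 prints it, and the executable names in it (notably the one on 8081) are placeholders standing in for whatever the real box shows.

```python
import re

# Constructed sample in the shape "netstat -ab" prints: a TCP line, then
# optional component names, then the owning executable in square brackets.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:7              0.0.0.0:0              LISTENING
 [tcpsvcs.exe]
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
 [inetinfo.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:6001           0.0.0.0:0              LISTENING
 [store.exe]
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING
 [unknownsvc.exe]
  TCP    10.0.0.5:139           10.0.0.9:1042          ESTABLISHED
 [System]
"""

# A subset of the scanner's list from the post: port -> name it guessed.
SCAN_PORTS = {7: "echo", 25: "smtp", 135: "loc-srv", 6001: "X11:1",
              8081: "blackice-icecap", 10000: "snet-sensor-mgmt"}

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\w+)?")
EXE_RE = re.compile(r"^\s*\[(.+)\]\s*$")

def parse_listeners(text):
    """Map each LISTENING TCP port to the executable netstat attributes it to."""
    owners, pending = {}, None      # pending: port still waiting for its [exe]
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, _, port, _, state = m.groups()
            pending = int(port) if proto == "TCP" and state == "LISTENING" else None
            continue
        m = EXE_RE.match(line)
        if m and pending is not None:
            owners[pending] = m.group(1)
            pending = None
    return owners

def reconcile(scan_ports, netstat_text):
    """Scanner guess beside the real owner; no owner means nothing is
    listening now (scanner noise or a transient), which is worth a recheck."""
    owners = parse_listeners(netstat_text)
    return {p: (g, owners.get(p, "NO LISTENER FOUND"))
            for p, g in sorted(scan_ports.items())}

if __name__ == "__main__":
    for port, (guess, exe) in reconcile(SCAN_PORTS, SAMPLE_NETSTAT).items():
        print(f"{port:>5}  scanner says {guess:<17} netstat says {exe}")
```

Any owner you do not recognise is the name to look up, and on an Exchange 2003 server 6001, 6002 and 6004 are the fixed RPC-over-HTTP endpoints of the store and DSProxy, so the scanner's X11 label there is only the well-known-port name.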