Re: possible hacking on my network
- From: "Henrik" <hear01@xxxxxxxxxxx>
- Date: Tue, 8 Jan 2008 15:05:45 +0100
Then you really, really need to look into it. If you don't use it and don't know
how it got there (if you don't?), it shouldn't be there.
That goes for all third-party apps on the server: don't install things that
you don't need or don't know what they are.
--
Henrik Arenblad, MCP SBS,
http://support.microsoft.com/kb/q555375 http://www.google.com/
Windows Small Business Server 2003 Technical Library
http://technet2.microsoft.com/WindowsServerSolutions/SBS/en/library/07fe109b-1421-4052-acc2-d2898afc0d951033.mspx?mfr=true
"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:uuJDW4fUIHA.5524@xxxxxxxxxxxxxxxxxxxxxxx
I'm not using BlackIce; don't really know what it is.
"Steve" <newsgroup@xxxxxxxxxx> wrote in message
news:OYPYldYUIHA.476@xxxxxxxxxxxxxxxxxxxxxxx
Why are you using Black Ice on your server?
"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:OleJz2XUIHA.5160@xxxxxxxxxxxxxxxxxxxxxxx
Thanks!
"Henrik" <hear01@xxxxxxxxxxx> wrote in message
news:%23PXgEgXUIHA.2000@xxxxxxxxxxxxxxxxxxxxxxx
BlackICE ICEcap is a firewall system made by www.iss.net ... You
somehow have port 8081 open, and 8081 is used for ICEcap remote
administration, I believe, so it probably "thinks" that it's ICEcap.
Do netstat and see what's using that port.
"Joe" <joe@xxxxxxxxxxxxxx> wrote in message
news:O7QtFQXUIHA.2000@xxxxxxxxxxxxxxxxxxxxxxx
Mike Webb wrote:
Used a new tool just now to look at my server (Look@Lan), as our
internet access is very slow the last 2 hours. Here's what I got on
ports, services and service names:
7 echo -
9 discard sink null
13 daytime -
17 qotd Quote of the Day
19 chargen ttytst source Character Generator
21 ftp File Transfer [Control]
25 smtp Simple Mail Transfer
42 nameserver Host Name Server
53 domain Domain Name Server
80 http World Wide Web HTTP
88 kerberos-sec Kerberos (v5)
135 loc-srv NCS local location broker
139 netbios-ssn NETBIOS Session Service
389 ldap Lightweight Directory Access Protocol
464 kpasswd5 Kerberos (v5)
548 afpovertcp AFP over TCP
554 rtsp Real Time Stream Control Protocol
593 http-rpc-epmap HTTP RPC Ep Map
636 ldapssl LDAP over SSL
691 resvc The Microsoft Exchange 2000 Server Routing Service
1026 nterm remote_login network_terminal
1353 relief Relief Consulting
1433 ms-sql-s Microsoft-SQL-Server
1471 csdmbase -
3389 msrdp Micro$oft Remote Display Protocol
6001 X11:1 X Window server
6002 X11:2 X Window server
6004 X11:4 X Window server
6106 isdninfo i4lmond
8080 http-proxy Common HTTP proxy/second web server port
8081 blackice-icecap ICECap user console
10000 snet-sensor-mgmt SecureNet Pro Sensor https management server
Some of these look BAD. Any comments/recommendations?
That's not hugely different from normal. A quick look with nmap at an
SBS Standard shows mostly the same ports, though I wouldn't really
expect to see those below 21 on a Windows machine. Possibly someone
asked for the additional TCP/IP services on installation. I wouldn't
run any of those, even on a *nix machine.
Note that the service names are those known to your scanner which most
commonly use those ports, and do not necessarily have anything to do
with what is actually using them. X11 is, for example, the older *nix
GUI server, which is unlikely to be found on a Windows machine. Unless
Bill is a little more Open Source friendly than he has us believe...
Open a command prompt and enter netstat -ab which will list the
executables using the ports. Clearly any malware will attempt to
disguise itself, but it can't use the same executable name as a real
Windows program, and a bit of Googling should identify any unfamiliar
names. You may find the list too long for your CLI box, and it's
easier to pipe it into a file for careful examination.
Also check the RAM usage. Contrary to opinions I have seen expressed
here, SBS is quite happy to thrash, using swap heavily without any of
the programs which have 'borrowed' lots of RAM for disc caching being
willing to return it. A few third-party programs are alleged to have
RAM leaks.
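As an added illustration of Joe's point (not code from anyone in the thread): the scanner's service names are only guesses keyed on port number, so the useful step is to line each scanned port up against the process netstat reports as listening on it. The scanner lines, the netstat output, the PID-to-executable map and the allow-list below are all constructed samples; on a real box you would feed in the output of netstat -ab (or -ano plus tasklist) and an allow-list built from a known-clean install.

```python
# Added example: reconcile a port scanner's guessed service labels with the
# process that netstat shows actually listening on each port.
import re

# Constructed sample in the same "port name description" shape as the thread's list.
SCANNER_OUTPUT = """\
25 smtp Simple Mail Transfer
3389 msrdp Micro$oft Remote Display Protocol
6001 X11:1 X Window server
8081 blackice-icecap ICECap user console
"""

# Constructed sample of Windows `netstat -ano` (PID column; -b adds the image name).
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1844
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1252
  TCP    0.0.0.0:6001           0.0.0.0:0              LISTENING       1844
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       3120
"""
# Constructed PID -> executable map (what `netstat -ab` or `tasklist` would give you).
PID_TO_IMAGE = {1844: "store.exe", 1252: "svchost.exe", 3120: "unknown_app.exe"}
# Constructed allow-list; build the real one from a clean SBS install.
KNOWN_GOOD = {"store.exe", "svchost.exe"}

def parse_scanner(text):
    """Map port -> scanner's guessed service name."""
    ports = {}
    for line in text.splitlines():
        m = re.match(r"(\d+)\s+(\S+)\s*(.*)", line)
        if m:
            ports[int(m.group(1))] = m.group(2)
    return ports

def parse_netstat(text):
    """Map listening TCP port -> owning PID from netstat -ano output."""
    listeners = {}
    for line in text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)", line)
        if m:
            listeners[int(m.group(1))] = int(m.group(2))
    return listeners

def reconcile(scanner, listeners, pid_to_image):
    """Rows of (port, scanner label, actual executable or 'not listening')."""
    rows = []
    for port, label in sorted(scanner.items()):
        pid = listeners.get(port)
        image = pid_to_image.get(pid, "?") if pid is not None else "not listening"
        rows.append((port, label, image))
    return rows

def unexplained(rows, known_good=KNOWN_GOOD):
    """Ports whose listening executable is not on the allow-list: look at these first."""
    return [port for port, _label, image in rows if image not in known_good]
```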