Port Reference Question

Discussion in 'Trojan Defence Suite' started by EA6, Jun 23, 2003.

Thread Status:
Not open for further replies.
  1. EA6

    EA6 Guest

    The question below really isn't a PE question :D

    I have a quick question (not counting the preamble), which I hope has not already been asked (I searched, so I am assuming I have an all-clear).

    Using PE, I decided for fun to do a little homework on some of the running processes and the ports they were connecting to and from. What I came up with using the port reference function in TDS-3 piqued my curiosity sufficiently to drive me into the ethermost recesses of security forums. I need to find out if these are kosher connections or if there is something a bit more nefarious going on.

    Now for the important data:

    Environment:
    WinXP Pro box with NAV/NIS, TDS-3 connected to DSL through a firewall router (physically disconnected when not in use, releasing IP yadda yadda) and a LAN hub attached to another nic to which there are no other computers connected.
    All patches and software updates and definitions are applied and full NAV and TDS-3 scans were undertaken as part of the diagnostics. Further, TDS-3 was configured to scan with all options and drives selected, while machine was off-line.

    Port (local) reference data in question:
    lsass.exe ports 500, 4500 (listening to port * IP *.*.*.*)
    svchost.exe ports 135, 3002, 3003 (connected to port 0 IP 0.0.0.0)
    alg.exe port 3001 (connected to port 0 IP 0.0.0.0)
    sagent2.exe ports 1026, 1025 (epson printer network interface connected to port 0 IP 0.0.0.0)

    One instance and known occurrence of this was found as well:
    iexplore.exe ports loc. 4153, rem. 4153, local & remote addresses were loopback. Its status was "listening".


    As interpreted by TDS-3:
    14.37.05 [PortRef] 500: ISAKMP - sakmp
    14.37.20 [PortRef] 4500: SAE-URN - sae-urn
    14.37.35 [PortRef] 135: DCE endpoint resolution, RPC-LOCATOR - RPC (Remote Procedure Location Service)
    14.38.14 [PortRef] 3002: EXLM-AGENT - EXLM Agent
    14.38.24 [PortRef] 3003: <Unassigned>
    14.38.36 [PortRef] 3001: REDWOOD-BROKER - Redwood Broker
    14.38.52 [PortRef] 1026: NTERM - nterm
    14.39.03 [PortRef] 1025: BLACKJACK - network blackjack, LISTEN - listen
    22.07.29 [PortRef] 4153: <Unassigned>


    It is generally my assumption that these are most likely dual-use ports and that IE just hung after I closed it, BUT just to be safe I seek the opinions of those strong in the Force.


    Thanks in advance,
    The Wombat
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Wombat
    be assured the references in the port reference lists in both TDS and PE are right, being about the largest bases I'm aware of, with default ports for trojans.

    As long as it's local, nothing wrong with outside connections as you can see in both PE and your netstat.
     
  3. EA6

    EA6 Guest

    Thank you for your speedy and thoughtful reply. I think though my question was whether the fact of ports in question being open indicated a positive ID of infection even if a system scan did not pick that up.

    Just because they are not currently connected to the outside, does not mean anything really. Especially that one would be safe, since the trojan could burst during other communication, even piggybacking on apps such as Application Layer Gateway, &c.

    I did notice that nmain.exe (NIS when it is opened in full mode) began frequent trysts with this IP block, but especially this singular address: 198.49.161.200. The IPs point to a webserver that has a directory listing of scripts and other such files available for download. It is not associated with Symantec. I subsequently blocked that IP and put an end to it, but you see now the reason for the heightened curiosity. They may be completely unrelated and perhaps NIS has a hardwired secret lover; it's still good to have the ports accounted for. :cool:

    Best wishes from the marsupial formerly known as Wombat
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    EA6, Is this your ISP or something like that?

    IP 198.49.161.200
    Registrant:

    VeriSign, Inc. (VERISIGN-DOM)
    487 East Middlefield Road
    Mountain View, CA 94043
    US

    Domain Name: VERISIGN.COM

    Administrative Contact, Technical Contact:
    VeriSign, Inc. (KISYRULTXO) vshostmaster@VERISIGN.COM
    487 E MIDDLEFIELD RD
    MOUNTAIN VIEW, CA 94043-4047
    US
    650-961-7500 fax: 650-961-8870

    Record expires on 03-Jun-2013.
    Record created on 20-Aug-2002.
    Database last updated on 24-Jun-2003 12:38:38 EDT.

    Domain servers in listed order:

    BAY-W1-INF5.VERISIGN.NET 216.168.254.20
    NS1.CRSNIC.NET 198.41.3.39
    GOLDENGATE-W2-INF6.VERISIGN.NET 216.16
     
  5. EA6

    EA6 Guest

    That is what I came up with as well, Pilli. I forgot to mention that all-important part due to lacking proper allocations of java (the caffeinated variety).

    I will say that since I have blocked that site, I have had absolutely no problems with updating or using NIS and that it did not connect to the site while doing updates, rather only when the main box was opened. Nevertheless, that is probably something for a Symantec forum... and I'm not that desperate ;).

    My main concern is still whether the port numbers currently in use as outlined in my original post are in use purely for normal OS activity, but if no one knows I'm sure I can dig it up somewhere. At any rate, it is good conversation :).

    Signed,
    The Wombatiated One
     
  6. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Wombat,

    It's kinda awkward judging on those ports without seeing the PE output, you may want to consider posting a screenshot with your name and homeIP edited out of the PIC. I will try to give a best guess though I am not comfortable with XP.

    lsass is the security subsystem and it uses port 500 for handling Kerberos logins so that is okay. Port 4500 rings a bell as legitimate but I could not positively identify it. I think this may be a common XP port but you should get more definitive input on this one.

    Port 135 TCP & UDP are some of the NetBIOS ports and are legitimate. (Here and elsewhere in this synopsis, legitimate means that it is normal to see it listening but to see active traffic over it to a public IP is definitely another thing altogether!)

    ports 3001-3003 are I believe XP related (specifically relating, I believe, to the integrated ICF firewall) but you should get better confirmation of this.

    ports 1025, 1026 are ephemeral ports and are legitimate (keeping in mind the previously stated proviso). When Windows attempts communication with an outside host on a defined service port on the outside host it will usually use a randomly chosen port on the local side, and these randomly chosen local ports start from 1025 and increment from there. As you may have noticed in the port refs, many trojan makers take advantage of this fact and statically set their trojans to listen on these ports, so here, again, you have to monitor the activity to be sure it is legitimate.

    the 4153 port is interesting. I don't recall ever seeing IE use the socket with the same local/remote port in a loopback fashion. Maybe I misunderstood your interpretation.

    HTH

    Dan
     
  7. EA6

    EA6 Guest

    Indeed a good synopsis thus far. And a good idea about the screenshot. Not sure how to get one uploaded here though. May need the shortbus on this one ;)
     
  8. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi,

    You need to be registered and logged in to submit images or attachments. If you are wondering how to edit the image, a real good free solution is IrfanView

    http://www.irfanview.com/
     
  9. e2P9

    e2P9 Registered Member

    Joined:
    Jun 24, 2003
    Posts:
    6
    Alrighty now...
    Below you should see the screenshot I took at the time. FYI, "Horchend" means listening and "Verbinden" means connected. Everything else should be clear to those familiar with PE. :D
     
  10. e2P9

    e2P9 Registered Member

    Joined:
    Jun 24, 2003
    Posts:
    6
    Okay, the pic upload didn't work. I hate it when you have to chase the rabbits to get the eggs to feed the farmer who milks the cow that fertilizes the ground that lets the grass grow so the rabbits can hide. :eek:
     
  11. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    lol, keep in mind that there is a 100KB limit on the upload file. If you saved it as a jpeg it is likely too big. You should convert it to gif and (if necessary) adjust the image properties to be able to fit under that limit. (You can do all of that with IrfanView)

    HTH
     
  12. e2P9

    e2P9 Registered Member

    Joined:
    Jun 24, 2003
    Posts:
    6
    I did, I promise! LOL. I kept that baby under 100kb, 89k to be exact. I believe you about IrfanView, but I was able to accomplish it with Photoshop 7 (ok, so I borrowed it). Anyway, it was an 89k jpeg that couldn't bear to leave home. I will try it again here, but I don't think it will work (now watch it work... maybe reverse psychology will do the job). Maybe I need better karma to upload pix? What a can of worms. I liked Worms better when I was in France...
     


  13. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Congratulations on successfully surpassing this first hurdle! You just got a karma cookie.

    I did a search and found confirmation that 3001 used by alg.exe is legitimately used to provide Application Level Gateway services associated with ICS. 3002, 3003 are also associated with ICS. See the two links below

    http://www.securityfocus.com/archive/88/292585

    http://www.derkeiler.com/Newsgroups/comp.security.firewalls/2002-12/2807.html

    This leaves 4153 UDP as the only unknown

    I found a link showing this behaviour (on a different ephemeral port) and stating this is normal, but without any real reason stated. In any event, as the analyst stated, this is going to and from a loopback address:port so it is not traffic anyone can use.

    This link is

    http://ntsecurity.nu/toolbox/inzider/why.php

    While the local loopback on IE seems weird I can't see how it can be a problem and it won't be the first time I got stumped on how MS does stuff.

    Regards,

    Dan
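
    As an added example (not code from this thread, from TDS-3 or from PE), the Python script below parses Windows `netstat -ano` output and applies the same three tests that post 6 and post 13 above do by hand: is the socket's peer a routable address (the nmain.exe case, chase that first), is the socket bound to and peered with loopback only (the iexplore.exe 4153 case, which nobody on the wire can use), and is the local port a known service or merely one in the dynamic range, where a LISTENING socket has to be judged by its traffic rather than by its number. The netstat rows and the PID-to-image map are constructed to mirror the sockets listed in this thread; the PIDs and the remote port 80 on the nmain.exe connection are assumptions, and the 1025-5000 range is Windows XP's default dynamic port range.

```python
"""Triage of Windows `netstat -ano` output along the lines this thread reasons by hand.

Added example; the sample rows below are constructed, not taken from anyone's machine.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IANA assignments that the thread's port reference resolved for the listeners in question.
KNOWN_SERVICES = {
    135: "DCE endpoint resolution (RPC endpoint mapper)",
    500: "ISAKMP (IPsec key exchange)",
    4500: "IPsec NAT traversal",
}
# Windows XP's default dynamic range: where outbound sockets get their local port,
# and where, as the thread notes, many trojans statically park a listener.
EPHEMERAL_RANGE = range(1025, 5001)

# One `netstat -ano` row: proto, local ip:port, foreign ip:port, state (absent for UDP), PID.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)

# Constructed sample mirroring the thread's sockets. PIDs and the remote port of
# the nmain.exe connection are assumptions.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       916
  TCP    0.0.0.0:3001           0.0.0.0:0              LISTENING       1108
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1688
  TCP    127.0.0.1:4153         127.0.0.1:4153         LISTENING       2476
  TCP    192.168.1.10:1026      198.49.161.200:80      ESTABLISHED     3120
  UDP    0.0.0.0:500            *:*                                    680
  UDP    0.0.0.0:4500           *:*                                    680
"""
# Constructed PID-to-image map (on a live box this comes from `tasklist` or PE's process list).
PID_NAMES = {916: "svchost.exe", 1108: "alg.exe", 1688: "sagent2.exe",
             2476: "iexplore.exe", 3120: "nmain.exe", 680: "lsass.exe"}


@dataclass
class Socket:
    proto: str
    local_ip: str
    local_port: Optional[int]
    remote_ip: str
    remote_port: Optional[int]
    state: str
    pid: int


def _port(text: str) -> Optional[int]:
    return None if text == "*" else int(text)


def _addr(ip: str):
    return None if ip == "*" else ipaddress.ip_address(ip)


def parse_netstat(text: str) -> List[Socket]:
    """Parse netstat rows; the banner, the header and blank lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, lip, lport, rip, rport, state, pid = m.groups()
            out.append(Socket(proto, lip, _port(lport), rip, _port(rport), state or "", int(pid)))
    return out


def classify(s: Socket) -> str:
    """Label a socket the way the thread reasons about it.

    public-peer   : the remote address is routable; attribute it to the process first
    loopback-only : bound to 127/8 and peered with loopback or nothing; unusable from the wire
    known-service : a listener on a port with an entry in KNOWN_SERVICES
    ephemeral     : local port in the dynamic range; normal for outbound use, but a
                    LISTENING socket here is judged by its traffic, not by its number
    listener      : anything else bound on all interfaces
    """
    remote = _addr(s.remote_ip)
    if remote is not None and remote.is_global:
        return "public-peer"
    local = _addr(s.local_ip)
    if local is not None and local.is_loopback and (
            remote is None or remote.is_loopback or remote.is_unspecified):
        return "loopback-only"
    if s.local_port in KNOWN_SERVICES:
        return "known-service"
    if s.local_port is not None and s.local_port in EPHEMERAL_RANGE:
        return "ephemeral"
    return "listener"


def triage(text: str, pid_names: Dict[int, str]) -> List[Tuple[str, str, Optional[int], str]]:
    """(image, proto, local port, label) for every socket, in netstat order."""
    return [(pid_names.get(s.pid, f"pid {s.pid}"), s.proto, s.local_port, classify(s))
            for s in parse_netstat(text)]


def public_peers(text: str, pid_names: Dict[int, str]) -> List[Tuple[str, str, Optional[int]]]:
    """The sockets to chase first: processes talking to a routable address."""
    return [(pid_names.get(s.pid, f"pid {s.pid}"), s.remote_ip, s.remote_port)
            for s in parse_netstat(text) if classify(s) == "public-peer"]


if __name__ == "__main__":
    for image, proto, port, label in triage(SAMPLE_NETSTAT, PID_NAMES):
        print(f"{image:14} {proto} {str(port):>5}  {label:14} {KNOWN_SERVICES.get(port, '')}")
    print("public peers:", public_peers(SAMPLE_NETSTAT, PID_NAMES))
```

    Note that the port-reference name alone does not settle ownership: 3001 comes back as REDWOOD-BROKER in the reference but is held by alg.exe here, which is why the script keys the decision on the peer address and the owning image rather than on the name. On a live machine, replace SAMPLE_NETSTAT with the output of `netstat -ano` and build PID_NAMES from `tasklist`.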
     
  14. e2P9

    e2P9 Registered Member

    Joined:
    Jun 24, 2003
    Posts:
    6
    Thanks for all of your help...and the karma cookie :D. As I munch on this, I for now am content to theorise that IE simply had a blowout--something I think I have only seen happen a couple of times in recent years on different machines. It appears as if it just failed to unload all of its modules on exit. It has not happened again since.

    Your references were fantastic. While I generally suspected all was on the up-and-up with ALG, it's good to have independent confirmation from outside the peanut gallery that all appears normal.

    At any rate, I be happy to be an ever-learning padawombat in this matter.
     
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Padawombat, you might like to spy on that IE process in PE and see those are 1-byte data packets each time.
    And you'll probably see one with the IE icon and one as a netstat socket:
    i see now IE icon on UDP local 1028 to local 1028 sent 10069/10069 recvd 10069/10069
    and netstat TCP local 1028 to local 0 ---- ----
     