Red Sockets!

Discussion in 'Port Explorer' started by Valkyri001, Aug 25, 2004.

Thread Status:
Not open for further replies.
  1. Valkyri001

    Valkyri001 Registered Member

    Joined:
    Feb 15, 2004
    Posts:
    300
    Location:
    Friendswood Tx. 77546
    :eek: Are they always bad? If they are reported as a known process why would red be bad?
     
  2. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    In a nutshell, a red socket belongs to a process that doesn't have any visible windows. In the Port Explorer helpfile please see the Interface | Socket Colors page for a full explanation of this. The Advanced | Hidden Server Detection page also has information on this that I think you'll find interesting.

    Best regards,
    Wayne
     
  3. Valkyri001

    Valkyri001 Registered Member

    Joined:
    Feb 15, 2004
    Posts:
    300
    Location:
    Friendswood Tx. 77546
    ;) I'm not sure I understand all that. The bad guy is listening, I can take his packet and change it to work for me instead?
    o_O Also, is it possible that what I'm seeing from here is my router's firewall?
     
  4. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    No, a red socket (red FOREGROUND) simply means the process it belongs to is hidden. Trojans will nearly always show up as red, but there are also some legitimate programs that use sockets but aren't visible, so you can't just assume each red socket is a trojan but it's something to be aware of. A red BACKGROUND indicates that the socket belongs to a process that has just closed.

    Please take some time to read through the help file, as it should answer most if not all of your questions and will also enlighten you on some other interesting things that you might not be aware of.

    Best regards,
    Wayne
     
    Last edited: Aug 25, 2004
  5. Valkyri001

    Valkyri001 Registered Member

    Joined:
    Feb 15, 2004
    Posts:
    300
    Location:
    Friendswood Tx. 77546
    :D Thanks Wayne, I'm reading! Very nice help files! I'm looking at the color codes, but every now and then a whole line across will change color solid for the time that is checked, then flash back to normal. Is this the same meaning as the normal color code of the text in the line?
     
  6. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    A red background on a socket means that socket is dead. Likewise, green background sockets mean that socket was just created. They are indicators so you can see which sockets have been closed and opened.
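Added illustration, not Port Explorer's code and not part of any post in this thread: the colouring rules Wayne and Jason describe, applied to two constructed socket snapshots. The `Socket` record, the snapshot data and the function names are assumptions; the Windows helper approximates "has a visible window" with user32.EnumWindows, which only covers top-level windows.

```python
import ctypes
import sys
from dataclasses import dataclass

@dataclass(frozen=True)
class Socket:
    """One socket row as a port monitor lists it (hypothetical record type)."""
    pid: int
    proto: str
    local: str    # "ip:port"
    remote: str   # "ip:port", or "*" for a listening socket

def colour_sockets(previous, current, visible_pids):
    """Map every socket in either snapshot to (foreground, background) using the
    thread's rules: red fg = owner has no visible window; green bg = appeared since
    the last snapshot; red bg = disappeared since the last snapshot (dead)."""
    prev, curr = set(previous), set(current)
    colours = {}
    for sock in prev | curr:
        fg = "black" if sock.pid in visible_pids else "red"
        if sock not in prev:
            bg = "green"   # just created
        elif sock not in curr:
            bg = "red"     # just closed
        else:
            bg = "white"   # present in both snapshots
        colours[sock] = (fg, bg)
    return colours

def pids_with_visible_windows():
    """Windows only: PIDs that own a visible top-level window, via user32.EnumWindows."""
    if sys.platform != "win32":
        raise OSError("needs the Win32 user32 API")
    user32 = ctypes.windll.user32
    pids = set()
    def on_window(hwnd, _lparam):
        if user32.IsWindowVisible(hwnd):
            owner = ctypes.c_ulong()
            user32.GetWindowThreadProcessId(hwnd, ctypes.byref(owner))
            pids.add(owner.value)
        return True   # keep enumerating
    callback = ctypes.WINFUNCTYPE(ctypes.c_bool, ctypes.c_void_p, ctypes.c_void_p)
    user32.EnumWindows(callback(on_window), 0)
    return pids

# Constructed sample snapshots (not real captures); only PID 2044 owns a window.
SNAP_1 = [Socket(1200, "TCP", "0.0.0.0:135", "*"), Socket(2044, "TCP", "192.168.0.2:1043", "10.0.0.5:80")]
SNAP_2 = [Socket(1200, "TCP", "0.0.0.0:135", "*"), Socket(3110, "UDP", "0.0.0.0:1900", "*")]
VISIBLE_PIDS = {2044}
```

On Windows, `colour_sockets(old, new, pids_with_visible_windows())` over two real snapshots gives the same red/green/white marking the thread discusses.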
     
  7. iamcelt00

    iamcelt00 Registered Member

    Joined:
    Oct 30, 2004
    Posts:
    1
    Location:
    USA
    Finally, I understand what they mean: "no visible windows" is a process running in the lower right. I have several showing up under cli.exe. I did investigate them at the process level. I found some interesting data that was being sent over them. Some of it was personal. Of course my programs that use these sockets will no longer work if I disable them from sending or receiving and/or kill them. I am left questioning if legitimate companies are allowing personal information to be freely shared through firewalls. If this is the case, then I guess we have to share or just not use their programs. At any rate, I could be misinterpreting what I am seeing. After one session of collecting data my utilities governing spysockets program became nonresponsive. This was tracked down to a change or error that occurred in the registry of portexplorer after several attempts were made to uninstall and reinstall portexplorer to recover this utility's function. Only after using a powerful registry editor was I able to recover its function. This may just be a coincidence or a bug in my system. I will be more certain after further usage of the spy utility in portexplorer.
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there, this about your cli.exe
    http://www.liutilities.com/products/wintaskspro/processlibrary/cli/
    cli - cli.exe - Process Information
    Process File: cli or cli.exe
    Process Name: ATI Catalyst
    Description:
    cli.exe is installed alongside ATI's range of graphics cards with the Catalyst hardware driver range. Installs an easy-to-access taskbar icon for access to diagnostics features. This is a non-essential process. Disabling or enabling this is down to user preference.

    Author: ATI Technologies
    Part Of: ATI Multimedia

    System Process: No
    Background Process: No
    Uses Network: No
    Hardware Related: Yes
    Common Errors: N/A

    Security Risk (0-5): 0
    Virus: No
    Spyware: No
    Trojan: No
     
  9. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    If there is any question, you are welcome to send a saved log to us! Just click FILE > SAVE AS to make a log and then email the log to support(at)diamondcs.com.au and I'll let you know if there's anything suspicious :)
     