I would use Nmap to do your scanning, and then use Process Explorer from
Sysinternals to find out which .exe has the port open.

 

BTW: GO PENN STATE NIT Champs:

BSME PENN STATE 1996..

Z

Edward Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP+I, ME, CCA, Security +, Network +
ezi...@lifespan.org
Phone:401-639-3505

________________________________

From: andy [mailto:afo...@psu.edu] 
Sent: Friday, April 10, 2009 8:47 AM
To: NT System Admin Issues
Subject: RE: Too to find what .exe has a port open

 

I recently scanned some of my computers with a Languard beta scanner
that I have been using for years.  And then scanned some computers on my
subnet and then on other subnets.  They all showed ports 25 and 110
open.  Since I never got false results from my Languard beta in years, I
immediately suspected that all of these computers were infected with
some type of spam bot.  I picked out one machine and installed every
type of free port monitor on it that I could find.  All results showed
that the ports 25 and 110 are not open.  I think our firewall guys,
they just started installing and learning about firewalls, have it set up
so that the firewall intercepts any telnet session to 25 or 110 and
gives it a window.  Is this possible?

I have not tried moving my Languard beta scanner outside the firewall
to test the ports.

On another note, a few years ago, I used the Languard scanner to look
for a Trojan that was infecting computers and found a port open on a
Linux machine that corresponded to the port the Trojan was infecting.
Come to find out, the Linux machine was using some type of proprietary
software that used the same port as the Trojan.  We said, eh ok, you are
clean, you can get back on the network.


At 02:47 PM 4/9/2009, Derek Lidbom wrote:



Are they UDP ports?

Does it say immediately after it checks them that they are closed again?

My guess would be Languard sees the port number and immediately
associates it with a Trojan, without checking to see if it is UDP or TCP.
 
 
 
From: David Lum [mailto:david....@nwea.org]
Sent: Thursday, April 09, 2009 2:42 PM
To: NT System Admin Issues
Subject: RE: Too to find what .exe has a port open
 
NETSTAT...I shoulda known
 
Netstat -ano shows nothing in that range.
 
Hey, if you have TCPView running when you also run a Nessus scan on same
system...now that's funny right there...
 
Nessus shows nothing, TCPView shows nothing, NETSTAT shows
nothing...only Languard shows something at those ports...
 
Dave
 
From: Michael B. Smith [mailto:mich...@owa.smithcons.com]
Sent: Thursday, April 09, 2009 11:23 AM
To: NT System Admin Issues
Subject: RE: Too to find what .exe has a port open
 
KISS
 
"netstat -ano". The "o" gives you the process owning the port, which you
can use TaskList or Task Manager to find.
 
If it isn't in the list - you've been pwned. (probably)
 

________________________________

From: David Lum [david....@nwea.org]
Sent: Thursday, April 09, 2009 2:22 PM
To: NT System Admin Issues
Subject: RE: Too to find what .exe has a port open

Perfect thanks!
 
Now I have something, or not...GFI Languard scanned a machine that says
I have two KiLo ports open (6666,6667). TCPView shows nothing in that
range....comments?
 
Dave
 
From: Jake Gardner [mailto:jgard...@ttcdas.com]
Sent: Thursday, April 09, 2009 11:12 AM
To: NT System Admin Issues
Subject: RE: Too to find what .exe has a port open
 
TCPView from SysInternals
 
Thanks,
 
Jake Gardner
TTC Network Administrator
Ext. 246
 
 

________________________________

From: David Lum [mailto:david....@nwea.org]
Sent: Thursday, April 09, 2009 2:09 PM
To: NT System Admin Issues
Subject: Too to find what .exe has a port open

I have tools that tell me WHAT port is open, but nothing to tell me what
app has the port open. What do you guys use? (yes probably discussed
here before...)

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764
 

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~
Derek Lidbom
Director of Technology and Interactive Development, Trone
336.812.2010
dlid...@trone.com

--------Andy-Ofalt---863-3449------405-Ag-Admin-Bldg------for more
information go to http://ict.cas.psu.edu/Contacts.html
---------- My little blurb to
eat up bandwidth and make your mail box even larger
+++++++++++++++++++++++++++++++++++++++++++++++++++
 The real problem is that IP, a connectionless protocol, was never
developed to be the universal protocol. ATM was developed to serve that
purpose and failed.
+++++++++++++++++++++++++++++++++++++++++++++++++++
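
An added example, not part of any message in this thread: it correlates captured `netstat -ano` and `tasklist /fo csv /nh` output with a scanner's port list, separating listeners with a known owner, listeners whose PID is missing from the process list, and ports that only the scanner reports. All sample data, function names and status labels are constructed for illustration.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (not taken from the thread).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.20:49712     192.168.1.5:445        ESTABLISHED     4
  TCP    [::]:135               [::]:0                 LISTENING       884
  UDP    0.0.0.0:6667           *:*                                    2044
"""
# Constructed sample of `tasklist /fo csv /nh` output; PID 3120 is absent on purpose.
TASKLIST = '''\
"System","4","Services","0","236 K"
"svchost.exe","884","Services","0","5,120 K"
"agent.exe","2044","Services","0","9,884 K"
'''
# Constructed list of (protocol, port) pairs a remote scanner reported open.
SCANNER_REPORT = [("TCP", 25), ("TCP", 110), ("TCP", 445), ("TCP", 6667)]

def parse_listeners(text):
    """Map (proto, port) -> PID for TCP LISTENING sockets and bound UDP sockets."""
    listeners = {}
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue
        if f[0] == "TCP" and (len(f) != 5 or f[3] != "LISTENING"):
            continue  # skip established/closing connections
        listeners[(f[0], int(f[1].rsplit(":", 1)[1]))] = int(f[-1])
    return listeners

def parse_tasklist(text):
    """Map PID -> image name from CSV rows (image, PID, session, ...)."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(text)) if r}

def correlate(netstat, tasklist, scanner_report):
    listeners, procs = parse_listeners(netstat), parse_tasklist(tasklist)
    findings = []
    for (proto, port), pid in sorted(listeners.items()):
        image = procs.get(pid)  # None: process exited, or is hidden from tasklist
        findings.append((proto, port, pid, image, "owned" if image else "pid-not-in-tasklist"))
    for proto, port in scanner_report:
        if (proto, port) in listeners:
            continue
        other = "UDP" if proto == "TCP" else "TCP"
        # Nothing local is bound: look at in-path devices or the scanner itself.
        status = "other-protocol-only" if (other, port) in listeners else "scanner-only"
        findings.append((proto, port, None, None, status))
    return findings
```

Calling `correlate(NETSTAT, TASKLIST, SCANNER_REPORT)` returns one tuple per finding; capture both command outputs as close together in time as possible so a short-lived process is not mistaken for a missing one.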

 

 
