It's hard to tell just looking at the netstat info below. The port is a little unusual, but is definitely not uncommon. Many legitimate programs open up high port numbers. If the netstat trace showed it connecting to a remote Internet host, then I'd be more suspicious. The key to any unknown port opening is to trace it back to the program, process, or service that is opening the port and then doing research on the found cause (just as you are asking to do). There are several "port enumerators" that will tie back the program to the port. If you have Windows XP, you can do it using netstat command-line parameters (I think it is -o or -p)...which ties the open port to a process ID (PID) that can then be traced back to the program (using Task Manager) or a lot of other PID-listing tools. If you don't have XP, consider Foundstone's F-port or www.sysinternals.com's TCPView (although I get a lot of blue screens after installing it).
Be advised there are many ways for a malicious program to hide from port viewers, although they tend to be the exception rather than the rule.

Good luck.

Roger

********************************************************************************
*Roger A. Grimes, Computer Security Consultant
*CPA, MCSE (NT/2000), CNE (3/4), A+
*email: [EMAIL PROTECTED]
*cell: 757-615-3355
*Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
********************************************************************************

----- Original Message -----
From: "Hyperion" <[EMAIL PROTECTED]>
To: "Security Basics Mailing List" <[EMAIL PROTECTED]>
Sent: Monday, June 30, 2003 12:52 PM
Subject: What is this port? is it a trojan?

> Hello all :)
>
> I have been taking a more detailed interest in my pc's security of late,
> and security for computers in general, and I am learning at quite a fast
> rate, although there is a great, great deal of information to learn out
> there.
>
> Just recently I have taken to doing regular, netstat - probes on my machine
> to see the different connections that arise and so forth.
> Today I found a rather mysterious port with the number, 44334 and I have
> copied/pasted the results of the netstat -an below for people to look at.
> Is the port in question, -44334- a Trojan? it strikes me as a rather
> suspicious port and a rather large port number.
> Could anyone tell me how I can find out what's running behind the port in
> question, and also what to do about it if it is a port.
> I have run my virus software, but it did not find any viruses or Trojans
> installed on my machine, so I am at a loss as to what to do.
> I am also very limited in my security knowledge, so I am basically stuck for
> the necessary ideas or solutions on what to do in order to find out what's
> behind this port.
> Any and all help is greatly appreciated thanks.
>
> Details of netstat below::
>
> Active Connections
>
>   Proto  Local Address          Foreign Address        State
>   TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:1038           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:44334          0.0.0.0:0              LISTENING
>   TCP    127.0.0.1:110          0.0.0.0:0              LISTENING
>   TCP    127.0.0.1:1279         127.0.0.1:110          TIME_WAIT
>   TCP    217.135.174.224:1280   195.92.193.154:110     TIME_WAIT
>   UDP    0.0.0.0:445            *:*
>   UDP    0.0.0.0:500            *:*
>   UDP    0.0.0.0:1036           *:*
>   UDP    0.0.0.0:44334          *:*
>   UDP    127.0.0.1:123          *:*
>   UDP    127.0.0.1:1900         *:*
>   UDP    217.135.174.224:123    *:*
>   UDP    217.135.174.224:1900   *:*
>
>
> My Regards
> Hyperion
>
>
> ---------------------------------------------------------------------------
> Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
> The Gartner Group just put Neoteris in the top of its Magic Quadrant,
> while InStat has confirmed Neoteris as the leader in marketshare.
>
> Find out why, and see how you can get plug-n-play secure remote access in
> about an hour, with no client, server changes, or ongoing maintenance.
>
> Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
> ----------------------------------------------------------------------------
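
The tracing step described in the reply above (tie each open port to a PID, then the PID to a program), as an added example that is not part of the original thread. It assumes the output layouts of `netstat -ano` and `tasklist /fo csv /nh` on Windows; the PID column, the process names and the function names are constructed for illustration.

```python
import csv
import io

# Constructed sample: some of the poster's sockets with a made-up PID column,
# in the layout printed by `netstat -ano`.
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       740
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:44334          0.0.0.0:0              LISTENING       1312
  TCP    127.0.0.1:110          0.0.0.0:0              LISTENING       1500
  TCP    127.0.0.1:1279         127.0.0.1:110          TIME_WAIT       0
  UDP    0.0.0.0:44334          *:*                                    1312
"""

# Constructed sample in the layout of `tasklist /fo csv /nh`.
TASKLIST_CSV = '''\
"System","4","Console","0","216 K"
"svchost.exe","740","Console","0","3,100 K"
"example_app.exe","1312","Console","0","5,420 K"
"mailscan.exe","1500","Console","0","2,048 K"
'''

def parse_tasklist(text):
    """Map PID -> image name from tasklist CSV rows."""
    rows = csv.reader(io.StringIO(text))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2 and r[1].isdigit()}

def open_ports(netstat_text, tasklist_text):
    """Return listening TCP sockets and bound UDP sockets with their owner."""
    names = parse_tasklist(tasklist_text)
    found = []
    for line in netstat_text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        # TCP rows carry a State column; UDP rows do not.
        if f[0] == "TCP" and (len(f) != 5 or f[3] != "LISTENING"):
            continue
        if f[0] == "UDP" and len(f) != 4:
            continue
        host, _, port = f[1].rpartition(":")  # rpartition also copes with [::]:135
        pid = int(f[-1])
        found.append({"proto": f[0], "port": int(port), "pid": pid,
                      "image": names.get(pid, "<unknown>"),
                      "all_interfaces": host in ("0.0.0.0", "[::]")})
    return found

if __name__ == "__main__":
    for s in open_ports(NETSTAT_ANO, TASKLIST_CSV):
        print(s)
```

A PID that maps to `<unknown>` means the process list and the socket list disagree, which is worth a second look with another tool given the reply's point that a program can hide from port viewers.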