Check which ports your computer has opened


Post by z3r0aCc3Ss »

Well, if you are infected by a RAT, as you know, it uses specific ports other than 0-1024 to communicate with your machine.
So, how do you identify which port is opened and which RAT or which service is running on your machine without your permission?

There are many tools or ideas available to identify infection or intrusion in our system.
I will post some.

The very basic method is to press Ctrl + Alt + Del; it will show you all the services currently running, but it will not show you which ports are opened. Almost all RATs bypass this and get bound to some process.

There are a couple of tools which have a very good GUI and are very easy to use.

1) Advanced port scanner

Image

Download: http://rapidshare.com/files/275961863/pscan13.rar

2) cports
This is a very nice tool available from NirSoft.

This is the condition before running any RAT
Image


I have used Cerberus for the demo; this is after using the RAT:
Image


Post by z3r0aCc3Ss »

Also, if you find that a new port has opened, without your permission in cports, then you can easily close it by selecting that port and pressing Ctrl + T.


Post by ayu »

VirusTotal report:

http://www.virustotal.com/analisis/52c86fdd7adb6da7d27ddd74d8769c7cb6f673f01c56373c07487205a804a87d-1252159037
1/41


The positive match was: Trojan/GenteeKiller.b


I say clean, for now
"The best place to hide a tree, is in a forest"


Post by z3r0aCc3Ss »

Yep, it's clean. I'm using that tool for months now.
I dunno why it showed like that. Working correctly.
You can test that.


Post by bad_brain »

TCPview does the job too, it's kinda the "default tool" on suck-o for viewing the connections...can be found in the downloads... :wink:


Post by DNR »

Thanks for the heads-up on cports, I got the cportx64 for my Vista laptop - niiiice. :wink:

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.


Post by DNR »

http://securityxploded.com/winservicemanager.php

I use Process Explorer to look for anomalies; since I watch it every time, every day, it's easy to spot what's not supposed to be there.

The winservicemanager just displays the same information you would have in Process Explorer in a slightly easier format to view and save. This might be a good tool for newbies, so they can send a helper a page view of all the processes running on their machine.

I suppose a newbie could set up his machine and then print out the service/process list and save it for reference when checking his machine for infection at a later time - the lists can be compared side by side.

BTW you can see why I made BB nervous when I got my modem:
Unknown 0 TCP 50064 70.212.44.242 80 http 62.75.148.170 suck-o.com Time Wait N/A 9/5/2009 8:51:39 PM
Unknown 0 TCP 50065 70.212.44.242 80 http 62.75.148.170 suck-o.com Time Wait N/A 9/5/2009 8:51:39 PM
Unknown 0 TCP 50068 70.212.44.242 80 http 62.75.148.170 suck-o.com Time Wait N/A 9/5/2009 8:51:39 PM
Unknown 0 TCP 50069 70.212.44.242 80 http 62.75.148.170 suck-o.com Time Wait N/A 9/5/2009 8:51:39 PM
Unknown 0 TCP 50073 70.212.44.242 80 http 62.75.148.170 suck-o.com Time Wait N/A 9/5/2009 8:51:39 PM
Unknown 0 TCP 50074 70.212.44.242 80 http 62.75.148.170 suck-o.com Time Wait N/A 9/5/2009 8:51:39 PM
Unknown 0 TCP 50075 70.212.44.242 80 http 62.75.148.170 suck-o.com Time Wait N/A 9/5/2009 8:51:39 PM
Unknown 0 TCP 50076 70.212.44.242 80 http 62.75.148.170 suck-o.com Time Wait N/A 9/5/2009 8:51:39 PM
Unknown 0 TCP 50080 70.212.44.242 80 http 62.75.148.170 suck-o.com Time Wait N/A 9/5/2009 8:51:39 PM
Unknown 0 TCP 50081 70.212.44.242 80 http 62.75.148.170 suck-o.com Time Wait N/A 9/5/2009 8:51:39 PM
Unknown 0 TCP 50082 70.212.44.242 80 http 62.75.148.170 suck-o.com Time Wait N/A 9/5/2009 8:51:39 PM
Unknown 0 TCP 50083 70.212.44.242 80 http 62.75.148.170 suck-o.com Time Wait N/A 9/5/2009 8:51:39 PM
My modem software uses multiple ports to quickly assemble the webpage I request, looking like a weak DoS attempt. :roll:



Post by bad_brain »

yeah DNR, that was a little problem on the first server suck-o was on, you opened so many connections that the system almost ran out of memory... :lol:


Post by moudy »

Let's say I have port 1025 open?
What can I know about it?
And how exactly can I know that something is REALLY going wrong... since I don't monitor my connection a lot, I don't know what's wrong and what's not wrong...
mahmoud_shihab@hotmail.com


Post by DNR »

moudy - you want to investigate what service is running on the port, so run TCPView, cports (or, in a more complex fashion, Process Explorer):

iexplore.exe 2960 UDP 65103 127.0.0.1 C:\Program Files (x86)\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) Microsoft Corporation 9/6/2009 9:30:28 AM NOMAD_2\Owner A 9/6/2009 9:57:16 AM

This is from cports - it shows the service (iexplore.exe), protocol (UDP), port # (65103), connected host (127.0.0.1), what program is controlling the service (C:\...) and privileges.

Once you find the service, you can google it for the reasons it's used.

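As an added example (not from the thread, and not code from cports, TCPView or Process Explorer), here is the baseline-and-compare idea from DNR's earlier post combined with the cports columns he describes just above, done in Python: it parses a constructed tab-separated export in a cports-like column order (an assumed format), reports listeners that are not in a saved baseline, and flags listeners above port 1024 whose binary sits outside an assumed allow-list of system directories.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    process: str
    pid: int
    proto: str
    local_port: int
    remote: str      # "ip:port", or "" when the socket has no peer
    state: str       # cports-style state column; "" for UDP sockets
    path: str        # full path of the owning executable

def parse_rows(text: str) -> list:
    """Rows are tab-separated: process, pid, proto, lport, rip, rport, state, path."""
    conns = []
    for line in text.strip().splitlines():
        f = line.split("\t")
        if len(f) != 8:
            continue                      # skip malformed rows rather than guess
        remote = f"{f[4]}:{f[5]}" if f[4] else ""
        conns.append(Conn(f[0], int(f[1]), f[2].upper(), int(f[3]), remote, f[6], f[7]))
    return conns

def is_listener(c: Conn) -> bool:
    """A socket that can accept inbound traffic: TCP in Listening state, or any UDP."""
    return c.state == "Listening" or c.proto == "UDP"

def listeners(conns) -> set:
    return {(c.proto, c.local_port, c.path) for c in conns if is_listener(c)}

def new_listeners(baseline, current) -> list:
    """Listeners present now that were not in the baseline snapshot."""
    return sorted(listeners(current) - listeners(baseline))

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")   # assumption: hypothetical allow-list

def suspicious(conns) -> list:
    """Listeners above port 1024 whose binary lives outside the usual system dirs."""
    return [c for c in conns if is_listener(c) and c.local_port > 1024
            and not c.path.lower().startswith(TRUSTED_DIRS)]

# Constructed snapshots in the row format above (not real cports exports).
BASELINE = (
    "svchost.exe\t1044\tTCP\t135\t\t\tListening\tC:\\Windows\\System32\\svchost.exe\n"
    "System\t4\tTCP\t445\t\t\tListening\tSystem\n"
)
CURRENT = BASELINE + (
    "iexplore.exe\t2960\tTCP\t50064\t62.75.148.170\t80\tEstablished\t"
    "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\n"
    "svchost.exe\t3120\tTCP\t5555\t\t\tListening\tC:\\Users\\Owner\\AppData\\Local\\Temp\\svchost.exe\n"
)
```

The established browser connection is ignored because it is not a listener; the second "svchost.exe" is reported both as new against the baseline and as suspicious because it listens on a high port from a temp directory.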


Post by moudy »

I think I'll get process explorer and experiment with it...
thanks for the reply DNR


Post by DNR »

ok, with Process Explorer you right-click on a running service and view TCP/IP properties. I like it because you can view the threads and strings used by the process. Replace Taskman with Process Explorer, and put processexplorer.exe in the startup folder.
I have always used PE to baseline my machines.



Post by moudy »

I downloaded the app. I'll work with it for a while, and if I have any question I'll ask you :D