
Re: firewalling



** Reply to message from flash on Tue, 13 Dec 2005 08:41:25 +0100

Flash:

> root-partition(usually c:)\winnt\system32\drivers\etc\services
> ...This file contains
> the list of applications currently installed on your machine and what
> port numbers they reserve for networking functions.

I thought this was just the default list, not the active list? On my NT5
system, this file is dated 2001. Anyway, what's to prevent any trojan from
using an ordinarily kosher port, as long as your app isn't using it?

> which ports are being used at any given moment. To see THAT,
> open a DOS window and type: netstat -a. That shows you which ports/appls
> are actually online at any given moment.

You really need more info, though. At least under XP+, "netstat -ao" gives you
the PID of the program that is LISTENING or ESTABLISHED, so that you can kill
it in TaskMan (or, way better, Process Explorer). However, since you write
"c:\winnt\system32...", you're probably not using XP (neither do I, mostly) and
so the -o param won't work. PULIST from the ResKit (free from M$) will give
useful additional info ("pulist | sort | more"), but you still can't get the
crucial nexus between the local calling program and the port number, in order
to kill suspicious connections.

I think the two most useful (freeware) utils for this purpose are the CurrPorts
program by Nir Sofer and its associated IPNetInfo
 http://www.nirsoft.net/utils/cports.html
and
 http://www.nirsoft.net/utils/ipnetinfo.html
These are itsy-bitsy phenomenal GUI progs (~40Kb each) that tell you everything
you can possibly know about your current connections. CPorts is the main
program. If you see an established connection with an IP address that can't be
resolved to a hostname with DNS, highlight it and hit Ctrl-I and bam! --
complete WHOIS information about the address -- you can't do much better than
that! You may well find that it is just something like AcroRead looking for
another bloated update, but... When I see my computer communicating furiously
with somebody/something somewhere, and I want to know what's going on, these
are my steady companions. (Sofer also has some amazing password sniffers.)

None of this stuff works well in the toy operating systems -- NT only.

-----------------------------
Robert Holmgren
holmgren@xxxxxxxx
-----------------------------
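The "crucial nexus" Robert describes above, joining each "netstat -ao" row to the process that owns it, worked as an added example (not code from this thread or from NirSoft). It assumes the XP-era netstat column layout; the netstat output and the PID-to-image map are constructed samples, not real captures.

```python
import re
from collections import namedtuple

# Constructed sample of "netstat -ao" output (XP and later print the PID column).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1057      203.0.113.9:80         ESTABLISHED     1764
  TCP    192.168.1.20:1061      198.51.100.77:443      ESTABLISHED     2208
  UDP    0.0.0.0:445            *:*                                    4
"""
# Constructed PID -> image map, as "tasklist" or Process Explorer would show it.
# PID 2208 is deliberately missing, modelling a process you cannot account for.
TASKLIST_SAMPLE = {4: "System", 812: "svchost.exe", 1764: "AcroRd32.exe"}

# state is "" for UDP rows (no state column); image is "<unknown>" for an unlisted PID
Conn = namedtuple("Conn", "proto local remote state pid image")
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse_netstat(text, pid_map):
    """Join each netstat row with its owning process: the program<->port nexus."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or unparseable row
        proto, local, remote, state, pid = m.groups()
        image = pid_map.get(int(pid), "<unknown>")
        conns.append(Conn(proto, local, remote, state or "", int(pid), image))
    return conns

def established_by_image(conns):
    """Image name -> ['local -> remote', ...] for ESTABLISHED connections only."""
    out = {}
    for c in conns:
        if c.state == "ESTABLISHED":
            out.setdefault(c.image, []).append(f"{c.local} -> {c.remote}")
    return out

def unattributed(conns):
    """Rows whose PID matches no running process: investigate these first."""
    return [c for c in conns if c.image == "<unknown>"]

if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for image, peers in established_by_image(conns).items():
        print(image, peers)
    for c in unattributed(conns):
        print("unattributed:", c.proto, c.local, "->", c.remote, "PID", c.pid)
```

Note that the unattributed row sits on port 443, a perfectly "kosher" port: the port number alone tells you nothing, which is why the owning process is the column that matters.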