dns.exe and listening ports - Trojans?
Andy
2006-05-14 11:48:37 UTC
Hi

I've got a DNS server up and running in a small network. Today I've been
doing various port scans of this server. I've noticed several ports that I
don't know, but somehow they seem to be related to dns.exe.
The ports in question are 1050 and 1395.
When I stop the DNS server, the open ports disappear, but when the DNS server
is restarted the ports reappear. My first thought was that the dns.exe on port
1050 was the minicommand trojan, but it doesn't seem so now.
I've also verified, using both netstat -ano and TCPView from Sysinternals,
that the listening ports are related to dns.exe.

The server in question functions as both DNS and DC for our small domain. It
is fairly new, and has only been used with Windows Update for HTTP traffic.

Please help

/A.
Dheeraj Chawla
2006-05-14 12:43:01 UTC
Dear Andy,
I would like to inform you that it could be possible that
your DNS server is contacting other DNS servers or the name servers on the
internet. When you stop the DNS service, the ports do disappear from the port
scan. Try typing netstat | more at the command prompt and post the results
here while the service is on and off. This command will give you the number
of connections going in and out from your server. Also go to Task
Manager. This can be done by right-clicking on the taskbar and clicking Task
Manager. Click on Processes and take a look at all the processes; make sure
that you don't find any funny names that are started either by the System or
the user.

Do let me know if my answer could be helpful

Thanks & Regards
Dheeraj Chawla
--
ITNETADMIN.COM
WE BRING TECHNOLOGY TO YOU
Andy
2006-05-14 13:53:32 UTC
When I run the command before and after I stop the DNS server, this is the
output I get:

Active Connections

  Proto  Local Address           Foreign Address                         State
  TCP    technics:ldap           technics.multizite.local:1034           ESTABLISHED
  TCP    technics:ldap           technics.multizite.local:1035           ESTABLISHED
  TCP    technics:ldap           technics.multizite.local:1038           ESTABLISHED
  TCP    technics:ldap           technics.multizite.local:1151           ESTABLISHED
  TCP    technics:ldap           technics.multizite.local:1177           ESTABLISHED
  TCP    technics:1034           technics.multizite.local:ldap           ESTABLISHED
  TCP    technics:1035           technics.multizite.local:ldap           ESTABLISHED
  TCP    technics:1038           technics.multizite.local:ldap           ESTABLISHED
  TCP    technics:1151           technics.multizite.local:ldap           ESTABLISHED
  TCP    technics:1177           technics.multizite.local:ldap           ESTABLISHED
  TCP    technics:ldap           technics.multizite.local:1047           ESTABLISHED
  TCP    technics:ldap           technics.multizite.local:1143           ESTABLISHED
  TCP    technics:ldap           technics.multizite.local:1268           TIME_WAIT
  TCP    technics:ldap           technics.multizite.local:1269           TIME_WAIT
  TCP    technics:microsoft-ds   technics.multizite.local:1270           ESTABLISHED
  TCP    technics:1025           technics.multizite.local:1049           ESTABLISHED
  TCP    technics:1025           technics.multizite.local:1179           ESTABLISHED
  TCP    technics:1047           technics.multizite.local:ldap           ESTABLISHED
  TCP    technics:1049           technics.multizite.local:1025           ESTABLISHED
  TCP    technics:1143           technics.multizite.local:ldap           ESTABLISHED
  TCP    technics:1169           technics.multizite.local:1025           TIME_WAIT
  TCP    technics:1178           technics.multizite.local:epmap          TIME_WAIT
  TCP    technics:1179           technics.multizite.local:1025           ESTABLISHED
  TCP    technics:1270           technics.multizite.local:microsoft-ds   ESTABLISHED
  TCP    technics:3389           172.16.0.16:3265                        ESTABLISHED

DNS stopped:

Active Connections

  Proto  Local Address           Foreign Address                         State
  TCP    technics:ldap           technics.multizite.local:1034           ESTABLISHED
  TCP    technics:ldap           technics.multizite.local:1035           ESTABLISHED
  TCP    technics:ldap           technics.multizite.local:1038           ESTABLISHED
  TCP    technics:ldap           technics.multizite.local:1151           ESTABLISHED
  TCP    technics:1034           technics.multizite.local:ldap           ESTABLISHED
  TCP    technics:1035           technics.multizite.local:ldap           ESTABLISHED
  TCP    technics:1038           technics.multizite.local:ldap           ESTABLISHED
  TCP    technics:1151           technics.multizite.local:ldap           ESTABLISHED
  TCP    technics:ldap           technics.multizite.local:1047           ESTABLISHED
  TCP    technics:ldap           technics.multizite.local:1143           ESTABLISHED
  TCP    technics:ldap           technics.multizite.local:1268           TIME_WAIT
  TCP    technics:ldap           technics.multizite.local:1269           TIME_WAIT
  TCP    technics:1025           technics.multizite.local:1049           ESTABLISHED
  TCP    technics:1025           technics.multizite.local:1179           ESTABLISHED
  TCP    technics:1047           technics.multizite.local:ldap           ESTABLISHED
  TCP    technics:1049           technics.multizite.local:1025           ESTABLISHED
  TCP    technics:1143           technics.multizite.local:ldap           ESTABLISHED
  TCP    technics:1169           technics.multizite.local:1025           TIME_WAIT
  TCP    technics:1178           technics.multizite.local:epmap          TIME_WAIT
  TCP    technics:1179           technics.multizite.local:1025           ESTABLISHED
  TCP    technics:1270           technics.multizite.local:microsoft-ds   TIME_WAIT
  TCP    technics:3389           172.16.0.16:3265                        ESTABLISHED

As you can see, I do not have port 1050 open. I've also installed the NOD32
virus scanner from Eset now, and it didn't detect any viruses on the
machine.
Any idea?

/A.
Andy
2006-05-14 13:57:03 UTC
Got this now:

  Proto  Local Address           Foreign Address                         State
  TCP    technics:ldap           technics.multizite.local:1034           ESTABLISHED
  TCP    technics:ldap           technics.multizite.local:1035           ESTABLISHED
  TCP    technics:ldap           technics.multizite.local:1038           ESTABLISHED
  TCP    technics:ldap           technics.multizite.local:1151           ESTABLISHED
  TCP    technics:ldap           technics.multizite.local:1365           ESTABLISHED
  TCP    technics:1034           technics.multizite.local:ldap           ESTABLISHED
  TCP    technics:1035           technics.multizite.local:ldap           ESTABLISHED
  TCP    technics:1038           technics.multizite.local:ldap           ESTABLISHED
  TCP    technics:1151           technics.multizite.local:ldap           ESTABLISHED
  TCP    technics:1358           technics.multizite.local:microsoft-ds   TIME_WAIT
  TCP    technics:1365           technics.multizite.local:ldap           ESTABLISHED
  TCP    technics:ldap           technics.multizite.local:1047           ESTABLISHED
  TCP    technics:ldap           technics.multizite.local:1143           ESTABLISHED
  TCP    technics:ldap           technics.multizite.local:1360           TIME_WAIT
  TCP    technics:ldap           technics.multizite.local:1361           TIME_WAIT
  TCP    technics:ldap           technics.multizite.local:1452           TIME_WAIT
  TCP    technics:ldap           technics.multizite.local:1453           TIME_WAIT
  TCP    technics:1025           technics.multizite.local:1049           ESTABLISHED
  TCP    technics:1025           technics.multizite.local:1451           ESTABLISHED
  TCP    technics:1047           technics.multizite.local:ldap           ESTABLISHED
  TCP    technics:1049           technics.multizite.local:1025           ESTABLISHED
  TCP    technics:1143           technics.multizite.local:ldap           ESTABLISHED
  TCP    technics:1366           technics.multizite.local:epmap          TIME_WAIT
  TCP    technics:1367           technics.multizite.local:1025           TIME_WAIT
  TCP    technics:1450           technics.multizite.local:epmap          TIME_WAIT
  TCP    technics:1451           technics.multizite.local:1025           ESTABLISHED
  TCP    technics:1454           technics.multizite.local:microsoft-ds   TIME_WAIT
  TCP    technics:3389           PANASONIC:3265                          ESTABLISHED
Dheeraj Chawla
2006-05-14 15:33:01 UTC
Dear Andy,
All I feel is that your network connections to the
server are fine and have no problems. Do you feel any slowness in DNS name
resolution or any other processing issue? Try to get the Symantec version of
AV to scan your PC.

do let me know

Regards
ITNETADMIN.COM
WE BRING TECHNOLOGY TO YOU
Kevin D. Goodknecht Sr. [MVP]
2006-05-14 17:19:38 UTC
I believe that Dheeraj has it correct, DNS uses random dynamic ephemeral
ports to make outbound queries to other DNS servers unless you have set the
send port in the registry.
Normally, there is no need to make this registry entry because most
firewalls and packet filters allow outbound connections from any port to a
specific port.
813965 - Description of DNS registry entries in Windows 2000 Server, part 3
of 3: http://support.microsoft.com/default.aspx?kbid=813965
--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
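The check that Andy's netstat -ano run, Dheeraj's before/after comparison and Kevin's ephemeral-port explanation add up to, written out as an added example (this is not code from the thread or from any Microsoft tool). It joins `netstat -ano` sockets to image names by PID using `tasklist` output, flags bound ports inside the Windows 2000/2003 dynamic range 1024-5000 that Kevin refers to, and lists which bound ports vanish between a snapshot taken with the service running and one taken with it stopped. The two netstat captures and the tasklist capture are constructed, with hypothetical PIDs and addresses; the port numbers 1050 and 1395 are the ones from the thread, and which of them is TCP or UDP is an assumption.

```python
"""Triage listening ports per process from `netstat -ano` + `tasklist` text.

Added example, not from the original thread.  All sample output below is
constructed: PIDs, addresses and the TCP/UDP split are hypothetical.
"""
import re
from collections import defaultdict

# Default dynamic (ephemeral) client-port range on Windows 2000/XP/2003.
# Vista and later default to 49152-65535 (`netsh int ipv4 show dynamicport tcp`).
EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 5000

# Constructed `netstat -ano` capture with the DNS Server service running.
NETSTAT_DNS_RUNNING = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING       1240
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       452
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1050           0.0.0.0:0              LISTENING       1240
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       820
  TCP    172.16.0.2:389         172.16.0.2:1034        ESTABLISHED     452
  TCP    172.16.0.2:3389        172.16.0.16:3265       ESTABLISHED     820
  UDP    0.0.0.0:53             *:*                                    1240
  UDP    0.0.0.0:1395           *:*                                    1240
"""

# Constructed capture after `net stop dns`: every PID-1240 socket is gone.
NETSTAT_DNS_STOPPED = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       452
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       820
  TCP    172.16.0.2:389         172.16.0.2:1034        ESTABLISHED     452
  TCP    172.16.0.2:3389        172.16.0.16:3265       ESTABLISHED     820
"""

# Constructed `tasklist` capture (hypothetical PIDs, same as above).
TASKLIST = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0         236 K
lsass.exe                      452 Console                    0      12,112 K
svchost.exe                    820 Console                    0       3,008 K
dns.exe                       1240 Console                    0       5,120 K
"""

# TCP rows carry a State column; UDP rows do not, so State is optional.
_NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
_TASKLIST_LINE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def _split_endpoint(endpoint):
    """'0.0.0.0:53' -> ('0.0.0.0', 53); '[::]:53' -> ('[::]', 53); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse `netstat -ano` output into one dict per socket; skips headers."""
    sockets = []
    for line in text.splitlines():
        m = _NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        host, port = _split_endpoint(local)
        sockets.append({"proto": proto, "host": host, "port": port,
                        "foreign": foreign, "state": state or "", "pid": int(pid)})
    return sockets


def parse_tasklist(text):
    """Parse `tasklist` output into {pid: image name}."""
    return {int(m.group(2)): m.group(1).strip()
            for m in map(_TASKLIST_LINE.match, text.splitlines()) if m}


def bound_ports(sockets):
    """Sockets that can receive unsolicited packets: TCP LISTENING, and every
    UDP socket (UDP has no state; a resolver's 'send' socket is still bound)."""
    return [s for s in sockets
            if s["proto"] == "UDP" or (s["proto"] == "TCP" and s["state"] == "LISTENING")]


def ports_by_image(netstat_text, tasklist_text):
    """{image: sorted [(proto, port), ...]} for every bound port, joined on PID."""
    images = parse_tasklist(tasklist_text)
    result = defaultdict(set)
    for s in bound_ports(parse_netstat(netstat_text)):
        result[images.get(s["pid"], "<pid %d>" % s["pid"])].add((s["proto"], s["port"]))
    return {image: sorted(ports) for image, ports in result.items()}


def ephemeral_ports(netstat_text, tasklist_text):
    """Bound ports inside the dynamic range, tagged with the owning image."""
    return sorted((image, proto, port)
                  for image, ports in ports_by_image(netstat_text, tasklist_text).items()
                  for proto, port in ports if EPHEMERAL_LOW <= port <= EPHEMERAL_HIGH)


def vanished_ports(before_text, after_text):
    """Bound (proto, port, pid) present in the first capture but not the second."""
    key = lambda s: (s["proto"], s["port"], s["pid"])
    before = {key(s) for s in bound_ports(parse_netstat(before_text))}
    after = {key(s) for s in bound_ports(parse_netstat(after_text))}
    return sorted(before - after)


if __name__ == "__main__":
    for image, ports in sorted(ports_by_image(NETSTAT_DNS_RUNNING, TASKLIST).items()):
        print("%-12s %s" % (image, ", ".join("%s/%d" % p for p in ports)))
    print("dynamic-range:", ephemeral_ports(NETSTAT_DNS_RUNNING, TASKLIST))
    print("gone when stopped:", vanished_ports(NETSTAT_DNS_RUNNING, NETSTAT_DNS_STOPPED))
```

On a real box, paste in `netstat -ano` and `tasklist` captured with the service running and again after `net stop dns`. The range check only narrows the list: RDP's 3389 also sits inside 1024-5000, so in the sample it is flagged alongside dns.exe's 1050 and 1395. What clears a port is the combination of an owning image that is the expected binary on its expected path and a port that disappears with the service, which is the comparison Andy ran. Two further points worth knowing when reading the output: the DNS Server service also registers an RPC management interface that is assigned a dynamic TCP port, so a LISTENING TCP port owned by dns.exe is expected on its own; and pinning SendPort in the registry, as the KB article describes, fixes the UDP source port at a single value, which removes source-port entropy that helps resist cache poisoning, so leave it unset unless a packet filter forces it.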
Andy
2006-05-15 18:03:10 UTC
Thanks for all the replies, guys.
I've gone over all our firewall logs, and also done an extensive virus scan
of the machine, and it didn't locate anything funny. So I feel I can sleep
well.

/A.
