Many Connections to weird Ports??

Well, I saw this title in one of our analytics & I have not had the pleasure of writing about computer security related topics for a while, so I think it's time for one. This question came directly from a major search engine & somehow this person landed on my blog. I will be covering 'weird connections to TCP/IP ports'. This spans all operating systems that have some sort of connection to other computers over any distance (excluding FireWire, USB and parallel ports). What you will need to know first is some basic information on TCP and IP (extremely basic, nothing in depth about headers, as that would go beyond the scope of the article). Secondly, how to check up on what is happening with some cool built-in commands everyone who owns a computer should know. Finally, we will figure out if anything fishy is happening on the local computer in regards to worms, trojans etc. by examining the ports that show as open and/or listening.

First thing's first. TCP/IP is implemented on every computer that can connect to the internet. It's just that basic: it's the set of protocols that tells computers how communication between them is to be handled. TCP and IP are two different layers with two different jobs. First: TCP is connection oriented, meaning in order for a computer to talk with another computer via TCP a connection must be established, and as soon as communication is to cease the connection is torn down (sometimes in a polite manner, with FIN packets, & sometimes abruptly, with a RST), after which no further communication can happen on it. When a computer decides it wants to talk with another computer it sends a SYN that says 'hello, can you ACKnowledge me wanting to talk with you & say hello too? I want to talk about a web page, is port 80 ok?'. A nice hello & acknowledgment (SYN/ACK) is sent back: 'hello, I got your request to chat, do you still want to chat?'. The first computer sends back an acknowledgment (ACK): 'Yes, I want to talk. Connection is now established'. This sums up, in layman's terms, the three-way handshake: SYN, SYN/ACK, ACK packets being sent back and forth to establish a connection, a data stream if you will.

Next, you have what basically amounts to a connectionless, stateless service. The IP packet, Mr. IP packet, is very simplistic. Mr. IP packet is a worthless employee, because he makes no guarantees of getting to a location; you can send him out in a suit & he may show up at the client in flip-flops & a Hawaiian shirt, hell, he might even show up twice at the same location even though he was only required to show up once (TCP is what puts the bytes back in order, throws away duplicates & asks again for lost ones). The only thing he does maintain is that he will show up saying he came from you, and even that is only a claim: nothing in IP itself stops somebody else from writing your address on the envelope, which is why spoofed packets exist. It basically carries mundane details about the computers, such as their addresses, & holds other information too, but that goes beyond the scope of this article. It's the part used for routing between networks, & TCP rides on top of it.

<h2>About Ports</h2>

Let's move onto ports and what they do. Ports are sorta the portholes (pun intended) into the PC's communication. Each port is normally associated with a given function; for example, when a computer talks to a web server & wants to get a web page, the HTTP traffic will normally use port 80 on the machine hosting the web server. That is where the connection is established & that is where the connection pertaining to web page viewing will come to an end. If you are communicating with a server & uploading/downloading things through what's called the File Transfer Protocol, this communication normally starts on port 21. But you must remember this about the communication: these ports, 80 and 21 for example, are ports waiting for a connection on the server. This is by no means the port you will see on the local host (yourself) when you are the one connecting. You will see some random high port assignment on the local host (an ephemeral port the operating system picks for you), but a familiar port like 21 or 80 on the server side. For an incoming connection, where somebody connects to a service on your machine, it is the other way round and you will most likely see something like:

Your_IP_ADDRESS:80  SOME_OTHER_IP_ADDRESS:4211  <-- a PC connecting to your PC on port 80
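To make the two sides concrete, here is an added example (my own, not part of the original post) that opens a throwaway service on a loopback port, connects to it, and renders each side's connection the way netstat's Local Address / Foreign Address / State columns would. The service port is whatever the OS hands out for port 0 and stands in for a fixed port like 80; the client's port is never chosen by the client, the kernel assigns an ephemeral one.

```python
import socket
import threading


def netstat_view(local, foreign, state):
    """Render one connection the way netstat's Local/Foreign/State columns do."""
    return f"{local[0]}:{local[1]}  {foreign[0]}:{foreign[1]}  {state}"


def demo_ephemeral_port():
    """Stand up a tiny 'service' on loopback, connect to it, and report what
    each side sees. Returns a dict the caller (or a test) can inspect."""
    # Server side: bind to loopback and let the OS pick a free port (port 0).
    # That port plays the role of a well-known service port such as 80 or 21.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    service_port = srv.getsockname()[1]

    accepted = {}

    def serve_one():
        conn, peer = srv.accept()   # returns once the three-way handshake is done
        accepted["conn"] = conn
        accepted["peer"] = peer     # the client's address:port as the server sees it

    t = threading.Thread(target=serve_one)
    t.start()

    # Client side: connect() performs SYN -> SYN/ACK -> ACK. The client never
    # names its own port; the kernel assigns an ephemeral one.
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.connect(("127.0.0.1", service_port))
    t.join()

    view = {
        "service_port": service_port,
        "client_local": cli.getsockname(),    # ('127.0.0.1', <ephemeral port>)
        "client_remote": cli.getpeername(),   # ('127.0.0.1', service_port)
        "server_peer": accepted["peer"],      # identical to client_local
        "client_line": netstat_view(cli.getsockname(), cli.getpeername(), "ESTABLISHED"),
        "server_line": netstat_view(accepted["conn"].getsockname(), accepted["peer"], "ESTABLISHED"),
    }
    for s in (cli, accepted["conn"], srv):
        s.close()
    return view


if __name__ == "__main__":
    v = demo_ephemeral_port()
    print("listening service port:", v["service_port"])
    print("client's netstat line :", v["client_line"])
    print("server's netstat line :", v["server_line"])
```

Run it and the client's line shows a high, different port every time on the local side with the fixed service port on the foreign side, while the server's line shows the reverse; that mirror image is what you are reading when you look at netstat from one end.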

If you run this from the command line (Start -> Run -> cmd, command or command.com brings up the command prompt on Windows; on Linux or a Mac open a terminal), then once that little black box is up & running type "netstat -ta" (without the quotes) on Linux, or "netstat -an" on Windows, where -a also shows listening ports & -n skips the slow name lookups. On current Linux distributions netstat may not be installed; "ss -tan" prints the same information. You will see what TCP communication is currently happening on your computer. The next part is my explanation of the netstat command & what the result of the command means. If you would rather look at a wiki, just Google netstat. But it's my own explanation, even if it is a bit wordy.

[figure: view of the netstat command in action]

First column tells you what the protocol in use is: tcp or udp (with netstat -t you will only see TCP, which is what we care about here).
Second & third columns are Recv-Q & Send-Q, bytes queued on this socket that the program hasn't read yet or that the other side hasn't acknowledged yet. Don't worry about these too much; the netstat documentation covers them, and they are normally 0.
Fourth column is very important: this tells us what the local end of each connection looks like. What you will see here is your IP address (whatever your computer's numeric address is; from the 192.168.1.102 in the figure you can see I'm on a private local area network, your address will differ, especially if you're plugged straight into a modem and using the address your ISP gave you) followed by a colon and the port, so 192.168.1.102:4241 is my address and the local port of that connection. 4241 is an ephemeral port, picked by the operating system when my browser opened the connection; it will be a different high number every time, that's just how the computer works unless you've changed the kernel's ephemeral port range. The *:x11 entry in the figure is different: it is a listening socket, not tied to one address, for X11 (TCP port 6000). More importantly, read this column together with the State column: LISTEN means the port is waiting for somebody to connect, ESTABLISHED means a connection with another PC is actually happening.
Fifth column is something special too. This tells me the other end of the connection: the foreign computer's address and port. As you can see I have an http connection (port 80) to some server, which is natural since I'm looking at a web page. The * in *:x11 basically states that the listener is bound on every interface rather than one address, & the *:* in the foreign column means no remote IP address or port is associated with it yet, because nobody has connected. Keeping it that way is a good thing: if I didn't have a firewall in place between me & the internet I would run the risk of someone talking to my display server and seeing what I see. (X11 is the windowing environment on Unix-like systems, sorta like what you see when you use Windows. It is a GUI.)
Sixth column tells me what state the connection is in. Since I'm communicating with a web server the connection is in the ESTABLISHED state, because TCP requires the handshake to complete before any data can flow. The LISTEN state is just that: my computer is waiting for some other computer to establish a connection & is willing to accept one.

You can skip to here if you want

Just to restate: if you see high weird ports in the LOCAL ADDRESS column on ESTABLISHED connections, you have nothing to worry about; that is just the ephemeral port your side picked & that's how computers work. But what is weird? Well, weird would be a LISTEN entry like 192.168.1.102:21 (or *:21) under the local column. That would pretty much signify something fishy, seeing how I'm not running an FTP service; something is clearly up. The same goes for a LISTEN on some high port you can't account for: a big number does not make a listener harmless. But skip to the end & we will see how we can tell if something fishy is really happening by port scanning.

Now, if you see weird connections happening in the fifth column, to a foreign server, then you should scratch your head a little. This could be the call-back (normally done over IRC ports) of some virus or bot: the infected machine opens an outbound connection so the attacker can control it, and outbound connections sail through most home firewalls. This is where one has to do a little poking around. Do some basic investigation: when you see that weird port, just type it into Google as "port XXXX"; you can even type in the entire address if you want. This should display some information about what is going on; more than likely it is something mundane like a connection to an instant messaging service like AOL or MSN. It is often more useful to search for the entire foreign column entry, "IP_ADDRESS:PORT", since that can tell you whose server it is.
Another thing to do is consult a common port list (the IANA service names and port numbers registry, or /etc/services on Linux). Look under the decimal column to find the port you're looking at, and to the right of that number you will see the services likely associated with it. Use some common sense here: if you're not connected to an FTP server uploading information, or it tells you the port is an IRC port & you have no idea what IRC chat is, something is up & you should have your computer scanned with an online virus scanner in safe mode with networking support. Possibly call a professional.
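Here is the same triage as added example code (mine, not from the original post), run over a constructed "netstat -tan" listing that contains the cases discussed above: the X11 listener, an FTP listener I don't run, a listener on an odd high port, an ordinary web connection from an ephemeral port, an outbound connection to an IRC port, and somebody connected inbound to that FTP port. The expected-listener set, the suspicious-port table and the sample lines are all assumptions made for the example; adjust them to your own machine. The direction of an ESTABLISHED connection is worked out from the listing itself: if the local port is one the machine is LISTENing on, the connection came in, otherwise it went out.

```python
import re

# Constructed sample of `netstat -tan` output (TCP only, numeric ports). These
# lines are made up for this example; they are not the author's screenshot.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.102:4241      93.184.216.34:80        ESTABLISHED
tcp        0      0 192.168.1.102:4502      198.51.100.7:6667       ESTABLISHED
tcp        0      0 192.168.1.102:21        203.0.113.9:51234       ESTABLISHED
"""

# Remote ports an ordinary desktop has little reason to talk to; IRC is the
# classic bot call-back channel. Extend this table to taste (assumption).
SUSPICIOUS_REMOTE_PORTS = {6667: "irc", 6668: "irc", 6669: "irc", 31337: "classic backdoor port"}

WILDCARD_HOSTS = {"0.0.0.0", "*", "::", ":::"}
# proto, Recv-Q, Send-Q, local, foreign, state, then optional extra columns (-p)
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)(?:\s.*)?$")


def split_addr(addr):
    """'192.168.1.102:4241' -> ('192.168.1.102', 4241); a '*' port becomes None."""
    host, port = addr.rsplit(":", 1)
    return host, (None if port == "*" else int(port))


def parse_netstat(text):
    """Turn the TCP lines of a netstat listing into dicts; skip everything else."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, UDP, unix sockets
        proto, local, foreign, state = m.groups()
        rows.append({"proto": proto, "local": split_addr(local),
                     "foreign": split_addr(foreign), "state": state})
    return rows


def triage(text, expected_listeners=frozenset(), suspicious=SUSPICIOUS_REMOTE_PORTS):
    """Apply the rules of thumb from the post and return a list of findings."""
    rows = parse_netstat(text)
    listening = {r["local"][1] for r in rows if r["state"] == "LISTEN"}
    findings = []
    for r in rows:
        (lhost, lport), (fhost, fport) = r["local"], r["foreign"]
        if r["state"] == "LISTEN":
            if lport in expected_listeners:
                continue
            exposed = lhost in WILDCARD_HOSTS   # reachable from the network, not just localhost
            findings.append({"kind": "unexpected_listener", "port": lport,
                             "severity": "high" if exposed else "low",
                             "note": "bound to all interfaces" if exposed else f"bound to {lhost} only"})
        elif r["state"] == "ESTABLISHED":
            if lport in listening:
                # Local side is one of our service ports: this connection came IN.
                if lport not in expected_listeners:
                    findings.append({"kind": "inbound_to_unexpected_service", "port": lport,
                                     "severity": "high", "note": f"client {fhost}:{fport}"})
            elif fport in suspicious:
                # High local port + odd remote port: a client-side call-out.
                findings.append({"kind": "suspicious_outbound", "port": fport,
                                 "severity": "high", "note": f"{fhost}:{fport} ({suspicious[fport]})"})
            # Otherwise an ephemeral local port talking to a normal remote port
            # (80, 443, ...) is ordinary client traffic and is not reported.
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_NETSTAT, expected_listeners={6000, 631}):
        print(f"[{f['severity']}] {f['kind']}: port {f['port']} ({f['note']})")
```

With X11 and the loopback-only CUPS port declared as expected, the sample produces four findings: the FTP and 31337 listeners, the outbound IRC connection, and the inbound connection to the FTP port. The 4241 -> 80 web connection is correctly ignored. Adding 21 and 31337 to the expected set (i.e. you really do run them) leaves only the IRC call-out.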

Let's check for fishy services.

Ok, this will take no skill whatsoever. What we will do is enlist the help of a port scanner called nmap. You can download nmap from the project's site & thank Fyodor. Just find your operating system and follow the directions; remember, if you're running Windows you must also download & install the packet capture driver, WinPcap (newer nmap builds ship Npcap instead), whose download location you will find on the nmap page. Remember, it's command line, & may I recommend for ease of use that you install both directly into the root drive (C:\). After you have installed WinPcap & nmap on the system you will have to open the command line once again. Navigate to the folder you installed nmap in (should be something like C:\nmap). Once you're in the directory you can type the following command (-sS is a SYN scan, -sV asks nmap to identify the service behind each open port, & -p1-65535 covers every TCP port rather than just the common ones; SYN scanning needs administrator or root rights):

nmap -sSV YOUR_IP_ADDRESS_HERE -p1-65535

What nmap will then display is all open ports on your system that are waiting for a connection. It gives you not only the port number but the service normally associated with it, & whatever -sV could work out from the banner. More than likely it will be the common service for that port; for an unknown virus nmap won't report a helpful service name, it will only tell you the port is open, but if the virus writer was daft, then maybe they did put up a banner announcing it to the world. Just do some research on the open ports. One caveat: with WinPcap the Windows build of nmap could not scan the machine it was running on, so if your self-scan comes back empty or errors out, run it from a second computer on your network instead; that also shows you exactly what a neighbour on your LAN can reach.

The output could look similar to something like:

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0

----------------------------------------
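What a port scan is doing for each port, boiled down: a connect scan (nmap's -sT; the -sS SYN scan above answers the same question without finishing the handshake) decides open/closed/filtered from how the TCP handshake ends, and the simplest trick behind -sV is to read whatever greeting the service sends. The following is an added example (mine, not nmap's code and not from the original post) that does exactly that against a throwaway loopback service which announces itself with a made-up banner, the "daft virus writer" case above; the service helper, the banner text and the scanned port range are all constructed for the demo.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=0.5):
    """Full TCP connect to one port. Returns (state, banner) with state
    'open' (handshake completed), 'closed' (RST, i.e. connection refused) or
    'filtered' (no answer within the timeout), the same words nmap prints."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed", b""
        except OSError:               # includes socket.timeout / TimeoutError
            return "filtered", b""
        # Crude version of what -sV does first: wait briefly for a greeting.
        try:
            banner = s.recv(128)
        except OSError:
            banner = b""
        return "open", banner.strip()


def connect_scan(host, ports, workers=32):
    """Probe many ports in parallel; return {port: banner} for the open ones."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: (p, probe(host, p)), ports)
        return {p: banner for p, (state, banner) in results if state == "open"}


def start_banner_service(banner):
    """Stand-in for a chatty service (or a daft backdoor) on a random loopback
    port: greets every client with `banner`, then hangs up.
    Returns (port, stop) where stop() shuts the service down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    srv.settimeout(0.1)               # so the accept loop can notice stop_flag
    stop_flag = threading.Event()

    def run():
        while not stop_flag.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)

    t = threading.Thread(target=run, daemon=True)
    t.start()

    def stop():
        stop_flag.set()
        t.join()
        srv.close()

    return srv.getsockname()[1], stop


def find_closed_port():
    """Pick a loopback port nothing listens on: bind port 0, read the number
    the kernel handed out, release it again."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port, stop = start_banner_service(b"220 backdoor v0.1 ready\r\n")
    try:
        found = connect_scan("127.0.0.1", range(port - 5, port + 6))
        for p, banner in sorted(found.items()):
            print(f"{p}/tcp open  {banner.decode(errors='replace') or '(no banner)'}")
    finally:
        stop()
```

Only the port with the fake service shows up as open, and it is reported with its banner; a port where nothing listens comes back "closed" instantly because the kernel answers the SYN with a RST, while a port a firewall silently drops would time out as "filtered". The same three outcomes are what you are reading in nmap's STATE column.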

Important note: if you know you don't run anything like this & are totally lost by this point, call a professional, or try your hand at it: Run >> services.msc & look for something that says web server, such as "World Wide Web Publishing Service", which is IIS. If it says Running, stop it (and set its startup type to Disabled so it stays off). If it reports it is stopped but the port still shows as open, well, something is messed up with your system: run an online virus scanner such as Trend Micro's HouseCall, or reinstall Windows.

<h2>Stopping the Fishy activity</h2>

If you have a router or firewall, you should block incoming connections to all ports if you're not hosting some service like a web server. There is just no reason to allow unsolicited incoming connections to your computer; your web browsing, mail & chat keep working, because those connections start from your side. Please use some common sense with that last note: if you're running a web server then yeah, you'll want to allow incoming connections on its port, & then again I would trust you had a bit more knowledge. I guess this is the end of the post. If I've inspired some FUD (Fear, Uncertainty & Doubt), sorry, I was only trying to help. I hope you at least have a better understanding & can probe the question a little better in your next search.
Cheers!
