Private Range Port Numbers with Established Connections


8 replies to this topic

#1 mikeb2623

mikeb2623

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:36 PM

Posted 26 March 2011 - 10:20 PM

I have just gotten rid of multiple infections and I was researching things and maybe a little paranoid, but noticed some private range ports with established connections. The system seems to run fine and they are Windows processes as far as I know. Please let me know. Thanks. I will post the netstat -b output in a Word doc momentarily.



#2 mikeb2623


Posted 26 March 2011 - 10:27 PM

Scratch that, it won't let me upload Word docs.

#3 mikeb2623


Posted 26 March 2011 - 10:28 PM

Microsoft Windows [Version 6.1.7601]
Copyright © 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>netstat -b

Active Connections

Proto Local Address Foreign Address State
TCP 127.0.0.1:27015 MikeB-THINK:49162 ESTABLISHED
[AppleMobileDeviceService.exe]
TCP 127.0.0.1:49162 MikeB-THINK:27015 ESTABLISHED
[iTunesHelper.exe]
TCP 127.0.0.1:50486 MikeB-THINK:50487 ESTABLISHED
[firefox.exe]
TCP 127.0.0.1:50487 MikeB-THINK:50486 ESTABLISHED
[firefox.exe]
TCP 127.0.0.1:50488 MikeB-THINK:50489 ESTABLISHED
[firefox.exe]
TCP 127.0.0.1:50489 MikeB-THINK:50488 ESTABLISHED
[firefox.exe]
TCP 192.168.1.73:51065 74.125.225.20:http CLOSE_WAIT
[x3watch.exe]
TCP 192.168.1.73:51163 www:http CLOSE_WAIT
[x3watch.exe]
TCP 192.168.1.73:51348 HP0D3552:microsoft-ds ESTABLISHED
Can not obtain ownership information
TCP [::1]:49155 MikeB-THINK:49157 ESTABLISHED
[LMS.exe]
TCP [::1]:49157 MikeB-THINK:49155 ESTABLISHED
[LMS.exe]

C:\Windows\system32>

#4 Andrew

Andrew

    Bleepin' Night Watchman


  • Moderator
  • 8,250 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Right behind you
  • Local time:05:36 PM

Posted 26 March 2011 - 11:21 PM

Proto Local Address Foreign Address State
TCP 127.0.0.1:27015 MikeB-THINK:49162 ESTABLISHED
[AppleMobileDeviceService.exe]
TCP 127.0.0.1:49162 MikeB-THINK:27015 ESTABLISHED
[iTunesHelper.exe]

These are associated with Apple mobile devices like iPhones and iPods as part of iTunes. They're safe.


TCP 127.0.0.1:50486 MikeB-THINK:50487 ESTABLISHED
[firefox.exe]
TCP 127.0.0.1:50487 MikeB-THINK:50486 ESTABLISHED
[firefox.exe]
TCP 127.0.0.1:50488 MikeB-THINK:50489 ESTABLISHED
[firefox.exe]
TCP 127.0.0.1:50489 MikeB-THINK:50488 ESTABLISHED
[firefox.exe]
TCP 192.168.1.73:51065 74.125.225.20:http CLOSE_WAIT

It's obvious why Firefox would have connections. Safe.



[x3watch.exe]
TCP 192.168.1.73:51163 www:http CLOSE_WAIT
[x3watch.exe]
TCP 192.168.1.73:51348 HP0D3552:microsoft-ds ESTABLISHED
Can not obtain ownership information

This one is interesting. It's a monitoring program which alerts someone via e-mail should you visit a pornographic or otherwise "immoral" website. Seems to come from some religious organization. If you're the one who put it there, then it's safe. http://x3watch.com/




TCP [::1]:49155 MikeB-THINK:49157 ESTABLISHED
[LMS.exe]
TCP [::1]:49157 MikeB-THINK:49155 ESTABLISHED
[LMS.exe]

These are harder to judge. You have (I think) a Lenovo/HP branded laptop and there is a known HP branded application called Local Manageability Service (lms.exe). Double check that this instance of lms.exe is in fact the HP software.

#5 mikeb2623


Posted 27 March 2011 - 04:57 PM

I did install the x3watch and I do have an HP wireless printer so it looks like I should be ok. The forum said that the private range ports should never have connections.

#6 Andrew


Posted 27 March 2011 - 06:52 PM

I'm not certain what you mean by "private range ports." Do you have a link to the page that talks about them?

#7 Animal

Animal

    Bleepin' Animinion


  • Site Admin
  • 34,543 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Where You Least Expect Me To Be
  • Local time:05:36 PM

Posted 27 March 2011 - 08:03 PM

I think what the member is referring to is the range of ephemeral ports, aka private ports, as noted by the IANA.

The IANA suggests 49152 to 65535 as "dynamic and/or private ports"


More information on 'short lived' or ephemeral ports: http://en.wikipedia.org/wiki/Ephemeral_ports and even more information http://www.ncftp.com/ncftpd/doc/misc/ephemeral_ports.html

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)



#8 mikeb2623


Posted 28 March 2011 - 02:29 PM

I'm not certain what you mean by "private range ports." Do you have a link to the page that talks about them?

This is the link I was referring to. Now that I read it again I see where I overreacted. http://www.bleepingcomputer.com/tutorials/tracing-a-hacker/

#9 Andrew


Posted 28 March 2011 - 02:58 PM

Oh, Bleeping Computer? Stay away from them, they're nothing but charlatans and scammers from what I hear... :whistle:

As far as I'm concerned, and others may disagree, ports over 1024 may be used by anyone for anything. Malicious software doesn't restrict itself to a subset of all ports, nor does it avoid using ports which are registered for other protocols.
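
An added example, not written by any poster in this thread: a small Python parser for `netstat -b` text like the output in post #3. It tags each TCP row by peer and owning process rather than by port range, and joins the two rows of each loopback connection so you can see which processes are talking to each other. The function and tag names are made up for this illustration, and the sample rows are a subset of the posted output.

```python
import re

# Constructed sample: a subset of the `netstat -b` rows posted in this thread.
SAMPLE = """\
TCP 127.0.0.1:27015 MikeB-THINK:49162 ESTABLISHED
[AppleMobileDeviceService.exe]
TCP 127.0.0.1:49162 MikeB-THINK:27015 ESTABLISHED
[iTunesHelper.exe]
TCP 192.168.1.73:51065 74.125.225.20:http CLOSE_WAIT
[x3watch.exe]
TCP 192.168.1.73:51348 HP0D3552:microsoft-ds ESTABLISHED
Can not obtain ownership information
TCP [::1]:49155 MikeB-THINK:49157 ESTABLISHED
[LMS.exe]
"""

EPHEMERAL = range(49152, 65536)   # IANA "dynamic and/or private" ports
LOOPBACK = {"127.0.0.1", "::1"}
ROW = re.compile(r"^TCP\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(\S+)$")

def parse(text):
    """Parse TCP rows; the line after each row names the owner (UDP is skipped)."""
    conns = []
    for line in map(str.strip, text.splitlines()):
        m = ROW.match(line)
        if m:
            keys = ("local", "lport", "remote", "rport", "state")
            conns.append(dict(zip(keys, m.groups()), owner=None))
            conns[-1]["local"] = conns[-1]["local"].strip("[]")
        elif conns and line.startswith("[") and line.endswith("]"):
            conns[-1]["owner"] = line[1:-1]
    return conns

def triage(conn):
    """Tag a connection by peer and owner; the port range alone decides nothing."""
    tags = []
    if conn["local"] in LOOPBACK:
        tags.append("loopback")          # two processes on this machine
    elif conn["lport"].isdigit() and int(conn["lport"]) in EPHEMERAL:
        tags.append("ephemeral-source")  # usual for an outbound client connection
    if conn["owner"] is None:
        tags.append("owner-unknown")     # identify the PID another way, e.g. netstat -o
    return tags

def loopback_pairs(conns):
    """Join both rows of each loopback connection (matched on port numbers)."""
    ends = {c["lport"]: c for c in conns if c["local"] in LOOPBACK}
    return {tuple(sorted((c["owner"] or "?", ends[c["rport"]]["owner"] or "?")))
            for c in ends.values() if c["rport"] in ends}
```
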



