[LINK] One must wonder

rchirgwin at ozemail.com.au rchirgwin at ozemail.com.au
Fri Sep 2 12:57:58 EST 2005 

*Disclaimer: correction on technical detail welcome.*

Jan, picking it up as 'twere explained to me...

If by "svc acronyms" you mean things associated with svchost, it's because svchost is invoked by the various windows applications ... It stands for "Services host". You could think of it as a "shell" in which apps run, I suppose (sorry for the vagueness of the picture).

The upshot of this is that if you look at Task Manager, you'll see a lot of instances of svchost - because you've loaded a variety of applications.

"Is svchost.exe spyware?" is a very common question (and I gather that there are some virii which imitate or replace svchost.exe with themselves, but I haven't seen this with my own eyes. 

Of course, rogue applications opening svchost.exe will make people think that svchost itself is the rogue application...

Regarding port numbers; I will most certainly slip up here, but someone can correct me!

Some applications have fixed port numbers, for eg http and Port 80 - but this is fixed in one direction only (?outgoing?). So the browser sets up its Port 80 connection out, but the return path picks up a "free" (ie, not assigned to any one application) port number. 

I *think* that's accurate? Enough?

Some applications are designed to grab free ports, and of course some applications are designed to use ports assigned to other applications as a means of crossing the firewall (for eg, non-browser applications using Port 80 because nobody blocks it).

The paranoid home user should, of course, tell the firewall that *only* the "legitimate" application should use a given port. Hence in my firewall only Firefox is given permission to open a Port 80 connection - this breaks IE which is a cross I'm prepared to bear!

What I'm getting at is that if you start looking at "all these ports" running on your machine, it's liable to cause unnecessary fright. The important corollary to an open port on your own machine is the identity of the machine it's talking to: it's often "localhost" - ie, the connection exists but it's going nowhere. 

The ISC graph doesn't refer to your machine, Jan. It's a plot of what SANS sees in firewall logs submitted to it by participants. So if a new malware exploits a particular service or port, that port gets lots of scans, the firewalls log lots of events, it shows up spiked on the chart.

Cheers,
Richard 

> 
> From: Jan Whitaker <jwhit at melbpc.org.au>
> Date: 02/09/2005 9:11:16
> To: adamneat at anoti.com
> CC: link at anu.edu.au
> Subject: RE: Re: [LINK] One must wonder
> 
> At 01:51 PM 1/09/2005, Adam Neat wrote:
> 
> >If people are keen to understand what processes running on their Windows box
> >are making network connections, look for a tool called F-Port. Lists all
> >network connections (in all states) in a similar manner to netstat, but then
> >also associates each process to network connections (in all states).
> 
> Made me look to see what Sygate Firewall tells me and I discovered it tells 
> me quite a lot. If you look under View/Connection Details, then hover on 
> each of them, it will show what is being run. The problem is that I don't 
> have a clue if it's a good thing running or a bad thing running. I did a 
> google on Gilat Skysurfer and came up with a site, 
> isc.sans.org/port_details.php?port=3013 , that does a port graph [my data?] 
> of ??. It sounds like it's all bad, but I have no clue.
> 
> That's just one example. What about all the svc acronyms that are shown? 
> It's all well and good to find the info, but then what? Any good tute 
> links, Linkers?
> 
> Jan
> 
> 
> 
> JLWhitaker Associates
> Melbourne, Victoria, Australia
> jwhit at melbpc.org.au  --  http://member.melbpc.org.au/~jwhit/whitentr.htm
> 
> 'Seed planting is often the most important step. Without the seed, there is 
> no plant.' - JW, April 2005
> _ __________________ _
> 
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link
> 

This message was sent through MyMail http://www.mymail.com.au

More information about the Link mailing list