Foundstone's Fport utility maps every listening TCP and UDP port on the host to the process ID that owns it and the full path of that process's executable. That path is what makes it useful here: a listener is only "normal" if the binary behind it is the one you expect, in the directory you expect.
Note: Fport will only work on Windows NT, 2000, XP. I'd like to hear from anyone who is aware of a similar tool for Win9x and ME.
What to look for: every entry in the list should be explainable. Check the path on each line, not just the process name. A system process name running from anywhere other than %SystemRoot%\system32, a near-miss spelling of a system binary, or a listener with no obvious owner deserves a closer look. Keep in mind that Fport asks the running system which process owns which port, so a kernel-level rootkit can hide a listener from it; confirm the picture with a port scan from a separate host.
C:\> fport
FPort v1.33 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid    Process            Port   Proto  Path
776    tcpsvcs        ->  7      TCP    C:\WINNT\System32\tcpsvcs.exe
776    tcpsvcs        ->  9      TCP    C:\WINNT\System32\tcpsvcs.exe
776    tcpsvcs        ->  13     TCP    C:\WINNT\System32\tcpsvcs.exe
776    tcpsvcs        ->  17     TCP    C:\WINNT\System32\tcpsvcs.exe
776    tcpsvcs        ->  19     TCP    C:\WINNT\System32\tcpsvcs.exe
> Looks like Simple TCP/IP Services (echo, discard, daytime, qotd, chargen) are installed... TODO disable this
408    svchost        ->  135    TCP    C:\WINNT\system32\svchost.exe
8      System         ->  139    TCP
8      System         ->  445    TCP
> Usual Microsoft Networking ports... TODO install firewall, these must not be exposed to the Internet!
756    MSTask         ->  1025   TCP    C:\WINNT\system32\MSTask.exe
> Usual Task Scheduler...
8      System         ->  1027   TCP
> ???...
1192   navapw32       ->  1041   TCP    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
> Norton AntiVirus... we see what good it did.
340    fwenc          ->  1045   TCP    C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe
340    fwenc          ->  1046   TCP    C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe
> Check Point SecuRemote... the host has a VPN client installed, so the attacker now has a path into whatever network this host VPNs into.
11908  NLNOTES        ->  3123   TCP    C:\notes\NLNOTES.EXE
> Something associated with Lotus Notes... not sure why a mail *client* would need listening ports.
9496   scvhost        ->  4297   TCP    c:\progra~1\Microsoft\Update\DLL\tk\scvhost.exe
> RED ALERT: This looks like a bogus directory and a name made to look Microsoft-related: scvhost.exe vs. svchost.exe!!
8      System         ->  4618   TCP
8      System         ->  4619   TCP
8      System         ->  4865   TCP
8      System         ->  4866   TCP
> ???...
11572  awhost32       ->  5631   TCP    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
> pcAnywhere... TODO install firewall, this must not be exposed to the Internet!
980    beremote       ->  6103   TCP    C:\bentaa\beremote.exe
> Backup Exec client backup... expected
992    Explorer       ->  43958  TCP    c:\progra~1\Microsoft\Update\DLL\tk\Explorer.exe
992    Explorer       ->  60000  TCP    c:\progra~1\Microsoft\Update\DLL\tk\Explorer.exe
> RED ALERT: Again, more things made to look Microsoft-related. Explorer.exe belongs in %SystemRoot%, not under c:\progra~1\Microsoft\Update\DLL\tk.
776    tcpsvcs        ->  7      UDP    C:\WINNT\System32\tcpsvcs.exe
776    tcpsvcs        ->  9      UDP    C:\WINNT\System32\tcpsvcs.exe
776    tcpsvcs        ->  13     UDP    C:\WINNT\System32\tcpsvcs.exe
776    tcpsvcs        ->  17     UDP    C:\WINNT\System32\tcpsvcs.exe
776    tcpsvcs        ->  19     UDP    C:\WINNT\System32\tcpsvcs.exe
> Looks like Simple TCP/IP Services are installed... TODO disable this
408    svchost        ->  135    UDP    C:\WINNT\system32\svchost.exe
8      System         ->  137    UDP
8      System         ->  138    UDP
8      System         ->  445    UDP
> Usual Microsoft Networking ports... TODO install firewall, these must not be exposed to the Internet!
828    snmp           ->  161    UDP    C:\WINNT\System32\snmp.exe
> SNMP... TODO disable unless necessary
512    svchost        ->  520    UDP    C:\WINNT\System32\svchost.exe
> udp/520 is the RIP routing protocol... doubt that is needed. TODO disable
216    services       ->  1026   UDP    C:\WINNT\system32\services.exe
> Not sure what this is, but have seen other normal hosts with it open
228    lsass          ->  500    UDP    C:\WINNT\system32\lsass.exe
> udp/500 is IKE (ISAKMP); on Windows 2000 lsass.exe handles IPsec key exchange, so this one is expected.
340    fwenc          ->  259    UDP    C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe
340    fwenc          ->  1044   UDP    C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe
> Check Point SecuRemote... the host has a VPN client installed, so the attacker now has a path into whatever network this host VPNs into.
11572  awhost32       ->  5632   UDP    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
> pcAnywhere... TODO install firewall, this must not be exposed to the Internet!
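Fport hands you the path, but the two findings above were still caught by eye: a system process name (Explorer) running from the wrong directory, and a one-letter-swap lookalike (scvhost vs. svchost). The following is an added example, not Fport's code and not part of the original write-up: a small Python triage script that parses Fport-style output and applies exactly those two checks across every line. The sample output is a constructed excerpt in Fport's column layout, and the trusted %SystemRoot% (C:\WINNT, as printed by this host), the list of system process names and the edit-distance threshold are assumptions you would tune for your own environment.

```python
"""Triage Fport-style output: flag listeners whose process name is a
Windows system binary running from outside %SystemRoot%, and names that
are near-misses of well-known system process names (scvhost vs svchost).

Added example; not part of Foundstone's Fport or the original write-up.
"""
import re
from dataclasses import dataclass, field

# Assumption: %SystemRoot% on this Windows 2000 host, as seen in the Fport paths.
SYSTEM_ROOT = r"C:\WINNT"
# Assumption: process names we treat as "system" and therefore expect under SYSTEM_ROOT.
KNOWN_SYSTEM = {"svchost", "services", "lsass", "explorer", "winlogon",
                "csrss", "smss", "spoolsv", "mstask", "tcpsvcs", "snmp"}
LOOKALIKE_MAX_DISTANCE = 2  # assumption: how close a name must be to count as a lookalike

# Constructed sample modelled on Fport's columns: Pid Process -> Port Proto Path
SAMPLE = r"""
Pid    Process            Port   Proto  Path
776    tcpsvcs        ->  7      TCP    C:\WINNT\System32\tcpsvcs.exe
408    svchost        ->  135    TCP    C:\WINNT\system32\svchost.exe
8      System         ->  139    TCP
756    MSTask         ->  1025   TCP    C:\WINNT\system32\MSTask.exe
340    fwenc          ->  1045   TCP    C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe
9496   scvhost        ->  4297   TCP    c:\progra~1\Microsoft\Update\DLL\tk\scvhost.exe
11572  awhost32       ->  5631   TCP    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
992    Explorer       ->  43958  TCP    c:\progra~1\Microsoft\Update\DLL\tk\Explorer.exe
228    lsass          ->  500    UDP    C:\WINNT\system32\lsass.exe
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")


@dataclass
class Finding:
    pid: int
    process: str
    port: int
    proto: str
    path: str
    reasons: list = field(default_factory=list)


def parse_fport(text):
    """Return (pid, process, port, proto, path) tuples; path is '' when Fport prints none."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pid, proc, port, proto, path = m.groups()
            rows.append((int(pid), proc, int(port), proto, path))
    return rows


def edit_distance(a, b):
    """Levenshtein distance; scvhost vs svchost is 2 (two swapped letters)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def under_system_root(path):
    return path.lower().replace("/", "\\").startswith(SYSTEM_ROOT.lower() + "\\")


def triage(text):
    findings = []
    for pid, proc, port, proto, path in parse_fport(text):
        name = proc.lower()
        if name == "system" and not path:
            continue  # kernel-owned listener; Fport prints no path for PID 8 'System'
        reasons = []
        if name in KNOWN_SYSTEM:
            if not under_system_root(path):
                reasons.append(f"system binary name running from outside {SYSTEM_ROOT}")
        else:
            # Lookalike check only for names long enough to make a near-miss meaningful.
            for known in sorted(KNOWN_SYSTEM):
                if len(name) >= 5 and edit_distance(name, known) <= LOOKALIKE_MAX_DISTANCE:
                    reasons.append(f"name is a lookalike of {known}")
            if reasons and not under_system_root(path):
                reasons.append(f"and it runs from outside {SYSTEM_ROOT}")
        if not path:
            reasons.append("no executable path reported")
        if reasons:
            findings.append(Finding(pid, proc, port, proto, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.pid:>6} {f.process:<10} {f.proto}/{f.port:<6} {f.path}")
        for r in f.reasons:
            print(f"       > {r}")
```

Run against the constructed sample, the script reports only the scvhost and Explorer listeners from the tk directory; the legitimate svchost, lsass, MSTask and tcpsvcs entries under C:\WINNT, and third-party binaries such as fwenc and awhost32, pass silently. Extend KNOWN_SYSTEM and SYSTEM_ROOT for the OS version you are examining.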