How do i block these ports?


Elliente
June 19th, 2002, 04:21 AM
here's my latest port scan on my machine:


TCP: 127.0.0.1 [135-epmap]
TCP: 127.0.0.1 [389-ldap]
TCP: 127.0.0.1 [1002]
TCP: 127.0.0.1 [1025-blackjack]
TCP: 127.0.0.1 [1720-h323hostcall]
TCP: 127.0.0.1 [3001-redwood-broker]
TCP: 127.0.0.1 [3002-exlm-agent]
TCP: 127.0.0.1 [3003-cgms]
TCP: 127.0.0.1 [5000-commplex-main]

are these open right now or what?
how do i go about blocking these?
i'm running winXP pro w/ Zone Alarm

casper3699
June 19th, 2002, 04:31 AM
go into custom settings and then block each port

Azn_Acid02
June 19th, 2002, 06:13 AM
It doesn't look like you scanned your ports online. Anyway if you did, you might have another program or software that's interfering and not intertwining with ZA's job as a firewall.

iNViCTuS
June 25th, 2002, 08:26 PM
I am assuming you got this output from a netstat or you scanned the machine from itself based on the loopback address showing up?

If you have a personal firewall running, you probably shouldn't worry about it because those ports will be blocked from an external source by default. But if you are really worried, scan the machine from another machine with nmap and see what is truly open...

I am also curious as to why you have ldap running, is this a work machine?

khakisrule
June 25th, 2002, 10:05 PM
Use netstat, and see if they really are open. I don't think they would be with zonealarm installed, zonealarm tends to block every port unless you give a program permission to use it and/or access the net. So, I don't really see how that's possible, but maybe you should try to reinstall zonealarm, so that the permissions are reset, or you edit them by using the zonealarm control panel. I strongly recommend that you reinstall, as there are programs that are designed to mess with firewall and antivirus settings upon execution, so if that is true, zonealarm may have been compromised. If reinstalling doesn't work, then try getting another firewall as well as running a full virus scan of your system.

Elliente
June 26th, 2002, 07:15 AM
I just recently ran netstat, and here it is:

TCP 24.156.105.52:139 0.0.0.0:0 LISTENING
TCP 24.156.105.52:1185 63.108.181.201:80 TIME_WAIT
TCP 24.156.105.52:1186 168.143.179.189:80 ESTABLISHED
TCP 24.156.105.52:1187 63.108.181.201:80 TIME_WAIT
TCP 24.156.105.52:1195 63.108.181.204:80 CLOSE_WAIT
TCP 24.156.105.52:1196 63.108.181.204:80 CLOSE_WAIT
TCP 24.156.105.52:9533 0.0.0.0:0 LISTENING

here is what i got when I scanned remotely:


TCP: 24.156.105.52 [135-epmap]
TCP: 24.156.105.52 [139-netbios-ssn]
TCP: 24.156.105.52 [1025-blackjack]
TCP: 24.156.105.52 [5000-commplex-main]
TCP: 24.156.105.52 [9533]

9533 appears to be open in both cases, along with 139
port 139 is a NETBIOS session service, couldn't find what 9533 is used for.

before this i re-installed zone alarm and disabled the Win XP (non)-firewall.

khakisrule
June 26th, 2002, 07:28 AM
Looks like you got something running that you don't want running. Try using another firewall, maybe you'll get different results. And run an antivirus scan as well. As for 139, are you using win95? There is a patch for that, but if you are going to install a new firewall anyway then you don't need it. And make sure you don't have file and printer sharing enabled.

ahmedmamuda
June 26th, 2002, 12:15 PM
yeah, i surely agree with KhaKisrule.
Try using another firewall, maybe you'll get different results. And run an antivirus scan as well.

Info_Au
June 26th, 2002, 01:29 PM
TCP: 24.156.105.52 [1025-blackjack]
Do you run Norton Antivirus liveupdate??..that would be port 1025

Elliente
June 26th, 2002, 05:36 PM
I'm not running any live update at all, I don't even have Norton on the system. It's Windows XP pro, no file and print sharing and auto windows updates is disabled. I'm running Zone Alarm.
Any ideas on other firewalls would be appreciated as well. (I don't want to run Tiny or McAfee)

iNViCTuS
June 28th, 2002, 09:38 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=#post) by Elliente
I just recently ran netstat, and here it is:

TCP 24.156.105.52:139 0.0.0.0:0 LISTENING
TCP 24.156.105.52:1185 63.108.181.201:80 TIME_WAIT
TCP 24.156.105.52:1186 168.143.179.189:80 ESTABLISHED
TCP 24.156.105.52:1187 63.108.181.201:80 TIME_WAIT
TCP 24.156.105.52:1195 63.108.181.204:80 CLOSE_WAIT
TCP 24.156.105.52:1196 63.108.181.204:80 CLOSE_WAIT
TCP 24.156.105.52:9533 0.0.0.0:0 LISTENING

here is what i got when I scanned remotely:


TCP: 24.156.105.52 [135-epmap]
TCP: 24.156.105.52 [139-netbios-ssn]
TCP: 24.156.105.52 [1025-blackjack]
TCP: 24.156.105.52 [5000-commplex-main]
TCP: 24.156.105.52 [9533]

9533 appears to be open in both cases, along with 139
port 139 is a NETBIOS session service, couldn't find what 9533 is used for.

before this i re-installed zone alarm and disabled the Win XP (non)-firewall.


Thanks for giving us your IP ;)

bombayofpigs
June 28th, 2002, 11:36 PM
seriously...

shouldn't give out ips and (especially what ports are open). The kiddiots will have a field day with this...

9533 is prolly some trojan.

Azn_Acid02
June 28th, 2002, 11:54 PM
On your ZA try going to the firewall section and go to advanced, try checking enable ARP protection, Allow uncommon protocols at High Security, and the one on top of the second one. If you're on a network, check the enable gateway protection.
The least security someone could have is an anti-virus because that's where some hacks first occur, with the victim's computer infected. I'd get your computer scanned at Trend Micro and get an Anti Virus. I barely noticed the fact of the netstat results you put. I'd get a DNS form of IP if you have broadband. Be careful when you post next time.

Elliente
July 5th, 2002, 03:07 AM
Wow, I guess that wasn't a very smart thing to do eh? Giving my IP address out I mean...LOL
Oh well, What I have running now is working great; McAfee and Sygate personal firewall; I recently ran some netstats and port scans, and everything is fine now! Come to think of it, Before my IP address changed a few days ago, I did notice a few more scans than normal!
Anyway, there are currently no open ports on my system! thanks for the input!

I guess I shouldn't give out my new IP eh!

prodikal
July 5th, 2002, 03:17 AM
if u r looking for a good firewall i would personally recommend agnitum outpost
here's the url if u r interested in it i find that it is better than zonealarm and sygate
http://www.agnitum.com

treeluvinhippy
July 13th, 2002, 05:53 AM
I agree wholeheartedly with iNViCTuS and bombayofpigs. You really shouldn't post IP info with open ports while admitting you can't find the log files for your IDS. Next time you should x out the address like this.

TCP xx.xxx.xxx.xx:1185 xx.xxx.xxx.xxx:80 TIME_WAIT

You should leave the port numbers so we can have some idea about what is running, misconfigured, etc.

I know it's a pain in the ass, but there are some things you shouldn't post in a public forum.
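
Added example, not part of the original thread: a small Python filter that does the redaction suggested in the last post before netstat or scanner output is pasted publicly. It replaces each distinct IPv4 address with a stable label so connections to the same host stay recognizable, and keeps ports, states, loopback and the 0.0.0.0 wildcard. The function name `redact`, the `HOST-n` labels and the sample lines (documentation-range addresses) are constructed for illustration.

```python
import ipaddress
import re

# Candidate dotted quads; each is validated with ipaddress before replacement.
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")


def redact(text):
    """Return (redacted_text, mapping) with one stable HOST-n label per address."""
    labels = {}

    def swap(match):
        raw = match.group(0)
        try:
            addr = ipaddress.IPv4Address(raw)
        except ValueError:
            return raw  # not a valid address (e.g. 999.1.1.1): leave untouched
        # Loopback and the 0.0.0.0 wildcard identify nobody and show how a
        # socket is bound, so they stay readable for whoever is helping.
        if addr.is_loopback or addr.is_unspecified:
            return raw
        # Same address always gets the same label, so repeated peers stay visible.
        return labels.setdefault(raw, "HOST-%d" % (len(labels) + 1))

    return IPV4.sub(swap, text), labels


# Constructed sample in the two formats seen in the thread (netstat and scanner).
SAMPLE = """\
TCP 192.0.2.10:139 0.0.0.0:0 LISTENING
TCP 192.0.2.10:1185 198.51.100.7:80 TIME_WAIT
TCP 192.0.2.10:1186 203.0.113.9:80 ESTABLISHED
TCP 192.0.2.10:1187 198.51.100.7:80 TIME_WAIT
TCP: 192.0.2.10 [135-epmap]
TCP: 127.0.0.1 [389-ldap]
"""

if __name__ == "__main__":
    cleaned, mapping = redact(SAMPLE)
    print(cleaned)  # safe to post
    # The mapping stays private; it lets the poster translate replies back.
    print(mapping)
```

The returned mapping is for the poster's own reference and should not be included in the post.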