Thread: Open Ports

  1. #1
    Junior Member
    Join Date
    Sep 2003
    Posts
    2

    Open Ports

    I have a small home network which I am attempting to secure with a Netgear FVS318 firewall router. I have a total of 3 PCs on the network running Windows ME, Windows XP Home and Windows XP Pro. I am considering adding a Linksys BEFSX41 firewall router after the FVS318 as an added layer of protection. I do not run any software firewalls on any of the machines; all firewall functions are done by the router. The problem is that I am finding unknown open ports. The port numbers are 5870 and 15101. I am seeking assistance in identifying the ports. For the time being, I have blocked them through the router, being that I do not know what they are.

  2. #2
    Senior Member
    Join Date
    Aug 2002
    Posts
    239
    Personally, I see no cause for concern. As you stated, all of your firewall functions are done through your Netgear router; this should be plenty sufficient for a home user.

    It may be some sort of auth service running from your router. I couldn't find much more, but as I stated, there's really no cause for concern.

    But, for the extra paranoid, run a scan-through for any trojans that may be binding to the unusually high port numbers. Also, you can use fport, which can map applications to the unusual ports. Get that here: http://www.foundstone.com/index.htm?...desc/fport.htm

    Good luck
    It's 106 miles to Chicago, we've got a full tank of gas, half a pack of cigarettes, it's dark and we're wearing sunglasses.

    Hit it!

  3. #3
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    The official list of assigned and well-known port numbers, and their assigned applications, can be found at
    http://www.iana.org/assignments/port-numbers

    Neither of the ports you mentioned is on that list, which is THE official list. Blocking them would be a good idea.
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  4. #4

    Port and process lists...

    Great port lookup web site: http://www.treachery.net/security_tools/ports/
    Good list of ports at http://keir.net/portlist.html

    FPort is good, as Showtime8000 indicated, but I have had problems with it on XP (at least the Home version).

    I know this isn't specifically what you asked about, but it might help to check what processes are running. Here are a few good tools (note: I don't work for and am not affiliated with any of these companies):
    - PrcView at http://www.prcview.com
    - Process Explorer by SysInternals at http://www.sysinternals.com
    - PSList by SysInternals at http://www.sysinternals.com

    Hope this helps you sleep at night!

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    371
    Personally, I don't rely on the iana port listings to determine what is responsible for opening ports on a host. I prefer finding out what application is opening these ports.

    For example, if you see port 1433 open on your machine, never assume that mssql is responsible for opening it. What if someone has installed netcat on your machine or a trojan, and configured it to open port 1433?

    I use a tool called Active Ports on my WinDoze machine. It's pretty good; it will tell you what application is responsible for each open port. Similar to the netstat -pa command on linux, but with a pretty interface.
    SoggyBottom.

    There were so many fewer questions when the stars were still just the holes to heaven - JJ
    I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.
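
The port-to-process check described in post #5, as an added example that is not part of the original thread: it joins `netstat -ano` listeners with `tasklist /fo csv /nh` output and flags any port whose owner is not the expected program. The sample output, the image name `unknown.exe` and the `EXPECTED` allowlist are constructed for illustration.

```python
import csv
import io

# Constructed sample in the layout of Windows `netstat -ano` (not from a real host).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       2316
  TCP    0.0.0.0:5870           0.0.0.0:0              LISTENING       1540
  TCP    192.168.0.2:1045       192.168.0.1:80         ESTABLISHED     1208
  UDP    0.0.0.0:15101          *:*                                    1540
"""

# Constructed sample in the layout of `tasklist /fo csv /nh`.
TASKLIST_SAMPLE = '''\
"svchost.exe","884","Console","0","3,456 K"
"iexplore.exe","1208","Console","0","18,220 K"
"unknown.exe","1540","Console","0","2,104 K"
"nc.exe","2316","Console","0","1,012 K"
'''

# Hypothetical allowlist: the image expected to own each listening port.
EXPECTED = {("TCP", 135): "svchost.exe", ("TCP", 1433): "sqlservr.exe"}

def pid_to_image(tasklist_csv):
    """Map PID -> image name from tasklist CSV output."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(tasklist_csv)) if len(r) >= 2}

def listeners(netstat_text):
    """Yield (proto, port, pid) for TCP LISTENING sockets and bound UDP sockets."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP") or (f[0] == "TCP" and f[3] != "LISTENING"):
            continue
        # rsplit keeps IPv6 local addresses such as [::]:135 intact; PID is the last column.
        yield f[0], int(f[1].rsplit(":", 1)[1]), int(f[-1])

def audit(netstat_text, tasklist_csv, expected=EXPECTED):
    """Return (proto, port, image, verdict); verdict is ok, mismatch or unexpected."""
    images = pid_to_image(tasklist_csv)
    rows = []
    for proto, port, pid in listeners(netstat_text):
        image = images.get(pid, "<pid %d not in tasklist>" % pid)
        want = expected.get((proto, port))
        verdict = "unexpected" if want is None else ("ok" if image.lower() == want else "mismatch")
        rows.append((proto, port, image, verdict))
    return rows

if __name__ == "__main__":
    print("\n".join("%-4s %-6d %-14s %s" % r for r in audit(NETSTAT_SAMPLE, TASKLIST_SAMPLE)))
```

In the constructed data, port 1433 is reported as a mismatch because its owner is `nc.exe` rather than the SQL Server image, which is the case the post warns about.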

  6. #6
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    Yes, you must still look at which application is actually using these ports. However, the iana list will tell you whether or not they are supposed to be listening on those ports. The list is not a good resource on its own. You must still be aware of why each port on your computer is open. So unless you have changed applications specifically to use different ports, most valid applications will appear on the list.

  7. #7
    Senior Member
    Join Date
    Aug 2002
    Posts
    239
    Originally posted here by SoggyBottom
    What if someone has installed netcat on your machine or a trojan, and configured it to open port 1433?
    Good point, but it's very difficult to backdoor through a router, especially a secure one.

  8. #8
    Junior Member
    Join Date
    Sep 2003
    Posts
    2
    Thanks for all the tips. I have simply closed the two ports in question through the firewall, especially since none of the process viewer apps advised in this thread showed why those ports were open. I have run a check for trojans, viruses and spyware and found nothing on any of my XP machines. I did find trojans on an older Windows ME machine that I never use. That may explain the mystery ports that showed open during the firewall test.

  9. #9
    Soggybottom and the group have some excellent information here!

    Let's not forget that an attacker cannot launch a backdoor from a remote machine unless the attacker already owns the system, of course. Check your system for "cleanliness". Many of the backdoor servers use known exploits in internet clients. Make sure you have the latest service packs and security updates as a first line of defense. Firewalls are a must! Shut down all unnecessary services (very important). Another way to block back doors is to prevent inbound access to listening ports commonly used by such programs. Monitor outbound firewall access control as well. Astute attackers will configure their servers to communicate over ports like 80 and 25.

    Don't fall for the "nice free programs to remove backdoors", for example..... a BO-removal tool called BoSniffer is itself a trojan!


    Here is a list of anti-virus companies. Some include trojan scanners.

    http://support.microsoft.com/default...NoWebContent=1

    Welcome to the silent world of control!

    Good luck,


    DarkCarniv0l
    "The Only Kind Of Good Clown.... Is A Clown Gone Bad"
