
Thread: ...the ports that cannot be closed because something else is already using them.

  1. #11 (Junior Member, Join Date Apr 2004, Posts 18)
    Soma56,

    I am extremely concerned that you have so many active network connections and suspicious ones at that since I presume you are not running any services:

    21,25,80,110,119,123,137,138,139,445,1025,5000,404
    23
    As Elmurado has stated, some ports are active (open) if you are running a service - ports 0 to 1023 are the well-known ports (commonly associated with services) - others will be dynamic e.g. will be active as part of a network connection. When you run your web browser, you will connect to port 80 (http) of the host machine (host running the service, in this instance, a web server i.e. Yahoo, for example) and establish a connection using a dynamic port on your machine (client).

    Right, we need to identify the active network connections to determine their state i.e. if they are LISTENING, then identify the processes and or services that are creating these connections to decide if they present a security risk and should be disabled.

    How to view network connections

    Since you have inferred that you are using WinXP, please follow SirDice's guidance and also read this tutorial on how to use 'Netstat'. Yes, whilst you can type 'netstat /?' at the command prompt, this tutorial holds your hand through the process and explains how to analyze the information (cheers Cheeseball).

    Ports 21 [ftp], 80 [http], 110 [pop3], 119 [nntp], are immediately suspicious if they are ports open on your machine that are LISTENING i.e. waiting for an inbound connection. If you are connecting to these ports i.e. upon netstat -ano:

    Active Connections

    Proto Local Address Foreign Address State PID
    TCP 127.0.0.1:1084 xxx.xxx.xxx.xxx:21 ESTABLISHED 1748

    Then you are connecting to hosts (foreign machines) running these services i.e. in this example, you've connected to an FTP server. If under local address, there is an established connection to port 21 on your machine, then you are running an FTP server.

    Right! We've identified what active connections you have and their state, we now need to identify the services correlating to these connections.

    How to identify processes

    This tutorial provides you with the necessary information to get down and dirty, allowing you to identify processes with their corresponding services. I am of the belief that it is far more educational to do this process by hand at first to get a feel for understanding your OS [winXP], improving your knowledge and also be able to develop some basic forensic techniques to identify root causes. Once you're comfortable, you can always use a third party app[lication] such as Fport, as recommended by 576869746568617.

    Fport will inform you of what service is being used by a process, and where that process is located on your machine. I personally don't use Fport purely because I prefer to get my hands dirty and do my own investigation to improve my knowledge. Once I've reached a state where I feel comfortable with this forensic work and can link a process to a service by looking at what network connections are active, then I'll use Fport. That said, due to the ports that you have active, I would recommend it in this instance to get to the root cause.

    How to find out the identity of each service

    Now that we've identified what processes are active and the corresponding services, we now need to find out much more information on the nature of these services i.e. what do they do. Black Viper has a section on his website that identifies the services and also how to disable them. An excellent website for identifying services is this one (the Bible).

    To find the list of services on your machine (WinXP), click on Start/Run, then type 'services.msc'. You will then find a (long) list of services that can be configured (disabled, in this instance) using the websites above as references.

    DANGER! WILL ROBINSON! DANGER

    Do NOT disable RPC [Remote Procedure Call] because so many WinXP services rely on this function that you can disable your machine.

    Following the guidance given in the above websites on the services that you can 'safely' disable, you will then need to reboot your machine for these changes to take effect.

    Specific Vulnerabilities

    There are a couple of specific vulnerabilities that must be disabled (unless you have a pretty solid reason to keep these open) if you wish to secure your machine. Please see this post on Netbios hacking as to why certain ports such as 139 are extremely vulnerable and need to be closed. Now that you're suitably frightened (if you're not, then refresh your memory by reading your initial post and the ports that are open on your machine .. 139 is one of the offenders), here are a few links on how to close specific vulnerabilities:

    This link will fix (close) the vulnerabilities linked to TCP ports 135 & 445. This link will fix ports 135-139, as well as 445 by disabling Netbios over TCP/IP, whilst this link will also teach how to disable the ports associated with NetBIOS over TCP/IP being enabled (and scare you by showing you how trivial it is to hack a machine running with these ports open and NO firewall enabled).

    I presume (probably erroneously) that you have disabled file/print sharing?

    I cannot stress how important it is to read ShagDevil's response and read the links because I am worried that you have these ports open and NO firewall. If that is the case, then I would presume that your box has been owned i.e. hacked by a malicious (ab)user - probably a script kiddie just running a scanner over a range of IPs to find users who have left vulnerable ports open. I would suggest before you close these ports, first getting yourself a FREE firewall and installing that. Then downloading a 30 day trial of The Cleaner (see ShagDevil's post) to check for trojans (backdoors, RATs - a vector for an (ab)user to have remote access, hence control of your machine). Then and only then, disable the services that you don't need/require.

    If I ran 'netstat -ano' straight after my machine boots, the only service running is the time service associated with port 123 (a little service that automatically updates my machine clock & date). It goes without saying that I'm also sitting behind a firewall (ZoneAlarm - yeah, I know, I know. I have Kerio but I haven't read the manual PDF) and have updated and installed Service Pack 2.

    It took me a few hours reading to get from your stage to the stage where I am at now i.e. minimal services running. So good luck and let us know how you get on. I am concerned that if you don't have a firewall then your machine may have been hacked by now (machines sitting in the wild running default settings typically last between 15-20 minutes before being hacked, according to various users - sorry, I don't have the link available to confirm this).

    Regards,
    Riotgirl
    "Don't worry. I don't have low self-esteem. It's a mistake. I have low esteem for everyone else".

  2. #12
    SirDice - At school right now however I'll give it a try. Thanks!

  3. #13
    Riotgirl - Taking a break in class right now however I will look at your post deeply a little later. Thankyou, it looks like you put a lot of work into it...

  4. #14
    Here's what netstat -aon | find /I "LISTEN" displayed:

    TCP 0.0.0.0:135 0.0.0.0:0 Listening 888
    TCP 0.0.0.0:445 0.0.0.0:0 Listening 4
    TCP 127.0.0.1:1025 0.0.0.0:0 Listening 232
    TCP MY IP ADDRESS:139 0.0.0.0:0 Listening 4

    I've got a port blocker from ANALOGX however it automatically closes as soon as I turn it on (suspiciously). This is with all my applications closed. "Netstat -a" brought up several established connections with 8 of them listing the foreign address as "*.*"
    Anything I should be worried about?

    The tutorial above by Riotgirl was pretty helpful in addition to Cheeseball's information on Netstat. I'll have more time next week to completely delve into the information you've provided. Thanks!
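    A small parser that applies Riotgirl's reading of `netstat -ano` (post #11) to the listing pasted in post #14: it separates sockets bound to loopback from those reachable on an interface, skips ESTABLISHED rows (you connecting out, not a server on your box), and tags the ports the thread singles out. This is an added example, not code from the thread; 192.0.2.10 and 198.51.100.7 stand in for "MY IP ADDRESS" and the masked FTP host, and the UDP port 123 and port 5000 rows are constructed.

```python
import re
from collections import namedtuple
Sock = namedtuple("Sock", "proto local_ip local_port foreign state pid")

# Ports the thread singles out; the notes are the thread's reading, not an official table.
PORT_NOTES = {
    21: "ftp server", 25: "smtp server", 80: "http server", 110: "pop3 server",
    119: "nntp server", 123: "time service (the one listener post #11 keeps)",
    135: "RPC endpoint mapper (never disable RPC; firewall it instead)",
    137: "NetBIOS name", 138: "NetBIOS datagram", 139: "NetBIOS session", 445: "SMB/CIFS",
}
LOOPBACK, ANY_ADDR = ("127.0.0.1", "::1"), ("0.0.0.0", "[::]")
# One netstat -ano row: proto, local addr:port, foreign addr, optional state (UDP has none), PID
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+([A-Za-z_]+))?\s+(\d+)\s*$", re.I)

# Constructed sample: the listing from post #14 plus the ESTABLISHED row from post #11,
# with "MY IP ADDRESS" and the masked FTP host replaced by documentation addresses.
SAMPLE = """  Proto  Local Address      Foreign Address    State        PID
  TCP    0.0.0.0:135        0.0.0.0:0          Listening    888
  TCP    0.0.0.0:445        0.0.0.0:0          Listening    4
  TCP    127.0.0.1:1025     0.0.0.0:0          Listening    232
  TCP    192.0.2.10:139     0.0.0.0:0          Listening    4
  TCP    0.0.0.0:5000       0.0.0.0:0          Listening    1060
  TCP    127.0.0.1:1084     198.51.100.7:21    ESTABLISHED  1748
  UDP    0.0.0.0:123        *:*                             1028
"""

def parse_netstat(text):
    """Turn netstat -ano output into Sock tuples; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, ip, port, foreign, state, pid = m.groups()
            rows.append(Sock(proto.upper(), ip, int(port), foreign, (state or "").upper(), int(pid)))
    return rows

def exposure(ip):
    # Who can reach the socket: only this machine, one interface, or every interface.
    return "loopback only" if ip in LOOPBACK else "ALL interfaces" if ip in ANY_ADDR else "one interface"

def assess(socks):
    """One finding per socket waiting for inbound traffic: (port, pid, exposure, note, verdict)."""
    findings = []
    for s in socks:
        if s.proto == "TCP" and s.state != "LISTENING":
            continue  # an ESTABLISHED row to a remote :21 is you using an FTP server, not running one
        note, exp = PORT_NOTES.get(s.local_port), exposure(s.local_ip)
        verdict = "ok" if exp == "loopback only" else ("review" if note else "identify")
        findings.append((s.local_port, s.pid, exp, note or "unknown: match the PID to a process", verdict))
    return findings
```

    A "review" verdict means the port is one the thread discusses (NetBIOS/SMB, a server port, or the time service) and its PID should be matched to a process via Task Manager or Fport before deciding whether to disable the service; "identify" means the port is not in the table and the PID lookup is the only way to know what it is.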

  5. #15
    I'll be honest. I've used ANALOGX programs in the past and they have always been flaky. Netstat proves that nothing suspicious is running and thus chances are the ANALOGX program was just doing something completely on its own.

    You have -nothing- to worry about, as none of the ports it listed are things you are actually running.

    Stay far FAR away from ANALOGX programs.

  6. #16
    Staying far away. Got it. Thanks.
