
Thread: ...the ports that cannot be closed because something else is already using them.

  1. #1

    ...the ports that cannot be closed because something else is already using them.

    AnalogX has a great little program that blocks ports; however, whenever it is executed it claims that some ports cannot be closed as they may jeopardize system security. Although I constantly clean out my system with Spybot, Xoftspy, Ad-Aware (Lavasoft) and other software, I still find garbage on my system. I understand that some ports are open by default with some XP processes; however, I'm getting pretty suspicious, as the more ports I add to block on my system, the more ports aren't blocked with this port blocker, which gives me the same message every time: "may jeopardize security". I only have a small number of ports blocked due to recurring issues as a result of scans. For example, an online Symantec scan I did recently stated that port 40423 was vulnerable or open (I forgot, but in any event there was an issue with this port), so I closed it, naturally. Although when I use my port blocker it gives the following list of ports that could not be blocked because they were "already in use".

    21,25,80,110,119,123,137,138,139,445,1025,5000,40423

    These are only the ones I've manually put into the software from AnalogX; who knows how many others are being exploited!

    I've used Ethereal but since I'm an amateur I don't know exactly what to look for. All the traffic appears to be normal. I've scanned my own IP address using Superscan, which claims that none of my ports are open. The list of ports that are open is a little excessive and I don't think they're all related to XP processes that are just a part of the system. There is no doubt in my mind that there is something going on here behind the scenes. The question is, what is the next step to take in defending myself?

  2. #2
    First thing is to work out what the ports are used for:
    eg 21=ftp
    25=smtp
    80=http
    110=pop3 etc etc....

    This is a good page: http://www.iana.org/assignments/port-numbers
    Also, do netstat -a at a command prompt and see what is doing what.
    Do netstat /? for a list of commands. netstat -o is a good one. Then you can see PIDs that are associated with certain ports.

    What's the name of the prog you're using?
    "Do not despise the snake for having no horns, for who is to say it will not become a dragon?"

  3. #3
    Some Assembly Required ShagDevil
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718
    soma56, I suppose I could just suggest that you slap a firewall up, configure the rulesets properly and forget about it but, I'm not. For starters, I don't even know if you have a firewall. There's always a chance that you do and have it set to allow most traffic. I'm not clairvoyant, you know.
    Instead, I can start you off with some investigative tools to better help you figure out what traffic is floating in and out of your computer. These are basic tools, since you mentioned ethereal was a bit too complicated.
    These two programs are very basic for monitoring your traffic:
    Port Peeker
    TCPView (I use this one)
    (I recommend checking out other products from WebAttack.com because they have a lot of nifty programs). You can use these tools to see what is opening your ports. Remember though, these aren't pro-active protection, they're just simply traffic monitors. elmurado also suggested a great idea. Get to know what services run on what ports. It will help you vastly to understand the traffic monitor logs if you at least have a reference to what ports are associated with.

    Another angle to approach is to download some kind of active process monitor, such as TCActive, which comes bundled with The Cleaner. There are a ton of these kinds of process monitors, TCActive just happens to be one of my favorites. Once you have an active process monitor, you can go to a site like AnswersThatWork and check out what's running on your pc. Another great site is Windows Process Library. This is just one of many more investigative tools to better help you understand what may be opening ports on your pc.

    Now, if you don't have a firewall, I do recommend you get one sometime soon. You can play around with the tools I gave you but, in the meantime you should get some protection going on. You have a wide selection of good names such as: Sygate, Kerio, Zone Alarm to name a few. All of these firewalls are listed here and they are free.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    I'm assuming you're on XP. Open a cmd prompt and issue the command netstat -aon.
    Look for ports that are in a LISTEN state. The output of the command also shows you the PID of the process that opened that port. Use your taskmanager to see what program runs with that PID.

    If you prevent that program from running (deinstall it, disable its services etc) the port will be closed.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    Junior Member
    Join Date
    Sep 2003
    Posts
    1
    All the ports you have listed except for the following are normally
    ports that you are using like ftp, pop3, http and of course the ports that netbios (session) use.

    5000 - (not a listening port but instead a tcp port) this could be universal plug and play, which is installed on Win XP. If you don't have this then it could be a trojan called sockets de troi or bubbel

    40423 normally is a trojan called masters paradise but then again it could be something else

  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Jenna, I'm not really sure what you're trying to say. It doesn't make sense.

    Ftp, pop3, http are open ports (in listening mode) if you have a ftp, pop3, http service running (not normal on a "regular" workstation). TCP port 5000 is in listening mode if you have UPnP/SSDP enabled on WinXP (enabled by default).

    These ports aren't open (listening) when you only use outbound connections. Open ports (found using a portscanner) are always listening and used for inbound connections.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  7. #7
    Well that's the tricky part. See I know that port 21 is for FTP and 23 is for Telnet and what some of the other ports are for but the thing is I don't have an FTP client and have never used FTP on this machine let alone telnet or pop3.........

    As far as I know, port 80 I use for a little surfing but even when no application is running all these other ports are in use. Sounds like I need to do some formatting. But before I do so were my suspicions correct?

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Did you do a netstat -aon? You can post it here if you want (just remove your own ip).
    Then we'll take a look at it.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  9. #9
    Forgive my ignorance, but what does the process involve? What are the steps? Remember, this is the newbies section...

  10. #10
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Assuming you have an English XP:

    Start -> Run....
    cmd.exe
    On the prompt type:
    netstat -aon | find /I "LISTEN"

    Copy 'n paste that info here (just remove your IP address if it's in there).
    Oliver's Law:
    Experience is something you don't get until just after you need it.
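
    Added example (not part of any post in this thread): a short Python script that does the triage the replies describe, reading `netstat -aon` output, keeping only sockets that accept inbound traffic, and attaching the owning process name to each PID. Both inputs are constructed samples using documentation addresses, and taking the PID-to-name mapping from `tasklist /FO CSV /NH` instead of Task Manager is an assumption of this example.

```python
import csv, io

# Constructed sample of `netstat -aon` output (not from the thread).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1180
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING       1620
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:1047        198.51.100.7:80        ESTABLISHED     2044
  UDP    192.0.2.10:123         *:*                                    1012
"""
# Constructed sample of `tasklist /FO CSV /NH` output (assumed PID source).
TASKLIST = '''\
"System","4","Console","0","216 K"
"svchost.exe","1012","Console","0","18,204 K"
"svchost.exe","1180","Console","0","4,100 K"
"alg.exe","1620","Console","0","3,300 K"
'''
# Ports the original poster's blocker reported as "already in use".
REPORTED = {21, 25, 80, 110, 119, 123, 137, 138, 139, 445, 1025, 5000, 40423}

def pid_names(tasklist_csv):
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(tasklist_csv)) if len(r) >= 2}

def listeners(netstat_text):
    """Yield (proto, address, port, pid) for sockets accepting inbound traffic."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue
        # TCP rows carry a state column; UDP rows have none and are simply bound.
        if f[0] == "TCP" and f[3] != "LISTENING":
            continue
        addr, _, port = f[1].rpartition(":")
        yield f[0], addr, int(port), int(f[-1])

def report(netstat_text, tasklist_csv, reported=REPORTED):
    names = pid_names(tasklist_csv)
    rows = []
    for proto, addr, port, pid in listeners(netstat_text):
        exposure = "local-only" if addr == "127.0.0.1" else "network"
        rows.append((proto, port, pid, names.get(pid, "unknown"), exposure, port in reported))
    return sorted(rows, key=lambda r: (r[1], r[0]))

if __name__ == "__main__":
    for row in report(NETSTAT, TASKLIST):
        print("%-3s %5d pid=%-5d %-12s %-10s reported=%s" % row)
```

    The ESTABLISHED row is an outbound connection and is dropped, and a listener bound to 127.0.0.1 is reachable only from the machine itself, which is why an external scan can report fewer open ports than the local list shows.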
