
Thread: Is this safe or not ?

  1. #11
    Junior Member
    Join Date
    May 2005
    Posts
    12
    OK, ports 6666 and 7007: I can't find them in my box management. Where can I find them?

  2. #12
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Have a look through Add/Remove Programs -> Windows Components..
    There's probably a whole lot you can remove from there..
    (including those "Simple TCP/IP Services", I believe; not sure, I don't have a W2K handy)
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #13
    Junior Member
    Join Date
    May 2005
    Posts
    12
    Well, thanks so much man, I've learned a lot from you guys' help and everything, and I'll try to do the best I can to close up those ports.

  4. #14
    Junior Member
    Join Date
    May 2005
    Posts
    12
    Eh, I don't know how to close those bad ports. This is what I got back from Nmap:

    Port State Service
    135/tcp open loc-srv
    139/tcp open netbios-ssn
    1029/tcp open ms-lsa
    1445/tcp filtered proxima-lm
    3389/tcp open ms-term-serv
    6346/tcp open gnutella
    6666/tcp open irc-serv
    7007/tcp open afs3-bos

    Ports 6666/7007 are the ones I want to close really bad. Can anyone help?

  5. #15

    Re: Is this safe or not ?

    Is it safe?


    --
    Originally posted here by Logicalsifter
    Hello, I have a question about my box (computer) ports. I have Windows 2000 Server and I scanned my ports using NmapWin v1.3.1 and I got this.

    Starting nmap V. 3.00 ( www.insecure.org/nmap )
    Insufficient responses for TCP sequencing (2), OS detection may be less accurate
    Interesting ports on ??? (???.???.?.???):
    (The 1578 ports scanned but not shown below are in state: closed)
    Port State Service
    7/tcp open echo
    9/tcp open discard
    13/tcp open daytime
    17/tcp open qotd
    19/tcp open chargen
    21/tcp open ftp
    25/tcp open smtp
    42/tcp open nameserver
    53/tcp open domain
    80/tcp open http
    135/tcp open loc-srv
    139/tcp open netbios-ssn
    443/tcp open https
    515/tcp open printer
    548/tcp open afpovertcp
    1025/tcp open NFS-or-IIS
    1029/tcp open ms-lsa
    1030/tcp open iad1
    1033/tcp open netinfo
    3372/tcp open msdtc
    3389/tcp open ms-term-serv
    6666/tcp open irc-serv
    7007/tcp open afs3-bos
    Remote OS guesses: Windows NT 5 Beta2 or Beta3, Windows Millennium Edition (Me), Win 2000, or WinXP, MS Windows2000 Professional RC1/W2K Advance Server Beta3
    Nmap run completed -- 1 IP address (1 host up) scanned in 20 seconds

    Are my ports on this box safe or not? What should I do to keep them closed?

  6. #16
    Originally posted here by Tiger Shark
    Was that scan from within a perimeter firewall or outside it.... More to the point, does a perimeter firewall exist?

    'Cos if that box isn't firewalled it's probably already owned.....
    Tiger, one question: how would you guarantee that?

  7. #17
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Tiger, one question: how would you guarantee that?
    It's pretty much given away by Nmap's OS guess.

    Remote OS guesses: Windows NT 5 Beta2 or Beta3, Windows Millennium Edition (Me), Win 2000, or WinXP, MS Windows2000 Professional RC1/W2K Advance Server Beta3
    On properly patched boxes Nmap is much more explicit about the Operating System and will usually indicate a service pack level. This scan indicates no service pack whatsoever, it includes WinME which is rarely if ever confused with patched Win2k/XP boxes, and finally it guesses at a Release Candidate (RC1) or Beta versions. This implies a very old version of Win2k or possibly an early version of WinXP. In both cases it implies no patches whatsoever. Without patches and having all these services unfirewalled you could pretty much guarantee that the box was owned.

    The only information that would refute that is the fact that the box is so insecure. Crackers often secure a box they exploit simply to keep other crackers off "their" box. The insecurity of this box would imply that it was uncracked and probably therefore it resides behind a firewall.

    That's my read on it.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #18
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    I am aware that the thread was started a while ago,
    but I was too busy

    We here have a classical situation where one tries
    to relate listening ports with "services or applications".
    SirDice did a decent job. I'll continue a bit.
    I will present a simple way to do this; however,
    the results cannot be trusted if a (ring-0) rootkit
    has been installed. In general, the whole setup looks
    very suspicious - and you are running gnutella on a server?


    The main tool we will use is fport[1]. This tool will
    relate a listening port to an executable, which might be started
    as "service or application", but in any case the information
    can be found in the registry. We are using an external
    tool, and not the native netstat, since the installed
    version of netstat might not be trustworthy.


    e.g. terminal service

    For example, ms-term-serv is related to Microsoft's
    terminal services termsrv.exe. You can either stop the
    service (services.msc) or deinstall the software (Windows Components
    Wizard). Information about its display name "Terminal Services"
    and others can be found in the registry:
    Code:
    HKLM\SYSTEM\CurrentControlSet\Services\TermService

    e.g. 6666 (or maybe irc-serv)

    You will find with fport that irc-serv might be related to
    ircserv.exe. Hopefully, you have actually installed that thing...
    It probably is not a service, but an "application", visible in the
    task manager. Kill it there, then track down how it gets started.
    This can be done in many ways, search the registry for the executable
    given by fport. Most likely in
    Code:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    but it also might be a service. Check the previous registry-key for
    its entry. Remove it there.

    e.g. 7007 (or maybe afs3-bos)

    The port-assignment list[2] relates port 7007 to afs3-bos, but
    without having in use other Andrew File System servers and services,
    this seems unlikely. Hence, it might be some backdoor. Check the
    executable given by fport and track it down (first step: registry).


    conclusion

    This system should be reinstalled, properly configured and patched.


    Cheers



    [1] http://www.foundstone.com/index.htm?...desc/fport.htm
    [2] http://www.iana.org/assignments/port-numbers
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)
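The port-to-executable-to-registry workflow described in the post above, as an added example that is not from the thread or from fport's authors: it uses built-in cmdlets on a current Windows host (Windows 8 / Server 2012 or later, which the Windows 2000 box in the thread lacks; there fport remains the tool) to map each listening TCP port to its owning executable, any service names hosting it under the Services key, and any Run-key entry that launches it. As the post notes for netstat, these in-band APIs can likewise be fooled by a kernel rootkit.

```powershell
# Added example: map listening TCP ports -> executable -> Services / Run registry keys.
# Assumes NetTCPIP cmdlets are available (Windows 8 / Server 2012+) and an elevated shell
# so process paths are readable. Uses in-band OS APIs, so a ring-0 rootkit could hide entries.

$runKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Run-key entries: value name -> command line (skip PowerShell's PS* metadata properties).
$runEntries = @{}
if (Test-Path $runKey) {
    foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { $runEntries[$p.Name] = [string]$p.Value }
    }
}

# Services keyed by process ID (several svchost-hosted services share one PID).
$servicesByPid = @{}
foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 }) {
    $key = [int]$svc.ProcessId
    if (-not $servicesByPid.ContainsKey($key)) { $servicesByPid[$key] = @() }
    $servicesByPid[$key] += $svc
}

$report = foreach ($conn in Get-NetTCPConnection -State Listen | Sort-Object LocalPort -Unique) {
    $procId = [int]$conn.OwningProcess
    $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
    $exe    = if ($proc -and $proc.Path) { $proc.Path } else { '<unknown/access denied>' }

    # Service names hosted by this PID; each has a key under $servicesKey (as with TermService).
    $svcNames = @()
    if ($servicesByPid.ContainsKey($procId)) { $svcNames = @($servicesByPid[$procId].Name) }

    # Run-key values whose command line mentions this executable's file name.
    $runHits = @()
    if ($proc -and $proc.Path) {
        $exeName = [System.IO.Path]::GetFileName($proc.Path)
        $runHits = @($runEntries.GetEnumerator() |
            Where-Object { $_.Value -like "*$exeName*" } | ForEach-Object { $_.Key })
    }

    [pscustomobject]@{
        Port        = $conn.LocalPort
        PID         = $procId
        Executable  = $exe
        Services    = ($svcNames -join ',')
        ServiceKeys = (($svcNames | ForEach-Object { "$servicesKey\$_" }) -join ',')
        RunKeyEntry = ($runHits -join ',')
    }
}

$report | Format-Table -AutoSize
```

A listener whose executable is neither a registered service nor a Run-key entry, and whose port has no plausible installed software behind it (the thread's 6666 and 7007), is the row to investigate first.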
