-
May 24th, 2005, 05:31 PM
#11
Junior Member
OK, ports 6666 and 7007: I can't find them on my box management. Where can I find them?
-
May 24th, 2005, 07:23 PM
#12
Have a look through Add/Remove Programs -> Windows components..
There's probably a whole lot you can remove from there..
(including those "simple tcp/ip services", I believe; not sure, I don't have a w2k handy)
Oliver's Law:
Experience is something you don't get until just after you need it.
-
May 25th, 2005, 06:41 AM
#13
Junior Member
Well, thanks so much, man. I've learned a lot from you guys' help and everything, and I'll try to do the best I can to close up those ports.
-
May 27th, 2005, 02:37 AM
#14
Junior Member
Eh, I don't know how to close those bad ports. This is what I got back from Nmap:
Port State Service
135/tcp open loc-srv
139/tcp open netbios-ssn
1029/tcp open ms-lsa
1445/tcp filtered proxima-lm
3389/tcp open ms-term-serv
6346/tcp open gnutella
6666/tcp open irc-serv
7007/tcp open afs3-bos
Ports 6666/7007 are the ones I want to close really badly. Can anyone help?
-
May 27th, 2005, 11:40 AM
#15
Re: Is this safe or not ?
Is it safe?
--
Originally posted here by Logicalsifter
Hello, I have a question about my box (computer) ports. I have Windows 2000 Server and I scanned my ports using NmapWin v1.3.1, and it gave me this.
Starting nmap V. 3.00 ( www.insecure.org/nmap )
Insufficient responses for TCP sequencing (2), OS detection may be less accurate
Interesting ports on ??? (???.???.?.???):
(The 1578 ports scanned but not shown below are in state: closed)
Port State Service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
21/tcp open ftp
25/tcp open smtp
42/tcp open nameserver
53/tcp open domain
80/tcp open http
135/tcp open loc-srv
139/tcp open netbios-ssn
443/tcp open https
515/tcp open printer
548/tcp open afpovertcp
1025/tcp open NFS-or-IIS
1029/tcp open ms-lsa
1030/tcp open iad1
1033/tcp open netinfo
3372/tcp open msdtc
3389/tcp open ms-term-serv
6666/tcp open irc-serv
7007/tcp open afs3-bos
Remote OS guesses: Windows NT 5 Beta2 or Beta3, Windows Millennium Edition (Me), Win 2000, or WinXP, MS Windows2000 Professional RC1/W2K Advance Server Beta3
Nmap run completed -- 1 IP address (1 host up) scanned in 20 seconds
Are my ports on this box safe or not? What should I do to keep them closed?
-
May 27th, 2005, 12:09 PM
#16
Member
Originally posted here by Tiger Shark
Was that scan from within a perimeter firewall or outside it.... More to the point, does a perimeter firewall exist?
'Cos if that box isn't firewalled it's probably already owned.....
Tiger, one question: how would you guarantee that?
-
May 27th, 2005, 01:32 PM
#17
Tiger, one question: how would you guarantee that?
It's pretty much given away by Nmap's OS guess.
Remote OS guesses: Windows NT 5 Beta2 or Beta3, Windows Millennium Edition (Me), Win 2000, or WinXP, MS Windows2000 Professional RC1/W2K Advance Server Beta3
On properly patched boxes NMap is much more explicit about the Operating System and will usually indicate a service pack level. This scan indicates no service pack whatsoever, it includes WinME which is rarely if ever confused with patched Win2k/XP boxes and finally it guesses at a Release Candidate, (RC1), or Beta versions. This implies a very old version of Win2k or possibly an early version of WinXP. In both cases it implies no patches whatsoever. Without patches and having all these services unfirewalled you could pretty much guarantee that the box were owned.
The only information that would refute that is the fact that the box is so insecure. Crackers often secure a box they exploit simply to keep other crackers off "their" box. The insecurity of this box would imply that it was uncracked and probably therefore it resides behind a firewall.
That's my read on it.....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
May 29th, 2005, 08:07 PM
#18
Hi
I am aware that the thread was started a while ago,
but I was too busy.
We here have a classical situation where one tries
to relate listening ports with "services or applications".
SirDice did a decent job. I'll continue a bit.
I will present a simple way to do this, however,
the results cannot be trusted if a (ring-0-)rootkit
has been installed. In general, the whole setup looks
very suspicious - and you are running gnutella on a server?
The main tool we will use is fport[1]. This tool will
relate a listening port to an executable, which might be started
as "service or application", but in any case the information
can be found in the registry. We are using an external
tool, and not the native netstat, since the installed
version of netstat might not be trustworthy.
e.g. terminal service
For example, ms-term-serv is related to Microsoft's
terminal services termsrv.exe. You can either stop the
service (services.msc) or deinstall the software (Windows Components
Wizard). Information about its display name "Terminal Services"
and others can be found in the registry:
Code:
HKLM\SYSTEM\CurrentControlSet\Services\TermService
e.g. 6666 (or maybe irc-serv)
You will find with fport, that irc-serv might be related to
ircserv.exe. Hopefully, you have actually installed that thing...
It probably is not a service, but an "application", visible in the
task manager. Kill it there, then track down how it gets started.
This can be done in many ways, search the registry for the executable
given by fport. Most likely in
Code:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
but it also might be a service. Check the previous registry-key for
its entry. Remove it there.
e.g. 7007 (or maybe afs3-bos)
The port-assignment list[2] relates port 7007 to afs3-bos, but
without having in use other Andrew File System servers and services,
this seems unlikely. Hence, it might be some backdoor. Check the
executable given by fport and track it down (first step: registry).
conclusion
This system should be reinstalled, properly configured and patched.
Cheers
[1] http://www.foundstone.com/index.htm?...desc/fport.htm
[2] http://www.iana.org/assignments/port-numbers
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
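The port-to-executable-to-registry tracing described in the post above, as an added example that is not part of the original thread: given port/executable pairs (what a tool such as fport reports) and the values of the two registry keys named in the post, it reports which entry starts each listener. All paths, entry names, the `ENV` value and the `exe_path`/`trace` helpers are constructed for illustration.

```python
import ntpath
import re

# Constructed sample data, not taken from the host discussed in the thread.
# (port, executable) pairs of the kind a port-to-process mapper reports.
LISTENERS = [
    (3389, r"C:\WINNT\System32\termsrv.exe"),
    (6666, r"C:\Program Files\ircserv\ircserv.exe"),
    (7007, r"C:\WINNT\Temp\example7007.exe"),  # hypothetical unknown binary
]
# ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services\<name>
SERVICES = {
    "TermService": r"%SystemRoot%\System32\termsrv.exe",
    "ExampleSvc": r'"C:\Program Files\Example\svc.exe" -k run',
}
# Values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RUN = {"ircserv": r'"C:\Program Files\ircserv\ircserv.exe" -hidden'}
ENV = {"systemroot": r"C:\WINNT"}  # assumed value of %SystemRoot%


def exe_path(command, env=ENV):
    """Reduce a registry command line to a normalised executable path."""
    # Expand %VAR% references; unknown variables are left untouched.
    cmd = re.sub(r"%(\w+)%",
                 lambda m: env.get(m.group(1).lower(), m.group(0)),
                 command.strip())
    if cmd.startswith('"'):
        cmd = cmd[1:].split('"', 1)[0]          # quoted path, arguments follow
    else:
        m = re.match(r"(?i)(.+?\.exe)\b", cmd)  # unquoted: cut after first .exe
        cmd = m.group(1) if m else cmd.split(" ", 1)[0]
    return ntpath.normcase(ntpath.normpath(cmd))


def trace(listeners, services, run):
    """Return {port: (kind, entry_name)} saying what starts each listener."""
    index = {exe_path(cmd): ("run-key", name) for name, cmd in run.items()}
    index.update({exe_path(cmd): ("service", name)
                  for name, cmd in services.items()})
    return {port: index.get(exe_path(path), ("unexplained", None))
            for port, path in listeners}


if __name__ == "__main__":
    for port, (kind, name) in sorted(trace(LISTENERS, SERVICES, RUN).items()):
        print(port, kind, name or "-")
```

A listener reported as `unexplained` has no entry in either key, so the search for what starts it has to widen beyond those two locations.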